[PATCH] build: Fix build with Ubuntu

[PATCH] build: Fix build with Ubuntu

[Andrew Cooper]

This supercedes "x86/build: Unilaterally disable -fcf-protection"

Andrew Cooper (2):
  x86/build: move -fno-asynchronous-unwind-tables into EMBEDDED_EXTRA_CFLAGS
  x86/build: Unilaterally disable -fcf-protection

 Config.mk                            | 3 ++-
 tools/tests/x86_emulator/testcase.mk | 2 +-
 xen/arch/x86/arch.mk                 | 2 +-
 xen/arch/x86/boot/build32.mk         | 2 +-
 4 files changed, 5 insertions(+), 4 deletions(-)

-- 
2.11.0

[PATCH] x86/build: move -fno-asynchronous-unwind-tables into EMBEDDED_EXTRA_CFLAGS

[Andrew Cooper]

Users of EMBEDDED_EXTRA_CFLAGS already use -fno-asynchronous-unwind-tables, or
ought to.  This shrinks the size of the rombios 32bit stubs in guest memory.

Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
---
CC: Jan Beulich <JBeulich@suse.com>
CC: Wei Liu <wl@xen.org>
CC: Roger Pau Monné <roger.pau@citrix.com>
CC: George Dunlap <George.Dunlap@eu.citrix.com>
CC: Ian Jackson <ian.jackson@citrix.com>
CC: Stefano Stabellini <sstabellini@kernel.org>
CC: Julien Grall <julien@xen.org>
---
 Config.mk                            | 2 +-
 tools/tests/x86_emulator/testcase.mk | 2 +-
 xen/arch/x86/arch.mk                 | 2 +-
 xen/arch/x86/boot/build32.mk         | 2 +-
 4 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/Config.mk b/Config.mk
index 3621162ae4..b0f16680f3 100644
--- a/Config.mk
+++ b/Config.mk
@@ -204,7 +204,7 @@ APPEND_LDFLAGS += $(foreach i, $(APPEND_LIB), -L$(i))
 APPEND_CFLAGS += $(foreach i, $(APPEND_INCLUDES), -I$(i))
 
 EMBEDDED_EXTRA_CFLAGS := -nopie -fno-stack-protector -fno-stack-protector-all
-EMBEDDED_EXTRA_CFLAGS += -fno-exceptions
+EMBEDDED_EXTRA_CFLAGS += -fno-exceptions -fno-asynchronous-unwind-tables
 
 XEN_EXTFILES_URL ?= http://xenbits.xen.org/xen-extfiles
 # All the files at that location were downloaded from elsewhere on
diff --git a/tools/tests/x86_emulator/testcase.mk b/tools/tests/x86_emulator/testcase.mk
index a565d15524..dafeb6caf7 100644
--- a/tools/tests/x86_emulator/testcase.mk
+++ b/tools/tests/x86_emulator/testcase.mk
@@ -4,7 +4,7 @@ include $(XEN_ROOT)/tools/Rules.mk
 
 $(call cc-options-add,CFLAGS,CC,$(EMBEDDED_EXTRA_CFLAGS))
 
-CFLAGS += -fno-builtin -fno-asynchronous-unwind-tables -g0 $($(TESTCASE)-cflags)
+CFLAGS += -fno-builtin -g0 $($(TESTCASE)-cflags)
 
 .PHONY: all
 all: $(TESTCASE).bin
diff --git a/xen/arch/x86/arch.mk b/xen/arch/x86/arch.mk
index 2a51553edb..62b7c97007 100644
--- a/xen/arch/x86/arch.mk
+++ b/xen/arch/x86/arch.mk
@@ -56,7 +56,7 @@ $(call as-option-add,CFLAGS,CC,\
 $(call as-option-add,CFLAGS,CC,\
     ".L1: .L2: .nops (.L2 - .L1)$$(comma)9",-DHAVE_AS_NOPS_DIRECTIVE)
 
-CFLAGS += -mno-red-zone -fpic -fno-asynchronous-unwind-tables
+CFLAGS += -mno-red-zone -fpic
 
 # Xen doesn't use SSE interally.  If the compiler supports it, also skip the
 # SSE setup for variadic function calls.
diff --git a/xen/arch/x86/boot/build32.mk b/xen/arch/x86/boot/build32.mk
index 48c7407c00..5851ebff5f 100644
--- a/xen/arch/x86/boot/build32.mk
+++ b/xen/arch/x86/boot/build32.mk
@@ -4,7 +4,7 @@ include $(XEN_ROOT)/Config.mk
 
 $(call cc-options-add,CFLAGS,CC,$(EMBEDDED_EXTRA_CFLAGS))
 
-CFLAGS += -Werror -fno-asynchronous-unwind-tables -fno-builtin -g0 -msoft-float
+CFLAGS += -Werror -fno-builtin -g0 -msoft-float
 CFLAGS += -I$(XEN_ROOT)/xen/include
 CFLAGS := $(filter-out -flto,$(CFLAGS)) 
 
-- 
2.11.0

Re: [PATCH] x86/build: move -fno-asynchronous-unwind-tables into EMBEDDED_EXTRA_CFLAGS

[Jan Beulich]

On 13.05.2020 15:55, Andrew Cooper wrote:
> Users of EMBEDDED_EXTRA_CFLAGS already use -fno-asynchronous-unwind-tables, or
> ought to.

It's not really well defined what they're supposed to be used for
(and where it's not supposed to be used). I notice in particular
a use in stubdom/Makefile which I'm unsure whether it indeed wants
this adjustment. Therefore ...

>  This shrinks the size of the rombios 32bit stubs in guest memory.
> 
> Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>

Reviewed-by: Jan Beulich <jbeulich@suse.com>
with the request that Samuel also ack (or otherwise) the change
from a stubdom perspective.

Jan

Re: [PATCH] x86/build: move -fno-asynchronous-unwind-tables into EMBEDDED_EXTRA_CFLAGS

[Samuel Thibault]

Hello,

Jan Beulich, le mer. 13 mai 2020 16:11:00 +0200, a ecrit:
> On 13.05.2020 15:55, Andrew Cooper wrote:
> > Users of EMBEDDED_EXTRA_CFLAGS already use -fno-asynchronous-unwind-tables, or
> > ought to.
> 
> It's not really well defined what they're supposed to be used for
> (and where it's not supposed to be used). I notice in particular
> a use in stubdom/Makefile which I'm unsure whether it indeed wants
> this adjustment. Therefore ...

I don't know why this is there in mini-os. It dates back 2005
8afe079be ('Mini-OS cleanups. Bug fixes in x86_64 assembly code.')

It indeed looks to me like a general option to minimize binary size, so
I'd say it is fine to make its activation general.

> >  This shrinks the size of the rombios 32bit stubs in guest memory.
> > 
> > Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
> 
> Reviewed-by: Jan Beulich <jbeulich@suse.com>
> with the request that Samuel also ack (or otherwise) the change
> from a stubdom perspective.

Samuel

[PATCH] x86/build: Unilaterally disable -fcf-protection

[Andrew Cooper]

Xen doesn't support CET-IBT yet.  At a minimum, logic is required to enable it
for supervisor use, but the livepatch functionality needs to learn not to
overwrite ENDBR64 instructions.

Furthermore, Ubuntu enables -fcf-protection by default, along with a buggy
version of GCC-9 which objects to it in combination with
-mindirect-branch=thunk-extern (Fixed in GCC 10, 9.4).

Various objects (Xen boot path, Rombios 32 stubs) require .text to be at the
beginning of the object.  These paths explode when .note.gnu.properties gets
put ahead of .text and we end up executing the notes data.

Disable -fcf-protection for all embedded objects.

Reported-by: Jason Andryuk <jandryuk@gmail.com>
Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
---
CC: Jan Beulich <JBeulich@suse.com>
CC: Wei Liu <wl@xen.org>
CC: Roger Pau Monné <roger.pau@citrix.com>
CC: Jason Andryuk <jandryuk@gmail.com>
CC: Stefan Bader <stefan.bader@canonical.com>

v2:
 * Fix Rombios 32 stubs as well.
---
 Config.mk | 1 +
 1 file changed, 1 insertion(+)

diff --git a/Config.mk b/Config.mk
index b0f16680f3..7d556aed30 100644
--- a/Config.mk
+++ b/Config.mk
@@ -205,6 +205,7 @@ APPEND_CFLAGS += $(foreach i, $(APPEND_INCLUDES), -I$(i))
 
 EMBEDDED_EXTRA_CFLAGS := -nopie -fno-stack-protector -fno-stack-protector-all
 EMBEDDED_EXTRA_CFLAGS += -fno-exceptions -fno-asynchronous-unwind-tables
+EMBEDDED_EXTRA_CFLAGS += -fcf-protection=none
 
 XEN_EXTFILES_URL ?= http://xenbits.xen.org/xen-extfiles
 # All the files at that location were downloaded from elsewhere on
-- 
2.11.0

Re: [PATCH] x86/build: Unilaterally disable -fcf-protection

[Jan Beulich]

On 13.05.2020 15:55, Andrew Cooper wrote:
> Xen doesn't support CET-IBT yet.  At a minimum, logic is required to enable it
> for supervisor use, but the livepatch functionality needs to learn not to
> overwrite ENDBR64 instructions.
> 
> Furthermore, Ubuntu enables -fcf-protection by default, along with a buggy
> version of GCC-9 which objects to it in combination with
> -mindirect-branch=thunk-extern (Fixed in GCC 10, 9.4).
> 
> Various objects (Xen boot path, Rombios 32 stubs) require .text to be at the
> beginning of the object.  These paths explode when .note.gnu.properties gets
> put ahead of .text and we end up executing the notes data.
> 
> Disable -fcf-protection for all embedded objects.
> 
> Reported-by: Jason Andryuk <jandryuk@gmail.com>
> Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>

For the immediate purpose
Reviewed-by: Jan Beulich <jbeulich@suse.com>

I wonder however ...

> --- a/Config.mk
> +++ b/Config.mk
> @@ -205,6 +205,7 @@ APPEND_CFLAGS += $(foreach i, $(APPEND_INCLUDES), -I$(i))
>  
>  EMBEDDED_EXTRA_CFLAGS := -nopie -fno-stack-protector -fno-stack-protector-all
>  EMBEDDED_EXTRA_CFLAGS += -fno-exceptions -fno-asynchronous-unwind-tables
> +EMBEDDED_EXTRA_CFLAGS += -fcf-protection=none

... whether this isn't going to bite us once some of the consumers
of this variable want to enable some different mode.

Jan

Re: [PATCH] x86/build: Unilaterally disable -fcf-protection

[Andrew Cooper]

On 13/05/2020 15:13, Jan Beulich wrote:
> [CAUTION - EXTERNAL EMAIL] DO NOT reply, click links, or open attachments unless you have verified the sender and know the content is safe.
>
> On 13.05.2020 15:55, Andrew Cooper wrote:
>> Xen doesn't support CET-IBT yet.  At a minimum, logic is required to enable it
>> for supervisor use, but the livepatch functionality needs to learn not to
>> overwrite ENDBR64 instructions.
>>
>> Furthermore, Ubuntu enables -fcf-protection by default, along with a buggy
>> version of GCC-9 which objects to it in combination with
>> -mindirect-branch=thunk-extern (Fixed in GCC 10, 9.4).
>>
>> Various objects (Xen boot path, Rombios 32 stubs) require .text to be at the
>> beginning of the object.  These paths explode when .note.gnu.properties gets
>> put ahead of .text and we end up executing the notes data.
>>
>> Disable -fcf-protection for all embedded objects.
>>
>> Reported-by: Jason Andryuk <jandryuk@gmail.com>
>> Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
> For the immediate purpose
> Reviewed-by: Jan Beulich <jbeulich@suse.com>

Thanks.

>
> I wonder however ...
>
>> --- a/Config.mk
>> +++ b/Config.mk
>> @@ -205,6 +205,7 @@ APPEND_CFLAGS += $(foreach i, $(APPEND_INCLUDES), -I$(i))
>>  
>>  EMBEDDED_EXTRA_CFLAGS := -nopie -fno-stack-protector -fno-stack-protector-all
>>  EMBEDDED_EXTRA_CFLAGS += -fno-exceptions -fno-asynchronous-unwind-tables
>> +EMBEDDED_EXTRA_CFLAGS += -fcf-protection=none
> ... whether this isn't going to bite us once some of the consumers
> of this variable want to enable some different mode.

I'm not overly happy with EMBEDDED_EXTRA_CFLAGS as a concept, but these
build fixes do need backporting.

All embedded targets may in principle use some/all of these options at
some point in the future.

~Andrew

Re: [PATCH] x86/build: Unilaterally disable -fcf-protection

[Jason Andryuk]

On Wed, May 13, 2020 at 9:56 AM Andrew Cooper <andrew.cooper3@citrix.com> wrote:
>
> Xen doesn't support CET-IBT yet.  At a minimum, logic is required to enable it
> for supervisor use, but the livepatch functionality needs to learn not to
> overwrite ENDBR64 instructions.
>
> Furthermore, Ubuntu enables -fcf-protection by default, along with a buggy
> version of GCC-9 which objects to it in combination with
> -mindirect-branch=thunk-extern (Fixed in GCC 10, 9.4).
>
> Various objects (Xen boot path, Rombios 32 stubs) require .text to be at the
> beginning of the object.  These paths explode when .note.gnu.properties gets
> put ahead of .text and we end up executing the notes data.
>
> Disable -fcf-protection for all embedded objects.
>
> Reported-by: Jason Andryuk <jandryuk@gmail.com>
> Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>

Reviewed-by: Jason Andryuk <jandryuk@gmail.com>

I have not re-tested this posting, but I tested an equivalent change
~2 weeks ago (in case that counts for Tested-by).

-Jason

[PATCH] x86/build: Unilaterally disable -fcf-protection

[Andrew Cooper]

See comment for details.  Works around a GCC-9 bug which breaks the build on
Ubuntu.

Reported-by: Jason Andryuk <jandryuk@gmail.com>
Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
---
CC: Jan Beulich <JBeulich@suse.com>
CC: Wei Liu <wl@xen.org>
CC: Roger Pau Monné <roger.pau@citrix.com>
CC: Jason Andryuk <jandryuk@gmail.com>
CC: Stefan Bader <stefan.bader@canonical.com>

Sorry for messing you around with how to fix this.  I'd neglected to consider
the CONFIG_LIVEPATCH interaction.  With that extra observation, there is no
point having the extra complexity given that the result with CET-IBT and
Retpoline still isn't usable.
---
 xen/arch/x86/arch.mk         | 9 +++++++++
 xen/arch/x86/boot/build32.mk | 1 +
 2 files changed, 10 insertions(+)

diff --git a/xen/arch/x86/arch.mk b/xen/arch/x86/arch.mk
index 2a51553edb..93e30e4bea 100644
--- a/xen/arch/x86/arch.mk
+++ b/xen/arch/x86/arch.mk
@@ -67,6 +67,15 @@ CFLAGS-$(CONFIG_INDIRECT_THUNK) += -mindirect-branch=thunk-extern
 CFLAGS-$(CONFIG_INDIRECT_THUNK) += -mindirect-branch-register
 CFLAGS-$(CONFIG_INDIRECT_THUNK) += -fno-jump-tables
 
+# Xen doesn't support CET-IBT yet.  At a minimum, logic is required to
+# enable it for supervisor use, but the Livepatch functionality needs
+# to learn not to overwrite ENDBR64 instructions.
+#
+# Furthermore, Ubuntu enables -fcf-protection by default, along with a
+# buggy version of GCC-9 which objects to it in combination with
+# -mindirect-branch=thunk-extern (Fixed in GCC 10, 9.4).
+$(call cc-option-add,CFLAGS,CC,-fcf-protection=none)
+
 # If supported by the compiler, reduce stack alignment to 8 bytes. But allow
 # this to be overridden elsewhere.
 $(call cc-option-add,CFLAGS-stack-boundary,CC,-mpreferred-stack-boundary=3)
diff --git a/xen/arch/x86/boot/build32.mk b/xen/arch/x86/boot/build32.mk
index 48c7407c00..5a00755512 100644
--- a/xen/arch/x86/boot/build32.mk
+++ b/xen/arch/x86/boot/build32.mk
@@ -3,6 +3,7 @@ CFLAGS =
 include $(XEN_ROOT)/Config.mk
 
 $(call cc-options-add,CFLAGS,CC,$(EMBEDDED_EXTRA_CFLAGS))
+$(call cc-option-add,CFLAGS,CC,-fcf-protection=none)
 
 CFLAGS += -Werror -fno-asynchronous-unwind-tables -fno-builtin -g0 -msoft-float
 CFLAGS += -I$(XEN_ROOT)/xen/include
-- 
2.11.0

Re: [PATCH] x86/build: Unilaterally disable -fcf-protection

[Jason Andryuk]

On Tue, May 12, 2020 at 3:11 PM Andrew Cooper <andrew.cooper3@citrix.com> wrote:
>
> See comment for details.  Works around a GCC-9 bug which breaks the build on
> Ubuntu.
>
> Reported-by: Jason Andryuk <jandryuk@gmail.com>
> Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>

Tested-by: Jason Andryuk <jandryuk@gmail.com>
Reviewed-by: Jason Andryuk <jandryuk@gmail.com>

> diff --git a/xen/arch/x86/arch.mk b/xen/arch/x86/arch.mk
> index 2a51553edb..93e30e4bea 100644
> --- a/xen/arch/x86/arch.mk
> +++ b/xen/arch/x86/arch.mk
> @@ -67,6 +67,15 @@ CFLAGS-$(CONFIG_INDIRECT_THUNK) += -mindirect-branch=thunk-extern
>  CFLAGS-$(CONFIG_INDIRECT_THUNK) += -mindirect-branch-register
>  CFLAGS-$(CONFIG_INDIRECT_THUNK) += -fno-jump-tables
>
> +# Xen doesn't support CET-IBT yet.  At a minimum, logic is required to
> +# enable it for supervisor use, but the Livepatch functionality needs
> +# to learn not to overwrite ENDBR64 instructions.

Is the problem that existing functions start with ENDBR64, but the
livepatch overwrites with a "real" instruction?

Regards,
Jason

Re: [PATCH] x86/build: Unilaterally disable -fcf-protection

[Andrew Cooper]

On 13/05/2020 03:35, Jason Andryuk wrote:
> [CAUTION - EXTERNAL EMAIL] DO NOT reply, click links, or open attachments unless you have verified the sender and know the content is safe.
>
> On Tue, May 12, 2020 at 3:11 PM Andrew Cooper <andrew.cooper3@citrix.com> wrote:
>> See comment for details.  Works around a GCC-9 bug which breaks the build on
>> Ubuntu.
>>
>> Reported-by: Jason Andryuk <jandryuk@gmail.com>
>> Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
> Tested-by: Jason Andryuk <jandryuk@gmail.com>
> Reviewed-by: Jason Andryuk <jandryuk@gmail.com>
>
>> diff --git a/xen/arch/x86/arch.mk b/xen/arch/x86/arch.mk
>> index 2a51553edb..93e30e4bea 100644
>> --- a/xen/arch/x86/arch.mk
>> +++ b/xen/arch/x86/arch.mk
>> @@ -67,6 +67,15 @@ CFLAGS-$(CONFIG_INDIRECT_THUNK) += -mindirect-branch=thunk-extern
>>  CFLAGS-$(CONFIG_INDIRECT_THUNK) += -mindirect-branch-register
>>  CFLAGS-$(CONFIG_INDIRECT_THUNK) += -fno-jump-tables
>>
>> +# Xen doesn't support CET-IBT yet.  At a minimum, logic is required to
>> +# enable it for supervisor use, but the Livepatch functionality needs
>> +# to learn not to overwrite ENDBR64 instructions.
> Is the problem that existing functions start with ENDBR64, but the
> livepatch overwrites with a "real" instruction?

We livepatch by creating a new complete copy of the function, and
putting `jmp new` at the head of the old one.

This means we don't need to patch every callsite and track every
function pointer to the old function, and we can fully revert by
replacing the 5 bytes which became `jmp new`.

With CET-IBT in the mix, livepatch will have to learn to spot an ENDBR64
instruction and leave it intact, patching instead the next 5 bytes, so
an old function pointer still lands on the ENDBR64 instruction.

~Andrew

Re: [PATCH] x86/build: Unilaterally disable -fcf-protection

[Jason Andryuk]

On Wed, May 13, 2020 at 7:01 AM Andrew Cooper <andrew.cooper3@citrix.com> wrote:
>
> On 13/05/2020 03:35, Jason Andryuk wrote:
> > [CAUTION - EXTERNAL EMAIL] DO NOT reply, click links, or open attachments unless you have verified the sender and know the content is safe.
> >
> > On Tue, May 12, 2020 at 3:11 PM Andrew Cooper <andrew.cooper3@citrix.com> wrote:
> >> +# Xen doesn't support CET-IBT yet.  At a minimum, logic is required to
> >> +# enable it for supervisor use, but the Livepatch functionality needs
> >> +# to learn not to overwrite ENDBR64 instructions.
> > Is the problem that existing functions start with ENDBR64, but the
> > livepatch overwrites with a "real" instruction?
>
> We livepatch by creating a new complete copy of the function, and
> putting `jmp new` at the head of the old one.
>
> This means we don't need to patch every callsite and track every
> function pointer to the old function, and we can fully revert by
> replacing the 5 bytes which became `jmp new`.
>
> With CET-IBT in the mix, livepatch will have to learn to spot an ENDBR64
> instruction and leave it intact, patching instead the next 5 bytes, so
> an old function pointer still lands on the ENDBR64 instruction.

Ah, okay.  Thanks for the explanation.

-Jason

Re: [PATCH] x86/build: Unilaterally disable -fcf-protection

[Jan Beulich]

On 12.05.2020 21:11, Andrew Cooper wrote:
> See comment for details.  Works around a GCC-9 bug which breaks the build on
> Ubuntu.
> 
> Reported-by: Jason Andryuk <jandryuk@gmail.com>
> Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>

Reviewed-by: Jan Beulich <jbeulich@suse.com>