Hi Andrew,

> On 26 Apr 2022, at 00:06, Andrew Cooper <andrew.coop...@citrix.com> wrote:
>
> In a GNU compatible makefile, $(LDFLAGS) are passed to $(CC), not $(LD).

You mean because CC is used for linking or even when compiling object files?
If not, what is the expected way to pass linker flags?

>
> In a default CentOS 7 build environment, $(LDFLAGS) is set to -Wl,-z,relro,
> which causes the Xen build to explode with:
>
> ld: unrecognized option '-Wl,-z,relro'
> ld: use the --help option for usage information
>
> It turns out that many downstreams identify this as a breakage in Xen's build
> system and bodge around it in various ways, mostly by unsetting all of
> $(CFLAGS), $(AFLAGS) and $(LDFLAGS).
>
> However, that is a security issue because it means that tools/ is not built
> with the distro-wide hardening flags that are otherwise expected of
> packages (relro, _FORTIFY_SOURCE, stack-protector, etc).
>
> tools/ specifically should honour the packaging environment's choice of flags,
> while xen/ must not pass $(LDFLAGS) to $(LD), and should not be influenced by
> the others either.
>
> Signed-off-by: Andrew Cooper <andrew.coop...@citrix.com>
> ---
> CC: Anthony PERARD <anthony.per...@citrix.com>
> CC: Bertrand Marquis <bertrand.marq...@arm.com>
> CC: George Dunlap <george.dun...@eu.citrix.com>
> CC: Jan Beulich <jbeul...@suse.com>
> CC: Juergen Gross <jgr...@suse.com>
> CC: Julien Grall <jul...@xen.org>
> CC: Roger Pau Monné <roger....@citrix.com>
> CC: Stefano Stabellini <sstabell...@kernel.org>
> CC: Volodymyr Babchuk <volodymyr_babc...@epam.com>
> CC: Wei Liu <w...@xen.org>
>
> RFC, because CFLAGS/AFLAGS need nuking too, and they're rather more entangled.
> I expect this to cause some disagreement, but Xen is behaving in a very
> nonstandard way even among embedded projects and all downstreams are suffering
> security problems as a consequence.
> ---
> xen/Makefile | 2 ++
> 1 file changed, 2 insertions(+)
>
> diff --git a/xen/Makefile b/xen/Makefile
> index ec34524ed21d..a8e1de54823b 100644
> --- a/xen/Makefile
> +++ b/xen/Makefile
> @@ -254,6 +254,8 @@ export KBUILD_DEFCONFIG := $(ARCH)_defconfig
> # reparsing Config.mk by e.g. arch/x86/boot/.
> export XEN_TREEWIDE_CFLAGS := $(CFLAGS)
>
> +LDFLAGS :=
> +

This would require a comment in the Makefile to explain why this is done.

Also how could anybody specify linker-specific flags if this is done?

Regards
Bertrand

> # CLANG_FLAGS needs to be calculated before calling Kconfig
> ifneq ($(shell $(CC) --version 2>&1 | head -n 1 | grep clang),)
> CLANG_FLAGS :=
> --
> 2.11.0
>
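
Review bot: The added `LDFLAGS :=` after `export XEN_TREEWIDE_CFLAGS := $(CFLAGS)` has no comment saying why the variable is emptied; add one stating that the environment's $(LDFLAGS) are written for $(CC) (for example -Wl,-z,relro) and must not reach $(LD) in xen/. A plain assignment in a makefile replaces a value inherited from the environment but not one given on the make command line, so `make LDFLAGS=...` would still reach $(LD); `override LDFLAGS :=` covers that case if it is meant to be handled. Because the hunk empties the variable without offering a replacement, the comment should also say how linker-only flags are expected to be passed to the hypervisor link.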