On 13/05/2020 15:13, Jan Beulich wrote:
> On 13.05.2020 15:55, Andrew Cooper wrote:
>> Xen doesn't support CET-IBT yet. At a minimum, logic is required to enable it
>> for supervisor use, but the livepatch functionality needs to learn not to
>> overwrite ENDBR64 instructions.
>>
>> Furthermore, Ubuntu enables -fcf-protection by default, along with a buggy
>> version of GCC-9 which objects to it in combination with
>> -mindirect-branch=thunk-extern (Fixed in GCC 10, 9.4).
>>
>> Various objects (Xen boot path, Rombios 32 stubs) require .text to be at the
>> beginning of the object. These paths explode when .note.gnu.properties gets
>> put ahead of .text and we end up executing the notes data.
>>
>> Disable -fcf-protection for all embedded objects.
>>
>> Reported-by: Jason Andryuk <jandr...@gmail.com>
>> Signed-off-by: Andrew Cooper <andrew.coop...@citrix.com>
> For the immediate purpose
> Reviewed-by: Jan Beulich <jbeul...@suse.com>

Thanks.

> I wonder however ...
>
>> --- a/Config.mk
>> +++ b/Config.mk
>> @@ -205,6 +205,7 @@ APPEND_CFLAGS += $(foreach i, $(APPEND_INCLUDES), -I$(i))
>>
>> EMBEDDED_EXTRA_CFLAGS := -nopie -fno-stack-protector
>> -fno-stack-protector-all
>> EMBEDDED_EXTRA_CFLAGS += -fno-exceptions -fno-asynchronous-unwind-tables
>> +EMBEDDED_EXTRA_CFLAGS += -fcf-protection=none
> ... whether this isn't going to bite us once some of the consumers
> of this variable want to enable some different mode.

I'm not overly happy with EMBEDDED_EXTRA_CFLAGS as a concept, but these build
fixes do need backporting. All embedded targets may in principle use some/all
of these options at some point in the future.

~Andrew
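Review bot: The added `+EMBEDDED_EXTRA_CFLAGS += -fcf-protection=none` carries no comment explaining why it is there, so the reason from the commit message (the .note.gnu.property section landing ahead of .text in objects that must start with .text) will be invisible to anyone who later wants to switch a consumer of this variable to a different mode, which is exactly the concern raised above; a one-line comment above it, e.g. "# CET: embedded objects must start with .text, so no .note.gnu.property", would record that. It is also appended unconditionally, like the existing flags on the two lines before it, so confirm that consumers of EMBEDDED_EXTRA_CFLAGS already filter these through a compiler-support check before they reach a toolchain that does not know -fcf-protection.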
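The failure described in the commit message is a section-order problem, so the check a practitioner would want after building an embedded object is whether .text is still the first section and whether a .note.gnu.property section was emitted at all. The following is an added example, not code from the patch or from the Xen build system: it parses ELF64 section headers directly, and the sample objects are constructed in memory by a hypothetical build_object() helper (with empty placeholder sections) so it runs offline; on a real build you would pass the bytes of the built object instead.

```python
import struct

# Elf64_Shdr: sh_name, sh_type, sh_flags, sh_addr, sh_offset, sh_size,
# sh_link, sh_info, sh_addralign, sh_entsize (little-endian)
SHDR = struct.Struct("<IIQQQQIIQQ")
SHT_NULL, SHT_PROGBITS, SHT_STRTAB, SHT_NOTE = 0, 1, 3, 7

def section_names(obj: bytes) -> list:
    """Section names of a little-endian ELF64 file, in section-header order."""
    if obj[:4] != b"\x7fELF" or obj[4] != 2 or obj[5] != 1:
        raise ValueError("not a little-endian ELF64 object")
    (e_shoff,) = struct.unpack_from("<Q", obj, 0x28)
    e_shentsize, e_shnum, e_shstrndx = struct.unpack_from("<HHH", obj, 0x3A)
    hdrs = [SHDR.unpack_from(obj, e_shoff + i * e_shentsize) for i in range(e_shnum)]
    strtab = hdrs[e_shstrndx][4]  # sh_offset of .shstrtab
    return [obj[strtab + h[0]:obj.index(b"\0", strtab + h[0])].decode() for h in hdrs]

def check_embedded_object(obj: bytes) -> dict:
    """Report the two things the patch description is about: is .text the first
    real section (index 1, after the mandatory null entry), and did the
    compiler emit a .note.gnu.property (CET) section at all?"""
    names = section_names(obj)
    return {"text_first": len(names) > 1 and names[1] == ".text",
            "has_property_note": ".note.gnu.property" in names}

def build_object(order) -> bytes:
    """Constructed sample (hypothetical helper): a minimal relocatable ELF64 whose
    sections, all empty placeholders, appear in the given order, then .shstrtab."""
    names = list(order) + [".shstrtab"]
    shstrtab, name_off = b"\0", {}
    for n in names:
        name_off[n] = len(shstrtab)
        shstrtab += n.encode() + b"\0"
    shoff = 64 + len(shstrtab)
    shoff += (-shoff) % 8  # align the section-header table
    ehdr = b"\x7fELF\x02\x01\x01" + b"\0" * 9 + struct.pack(
        "<HHIQQQIHHHHHH", 1, 62, 1, 0, 0, shoff, 0, 64, 0, 0, 64, len(names) + 1, len(names))
    shdrs = [SHDR.pack(0, SHT_NULL, 0, 0, 0, 0, 0, 0, 0, 0)]
    for n in names:
        kind = SHT_STRTAB if n == ".shstrtab" else SHT_NOTE if n.startswith(".note") else SHT_PROGBITS
        size = len(shstrtab) if n == ".shstrtab" else 0
        shdrs.append(SHDR.pack(name_off[n], kind, 0, 0, 64, size, 0, 0, 1, 0))
    body = ehdr + shstrtab
    return body + b"\0" * (shoff - len(body)) + b"".join(shdrs)

if __name__ == "__main__":
    for order in ([".text", ".note.gnu.property"], [".note.gnu.property", ".text"]):
        print(order, check_embedded_object(build_object(order)))
```

The same check can be run over the real artefact with `check_embedded_object(open(path, "rb").read())`; a `text_first` of False on an object that is later flattened with objcopy is the condition the commit message describes.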