| Summary: | sys-boot/grub-0.97-r9 with hardened i686 gcc 3.4.6 won't boot | | |
|---|---|---|---|
| Product: | Gentoo Linux | Reporter: | mephinet <mephinet> |
| Component: | Hardened | Assignee: | Gentoo's Team for Core System packages <base-system> |
| Status: | RESOLVED FIXED | | |
| Severity: | critical | CC: | hardened, kanelxake, mail, zorry |
| Priority: | High | Keywords: | EBUILD |
| Version: | 2008.0 | | |
| Hardware: | x86 | | |
| OS: | Linux | | |
| Whiteboard: | done:0.97-r10 | | |
| Package list: | | Runtime testing required: | --- |
Attachments:
- emerge --info
- emerge --info with hardened gcc profile
- Ported the Grub2 -fPIE Check
- Old gcc 3.4.6 hardened defined __PIC__ instead of __PIE__
- ebuild that applies the patch
- Clean -fPIE check patch

Description
mephinet
2009-08-12 20:20:33 UTC
switched back and forth twice to double-check, always with the same result. this is a Via Esther processor. output of emerge --info comes in a few minutes.

Created attachment 201075
emerge --info

Created attachment 201076
emerge --info with hardened gcc profile

Hi, can you try the -hardenednopie or -hardenednossp gcc profile and see which profile makes it not boot, and is grub working from the command line?

(In reply to comment #4)
> Hi, can you try the -hardenednopie or -hardenednossp gcc profile and see which
> profile makes it not boot, and is grub working from the command line?

I will try this in the evening. At least the commandline tool grub-install always worked fine.

For completeness' sake: the Via Esther is also called Via C7. My profile is hardened/linux/x86/2008.0/server/

nopie: boots
nossp: does not boot.
so pie is the one to blame here.

Can't test the error but will look at it more and hope to get a working patch. Somehow the ebuild does not disable PIE/PIC for grub on your platform.

Check the size of the boot/grub dir. Size of stage1 and stage2?

More accurately, please do: du -hs /lib/grub

    * Switching native-compiler to i686-pc-linux-gnu-3.4.6 ...
    ... emerging grub ...
    $ du -hs /lib/grub
    368K /lib/grub
    * Switching native-compiler to i686-pc-linux-gnu-3.4.6-hardenednopie ...
    ... emerging grub ...
    $ du -hs /lib/grub
    368K /lib/grub

Sorry, I messed up! please ignore comment #11. Once again:

    * Switching native-compiler to i686-pc-linux-gnu-3.4.6 ...
    ... source /etc/profile, emerge grub ...
    $ du -hs /lib/grub
    368K /lib/grub
    * Switching native-compiler to i686-pc-linux-gnu-3.4.6-hardenednopie ...
    $ du -hs /lib/grub
    336K /lib/grub

Somehow the filter-flags -fPIE in the ebuild does not work as it should.

Created attachment 203206
Ported the Grub2 -fPIE Check
Try this patch and see if it works.
(In reply to comment #14)
> Ported the Grub2 -fPIE Check
>
> Try this patch and see if it works.

Dear Magnus,

sorry it took so long for me to find an opportunity to make this test! I stored your patch in the files subdirectory, added the following line to the ebuild:

    epatch "${FILESDIR}"/grub-0.97-fpie_check.patch

Now, with gcc-config set to i686-pc-linux-gnu-3.4.6, when I run configure, I see:

    $ ebuild grub-0.97-r9.ebuild compile
    ...
    * Applying grub-0.97-fpie_check.patch ... ok
    ...
    checking whether `i686-pc-linux-gnu-gcc' has `-fPIE' as default... no

which is not what I expected...

(In reply to comment #15)
> (In reply to comment #14)
> > Ported the Grub2 -fPIE Check
> >
> > Try this patch and see if it works.
>
> Dear Magnus,
>
> sorry it took so long for me to find an opportunity to make this test!
> I stored your patch in the files subdirectory, added the following line to the
> ebuild:
> epatch "${FILESDIR}"/grub-0.97-fpie_check.patch
>
> Now, with gcc-config set to i686-pc-linux-gnu-3.4.6, when I run configure, I
> see:
>
> $ ebuild grub-0.97-r9.ebuild compile
> ...
> * Applying grub-0.97-fpie_check.patch ... ok
> ...
> checking whether `i686-pc-linux-gnu-gcc' has `-fPIE' as default... no
>
> which is not what I expected...
>

Remove the filter-flags -fPIE line in the ebuild.

Hi base-system, another grub+PIE fail. Re-assigning like bug 139277. Curious, what is the resistance to patching configure/make/whatever to filter pic/pie? thanks.

(In reply to comment #16)
> Remove the filter-flags -fPIE line in the ebuild.

No matter whether I filter-flag, remove-flag, add-flag PIE or no-PIE in the ebuild, the size of the /lib/grub directory stays constant at the non-booting value...

Created attachment 205767
Old gcc 3.4.6 hardened defined __PIC__ instead of __PIE__
Can you check with this patch.
oh yes, this looks good - the PIE detection returns "yes" now and the /lib/grub size is as expected. I'll reboot tomorrow evening...

Magnus, thanks a lot for your support, the reboot was successful - so your fpie_check.patch fixes the issue. I don't know whether you want to add your patch to the grub patch collection tarball - in case you don't, here's the ebuild that applies your patch successfully... (I don't mark the bug as resolved, as it's not in the official tree yet - I hope that's the correct workflow...)

Created attachment 205872
ebuild that applies the patch
http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-dev.git;a=commit;h=b7b83daed781b58a0532d5d9c19f98d091a3b164

Thanks for finding the bug and testing the patch. @base-system this patch fixes bug 139277 too.

whohoo, this just saved my day... just for the records: i'm setting up a hardened amd64 box at the moment and when it came to installing grub 0.97-r9, after rebooting, grub came up with just a console and was just reporting "Error 28: Selected item cannot fit into memory" on every command you would type, it also detected 0K upper memory. now 0.97-r11 from hardened-dev overlay works fine

Created attachment 222823
Clean -fPIE check patch
Have cleaned the patch up.
If I try to check for -nopie instead of -fPIE it is always true if I use the code from the -fno-stack-protector check.

that looks fine. the PIC stuff is odd, but not much we can do about it i guess. added to cvs
http://sources.gentoo.org/gentoo/src/patchsets/grub/0.97/860_all_grub-0.97-pie.patch?rev=1.1

*** Bug 139277 has been marked as a duplicate of this bug. ***

reopening to spin patchset tarball

Now committed and published as new patchset: grub-0.97-patches-1.10.tar.bz2
Ebuild sys-boot/grub-0.97-r10 committed.

gcc-6 (at least 6.4, didn't check others) drops the gentoo pie patches, and with it the 'nopie' option; the patch now needs to use '-no-pie' instead it seems. As this is contingent on the gcc version (and grub-0.97 likely has a limited lifespan) i'm going to sed -nopie to -no-pie on the patch on new-enough gcc rather than trying to conditionally apply different patches.
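
The detection this thread converges on, sketched as an added shell example (it is not the Gentoo patch or any participant's code): treat `__PIC__` as well as `__PIE__` as evidence of a PIE-by-default compiler, and choose `-nopie` or `-no-pie` by gcc major version. The function names and the sample macro dumps are constructed for illustration, and the version threshold of 6 is an assumption taken from the last comment.

```shell
#!/bin/sh
# Added example; function names are hypothetical, samples are constructed.

# Classify a predefined-macro dump (the format `cc -dM -E - </dev/null`
# prints) read from stdin. Prints "yes" when the compiler emits
# position-independent code by default. __PIC__ is accepted as well as
# __PIE__ because, per this bug, hardened gcc 3.4.6 defined __PIC__
# instead of __PIE__, so a check for __PIE__ alone answered "no".
pie_default_from_macros() {
    if grep -Eq '^#define[[:space:]]+__(PIE|PIC)__([[:space:]]|$)'; then
        echo yes
    else
        echo no
    fi
}

# Choose the spelling of the "disable PIE" option from a gcc version string.
# Assumption from the last comment: gcc 6 and later need -no-pie, while the
# older Gentoo-patched compilers used -nopie.
nopie_flag_for_version() {
    major=${1%%.*}
    case $major in
        ''|*[!0-9]*) echo unknown; return 1 ;;
    esac
    if [ "$major" -ge 6 ]; then echo "-no-pie"; else echo "-nopie"; fi
}

# Probe a real compiler (CC defaults to cc); not needed for the samples.
probe_compiler() {
    "${CC:-cc}" -dM -E - </dev/null 2>/dev/null | pie_default_from_macros
}

# Constructed macro dumps, not captured from real compilers.
SAMPLE_VANILLA='#define __GNUC__ 3
#define __i386__ 1'
SAMPLE_HARDENED_346='#define __GNUC__ 3
#define __PIC__ 1
#define __i386__ 1'
SAMPLE_MODERN_PIE='#define __GNUC__ 6
#define __PIE__ 2
#define __PIC__ 2'
```

A boot loader built as PIE without this detection still compiles and installs cleanly, which is why the thread falls back on comparing the size of /lib/grub between profiles before rebooting.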