| Summary: | >=dev-util/ccache-3.2: kernel compile fails with hardened compiler | | |
|---|---|---|---|
| Product: | Gentoo Linux | Reporter: | mike <mike> |
| Component: | Hardened | Assignee: | The Gentoo Linux Hardened Team <hardened> |
| Status: | RESOLVED FIXED | | |
| Severity: | normal | CC: | abandonedaccountubdprczb8hs, aoaaxy+gentoobugzilla, bug, zazdxscf+bugs.gentoo.org |
| Priority: | Normal | | |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Package list: | | Runtime testing required: | --- |
| Attachments: | genkernel.log | | |

Description
mike@marineau.org
2015-01-08 02:35:37 UTC
Created attachment 396416
genkernel.log
make -f ./scripts/Makefile.build obj=arch/x86/vdso
gcc -Wp,-MD,arch/x86/vdso/.vdso-image-64.o.d -nostdinc -isystem /usr/lib/gcc/x86_64-pc-linux-gnu/4.8.3/include -I./arch/x86/include -Iarch/x86/include/generated/uapi -Iarch/x86/include/generated -Iinclude -I./arch/x86/include/uapi -Iarch/x86/include/generated/uapi -I./include/uapi -Iinclude/generated/uapi -include ./include/linux/kconfig.h -D__KERNEL__ -Wall -Wundef -Wstrict-prototypes -Wno-trigraphs -fno-strict-aliasing -fno-common -Werror-implicit-function-declaration -Wno-format-security -std=gnu89 -m64 -mno-80387 -mno-fp-ret-in-387 -mtune=generic -mno-red-zone -mcmodel=kernel -funit-at-a-time -maccumulate-outgoing-args -DCONFIG_AS_CFI=1 -DCONFIG_AS_CFI_SIGNAL_FRAME=1 -DCONFIG_AS_CFI_SECTIONS=1 -DCONFIG_AS_FXSAVEQ=1 -DCONFIG_AS_CRC32=1 -DCONFIG_AS_AVX=1 -DCONFIG_AS_AVX2=1 -pipe -Wno-sign-compare -fno-asynchronous-unwind-tables -mno-sse -mno-mmx -mno-sse2 -mno-3dnow -mno-avx -fno-delete-null-pointer-checks -Os -Wno-maybe-uninitialized --param=allow-store-data-races=0 -Wframe-larger-than=2048 -fno-stack-protector -Wno-unused-but-set-variable -fno-omit-frame-pointer -fno-optimize-sibling-calls -fno-var-tracking-assignments -Wdeclaration-after-statement -Wno-pointer-sign -fno-strict-overflow -fconserve-stack -Werror=implicit-int -Werror=strict-prototypes -DCC_HAVE_ASM_GOTO -D"KBUILD_STR(s)=#s" -D"KBUILD_BASENAME=KBUILD_STR(vdso_image_64)" -D"KBUILD_MODNAME=KBUILD_STR(vdso_image_64)" -c -o arch/x86/vdso/.tmp_vdso-image-64.o arch/x86/vdso/vdso-image-64.c
arch/x86/vdso/vdso-image-64.c:1:0: error: code model kernel does not support PIC mode
/* AUTOMATICALLY GENERATED -- DO NOT EDIT */
^
scripts/Makefile.build:257: recipe for target 'arch/x86/vdso/vdso-image-64.o' failed
make[2]: *** [arch/x86/vdso/vdso-image-64.o] Error 1
scripts/Makefile.build:402: recipe for target 'arch/x86/vdso' failed
make[1]: *** [arch/x86/vdso] Error 2
Makefile:939: recipe for target 'arch/x86' failed
make: *** [arch/x86] Error 2

I forgot to mention the obvious, that gcc is ccache's gcc (in case there are any doubts):
(chroot1) livecd / # echo $PATH
/usr/lib/ccache/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/opt/bin:/usr/x86_64-pc-linux-gnu/gcc-bin/4.8.3:~/bin
(chroot1) livecd / # which gcc
/usr/lib/ccache/bin/gcc
(chroot1) livecd / # gcc --version
gcc (Gentoo Hardened 4.8.3 p1.1, pie-0.5.9) 4.8.3
...
(ccache updated to 3.2.1 since my prev. comment)
(chroot1) livecd / # ccache -V
ccache version 3.2.1
...

workaround then, I guess. Skip ccache:
(chroot1) livecd / # time PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/opt/bin:/usr/x86_64-pc-linux-gnu/gcc-bin/4.8.3" genkernel all --bootdir="/but" --install --symlink --no-splash --makeopts="-j4 V=0" --no-keymap --lvm --no-mdadm --no-dmraid --no-zfs --no-multipath --no-iscsi --disklabel --luks --no-gpg --no-netboot --no-unionfs --kernname=genkernel --no-firmware --no-integrated-initramfs --compress-initramfs --compress-initrd --compress-initramfs-type=best --loglevel=5 --color --no-clean --oldconfig --mountboot --no-postclear

And just in case FEATURES has ccache set (in /etc/portage/make.conf),
then to be sure ccache is not used and also be sure PATH isn't pointing at ccache but without manually setting the path yourself, I did this:
# env-update && source /etc/profile ; hash -r
# time FEATURES="-ccache" genkernel all --bootdir="/but" --install --symlink --no-splash --no-mountboot --makeopts="-j4 V=0" --no-keymap --lvm --no-mdadm --no-dmraid --no-zfs --no-multipath --no-iscsi --disklabel --luks --no-gpg --no-netboot --no-unionfs --kernname=genkernel --no-firmware --no-integrated-initramfs --compress-initramfs --compress-initrd --compress-initramfs-type=best --loglevel=5 --color --no-clean --oldconfig --no-mountboot --no-postclear
To explain the effects of the above:
hdual ~ # echo $PATH
/usr/lib/ccache/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/opt/bin:/usr/x86_64-pc-linux-gnu/gcc-bin/4.9.2:~/bin
hdual ~ # env-update && source /etc/profile ; hash -r
>>> Regenerating /etc/ld.so.cache...
hdual ~ # echo $PATH
/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/opt/bin:/usr/x86_64-pc-linux-gnu/gcc-bin/4.9.2
hdual ~ #
that took care of PATH not pointing to ccache/bin (because sourcing /etc/profile didn't also source ~/.bashrc so PATH just got overridden by the former)
(just source /etc/profile should be enough though)
and the FEATURES="-ccache" on the second command makes sure genkernel doesn't use ccache for this invocation
("time" can be omitted from the command line)
All that allows me to skip this error when compiling the kernel:
scripts/mod/empty.c:1:0: error: code model kernel does not support PIC mode
and compiles kernel just fine.
Btw, thanks OP(mike) for the explanation!
Cheers.

Revisited this to see if I could move it along by submitting a patch for the hardened compiler but the flag triggering the error, -mcmodel=kernel, is x86 specific and there aren't any other kernel specific options being used. So as far as I can tell it is just not possible to fix this. When using ccache kernels must be built with a different gcc profile or -nopie must be added to the kernel's CFLAGS.

Just wanted to note for others who may be seeing this that -nopie isn't the only option required, -fstack-check=no is also needed. The hardened default of enabling -fstack-check breaks vDSO w/ Go 1.3.x binaries, likely others too. The third and final hardened default flag, -fstack-protector, is not an issue because the kernel build explicitly enables/disables it as appropriate. So:
> make KCFLAGS="-nopie -fstack-check=no"
A little more detail here: https://github.com/coreos/coreos-overlay/pull/1359

we use upstream gcc pie default on pie support.
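
A pre-flight check for the situation discussed in this report, written as an added example that is not part of the original thread or of any Gentoo tool: it reports whether `gcc` resolves through a ccache wrapper, prints the PATH with the wrapper directories removed, and checks whether the compiler enables PIE by default. The function names are hypothetical; it assumes wrapper directories end in `ccache/bin` and that each wrapper is a symlink to a binary named `ccache`.

```sh
#!/bin/sh
# Added example, not from the bug report. Assumptions: ccache wrapper
# directories end in "ccache/bin" (as in the PATH shown in the report) and
# each wrapper is a symlink to a binary named "ccache".

# Print PATH-style list $1 without ccache wrapper dirs (empty entries dropped).
path_without_ccache() {
    rest="$1:" out=
    while [ -n "$rest" ]; do
        dir=${rest%%:*}; rest=${rest#*:}
        case $dir in
            ''|*/ccache/bin|*/ccache/bin/) continue ;;
        esac
        out=${out:+$out:}$dir
    done
    printf '%s\n' "$out"
}

# Succeed if the first executable named $1 in PATH-style list $2 is ccache.
resolves_via_ccache() {
    rest="$2:"
    while [ -n "$rest" ]; do
        dir=${rest%%:*}; rest=${rest#*:}
        if [ -n "$dir" ] && [ -f "$dir/$1" ] && [ -x "$dir/$1" ]; then
            target=$(readlink -f "$dir/$1")
            case ${target##*/} in ccache) return 0 ;; *) return 1 ;; esac
        fi
    done
    return 1
}

# Succeed if compiler $1 turns PIE on by default (it then predefines __PIE__).
defaults_to_pie() {
    "$1" -dM -E -x c /dev/null 2>/dev/null | grep -q '__PIE__'
}

# Report on the current environment; nothing is modified.
if resolves_via_ccache gcc "$PATH"; then
    echo "gcc resolves to ccache; PATH without the wrapper directories:"
    path_without_ccache "$PATH"
fi
if defaults_to_pie gcc; then
    echo 'gcc defaults to PIE; on the hardened toolchain in this report the'
    echo 'workaround given was: make KCFLAGS="-nopie -fstack-check=no"'
fi
```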