Bug 535984 - >=dev-util/ccache-3.2: kernel compile fails with hardened compiler
Status: RESOLVED FIXED
Product: Gentoo Linux
Classification: Unclassified
Component: Hardened
Hardware: All Linux
Importance: Normal normal
Assignee: The Gentoo Linux Hardened Team
Reported: 2015-01-08 02:35 UTC by mike@marineau.org
Modified: 2018-10-12 00:42 UTC

Attachments
genkernel.log (genkernel.log,20.03 KB, text/plain)
2015-02-14 03:12 UTC, abandoned account
Description mike@marineau.org 2015-01-08 02:35:37 UTC
The release notes for ccache 3.2 include this nugget:

> ccache no longer passes preprocessor options like -D and -I to the compiler when compiling preprocessed output. This fixes warnings emitted by clang.

Unfortunately the hardened compiler (at least as of gcc-4.8.3) uses -D__KERNEL__ to detect kernel builds and turn off pie. So now kernel builds fail with the following error:

> error: code model kernel does not support PIC mode

Not sure if this is best addressed in ccache or gcc. It seems reasonable for ccache to assume preprocessor arguments don't matter for compile mode but I'm not sure if checking for -mcmodel=kernel, which I presume is what actually triggers the error, is sufficient. -D__KERNEL__ is used much more frequently than -mcmodel=kernel so there may be other things protected by -D__KERNEL__ right now.

Reproducible: Always
Comment 1 abandoned account 2015-02-14 03:12:32 UTC
Created attachment 396416
genkernel.log

make -f ./scripts/Makefile.build obj=arch/x86/vdso
  gcc -Wp,-MD,arch/x86/vdso/.vdso-image-64.o.d  -nostdinc -isystem /usr/lib/gcc/x86_64-pc-linux-gnu/4.8.3/include -I./arch/x86/include -Iarch/x86/include/generated/uapi -Iarch/x86/include/generated  -Iinclude -I./arch/x86/include/uapi -Iarch/x86/include/generated/uapi -I./include/uapi -Iinclude/generated/uapi -include ./include/linux/kconfig.h -D__KERNEL__ -Wall -Wundef -Wstrict-prototypes -Wno-trigraphs -fno-strict-aliasing -fno-common -Werror-implicit-function-declaration -Wno-format-security -std=gnu89 -m64 -mno-80387 -mno-fp-ret-in-387 -mtune=generic -mno-red-zone -mcmodel=kernel -funit-at-a-time -maccumulate-outgoing-args -DCONFIG_AS_CFI=1 -DCONFIG_AS_CFI_SIGNAL_FRAME=1 -DCONFIG_AS_CFI_SECTIONS=1 -DCONFIG_AS_FXSAVEQ=1 -DCONFIG_AS_CRC32=1 -DCONFIG_AS_AVX=1 -DCONFIG_AS_AVX2=1 -pipe -Wno-sign-compare -fno-asynchronous-unwind-tables -mno-sse -mno-mmx -mno-sse2 -mno-3dnow -mno-avx -fno-delete-null-pointer-checks -Os -Wno-maybe-uninitialized --param=allow-store-data-races=0 -Wframe-larger-than=2048 -fno-stack-protector -Wno-unused-but-set-variable -fno-omit-frame-pointer -fno-optimize-sibling-calls -fno-var-tracking-assignments -Wdeclaration-after-statement -Wno-pointer-sign -fno-strict-overflow -fconserve-stack -Werror=implicit-int -Werror=strict-prototypes -DCC_HAVE_ASM_GOTO    -D"KBUILD_STR(s)=#s" -D"KBUILD_BASENAME=KBUILD_STR(vdso_image_64)"  -D"KBUILD_MODNAME=KBUILD_STR(vdso_image_64)" -c -o arch/x86/vdso/.tmp_vdso-image-64.o arch/x86/vdso/vdso-image-64.c
arch/x86/vdso/vdso-image-64.c:1:0: error: code model kernel does not support PIC mode
 /* AUTOMATICALLY GENERATED -- DO NOT EDIT */
 ^
scripts/Makefile.build:257: recipe for target 'arch/x86/vdso/vdso-image-64.o' failed
make[2]: *** [arch/x86/vdso/vdso-image-64.o] Error 1
scripts/Makefile.build:402: recipe for target 'arch/x86/vdso' failed
make[1]: *** [arch/x86/vdso] Error 2
Makefile:939: recipe for target 'arch/x86' failed
make: *** [arch/x86] Error 2
Comment 2 abandoned account 2015-02-14 03:29:24 UTC
I forgot to mention the obvious, that gcc is ccache's gcc  (in case there are any doubts):

(chroot1) livecd / # echo $PATH
/usr/lib/ccache/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/opt/bin:/usr/x86_64-pc-linux-gnu/gcc-bin/4.8.3:~/bin

(chroot1) livecd / # which gcc
/usr/lib/ccache/bin/gcc


(chroot1) livecd / # gcc --version
gcc (Gentoo Hardened 4.8.3 p1.1, pie-0.5.9) 4.8.3
...

(ccache updated to 3.2.1 since my prev. comment)
(chroot1) livecd / # ccache -V
ccache version 3.2.1
...



workaround then, I guess. Skip ccache:
(chroot1) livecd / # time PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/opt/bin:/usr/x86_64-pc-linux-gnu/gcc-bin/4.8.3" genkernel all --bootdir="/but" --install --symlink --no-splash --makeopts="-j4 V=0" --no-keymap --lvm  --no-mdadm --no-dmraid --no-zfs --no-multipath --no-iscsi --disklabel --luks --no-gpg --no-netboot --no-unionfs --kernname=genkernel --no-firmware --no-integrated-initramfs --compress-initramfs --compress-initrd --compress-initramfs-type=best --loglevel=5 --color --no-clean --oldconfig --mountboot --no-postclear
Comment 3 abandoned account 2015-04-11 19:03:17 UTC
And just in case  FEATURES  has  ccache  set (in /etc/portage/make.conf),
then to be sure ccache is not used and also be sure PATH isn't pointing at ccache but without manually setting the path yourself, I did this:
# env-update && source /etc/profile ; hash -r
# time FEATURES="-ccache" genkernel all --bootdir="/but" --install --symlink --no-splash --no-mountboot --makeopts="-j4 V=0" --no-keymap --lvm  --no-mdadm --no-dmraid --no-zfs --no-multipath --no-iscsi --disklabel --luks --no-gpg --no-netboot --no-unionfs --kernname=genkernel --no-firmware --no-integrated-initramfs --compress-initramfs --compress-initrd --compress-initramfs-type=best --loglevel=5 --color --no-clean --oldconfig --no-mountboot --no-postclear



To explain the effects of the above:
hdual ~ # echo $PATH
/usr/lib/ccache/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/opt/bin:/usr/x86_64-pc-linux-gnu/gcc-bin/4.9.2:~/bin
hdual ~ # env-update && source /etc/profile ; hash -r
>>> Regenerating /etc/ld.so.cache...
hdual ~ # echo $PATH
/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/opt/bin:/usr/x86_64-pc-linux-gnu/gcc-bin/4.9.2
hdual ~ # 

that took care of PATH not pointing to ccache/bin  (because sourcing /etc/profile didn't also source ~/.bashrc so PATH just got overridden by the former)
(just  source /etc/profile  should be enough though)

and the FEATURES="-ccache" on the second command  makes sure genkernel doesn't use ccache for this invocation
("time" can be omitted from the command line)

All that allows me to skip this error when compiling the kernel:
scripts/mod/empty.c:1:0: error: code model kernel does not support PIC mode
and compiles kernel just fine.

Btw, thanks OP(mike) for the explanation!

Cheers.
Comment 4 mike@marineau.org 2015-06-24 00:08:14 UTC
Revisited this to see if I could move it along by submitting a patch for the hardened compiler but the flag triggering the error, -mcmodel=kernel, is x86 specific and there aren't any other kernel specific options being used. So as far as I can tell it is just not possible to fix this. When using ccache kernels must be built with a different gcc profile or -nopie must be added to the kernel's CFLAGS.
Comment 5 mike@marineau.org 2015-07-15 02:09:21 UTC
Just wanted to note for others who may be seeing this that -nopie isn't the only option required, -fstack-check=no is also needed. The hardened default of enabling -fstack-check breaks vDSO w/ Go 1.3.x binaries, likely others too. The third and final hardened default flag, -fstack-protector, is not an issue because the kernel build explicitly enables/disables it as appropriate. So:

> make KCFLAGS="-nopie -fstack-check=no"

A little more detail here: https://github.com/coreos/coreos-overlay/pull/1359
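
A simplified model of the failure discussed in this thread, added here as an illustration (it is not code from ccache, gcc or the commenters): it strips -D and -I as the quoted release note describes, then applies the rule from the description that the hardened compiler turns PIE off only when it sees -D__KERNEL__ (or an explicit -nopie). The function names and the abridged command line are constructed for the example.

```shell
#!/bin/sh
# Simplified model of the interaction (assumption; not ccache or gcc code).

# Drop -D and -I, the two options the ccache 3.2 release note names,
# in joined (-DFOO) and separate (-D FOO) form.
strip_cpp_opts() {
    out="" skip=0
    for arg in "$@"; do
        if [ "$skip" -eq 1 ]; then skip=0; continue; fi
        case "$arg" in
            -D|-I) skip=1 ;;
            -D*|-I*) ;;
            *) out="$out $arg" ;;
        esac
    done
    echo "${out# }"
}

# Hardened default as described in the report: PIE stays on unless
# -D__KERNEL__ (or an explicit -nopie) reaches the compiler.
pie_enabled() {
    for arg in "$@"; do
        case "$arg" in -D__KERNEL__|-nopie) return 1 ;; esac
    done
    return 0
}

# Prints "ok", or the error from the report when -mcmodel=kernel meets PIE.
compile_result() {
    case " $* " in
        *" -mcmodel=kernel "*) ;;
        *) echo "ok"; return 0 ;;
    esac
    if pie_enabled "$@"; then
        echo "error: code model kernel does not support PIC mode"
    else
        echo "ok"
    fi
}

# Constructed command line, abridged from the failing compile in comment 1.
CMD="-nostdinc -Iinclude -D__KERNEL__ -m64 -mcmodel=kernel -Os -c vdso-image-64.c"

direct=$(compile_result $CMD)                          # gcc called directly
cached=$(compile_result $(strip_cpp_opts $CMD))        # ccache 3.2 second pass
fixed=$(compile_result $(strip_cpp_opts $CMD) -nopie)  # with the KCFLAGS workaround
printf 'direct: %s\nccache >=3.2: %s\nwith -nopie: %s\n' "$direct" "$cached" "$fixed"
```
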
Comment 6 Magnus Granberg gentoo-dev 2018-10-12 00:42:31 UTC
we use upstream gcc pie default on pie support.