Summary: | sys-apps/kexec-tools won't load a kernel image when built with a hardened toolchain | ||
---|---|---|---|
Product: | Gentoo Linux | Reporter: | impulze |
Component: | New packages | Assignee: | The Gentoo Linux Hardened Team <hardened> |
Status: | RESOLVED FIXED | ||
Severity: | enhancement | CC: | dschridde+gentoobugs, f6a7c764, genstef, M4rkusXXL, neomagus00, pageexec, sergio.bevilacqua |
Priority: | High | ||
Version: | unspecified | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | |||
Package list: | Runtime testing required: | --- | |
Attachments: | Disable the -fPIE -pie in the hardened compiler |
Description
impulze
2007-06-24 17:26:55 UTC
i know that hardened is not supposed to use kexec anyway since it might open a security hole in the kernel or even discard the whole "protecting userspace to touch the running kernel" but probably an einfo/ewarn in the ebuild would be sufficient imho

CCing pipcas

rel type 9 is R_386_GOTOFF so some PIC/PIE code must have been linked into the kernel, that's not good at all in general, better find out where it comes from (i thought the hardened compiler would detect kernel compilation and not enforce any of the usual PIE/SSP things, there's apparently something that evades this logic). on another note, KERNEXEC/UDEREF is not compatible with kexec, i'll see if it can be fixed with reasonable effort, but no promises.

Note that this problem still exists... "Unhandled rela relocation: R_X86_64_PLT32" with kexec-tools-2.0.0-r1 on amd64 with hardened toolchain. The solution is to build kexec with vanilla toolchain or add CFLAGS=-fno-pie LDFLAGS=-fno-pie to the kexec-tools ebuild. With that change I can report successful kexec-based rebooting (kernel 2.6.26-hardened-r9 on amd64). I have absolutely no idea why compiling kexec-tools with pie causes it to give relocation errors upon loading the kernel; I'm sure someone will have fun figuring it out.

Let me know if you need me to add some flag filtering to the ebuild (hopefully with a patch). Or if it is proper even, I don't know much about hardened stuff. thx

Still broken. Simple workaround:

    # cat /etc/portage/env/sys-apps/kexec-tools
    CFLAGS="$CFLAGS -fno-pie"
    LDFLAGS="$LDFLAGS -fno-pie"

We use -D__KERNEL_ to disable SSP/PIE in the kernel, it is in CPPFLAGS in the kernel sources. Add that to the needed kernel part or use

    filter-flags -fPIE
    filter-flags -fstack-protector
    append-ldflags -nopie

from the flag-o-matic.eclass to filter the hardened flags

Created attachment 238969
Disable the -fPIE -pie in the hardened compiler
We disable the -fPIE -pie in the hardened compiler with this fix.
So feel free to test if this fixes it.
After manually merging the changes from the proposed patch into sys-apps/kexec-tools-2.0.1.ebuild, kexec now works ok.

fixed in kexec-tools-2.0.1-r1
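The thread identifies the failure by relocation type ("rel type 9 is R_386_GOTOFF", "Unhandled rela relocation: R_X86_64_PLT32"). The following is an added example, not code from this bug or from kexec-tools: it decodes raw relocation-section bytes and reports GOT/PLT-relative entries, which is how to confirm that PIC/PIE code reached an object that should have been built without it. The function name, the tables and the sample entries are assumptions constructed for illustration.

```python
import struct

# GOT/PLT-relative relocation types from the i386 and x86-64 psABI.
# The thread names two of them: R_386_GOTOFF (9) and R_X86_64_PLT32 (4).
PIC_RELOCS = {
    "i386": {3: "R_386_GOT32", 4: "R_386_PLT32", 9: "R_386_GOTOFF", 10: "R_386_GOTPC"},
    "x86_64": {3: "R_X86_64_GOT32", 4: "R_X86_64_PLT32", 9: "R_X86_64_GOTPCREL"},
}

# i386 objects carry Elf32_Rel entries (r_offset, r_info); the type is the low
# 8 bits of r_info. x86_64 objects carry Elf64_Rela entries (r_offset, r_info,
# r_addend); the type is the low 32 bits of r_info.
LAYOUT = {"i386": ("<II", 0xFF), "x86_64": ("<QQq", 0xFFFFFFFF)}


def find_pic_relocs(section: bytes, machine: str):
    """Return [(r_offset, type_name)] for PIC-style entries in a raw
    .rel/.rela section. `machine` is "i386" or "x86_64" (hypothetical keys)."""
    fmt, type_mask = LAYOUT[machine]
    if len(section) % struct.calcsize(fmt):
        raise ValueError("relocation section is truncated")
    hits = []
    for entry in struct.iter_unpack(fmt, section):
        r_offset, r_info = entry[0], entry[1]
        name = PIC_RELOCS[machine].get(r_info & type_mask)
        if name:
            hits.append((r_offset, name))
    return hits


# Constructed sample data: one ordinary entry followed by one PIC entry each.
SAMPLE_REL_386 = (
    struct.pack("<II", 0x10, (5 << 8) | 1)            # R_386_32, absolute
    + struct.pack("<II", 0x24, (7 << 8) | 9)          # R_386_GOTOFF
)
SAMPLE_RELA_X86_64 = (
    struct.pack("<QQq", 0x40, (3 << 32) | 2, -4)      # R_X86_64_PC32
    + struct.pack("<QQq", 0x58, (6 << 32) | 4, -4)    # R_X86_64_PLT32
)

if __name__ == "__main__":
    print(find_pic_relocs(SAMPLE_REL_386, "i386"))
    print(find_pic_relocs(SAMPLE_RELA_X86_64, "x86_64"))
```

On a real object file, `readelf -r` prints the same type names for each relocation entry.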