| Summary: | app-emulation/xen-tools-{4.5.1-r3,4.6.0} failed compilation/linking with USE="ovmf" on hardened profile | | |
|---|---|---|---|
| Product: | Gentoo Linux | Reporter: | Jiří Moravec <qjim> |
| Component: | Current packages | Assignee: | The Gentoo Linux Hardened Team <hardened> |
| Status: | UNCONFIRMED --- | | |
| Severity: | normal | CC: | dmw, xen |
| Priority: | Normal | | |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Package list: | | Runtime testing required: | --- |
| Attachments: | Patch for -fPIC in xen-tools with ovmf | | |

Description
Jiří Moravec
2015-10-20 16:12:28 UTC

Same output for app-emulation/xen-tools-4.5.2-r2

Still a problem on amd64 hardened.

Created attachment 430246
Patch for -fPIC in xen-tools with ovmf

Build system in ovmf requires python2, used eselect to select python2 as global python. Probably should make a patch that fixes this in the makefile.

USE="ovmf" depends on nasm.

ovmf cannot be built with pie; you need to switch gcc profile to hardenednopie for this specific package.

This problem also occurs with app-emulation/xen-tools-4.6.3-r1

(In reply to Mekong from comment #5)
> ovmf can not be built with pie you need to switch gcc profile to
> hardenednopie for this specific package.

How do you switch this gcc profile?

Sorry for the late reply, I don't check this regularly. I don't use ovmf with xen, but use it with qemu and by chance found this post. Use "gcc-config" to switch your gcc profile. This is the easy way, but this is for every package. After this you may want to switch gcc profile per package. This is a bit more complicated. You create a file "/etc/portage/env/app-emulation/xen-tools" and copy the GCC_SPECS line from your gcc hardenednopie profile under directory "/etc/env.d/gcc/"

Example: GCC_SPECS="/usr/lib/gcc/x86_64-pc-linux-gnu/4.9.3/hardenednopie.specs"

This is back with 4.8.1 if ever fixed, but new GCC 6.x does not have switchable profiles anymore. Results in error containing: /var/tmp/portage/app-emulation/xen-tools-4.8.1-r1/work/xen-4.8.1/tools/firmware/ovmf-dir-remote/Build/OvmfX64/RELEASE_GCC44/X64/OvmfPkg/AcpiTables/AcpiTables/OUTPUT/./Madt.dll unsupported ELF EM_X86_64 relocation 0x1d.

Xen looks like it fails with gcc 6.X, which has PIE enabled by default in the default profile. Does upstream have any fix for it? It is not only Gentoo that has PIE enabled by default.

The fix for bug #640162 solved this issue for me with xen-tools-4.9.1-r1 + gcc 6.4 and USE=ovmf. (The fix actually seems to be committed in 2bfd1dc774e87e20ccd6f77a4847ec7126501e43 not 57e910ccaa98ba21cfc65419508e3695828f5b28)
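
A way to check which build outputs carry the relocation type named in the "unsupported ELF EM_X86_64 relocation 0x1d" error quoted in the thread. This is an added example, not code from the bug thread, Xen or ovmf. The function names `rela_types` and `build_sample` are hypothetical, and the sample ELF bytes are constructed for the demonstration.

```python
import struct
from collections import Counter

SHT_RELA = 4         # section type: relocation entries with addends
EM_X86_64 = 62       # e_machine value for x86-64
R_GOTPC64 = 0x1D     # type 29, R_X86_64_GOTPC64 in the x86-64 psABI numbering

def rela_types(elf: bytes) -> Counter:
    """Count relocation types across all SHT_RELA sections of an x86-64 ELF."""
    if elf[:4] != b"\x7fELF" or elf[4] != 2 or elf[5] != 1:
        raise ValueError("not a 64-bit little-endian ELF file")
    if struct.unpack_from("<H", elf, 18)[0] != EM_X86_64:
        raise ValueError("not an EM_X86_64 object")
    e_shoff, = struct.unpack_from("<Q", elf, 40)
    e_shentsize, e_shnum = struct.unpack_from("<HH", elf, 58)
    counts = Counter()
    for i in range(e_shnum):
        base = e_shoff + i * e_shentsize
        sh_type, = struct.unpack_from("<I", elf, base + 4)
        if sh_type != SHT_RELA:
            continue
        sh_offset, sh_size = struct.unpack_from("<QQ", elf, base + 24)
        # Elf64_Rela is 24 bytes: r_offset, r_info, r_addend; type = low 32 bits.
        for off in range(sh_offset, sh_offset + sh_size, 24):
            r_info, = struct.unpack_from("<Q", elf, off + 8)
            counts[r_info & 0xFFFFFFFF] += 1
    return counts

def build_sample(types) -> bytes:
    """Constructed input: minimal ET_REL file holding one SHT_RELA section."""
    rela = b"".join(struct.pack("<QQq", 8 * i, (1 << 32) | t, 0)
                    for i, t in enumerate(types))
    ehdr = struct.pack("<4sBBBB8xHHIQQQIHHHHHH", b"\x7fELF", 2, 1, 1, 0,
                       1, EM_X86_64, 1, 0, 0, 64 + len(rela), 0, 64, 0, 0, 64, 2, 0)
    shdr = struct.pack("<IIQQQQIIQQ", 0, SHT_RELA, 0, 0, 64, len(rela), 0, 0, 8, 24)
    return ehdr + rela + bytes(64) + shdr   # header, relocs, null shdr, rela shdr

if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:        # e.g. the object files of a failed build
        with open(path, "rb") as fh:
            n = rela_types(fh.read())[R_GOTPC64]
        print(f"{path}: {n} relocation(s) of type 0x1d")
```

Comparing the counts for the same object built with and without the PIE default shows whether the compiler profile is what introduces the relocation.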