gcc -DNDEBUG -m32 -Wall -Wstrict-prototypes -Wdeclaration-after-statement -DDEBUG -DTEXTADDR=0x000D0000 -I. -I../../../tools/libxc -fno-builtin -O2 -msoft-float -D__ASSEMBLY__ -DDEBUG -DTEXTADDR=0x000D0000 -c trap.S cpp -P -DDEBUG -DTEXTADDR=0x000D0000 vmxassist.ld > vmxassist.tmp ld -o vmxassist -m elf_i386 -nostdlib --fatal-warnings -N -T vmxassist.tmp head.o trap.o vm86.o setup.o util.o vm86.o: In function `address': vm86.c:(.text+0x19): undefined reference to `__guard' vm86.c:(.text+0x51): undefined reference to `__stack_smash_handler' vm86.c:(.text+0x8e): undefined reference to `__guard' vm86.o: In function `trace': vm86.c:(.text+0x189): undefined reference to `__guard' vm86.c:(.text+0x1d4): undefined reference to `__guard' vm86.c:(.text+0x1f0): undefined reference to `__stack_smash_handler' vm86.o: In function `getreg32': vm86.c:(.text+0x2fa): undefined reference to `__guard' vm86.o: In function `.L32': vm86.c:(.text+0x338): undefined reference to `__stack_smash_handler' vm86.o: In function `setreg32': vm86.c:(.text+0x39e): undefined reference to `__guard' vm86.o: In function `.L44': vm86.c:(.text+0x3d8): undefined reference to `__stack_smash_handler' vm86.o: In function `sib': vm86.c:(.text+0x42b): undefined reference to `__guard' vm86.c:(.text+0x484): undefined reference to `__guard' vm86.c:(.text+0x4a3): undefined reference to `__stack_smash_handler' vm86.o: In function `operand': vm86.c:(.text+0x56a): undefined reference to `__guard' vm86.c:(.text+0x6ad): undefined reference to `__stack_smash_handler' vm86.c:(.text+0x700): undefined reference to `__guard' vm86.c:(.text+0x70b): undefined reference to `__guard' vm86.o: In function `.L139': vm86.c:(.text+0x764): undefined reference to `__guard' vm86.o: In function `.L138': vm86.c:(.text+0x78e): undefined reference to `__guard' vm86.o: In function `movr': vm86.c:(.text+0x93b): undefined reference to `__guard' vm86.o:vm86.c:(.text+0x9c0): more undefined references to `__guard' follow vm86.o: In function `movr': vm86.c:(.text+0x9e0): undefined reference to `__stack_smash_handler' vm86.o: In function `load_seg': vm86.c:(.text+0xd4b): undefined reference to `__guard' vm86.c:(.text+0xda1): undefined reference to `__stack_smash_handler' vm86.o: In function `set_mode': vm86.c:(.text+0xf19): undefined reference to `__guard' vm86.c:(.text+0xf74): undefined reference to `__guard' vm86.c:(.text+0xf94): undefined reference to `__stack_smash_handler' vm86.o: In function `interrupt': vm86.c:(.text+0x139d): undefined reference to `__guard' vm86.c:(.text+0x1478): undefined reference to `__stack_smash_handler' vm86.o: In function `outbyte': vm86.c:(.text+0x14a9): undefined reference to `__guard' vm86.c:(.text+0x14e8): undefined reference to `__stack_smash_handler' vm86.c:(.text+0x1537): undefined reference to `__guard' vm86.o: In function `inbyte': vm86.c:(.text+0x1619): undefined reference to `__guard' vm86.c:(.text+0x1654): undefined reference to `__stack_smash_handler' vm86.o: In function `emulate': vm86.c:(.text+0x16b9): undefined reference to `__guard' vm86.o: In function `.L321': vm86.c:(.text+0x1795): undefined reference to `__guard' vm86.c:(.text+0x17b5): undefined reference to `__stack_smash_handler' vm86.o: In function `trap': vm86.c:(.text+0x2619): undefined reference to `__guard' vm86.c:(.text+0x264a): undefined reference to `__guard' vm86.c:(.text+0x2666): undefined reference to `__stack_smash_handler' vm86.c:(.text+0x26bc): undefined reference to `__guard' setup.o: In function `banner': setup.c:(.text+0x16): undefined reference to `__guard' setup.c:(.text+0x113): undefined reference to `__stack_smash_handler' setup.o: In function `setup_gdt': setup.c:(.text+0x14b): undefined reference to `__guard' setup.c:(.text+0x226): undefined reference to `__stack_smash_handler' setup.o: In function `set_intr_gate': setup.c:(.text+0x259): undefined reference to `__guard' setup.c:(.text+0x2b6): undefined reference to `__stack_smash_handler' setup.o: In function `setup_idt': setup.c:(.text+0x2e8): undefined reference to `__guard' setup.c:(.text+0x31e): undefined reference to `__guard' setup.c:(.text+0x33a): undefined reference to `__stack_smash_handler' setup.o: In function `setup_pic': setup.c:(.text+0x369): undefined reference to `__guard' setup.c:(.text+0x3d3): undefined reference to `__stack_smash_handler' setup.o: In function `setiomap': setup.c:(.text+0x409): undefined reference to `__guard' setup.c:(.text+0x449): undefined reference to `__stack_smash_handler' setup.o: In function `enter_real_mode': setup.c:(.text+0x478): undefined reference to `__guard' setup.c:(.text+0x573): undefined reference to `__guard' setup.c:(.text+0x58f): undefined reference to `__stack_smash_handler' setup.o: In function `setup_ctx': setup.c:(.text+0x5fb): undefined reference to `__guard' setup.c:(.text+0x795): undefined reference to `__stack_smash_handler' setup.o: In function `start_bios': setup.c:(.text+0x7c4): undefined reference to `__guard' setup.c:(.text+0x80f): undefined reference to `__guard' setup.c:(.text+0x82b): undefined reference to `__stack_smash_handler' setup.o: In function `main': setup.c:(.text+0x879): undefined reference to `__guard' setup.c:(.text+0x8d4): undefined reference to `__stack_smash_handler' util.o: In function `putchar': util.c:(.text+0x19): undefined reference to `__guard' util.c:(.text+0x3f): undefined reference to `__stack_smash_handler' util.o: In function `strlen': util.c:(.text+0x68): undefined reference to `__guard' util.c:(.text+0xa5): undefined reference to `__stack_smash_handler' util.o: In function `printnum': util.c:(.text+0xcb): undefined reference to `__guard' util.c:(.text+0x118): undefined reference to `__stack_smash_handler' util.o: In function `_doprint': util.c:(.text+0x15b): undefined reference to `__guard' util.c:(.text+0x2b4): undefined reference to `__guard' util.c:(.text+0x2d4): undefined reference to `__stack_smash_handler' util.o: In function `panic': util.c:(.text+0x409): undefined reference to `__guard' util.c:(.text+0x44f): undefined reference to `__stack_smash_handler' util.o: In function `vprintf': util.c:(.text+0x479): undefined reference to `__guard' util.c:(.text+0x4b0): undefined reference to `__stack_smash_handler' util.o: In function `printf': util.c:(.text+0x4d9): undefined reference to `__guard' util.c:(.text+0x510): undefined reference to `__stack_smash_handler' util.o: In function `dump_dtr': util.c:(.text+0x536): undefined reference to `__guard' util.c:(.text+0x5f9): undefined reference to `__guard' util.c:(.text+0x615): undefined reference to `__stack_smash_handler' util.o: In function `dump_vmx_context': util.c:(.text+0x649): undefined reference to `__guard' util.c:(.text+0xbc9): undefined reference to `__stack_smash_handler' util.o: In function `print_e820_map': util.c:(.text+0xbf9): undefined reference to `__guard' util.c:(.text+0xce2): undefined reference to `__guard' util.c:(.text+0xcfe): undefined reference to `__stack_smash_handler' util.o: In function `hexdump': util.c:(.text+0xd46): undefined reference to `__guard' util.c:(.text+0xe8e): undefined reference to `__guard' util.c:(.text+0xeaa): undefined reference to `__stack_smash_handler' util.o: In function `dump_regs': util.c:(.text+0xed8): undefined reference to `__guard' util.c:(.text+0x1005): undefined reference to `__guard' util.c:(.text+0x1021): undefined reference to `__stack_smash_handler' util.o: In function `memset': util.c:(.text+0x1059): undefined reference to `__guard' util.c:(.text+0x1091): undefined reference to `__stack_smash_handler' util.o: In function `memcpy': util.c:(.text+0x10c9): undefined reference to `__guard' util.c:(.text+0x1113): undefined reference to `__stack_smash_handler' make[2]: *** [vmxassist.bin] Error 1 make[2]: Leaving directory `/var/tmp/portage/xen-tools-3.0.2/work/xen-3.0.2/tools/firmware/vmxassist' make[1]: *** [all] Error 2 make[1]: Leaving directory `/var/tmp/portage/xen-tools-3.0.2/work/xen-3.0.2/tools/firmware' make: *** [all] Error 2 make: Leaving directory `/var/tmp/portage/xen-tools-3.0.2/work/xen-3.0.2/tools' !!! ERROR: app-emulation/xen-tools-3.0.2 failed. Call stack: ebuild.sh, line 1532: Called dyn_compile ebuild.sh, line 929: Called src_compile xen-tools-3.0.2.ebuild, line 69: Called die !!! compile failed !!! If you need support, post the topmost build error, and the call stack if relevant. mail xen-tools # emerge info Portage 2.1_pre7-r5 (hardened/x86/2.6, gcc-3.4.6, glibc-2.3.6-r3, 2.6.16-rc5-xen i686) ================================================================= System uname: 2.6.16-rc5-xen i686 Intel(R) Pentium(R) 4 CPU 1.80GHz Gentoo Base System version 1.12.0_pre16 distcc 2.18.3 i686-pc-linux-gnu (protocols 1 and 2) (default port 3632) [disabled] dev-lang/python: 2.4.2-r1 sys-apps/sandbox: 1.2.17 sys-devel/autoconf: 2.13, 2.59-r7 sys-devel/automake: 1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2 sys-devel/binutils: 2.16.1-r2 sys-devel/libtool: 1.5.22 virtual/os-headers: 2.6.11-r3 ACCEPT_KEYWORDS="x86 ~x86" AUTOCLEAN="yes" CBUILD="i686-pc-linux-gnu" CFLAGS="-O2 -march=pentium4 -fomit-frame-pointer -fforce-addr -mmmx -msse -msse2 -mfpmath=sse" CHOST="i686-pc-linux-gnu" CONFIG_PROTECT="/etc /etc/mail/dspam /usr/kde/2/share/config /usr/kde/3/share/config /usr/share/config /var/bind /var/qmail/control /var/run/dspam" CONFIG_PROTECT_MASK="/etc/eselect/compiler /etc/gconf /etc/revdep-rebuild /etc/terminfo /etc/env.d" CXXFLAGS="-O2 -march=pentium4 -fomit-frame-pointer -fforce-addr -mmmx -msse -msse2 -mfpmath=sse" DISTDIR="/usr/portage/distfiles" FEATURES="autoconfig distlocks metadata-transfer noinfo parallel-fetch sandbox sfperms strict userpriv usersandbox" GENTOO_MIRRORS="http://distfiles.gentoo.org http://distro.ibiblio.org/pub/linux/distributions/gentoo" LANG="en_US.utf8" LINGUAS="en_US vi" MAKEOPTS="-j2" PKGDIR="/usr/portage//packages/x86/" PORTAGE_TMPDIR="/var/tmp" PORTDIR="/usr/portage/" PORTDIR_OVERLAY="/usr/portage/overlay" SYNC="rsync://rsync.gentoo.org/gentoo-portage" USE="apache2 berkdb bzip2 crypt dlloader hardened ithreads mysql nls pam pic readline sasl ssl tcpd unicode userlocales utf8 vhosts x86 zlib elibc_glibc kernel_linux linguas_en_US linguas_vi userland_GNU" Unset: ASFLAGS, CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LC_ALL, LDFLAGS If I set gcc to i686-pc-linux-gnu-3.4.6-vanilla, xen-tools-3.0.2 emerge fine.
The xen Makefiles try to filter CFLAGS building different parts of the source with the function: test-gcc-flag = $(shell $(1) -v --help 2>&1 | grep -q " $(2) " && echo $(2)) calls are like: ./xen/arch/x86/Rules.mk:CFLAGS += $(call test-gcc-flag,$(CC),-nopie) ./xen/arch/x86/Rules.mk:CFLAGS += $(call test-gcc-flag,$(CC),-fno-stack-protector) ./xen/arch/x86/Rules.mk:CFLAGS += $(call test-gcc-flag,$(CC),-fno-stack-protector-all) ./tools/ioemu/target-i386-dm/Makefile:SSE2 := $(call test-gcc-flag,$(CC),-msse2) $ gcc --help -v 2>&1|grep sse2 -mno-sse2 Do not support MMX, SSE and SSE2 built-in functions and code generation -msse2 Support MMX, SSE and SSE2 built-in functions and code generation $ gcc --help -v 2>&1|grep pie gcc version 3.4.6 (Gentoo 3.4.6, ssp-3.4.5-1.0, pie-8.7.9) -fpie Generate position-independent code for -pie, --pic-executable Create a position independent executable So the question is - why does gcc on Gentoo not show these -no* options in it's help for the hardened flags, when apparently other distros do? You could obviously filter the flags for all the built software, like the old ebuilds did, but that kind of negates the point of running hardened - only vmxassist and hvmloader need non-hardened flags.
I've tried to fix the problem by just adding the -nopie -no-stack* flags to the hvmloader and vmxassist Makefiles. Let me know if it works.
(In reply to comment #1) > The xen Makefiles try to filter CFLAGS building different parts of the source > with the function: > > test-gcc-flag = $(shell $(1) -v --help 2>&1 | grep -q " $(2) " && echo $(2)) > > calls are like: > > ./xen/arch/x86/Rules.mk:CFLAGS += $(call test-gcc-flag,$(CC),-nopie) > ./xen/arch/x86/Rules.mk:CFLAGS += $(call > test-gcc-flag,$(CC),-fno-stack-protector) > ./xen/arch/x86/Rules.mk:CFLAGS += $(call > test-gcc-flag,$(CC),-fno-stack-protector-all) > ./tools/ioemu/target-i386-dm/Makefile:SSE2 := $(call > test-gcc-flag,$(CC),-msse2) > > $ gcc --help -v 2>&1|grep sse2 > -mno-sse2 Do not support MMX, SSE and SSE2 built-in functions > and code generation > -msse2 Support MMX, SSE and SSE2 built-in functions and > code generation > > $ gcc --help -v 2>&1|grep pie > gcc version 3.4.6 (Gentoo 3.4.6, ssp-3.4.5-1.0, pie-8.7.9) > -fpie Generate position-independent code for > -pie, --pic-executable Create a position independent executable > > So the question is - why does gcc on Gentoo not show these -no* options in it's > help for the hardened flags, when apparently other distros do? > > You could obviously filter the flags for all the built software, like the old > ebuilds did, but that kind of negates the point of running hardened - only > vmxassist and hvmloader need non-hardened flags. > there are couple problem with the way they test for PIE/SSP. 1. if CFLAGS is unset, the test failed to detect gcc. I have to have USE=custom-cflags to buils xen-tools 2. with xen-tools-3.0.2, they unset CFLAGS in the tools/firmware/{hvmloader,vmxassist}Makefile which causes test-gcc-flag failed to detect hardened gcc . my workaround similar to your, but I just commented the "CFLAGS :=" line sed -i -e 's/CFLAGS :=/# CFLAGS :=/g' "${S}/tools/firmware/hvmloader/Makefile" "${S}/tools/firmware/vmxassist/Makefile"
It isn't the unset of CFLAGS that causes the failed gcc detect, it's the fact that under Gentoo 'gcc -v --help' doesn't show the nopie and no-stack-protector flags. Their code apparently works fine on other distributions. If you just comment out the CFLAG := in the Makefiles, where do your -nopie no-stack-protector flags come from? They must be set somewhere for vmxassist to build?
I wasn't clear in my last comment, I meant it failed to detect gentoo gcc. Why unset CFLAGS cause it failed I don't know (yet), but commented that line put "-nopie -fno-stack-protector" back in there as you can see below. I differed the Makefile from the older version and notice the new "CFLAGS :=" line make[2]: Entering directory `/var/tmp/portage/xen-tools-3.0.2/work/xen-3.0.2/tools/firmware/vmxassist' i686-pc-linux-gnu-gcc -O2 -march=pentium4 -fomit-frame-pointer -fforce-addr -mmmx -msse -msse2 -mfpmath=sse -nopie -fno-stack-protector -DNDEBUG -m32 -Wall -Wstrict-prototypes -Wdeclaration-after-statement -D__XEN_INTERFACE_VERSION__=0x00030101 -DNDEBUG -m32 -Wall -Wstrict-prototypes -Wdeclaration-after-statement -D__XEN_INTERFACE_VERSION__=0x00030101 -DNDEBUG -m32 -Wall -Wstrict-prototypes -Wdeclaration-after-statement -DDEBUG -DTEXTADDR=0x000D0000 -I. -I../../../tools/libxc -fno-builtin -O2 -msoft-float -D__ASSEMBLY__ -DDEBUG -DTEXTADDR=0x000D0000 -c head.S gcc -Wall -Werror -Wstrict-prototypes -Wdeclaration-after-statement -I. -I../../../tools/libxc -o gen gen.c i686-pc-linux-gnu-gcc -O2 -march=pentium4 -fomit-frame-pointer -fforce-addr -mmmx -msse -msse2 -mfpmath=sse -nopie -fno-stack-protector -DNDEBUG -m32 -Wall -Wstrict-prototypes -Wdeclaration-after-statement -D__XEN_INTERFACE_VERSION__=0x00030101 -DNDEBUG -m32 -Wall -Wstrict-prototypes -Wdeclaration-after-statement -D__XEN_INTERFACE_VERSION__=0x00030101 -DNDEBUG -m32 -Wall -Wstrict-prototypes -Wdeclaration-after-statement -DDEBUG -DTEXTADDR=0x000D0000 -I. -I../../../tools/libxc -fno-builtin -O2 -msoft-float -c vm86.c i686-pc-linux-gnu-gcc -O2 -march=pentium4 -fomit-frame-pointer -fforce-addr -mmmx -msse -msse2 -mfpmath=sse -nopie -fno-stack-protector -DNDEBUG -m32 -Wall -Wstrict-prototypes -Wdeclaration-after-statement -D__XEN_INTERFACE_VERSION__=0x00030101 -DNDEBUG -m32 -Wall -Wstrict-prototypes -Wdeclaration-after-statement -D__XEN_INTERFACE_VERSION__=0x00030101 -DNDEBUG -m32 -Wall -Wstrict-prototypes -Wdeclaration-after-statement -DDEBUG -DTEXTADDR=0x000D0000 -I. -I../../../tools/libxc -fno-builtin -O2 -msoft-float -c setup.c i686-pc-linux-gnu-gcc -O2 -march=pentium4 -fomit-frame-pointer -fforce-addr -mmmx -msse -msse2 -mfpmath=sse -nopie -fno-stack-protector -DNDEBUG -m32 -Wall -Wstrict-prototypes -Wdeclaration-after-statement -D__XEN_INTERFACE_VERSION__=0x00030101 -DNDEBUG -m32 -Wall -Wstrict-prototypes -Wdeclaration-after-statement -D__XEN_INTERFACE_VERSION__=0x00030101 -DNDEBUG -m32 -Wall -Wstrict-prototypes -Wdeclaration-after-statement -DDEBUG -DTEXTADDR=0x000D0000 -I. -I../../../tools/libxc -fno-builtin -O2 -msoft-float -c util.c ./gen > offsets.h i686-pc-linux-gnu-gcc -O2 -march=pentium4 -fomit-frame-pointer -fforce-addr -mmmx -msse -msse2 -mfpmath=sse -nopie -fno-stack-protector -DNDEBUG -m32 -Wall -Wstrict-prototypes -Wdeclaration-after-statement -D__XEN_INTERFACE_VERSION__=0x00030101 -DNDEBUG -m32 -Wall -Wstrict-prototypes -Wdeclaration-after-statement -D__XEN_INTERFACE_VERSION__=0x00030101 -DNDEBUG -m32 -Wall -Wstrict-prototypes -Wdeclaration-after-statement -DDEBUG -DTEXTADDR=0x000D0000 -I. -I../../../tools/libxc -fno-builtin -O2 -msoft-float -D__ASSEMBLY__ -DDEBUG -DTEXTADDR=0x000D0000 -c trap.S cpp -P -DDEBUG -DTEXTADDR=0x000D0000 vmxassist.ld > vmxassist.tmp ld -o vmxassist -m elf_i386 -nostdlib --fatal-warnings -N -T vmxassist.tmp head.o trap.o vm86.o setup.o util.o nm -n vmxassist > vmxassist.sym objcopy -p -O binary -R .note -R .comment -R .bss -S --gap-fill=0 vmxassist vmxassist.tmp dd if=vmxassist.tmp of=vmxassist.bin ibs=512 conv=sync 36+0 records in 36+0 records out 18432 bytes (18 kB) copied, 0.000756 seconds, 24.4 MB/s rm -f vmxassist.tmp make[2]: Leaving directory `/var/tmp/portage/xen-tools-3.0.2/work/xen-3.0.2/tools/firmware/vmxassist' make[2]: Entering directory `/var/tmp/portage/xen-tools-3.0.2/work/xen-3.0.2/tools/firmware/hvmloader' ./mkhex rombios ../rombios/BIOS-bochs-latest > roms.h ./mkhex vgabios_stdvga ../vgabios/VGABIOS-lgpl-latest.bin >> roms.h ./mkhex vgabios_cirrusvga ../vgabios/VGABIOS-lgpl-latest.cirrus.bin >> roms.h ./mkhex vmxassist ../vmxassist/vmxassist.bin >> roms.h ./mkhex acpi ../acpi/acpi.bin >> roms.h i686-pc-linux-gnu-gcc -O2 -march=pentium4 -fomit-frame-pointer -fforce-addr -mmmx -msse -msse2 -mfpmath=sse -nopie -fno-stack-protector -DNDEBUG -m32 -Wall -Wstrict-prototypes -Wdeclaration-after-statement -D__XEN_INTERFACE_VERSION__=0x00030101 -DNDEBUG -m32 -Wall -Wstrict-prototypes -Wdeclaration-after-statement -D__XEN_INTERFACE_VERSION__=0x00030101 -DNDEBUG -m32 -Wall -Wstrict-prototypes -Wdeclaration-after-statement -DDEBUG -I. -I../../../tools/libxc -fno-builtin -O2 -msoft-float -c hvmloader.c acpi_madt.c i686-pc-linux-gnu-gcc -m32 -nostdlib -Wl,-N -Wl,-Ttext -Wl,0x100000 -o hvmloader.tmp hvmloader.o acpi_madt.o objcopy hvmloader.tmp hvmloader rm -f hvmloader.tmp make[2]: Leaving directory `/var/tmp/portage/xen-tools-3.0.2/work/xen-3.0.2/tools/firmware/hvmloader' As for why `test-gcc-flag = $(shell $(1) -v --help 2>&1 | grep -q " $(2) " && echo $(2))` doesn't turn up any of "-nopie", "-fno-stack-protector", and "-fno-stack-protector-all" , may be the hardened team can tell.
my bad. thosee "-nopie -fno-stack-protector" came from ... if use custom-cflags; then filter-flags -fPIE -fstack-protector else ... and I have USE=custom-cflags the new ebuild pass this stage but failed at vga.c and you are already known about it. Using this patch http://lists.xensource.com/archives/html/xen-changelog/2006-04/msg00108.html I was be able to emerge xen-tools-3.0.2 on hardened profile.
sorry to spam. I forgot to mention that hardened USE flag is missing in IUSE.
It's not spam if it's a bug :) I've added the patch and fixed IUSE.
I was able to compile xen-tools while using a hardened profile