I cannot emerge grub with netboot enabled when using a hardened toolchain. The grub version I`m trying to emerge is grub-0.96-r2. It emerges normally on a system without a hardened toolchain. Error string: if i686-pc-linux-gnu-gcc -DHAVE_CONFIG_H -I. -I. -I.. -I../stage2 -I../stage1 -Wall -Wmissing-prototypes -Wunused -Wshadow -Wpointer-arith -falign-jumps=1 -falign-loops=1 -falign-functions=1 -Wundef -Os -fno-stack-protector -fno-builtin -nostdinc -DFSYS_TFTP=1 -DINCLUDE_3C509 -DINCLUDE_3C529=1 -DINCLUDE_3C595=1 -DINCLUDE_3C90X=1 -DINCLUDE_CS89X0=1 -DINCLUDE_DAVICOM=1 -DINCLUDE_DEPCA=1 -DINCLUDE_EEPRO=1 -DINCLUDE_EEPRO100=1 -DINCLUDE_EPIC100=1 -DINCLUDE_3C507=1 -DINCLUDE_EXOS205=1 -DINCLUDE_NI5210=1 -DINCLUDE_LANCE=1 -DINCLUDE_NE2100=1 -DINCLUDE_NI6510=1 -DINCLUDE_NATSEMI=1 -DINCLUDE_NI5010=1 -DINCLUDE_3C503=1 -DINCLUDE_NE=1 -DINCLUDE_NS8390=1 -DINCLUDE_WD=1 -DINCLUDE_OTULIP=1 -DINCLUDE_RTL8139=1 -DINCLUDE_SIS900=1 -DINCLUDE_SK_G16=1 -DINCLUDE_SMC9000=1 -DINCLUDE_TIARA=1 -DINCLUDE_TULIP=1 -DINCLUDE_VIA_RHINE=1 -DINCLUDE_W89C840=1 -DCONGESTED=1 -DNE_SCAN=0x280,0x300,0x320,0x340 -DWD_DEFAULT_MEM=0xCC000 -g -MT libdrivers_a-pci.o -MD -MP -MF ".deps/libdrivers_a-pci.Tpo" -c -o libdrivers_a-pci.o `test -f 'pci.c' || echo './'`pci.c; \ then mv -f ".deps/libdrivers_a-pci.Tpo" ".deps/libdrivers_a-pci.Po"; else rm -f ".deps/libdrivers_a-pci.Tpo"; exit 1; fi pci.c: In function `pcibios_read_config_byte': pci.c:143: error: can't find a register in class `BREG' while reloading `asm' make[2]: *** [libdrivers_a-pci.o] Error 1 make[2]: Leaving directory `/var/tmp/portage/grub-0.96-r2/work/grub-0.96/netboot' make[1]: *** [all-recursive] Error 1 make[1]: Leaving directory `/var/tmp/portage/grub-0.96-r2/work/grub-0.96' make: *** [all] Error 2 !!! ERROR: sys-boot/grub-0.96-r2 failed. Call stack: ebuild.sh, line 1539: Called dyn_compile ebuild.sh, line 939: Called src_compile grub-0.96-r2.ebuild, line 82: Called die !!! making netboot stuff !!! If you need support, post the topmost build error, and the call stack if relevant. emerge --info: livecd / # emerge --info Portage 2.1-r1 (default-linux/x86/2006.0, gcc-3.4.6, glibc-2.3.6-r4, 2.6.15-gentoo-r5 i686) ================================================================= System uname: 2.6.15-gentoo-r5 i686 Celeron (Mendocino) Gentoo Base System version 1.6.15 dev-lang/python: 2.4.3-r1 dev-python/pycrypto: 2.0.1-r5 dev-util/ccache: [Not Present] dev-util/confcache: [Not Present] sys-apps/sandbox: 1.2.17 sys-devel/autoconf: 2.13, 2.59-r7 sys-devel/automake: 1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2 sys-devel/binutils: 2.16.1-r3 sys-devel/gcc-config: 1.3.13-r3 sys-devel/libtool: 1.5.22 virtual/os-headers: 2.6.11-r2 ACCEPT_KEYWORDS="x86" AUTOCLEAN="yes" CBUILD="i686-pc-linux-gnu" CFLAGS="-O2 -march=i686 -mtune=pentium2 -pipe" CHOST="i686-pc-linux-gnu" CONFIG_PROTECT="/etc" CONFIG_PROTECT_MASK="/etc/env.d /etc/gconf /etc/terminfo" CXXFLAGS="-O2 -march=i686 -mtune=pentium2 -pipe" DISTDIR="/usr/portage/distfiles" FEATURES="autoconfig ccache distcc distlocks metadata-transfer sandbox sfperms strict" GENTOO_MIRRORS="ftp://gentoo-mirror:dupa@newhope.mordornet/gentoo http://gentoo.prz.rzeszow.pl http://gentoo.zie.pg.gda.pl" LINGUAS="pl" PKGDIR="/usr/portage/packages" PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --delete-after --stats --timeout=180 --exclude='/distfiles' --exclude='/local' --exclude='/packages'" PORTAGE_TMPDIR="/var/tmp" PORTDIR="/usr/portage" SYNC="rsync://rsync.gentoo.org/gentoo-portage" USE="x86 X X509 acl acpi alsa apache2 arts avi berkdb bitmap-fonts bzip2 caps chroot cli crypt cups dlloader dri eds emboss encode erandom esd foomaticdb fortran gdbm gif gmp gpm gstreamer gtk2 hardened hpn imlib ipv6 isdnlog jpeg ldap libg++ libwww mad mikmod mmx motif mp3 mpeg ncurses nls nptl nptlonly ogg opengl oss pam pam_chroot pam_console pam_timestamp pcre pdflib perl png postgres pppd python qt qt3 qt4 quicktime readline reflection samba sasl sdl session sftplogging slp smartcard socks5 spell spl ssl tcpd truetype truetype-fonts type1-fonts udev unicode userlocales vorbis xinetd xml xmms xorg xv zlib elibc_glibc input_devices_keyboard input_devices_mouse input_devices_evdev kernel_linux linguas_pl userland_GNU" Unset: CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LANG, LC_ALL, LDFLAGS, MAKEOPTS, PORTAGE_RSYNC_EXTRA_OPTS, PORTDIR_OVERLAY
*** Bug 146354 has been marked as a duplicate of this bug. ***
0.97-r2 builds fine in hardened env
Yes, 0.97-r2 does build fine without the "netboot" USE flag, but doesn't build with it. Have you tried with the "netboot" use flag ?
Not fixed, reopening.
It makes no sense to try to build netboot with PIE. pxeboot and nbgrub are standalone executables - completely standalone; no kernel let alone libc. You could do something like: if use netboot; then SAVE_CFLAGS=${CFLAGS} filter-flags -fPIE ... econf ... emake ... make clean CFLAGS=${SAVE_CFLAGS} fi in the netboot compilation section.
that wont help ... grub already ignores CFLAGS the pie crap is coming from the specs
(In reply to comment #7) > that wont help ... grub already ignores CFLAGS No it doesn't. It clears environment CFLAGS unless USE=custom-cflags, however CFLAGS set in the build where I suggested has the expected effect. > the pie crap is coming from the specs I know where the default PIE comes from, and calling it "pie crap" is not helpful. However, it also needs ssp disabled (for the same reasons) but even then it falls over as it can't find __outw and friends for reasons I don't have time right now to discover. The easiest thing to do for now would be to force the vanilla compiler for this package - something like: [[ -f $($(tc-getCC) -print-search-dirs | awk '$1=="install:" { print $2 }')/vanilla.specs ]] && export GCC_SPECS="vanilla.specs" at the start of src_compile().
> No it doesn't. It clears environment CFLAGS unless USE=custom-cflags, however > CFLAGS set in the build where I suggested has the expected effect. and if you're using USE=custom-cflags and grub fails to emerge: NOTABUG
(In reply to comment #9) > > No it doesn't. It clears environment CFLAGS unless USE=custom-cflags, however > > CFLAGS set in the build where I suggested has the expected effect. > > and if you're using USE=custom-cflags and grub fails to emerge: NOTABUG What does that have to do with it? My point was that (_regardless_ whether USE=custom-cflags or not) if CFLAGS is set inside the ebuild then it _does_ get passed to the compiler, which you had asserted was not the case.
So, this is still a problem - is there a real solution ???
Curious myself also, bumped into this problem too. Is there a workaround for it (without compromising the stability or security of the server grub is being installed on)? I wanted to setup my server as a PXE server to be able to serve gentoo install images or memtest images etc. so the security of the clients doesn't matter as much as the security of server itself.
you're really worrying over nothing grub is the bootloader so worrying about buffer overflows in grub is pointless from a security point of view
I agree here too, but it'd just be nice to be able to build grub with the "netboot" use flag.
Created attachment 106175 [details, diff] workaround for netboot compilation Although not the best approach, it works around the netboot problem for now. Due to the fact that pci.c uses inline assembly to do it's work and that's why building fails, we can avoid these inline assembly calls by going direct using the --enable-pci-direct. The attached patch does that when netboot is enabled. So it may not work for everyone.
any progress/news on this one?
Anyone ???
i'm using the attached workaround. also, i'm just using the netboot flag on my chrooted env. which isn't hardened so it's all good for me. it's still 'broken' though.
I had this same problem and solved it by emergeing grub-static instead. Would this be correct ?
It'd be considered a workaround, i'll work, but it won't be 'optimized' for your arch and what not.
Hi all I has same error "error: can't find a register in class `BREG' while reloading `asm'" when compiling some packages. I find solution how to write rite code for x86&amd64 for building using gcc’s -fPIC flag in this and similar situations: http://sam.zoy.org/blog/2007-04-13-shlib-with-non-pic-code-have-inline-assembly-and-pic-mix-well Can any body write patch, ask for that developers of grub, or try me?
*** Bug 250808 has been marked as a duplicate of this bug. ***
Created attachment 195840 [details, diff] grub-0.97-pie-safety.patch Please apply this patch to the sources and test it. Should apply on top of all the other patches. Grub does compile with it, but I don't have a hardened system to test if the generated grub is still bootable.
hardened: please test the patch I attached in the last comment, then I can include it into a final -r10 of Grub1.
Marking the grub version in the bug so it can be tracked specifically.
Please test the patch!
The patch allows =sys-boot/grub-0.97-r9 to compile with USE="netboot" on hardened amd64 and x86. The resultant grub still boots from local disk fine. However, I do not have the means to test PXE booting at this time, which is what really matters. Thankfully a hardened contributor on IRC is able to test the PXE aspect and report here shortly. Thanks Robin and to everyone else who has worked this bug.
I compiled grub-0.97-r9 with this patch on both x86 and amd64. It does compile on both but the resulting pxegrub leads to a kernel stack fault. I tested this on a vmware virtual machine (emulating e1000), on an HP t5135 thin client (via-rhine) and on a desktop (forcedeth). In each case, as soon as control is passed to pxegrub, the cpu does a hard reset and the system reboots.
Ok, so my patch is fail. If you can trace which function is causing it, that would be nice, but I think it's going to be really hard to do :-(. Patch now unqueued.
Created attachment 197595 [details, diff] Add -fno-PIE to CFLAGS Thanx for testing Anthony Basile.
Robin, any objections to the -fno-PIE build patch?
*** This bug has been marked as a duplicate of bug 281246 ***
