Bug 183062 - sys-apps/kexec-tools won't load a kernel image when built with a hardened toolchain
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: New packages
Hardware: All Linux
Importance: High enhancement
Assignee: The Gentoo Linux Hardened Team
Reported: 2007-06-24 17:26 UTC by impulze
Modified: 2010-07-30 20:23 UTC

Attachments
Disable the -fPIE -pie in the hardened compiler (kexec-tools_ebuild.patch, 739 bytes, patch)
2010-07-16 00:36 UTC, Magnus Granberg

Description impulze 2007-06-24 17:26:55 UTC
i struggled almost a year (sad enough though) since i actually tried the gentoo forums for help.. http://forums.gentoo.org/viewtopic-t-294644-highlight-kexec.html

the kexec binary won't load a kernel image when built with a hardened toolchain, it always gives "Unknown rel relocation: 9" no matter if it's used with --debug or not. i've rebuilt the kexec-tools with my i686-pc-linux-gnu cross compiler from my desktop, fired it up on my hardened box and tada... kernel loads (please don't say firing up a kernel via kexec on a hardened box is pretty stupid anyway... i know it is)

i wonder if one could warn you against trying to actually kexec-load a kernel on a hardened box. btw this applies to all versions

Reproducible: Always

Steps to Reproduce:
1. get a hardened toolchain
2. compile kexec-tools
3. load any kernel image
Comment 1 impulze 2007-06-24 18:30:58 UTC
i know that hardened is not supposed to use kexec anyway since it might open a security hole in the kernel or even discard the whole "protecting userspace to touch the running kernel" but probably an einfo/ewarn in the ebuild would be sufficient imho
Comment 2 Christian Heim (RETIRED) gentoo-dev 2007-07-08 17:17:41 UTC
CCing pipcas
Comment 3 PaX Team 2007-07-08 20:47:26 UTC
rel type 9 is R_386_GOTOFF so some PIC/PIE code must have been linked into the kernel, that's not good at all in general, better find out where it comes from (i thought the hardened compiler would detect kernel compilation and not enforce any of the usual PIE/SSP things, there's apparently something that evades this logic). 

on another note, KERNEXEC/UDEREF is not compatible with kexec, i'll see if it can be fixed with reasonable effort, but no promises.
Comment 4 Matthijs van Duin 2009-01-31 03:06:11 UTC
Note that this problem still exists...
"Unhandled rela relocation: R_X86_64_PLT32"
with kexec-tools-2.0.0-r1 on amd64 with hardened toolchain.

The solution is to build kexec with vanilla toolchain or add CFLAGS=-fno-pie LDFLAGS=-fno-pie to the kexec-tools ebuild.  With that change I can report successful kexec-based rebooting (kernel 2.6.26-hardened-r9 on amd64).

I have absolutely no idea why compiling kexec-tools with pie causes it to give relocation errors upon loading the kernel; I'm sure someone will have fun figuring it out.
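
Added example, not part of any comment in this bug and not kexec-tools code: a scan of an ELF file's relocation sections for the two relocation types quoted in comments 3 and 4, which shows which object file carries them. The names `flagged_relocs` and `sample_object` are hypothetical, and the sample image is constructed for the demonstration.

```python
import struct

# Relocation types quoted in the thread's error messages, keyed by (e_machine, type).
FLAGGED = {(3, 9): "R_386_GOTOFF", (62, 4): "R_X86_64_PLT32"}
SHT_RELA, SHT_REL = 4, 9

def flagged_relocs(data):
    """Return [(section_index, r_offset, name)] for flagged entries in an ELF image."""
    if data[:4] != b"\x7fELF" or data[5] != 1:
        raise ValueError("expected a little-endian ELF image")
    is64 = data[4] == 2                      # EI_CLASS: 1 = ELF32, 2 = ELF64
    w = "Q" if is64 else "I"                 # width of addresses and offsets
    machine, = struct.unpack_from("<H", data, 18)
    shoff, = struct.unpack_from("<" + w, data, 40 if is64 else 32)
    shentsize, shnum = struct.unpack_from("<HH", data, 58 if is64 else 46)
    hits = []
    for idx in range(shnum):
        sh = shoff + idx * shentsize
        sh_type, = struct.unpack_from("<I", data, sh + 4)
        if sh_type not in (SHT_REL, SHT_RELA):
            continue
        off, size = struct.unpack_from("<" + w * 2, data, sh + (24 if is64 else 16))
        # A Rel entry is (r_offset, r_info); a Rela entry adds r_addend.
        step = struct.calcsize("<" + w) * (3 if sh_type == SHT_RELA else 2)
        for pos in range(off, off + size - step + 1, step):
            r_offset, r_info = struct.unpack_from("<" + w * 2, data, pos)
            # The type is the low 8 bits of r_info on ELF32, the low 32 bits on ELF64.
            r_type = r_info & (0xFFFFFFFF if is64 else 0xFF)
            name = FLAGGED.get((machine, r_type))
            if name:
                hits.append((idx, r_offset, name))
    return hits

def sample_object():
    """Constructed ELF32/i386 image: one SHT_REL section with R_386_32 and R_386_GOTOFF."""
    rel = struct.pack("<IIII", 0x10, (1 << 8) | 1, 0x24, (2 << 8) | 9)
    ehdr = b"\x7fELF\x01\x01\x01" + bytes(9) + struct.pack(
        "<HHIIIIIHHHHHH", 1, 3, 1, 0, 0, 52 + len(rel), 0, 52, 0, 0, 40, 2, 0)
    rel_sh = struct.pack("<10I", 0, SHT_REL, 0, 0, 52, len(rel), 0, 0, 4, 8)
    return ehdr + rel + bytes(40) + rel_sh   # header, entries, null section, rel section

if __name__ == "__main__":
    for idx, r_offset, name in flagged_relocs(sample_object()):
        print(f"section {idx}: {name} at offset {r_offset:#x}")
```
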
Comment 5 Jeremy Olexa (darkside) (RETIRED) archtester gentoo-dev Security 2009-02-25 03:11:19 UTC
Let me know if you need me to add some flag filtering to the ebuild (hopefully with a patch). Or if it is proper even, I don't know much about hardened stuff. thx
Comment 6 Markus 2009-06-07 15:11:01 UTC
Still broken.

Simple workaround:
# cat /etc/portage/env/sys-apps/kexec-tools
CFLAGS="$CFLAGS -fno-pie"
LDFLAGS="$LDFLAGS -fno-pie"
Comment 7 Magnus Granberg gentoo-dev 2010-04-02 18:26:05 UTC
We use -D__KERNEL__ to disable SSP/PIE in the kernel, it is in
CPPFLAGS in the kernel sources.
Add that to the needed kernel part or use
filter-flags -fPIE
filter-flags -fstack-protector
append-ldflags -nopie
from the flag-o-matic.eclass to filter the hardened flags
Comment 8 Magnus Granberg gentoo-dev 2010-07-16 00:36:10 UTC
Created attachment 238969 [details, diff]
Disable the -fPIE -pie in the hardened compiler

We disable the -fPIE -pie in the hardened compiler with this fix.
So feel free to test if this fixes it.
Comment 9 Hugo Mildenberger 2010-07-30 12:13:16 UTC
After manually merging the changes from the proposed patch into sys-apps/kexec-tools-2.0.1.ebuild, kexec now works ok.
Comment 10 Magnus Granberg gentoo-dev 2010-07-30 20:23:17 UTC
fixed in kexec-tools-2.0.1-r1