xen-tools compilation with enabled "ovmf" on hardened profile failed:

make[8]: Entering directory '/var/tmp/portage/app-emulation/xen-tools-4.5.1-r3/work/xen-4.5.1/tools/firmware/ovmf-dir-remote/BaseTools/Source/C/GnuGenBootSector'
mkdir ../bin
x86_64-pc-linux-gnu-gcc -c -MD -fshort-wchar -fno-strict-aliasing -Wall -Wno-error -Wno-unused-but-set-variable -Wno-deprecated-declarations -nostdlib -c -g -I .. -I ../Include/Common -I ../Include/ -I ../Include/IndustryStandard -I ../Common/ -I .. -I . -I ../Include/X64/ GnuGenBootSector.c -o GnuGenBootSector.o
x86_64-pc-linux-gnu-gcc -o ../bin/GnuGenBootSector GnuGenBootSector.o -L../libs -lCommon
/usr/lib/gcc/x86_64-pc-linux-gnu/4.9.3/../../../../x86_64-pc-linux-gnu/bin/ld: GnuGenBootSector.o: relocation R_X86_64_32 against `.rodata' can not be used when making a shared object; recompile with -fPIC
GnuGenBootSector.o: error adding symbols: Bad value
collect2: error: ld returned 1 exit status
../Makefiles/app.makefile:24: recipe for target '../bin/GnuGenBootSector' failed
make[8]: *** [../bin/GnuGenBootSector] Error 1
make[8]: Leaving directory '/var/tmp/portage/app-emulation/xen-tools-4.5.1-r3/work/xen-4.5.1/tools/firmware/ovmf-dir-remote/BaseTools/Source/C/GnuGenBootSector'

PS:
x86_64-pc-linux-gnu-4.9.3-hardenednopie
x86_64-pc-linux-gnu-4.9.3-hardenednopiessp
are without problem...

Reproducible: Always

Steps to Reproduce:
1. hardened profile, gcc with full pie and ssp
2. USE="ovmf" emerge -v1 app-emulation/xen-tools
3.
Actual Results:
failed with "GnuGenBootSector.o: relocation R_X86_64_32 against `.rodata' can not be used when making a shared object; recompile with -fPIC"

Expected Results:
compilation/linking success

Portage 2.2.23 (python 2.7.10-final-0, hardened/linux/amd64, gcc-4.9.3, glibc-2.20-r2, 4.2.3-x1 x86_64)
=================================================================
System Settings
=================================================================
System uname: Linux-4.2.3-x1-x86_64-AMD_FX-tm-8350_Eight-Core_Processor-with-gentoo-2.2
KiB Mem: 16366964 total, 4833608 free
KiB Swap: 50331632 total, 49543604 free
Timestamp of repository gentoo: Tue, 20 Oct 2015 07:30:01 +0000
sh bash 4.3_p42
ld GNU ld (Gentoo 2.25.1 p1.1) 2.25.1
ccache version 3.2.4 [enabled]
app-shells/bash: 4.3_p42::gentoo
dev-java/java-config: 2.2.0::gentoo
dev-lang/perl: 5.20.2::gentoo
dev-lang/python: 2.7.10::gentoo, 3.4.3::gentoo
dev-util/ccache: 3.2.4::gentoo
dev-util/cmake: 3.3.1-r1::gentoo
dev-util/pkgconfig: 0.28-r3::gentoo
sys-apps/baselayout: 2.2::gentoo
sys-apps/openrc: 0.18.3::gentoo
sys-apps/sandbox: 2.6-r1::gentoo
sys-devel/autoconf: 2.13::gentoo, 2.69::gentoo
sys-devel/automake: 1.4_p6-r2::gentoo, 1.11.6-r1::gentoo, 1.12.6::gentoo, 1.13.4::gentoo, 1.14.1::gentoo, 1.15::gentoo
sys-devel/binutils: 2.25.1-r1::gentoo
sys-devel/gcc: 4.9.3::jim-private, 5.2.0::jim-private
sys-devel/gcc-config: 1.8::gentoo
sys-devel/libtool: 2.4.6::gentoo
sys-devel/make: 4.1-r1::gentoo
sys-kernel/linux-headers: 4.2::gentoo (virtual/os-headers)
sys-libs/glibc: 2.20-r2::gentoo

Repositories:

gentoo
    location: /usr/portage/ebuilds
    sync-type: rsync
    sync-uri: rsync://rsync.gentoo.org/gentoo-portage
    priority: -1000

openstreetmap
    location: /usr/portage/overlays/layman/openstreetmap
    masters: gentoo
    priority: 0

gentoo-el
    location: /usr/portage/overlays/layman/gentoo-el
    masters: gentoo
    priority: 1

java
    location: /usr/portage/overlays/layman/java
    masters: gentoo
    priority: 2

seden
    location: /usr/portage/overlays/layman/seden
    masters: gentoo
    priority: 3

sunrise
    location: /usr/portage/overlays/layman/sunrise
    masters: gentoo
    priority: 4

x11
    location: /usr/portage/overlays/layman/x11
    masters: gentoo
    priority: 5

bliss-overlay
    location: /usr/portage/overlays/layman/bliss-overlay
    masters: gentoo
    priority: 6

ROKO__
    location: /usr/portage/overlays/layman/ROKO__
    masters: gentoo
    priority: 7

grub2-themes
    location: /usr/portage/overlays/layman/grub2-themes
    masters: gentoo
    priority: 8

zugaina
    location: /usr/portage/overlays/layman/zugaina
    masters: gentoo
    priority: 9

init6
    location: /usr/portage/overlays/layman/init6
    masters: gentoo
    priority: 10

jim-private
    location: /usr/portage/overlays/jim
    masters: gentoo
    priority: 11

crossdev
    location: /usr/portage/overlays/crossdev
    masters: gentoo
    priority: 12

ACCEPT_KEYWORDS="amd64"
ACCEPT_LICENSE="*"
CBUILD="x86_64-pc-linux-gnu"
CFLAGS="-march=native -O2 -pipe -mtune=native -mvzeroupper -fno-lto -fdiagnostics-color=auto"
CHOST="x86_64-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/lib64/libreoffice/program/sofficerc /usr/share/config /usr/share/gnupg/qualified.txt"
CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/dconf /etc/env.d /etc/fonts/fonts.conf /etc/gconf /etc/gentoo-release /etc/php/apache2-php5.6/ext-active/ /etc/php/cgi-php5.6/ext-active/ /etc/php/cli-php5.6/ext-active/ /etc/revdep-rebuild /etc/sandbox.d /etc/splash /etc/terminfo /etc/texmf/language.dat.d /etc/texmf/language.def.d /etc/texmf/updmap.d /etc/texmf/web2c"
CXXFLAGS="-march=native -O2 -pipe -mtune=native -mvzeroupper -fno-lto -fdiagnostics-color=auto"
DISTDIR="/usr/portage/distfiles"
EMERGE_DEFAULT_OPTS="--keep-going --ask-enter-invalid --quiet-build=y --quiet-fail=y --jobs=8 --load-average=7.8 --autounmask-keep-masks"
FCFLAGS="-O2 -pipe"
FEATURES="assume-digests binpkg-logs buildpkg ccache config-protect-if-modified distlocks ebuild-locks fixlafiles merge-sync news parallel-fetch preserve-libs protect-owned sandbox sfperms strict unknown-features-warn unmerge-logs unmerge-orphans userfetch userpriv usersandbox usersync xattr"
FFLAGS="-O2 -pipe"
GENTOO_MIRRORS="http://distfiles.gentoo.org http://ftp.belnet.be/mirror/rsync.gentoo.org/gentoo http://www.mirrorservice.org/sites/www.ibiblio.org/gentoo/"
LANG="cs_CZ.utf-8"
LDFLAGS="-Wl,-O1 -Wl,--as-needed -O2 -Wl,-O1 -Wl,--as-needed -Wl,--hash-style=gnu -fno-lto"
MAKEOPTS="-j8 -l7.8"
PKGDIR="/usr/portage/packages/current"
PORTAGE_CONFIGROOT="/"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --omit-dir-times --compress --force --whole-file --delete --stats --human-readable --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages"
PORTAGE_TMPDIR="/var/tmp"
USE="7zip X aac acl acpi alsa amd64 bash-completion berkdb bzip2 cairo caps cli cracklib crypt cxx dbus dri dvd egl encode evdev faac faad fbcon fbcondecor fbsplash ffmpeg fftw flac gallium gdbm gif glamor gnutls gpm gtk hardened hvm iconv id3tag iproute2 ipv6 java java6 jpeg jpeg2k justify kde kerberos lzma lzo mad matroska mmx mmxext mng mod modules mp3 mp4 mpeg mpeg2 mpeg4 multilib mysql ncurses netlink nfs nfsv3 nfsv4 nls nptl nsplugin ntfs ogg openal opengl openmp ovmf pam pax_kernel pcre pdf perl php pic pie png python qt3support qt4 qt5 rdp readline samba sdl sdl2 seccomp semantic-desktop session slang sse sse2 ssl ssp svg tcpd theora tiff truetype unicode urandom usb userlocales vdpau vlc vnc vorbis vpx webkit webp x264 x265 xattr xen xml xtpax xv xvmc zlib"
ABI_X86="64"
ALSA_CARDS="hda-intel"
APACHE2_MODULES="authn_core authz_core socache_shmcb unixd actions alias auth_basic authn_alias authn_anon authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache cgi cgid dav dav_fs dav_lock deflate dir disk_cache env expires ext_filter file_cache filter headers include info log_config logio mem_cache mime mime_magic negotiation rewrite setenvif speling status unique_id userdir usertrack vhost_alias proxy proxy_fcgi proxy_ftp proxy_http"
CALLIGRA_FEATURES="kexi words flow plan sheets stage tables krita karbon braindump author"
CAMERAS="ptp2"
COLLECTD_PLUGINS="df interface irq load memory rrdtool swap syslog"
CPU_FLAGS_X86="aes avx fma3 fma4 mmx mmxext popcnt sse sse2 sse3 sse4_1 sse4_2 sse4a ssse3 xop"
ELIBC="glibc"
GPSD_PROTOCOLS="ashtech aivdm earthmate evermore fv18 garmin garmintxt gpsclock itrax mtk3301 nmea ntrip navcom oceanserver oldstyle oncore rtcm104v2 rtcm104v3 sirf superstar2 timing tsip tripmate tnt ublox ubx"
GRUB_PLATFORMS="pc efi-64 xen"
INPUT_DEVICES="evdev"
KERNEL="linux"
LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text"
LIBREOFFICE_EXTENSIONS="presenter-console presenter-minimizer"
LINGUAS="cs"
OFFICE_IMPLEMENTATION="libreoffice"
PHP_TARGETS="php5-5"
PYTHON_SINGLE_TARGET="python2_7"
PYTHON_TARGETS="python2_7 python3_4"
QEMU_SOFTMMU_TARGETS="i386 x86_64 or32 ppc64"
QEMU_USER_TARGETS="i386 x86_64 or32 ppc64"
RUBY_TARGETS="ruby20 ruby21"
USERLAND="GNU"
VIDEO_CARDS="radeon r600 radeonsi amdgpu"
XTABLES_ADDONS="quota2 psd pknock lscan length2 ipv4options ipset ipp2p iface geoip fuzzy condition tee tarpit sysrq steal rawnat logmark ipmark dhcpmac delude chaos account"
USE_PYTHON="2.7"
Unset: CC, CPPFLAGS, CTARGET, CXX, INSTALL_MASK, LC_ALL, PORTAGE_BUNZIP2_COMMAND, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS

=================================================================
Package Settings
=================================================================

app-emulation/xen-tools-4.6.0::gentoo was built with the following:
USE="hvm ovmf pam python system-qemu system-seabios -api -custom-cflags -debug -doc -flask -ocaml -pygrub -qemu -screen -static-libs" ABI_X86="64" PYTHON_TARGETS="python2_7"
CFLAGS=""
CXXFLAGS="-march=native -O2 -pipe -mtune=native -mvzeroupper -fno-lto -fdiagnostics-color=auto -fno-strict-overflow"
LDFLAGS=""
Same output for app-emulation/xen-tools-4.5.2-r2
Still a problem on amd64 hardened.
Created attachment 430246
Patch for -fPIC in xen-tools with ovmf
Build system in ovmf requires python2, used eselect to select python2 as global python. Probably should make a patch that fixes this in the makefile. USE="ovmf" depends on nasm.
ovmf cannot be built with pie; you need to switch gcc profile to hardenednopie for this specific package.
This problem also occurs with app-emulation/xen-tools-4.6.3-r1
(In reply to Mekong from comment #5)
> ovmf cannot be built with pie; you need to switch gcc profile to
> hardenednopie for this specific package.

How do you switch this gcc profile?
Sorry for the late reply, I don't check this regularly. I don't use ovmf with xen, but use it with qemu and by chance found this post.

Use "gcc-config" to switch your gcc profile. This is the easy way, but this is for every package. After this you may want to switch gcc profile per package. This is a bit more complicated. You create a file "/etc/portage/env/app-emulation/xen-tools" and copy the GCC_SPECS line from your gcc hardenednopie profile under directory "/etc/env.d/gcc/".

Example:
GCC_SPECS="/usr/lib/gcc/x86_64-pc-linux-gnu/4.9.3/hardenednopie.specs"
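The per-package switch described in the comment above, as an added shell example that is not part of the original thread: it copies only the GCC_SPECS line from a gcc-config profile into /etc/portage/env/<category>/<package>, so the no-PIE exception stays scoped to one package. The function name write_pkg_gcc_specs, its ROOT argument and the sample profile contents are assumptions made for the example.

```shell
#!/bin/sh
# Added example: pin the no-PIE GCC specs to a single package rather than
# switching the system-wide profile with gcc-config.
# Usage: write_pkg_gcc_specs ROOT PROFILE CATEGORY/PACKAGE
#   ROOT is "/" on a live system, or a scratch directory for a dry run.
write_pkg_gcc_specs() {
    root=${1%/}; profile=$2; pkg=$3
    src="$root/etc/env.d/gcc/$profile"
    dst="$root/etc/portage/env/$pkg"

    [ -r "$src" ] || { echo "no such gcc profile: $src" >&2; return 1; }

    # Copy only the GCC_SPECS assignment; PATH, LDPATH and the rest of the
    # profile must not leak into the package environment.
    line=$(sed -n '/^GCC_SPECS=/{p;q;}' "$src")
    specs=${line#GCC_SPECS=}; specs=${specs#\"}; specs=${specs%\"}

    # An empty GCC_SPECS selects nothing, and a dangling path cannot select
    # the no-PIE specs, so reject both instead of writing a useless file.
    if [ -z "$specs" ] || [ ! -f "$root$specs" ]; then
        echo "$profile: GCC_SPECS empty or specs file missing" >&2
        return 1
    fi

    mkdir -p "$(dirname "$dst")" || return 1
    # Idempotent: leave an env file that already carries the line untouched.
    [ -f "$dst" ] && grep -qxF "$line" "$dst" && return 0
    printf '%s\n' "$line" >> "$dst"
}

# Dry run against a constructed tree (paths mirror the comment above;
# the profile contents are sample data, not copied from a real system).
demo_root=$(mktemp -d)
gccdir=/usr/lib/gcc/x86_64-pc-linux-gnu/4.9.3
mkdir -p "$demo_root/etc/env.d/gcc" "$demo_root$gccdir"
: > "$demo_root$gccdir/hardenednopie.specs"
cat > "$demo_root/etc/env.d/gcc/x86_64-pc-linux-gnu-4.9.3-hardenednopie" <<EOF
LDPATH="$gccdir"
CTARGET="x86_64-pc-linux-gnu"
GCC_SPECS="$gccdir/hardenednopie.specs"
EOF
write_pkg_gcc_specs "$demo_root" x86_64-pc-linux-gnu-4.9.3-hardenednopie \
    app-emulation/xen-tools
cat "$demo_root/etc/portage/env/app-emulation/xen-tools"
```

On a live system ROOT is "/" and the function is run as root; as a later comment notes, GCC 6.x no longer has switchable profiles, so this only applies to toolchains that still ship the hardenednopie specs.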
This is back with 4.8.1 (if it was ever fixed), but new GCC 6.x does not have switchable profiles anymore.

Results in an error containing:
/var/tmp/portage/app-emulation/xen-tools-4.8.1-r1/work/xen-4.8.1/tools/firmware/ovmf-dir-remote/Build/OvmfX64/RELEASE_GCC44/X64/OvmfPkg/AcpiTables/AcpiTables/OUTPUT/./Madt.dll unsupported ELF EM_X86_64 relocation 0x1d.
Xen looks like it fails with gcc 6.X too, which has PIE enabled by default in the default profile. Does upstream have any fix for it? It is not only Gentoo that has PIE enabled by default.
The fix for bug #640162 solved this issue for me with xen-tools-4.9.1-r1 + gcc 6.4 and USE=ovmf. (The fix actually seems to be committed in 2bfd1dc774e87e20ccd6f77a4847ec7126501e43 not 57e910ccaa98ba21cfc65419508e3695828f5b28)