Re: [tboot-devel] [PATCH] Disable fstack-check during build

2015-05-07 Thread Jason Zaman
Hi Ning,

I was packaging tboot for Gentoo Linux and it would never actually manage
to load linux. It managed to SENTER fine but once it tried to jump to the
linux entry point it would fail and reboot. Gentoo Hardened adds
fstack-check by default (among other things) to the gcc specs.

After a lot of trial and error disabling SSP with -fstack-check=no made it
work. tboot already disables fstack-protector and fstack-protector-all
which are similar so it makes sense that fstack-check must also be disabled.
There is no comment explaining why fstack-protector is disabled in the
makefile unfortunately.

I do not have a very good way of debugging since it wouldn't work in an
emulator so I do not know *exactly* where it broke but the assembly
generated by my gcc and the objdump'd one from fedora were quite
different at the last stages of tboot. I saw the jumping to Linux
@0xxx message on the console and then it would reboot so it was very
late in the initialization.

I was using Gcc 4.8.4 from Gentoo Hardened[1]. If you are on a different
distro, add -fstack-check to the CFLAGs and you will probably be able to
replicate.

Thanks,
Jason

[1]: https://wiki.gentoo.org/wiki/Hardened/Toolchain#Default_addition_of_the_Stack_Smashing_Protector_.28SSP.29

On Thu, May 07, 2015 at 05:51:53PM +, Sun, Ning wrote:
> Hi Zaman,
>
> Thanks for your patch, for us to better understand the purpose of your
> patch, can you explain in which scenario fstack-check will break tboot?
>
> Thanks very much!
> -ning
>
> -Original Message-
> From: Jason Zaman [mailto:ja...@perfinion.com]
> Sent: Thursday, May 07, 2015 8:55 AM
> To: tboot-devel@lists.sourceforge.net
> Subject: [tboot-devel] [PATCH] Disable fstack-check during build
>
> fstack-check breaks tboot; this disables it in CFLAGS.
>
> Signed-off-by: Jason Zaman ja...@perfinion.com

___
tboot-devel mailing list
tboot-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/tboot-devel


Re: [tboot-devel] [PATCH] Disable fstack-check during build

2015-05-07 Thread Sun, Ning
By default tboot does not enforce -fstack-check in Config.mk file, so 
mainstream linux distributions do not have the issue you encountered in Gentoo 
Linux.
However for compatibility with more Linux distributions, we will accept your 
patch for tboot. You can get the latest tboot snapshot to test on your Gentoo 
Linux.

Thanks very much!
-ning

-Original Message-
From: Jason Zaman [mailto:ja...@perfinion.com] 
Sent: Thursday, May 07, 2015 11:21 AM
To: Sun, Ning
Cc: Wei, Gang; tboot-devel@lists.sourceforge.net
Subject: Re: [tboot-devel] [PATCH] Disable fstack-check during build

Hi Ning,

I was packaging tboot for Gentoo Linux and it would never actually manage to 
load linux. It managed to SENTER fine but once it tried to jump to the linux 
entry point it would fail and reboot. Gentoo Hardened adds fstack-check by 
default (among other things) to the gcc specs.

After a lot of trial and error disabling SSP with -fstack-check=no made it 
work. tboot already disables fstack-protector and fstack-protector-all which 
are similar so it makes sense that fstack-check must also be disabled.
There is no comment explaining why fstack-protector is disabled in the makefile 
unfortunately.

I do not have a very good way of debugging since it wouldn't work in an emulator 
so I do not know *exactly* where it broke but the assembly generated by my gcc 
and the objdump'd one from fedora were quite different at the last stages of 
tboot. I saw the jumping to Linux @0xxx message on the console and then it 
would reboot so it was very late in the initialization.

I was using Gcc 4.8.4 from Gentoo Hardened[1]. If you are on a different 
distro, add -fstack-check to the CFLAGs and you will probably be able to 
replicate.

Thanks,
Jason

[1]: https://wiki.gentoo.org/wiki/Hardened/Toolchain#Default_addition_of_the_Stack_Smashing_Protector_.28SSP.29

On Thu, May 07, 2015 at 05:51:53PM +, Sun, Ning wrote:
> Hi Zaman,
>
> Thanks for your patch, for us to better understand the purpose of your
> patch, can you explain in which scenario fstack-check will break tboot?
>
> Thanks very much!
> -ning
>
> -Original Message-
> From: Jason Zaman [mailto:ja...@perfinion.com]
> Sent: Thursday, May 07, 2015 8:55 AM
> To: tboot-devel@lists.sourceforge.net
> Subject: [tboot-devel] [PATCH] Disable fstack-check during build
>
> fstack-check breaks tboot; this disables it in CFLAGS.
>
> Signed-off-by: Jason Zaman ja...@perfinion.com



[tboot-devel] [PATCH] Disable fstack-check during build

2015-05-07 Thread Jason Zaman
fstack-check breaks tboot; this disables it in CFLAGS.

Signed-off-by: Jason Zaman ja...@perfinion.com
diff -ur tboot-1.8.2.orig/tboot/Config.mk tboot-1.8.2/tboot/Config.mk
--- tboot-1.8.2.orig/tboot/Config.mk	2014-07-28 12:24:21.0 +0400
+++ tboot-1.8.2/tboot/Config.mk	2015-05-05 02:14:26.333222301 +0400
@@ -30,6 +30,7 @@
 CFLAGS		+= $(call cc-option,$(CC),-nopie,)
 CFLAGS		+= $(call cc-option,$(CC),-fno-stack-protector,)
 CFLAGS		+= $(call cc-option,$(CC),-fno-stack-protector-all,)
+CFLAGS		+= $(call cc-option,$(CC),-fstack-check=no,)
 
 # changeset variable for banner
 CFLAGS		+= -DTBOOT_CHANGESET=\$(shell ((hg parents --template {isodate|isodate} {rev}:{node|short} /dev/null  hg parents --template {isodate|isodate} {rev}:{node|short}) || echo 2014-07-28 12:00 +0800 1.8.2) 2/dev/null)\
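
Review bot: The added -fstack-check=no line has no comment saying why stack checking must be off, and neither do the two -fno-stack-protector lines directly above it, so a later reader of Config.mk cannot tell whether these flags are still required. Suggest a short comment above this group of CFLAGS stating that they are disabled deliberately and recording the observed symptom from the thread: a build with a toolchain that enables -fstack-check by default (Gentoo Hardened, GCC 4.8.4) completes SENTER but reboots right after the jump to the Linux entry point. The commit message would also benefit from that detail, since "breaks tboot" alone does not say how or under which toolchain.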