Re: [tboot-devel] [PATCH] Disable fstack-check during build
Hi Ning, I was packaging tboot for Gentoo Linux and it would never actually manage to load linux. It managed to SENTER fine but once it tried to jump to the linux entry point it would fail and reboot. Gentoo Hardened adds fstack-check by default (among other things) to the gcc specs. After a lot of trial and error disabling SSP with -fstack-check=no made it work. tboot already disables fstack-protector and fstack-protector-all which are similar so it makes sense that fstack-check must also be disabled. There is no comment explaining why fstack-protector is disabled in the makefile unfortunately. I do not have a very good way of debugging since it wouldnt work in an emulator so I do not know *exactly* where it broke but the assembly generated by my gcc and the objdump'd one from fedora were quite different at the last stages of tboot. I saw the jumping to Linux @0xxx message on the console and then it would reboot so it was very late in the initialization. I was using Gcc 4.8.4 from Gentoo Hardened[1]. If you are on a different distro, add -fstack-check to the CFLAGs and you will probably be able to replicate. Thanks, Jason [1]: https://wiki.gentoo.org/wiki/Hardened/Toolchain#Default_addition_of_the_Stack_Smashing_Protector_.28SSP.29 On Thu, May 07, 2015 at 05:51:53PM +, Sun, Ning wrote: Hi Zaman, Thanks for your patch, for us to better understand the purpose of your patch, can you explain in which scenario fstack-check will break tboot? Thanks very much! -ning -Original Message- From: Jason Zaman [mailto:ja...@perfinion.com] Sent: Thursday, May 07, 2015 8:55 AM To: tboot-devel@lists.sourceforge.net Subject: [tboot-devel] [PATCH] Disable fstack-check during build fstack-check breaks tboot this disables it in CFLAGS. Signed-off-by: Jason Zaman ja...@perfinion.com -- One dashboard for servers and applications across Physical-Virtual-Cloud Widest out-of-the-box monitoring support with 50+ applications Performance metrics, stats and reports that give you Actionable Insights Deep dive visibility with transaction tracing using APM Insight. http://ad.doubleclick.net/ddm/clk/290420510;117567292;y ___ tboot-devel mailing list tboot-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/tboot-devel
Re: [tboot-devel] [PATCH] Disable fstack-check during build
By default tboot does not enforce -fstack-check in Config.mk file, so mainstream linux distributions do not have the issue you encountered in Gentoo Linux. However for compatibility with more Linux distributions, we will accept your patch for tboot. You can get the latest tboot snapshot to test on your Gentoo Linux. Thanks very much! -ning -Original Message- From: Jason Zaman [mailto:ja...@perfinion.com] Sent: Thursday, May 07, 2015 11:21 AM To: Sun, Ning Cc: Wei, Gang; tboot-devel@lists.sourceforge.net Subject: Re: [tboot-devel] [PATCH] Disable fstack-check during build Hi Ning, I was packaging tboot for Gentoo Linux and it would never actually manage to load linux. It managed to SENTER fine but once it tried to jump to the linux entry point it would fail and reboot. Gentoo Hardened adds fstack-check by default (among other things) to the gcc specs. After a lot of trial and error disabling SSP with -fstack-check=no made it work. tboot already disables fstack-protector and fstack-protector-all which are similar so it makes sense that fstack-check must also be disabled. There is no comment explaining why fstack-protector is disabled in the makefile unfortunately. I do not have a very good way of debugging since it wouldnt work in an emulator so I do not know *exactly* where it broke but the assembly generated by my gcc and the objdump'd one from fedora were quite different at the last stages of tboot. I saw the jumping to Linux @0xxx message on the console and then it would reboot so it was very late in the initialization. I was using Gcc 4.8.4 from Gentoo Hardened[1]. If you are on a different distro, add -fstack-check to the CFLAGs and you will probably be able to replicate. Thanks, Jason [1]: https://wiki.gentoo.org/wiki/Hardened/Toolchain#Default_addition_of_the_Stack_Smashing_Protector_.28SSP.29 On Thu, May 07, 2015 at 05:51:53PM +, Sun, Ning wrote: Hi Zaman, Thanks for your patch, for us to better understand the purpose of your patch, can you explain in which scenario fstack-check will break tboot? Thanks very much! -ning -Original Message- From: Jason Zaman [mailto:ja...@perfinion.com] Sent: Thursday, May 07, 2015 8:55 AM To: tboot-devel@lists.sourceforge.net Subject: [tboot-devel] [PATCH] Disable fstack-check during build fstack-check breaks tboot this disables it in CFLAGS. Signed-off-by: Jason Zaman ja...@perfinion.com -- One dashboard for servers and applications across Physical-Virtual-Cloud Widest out-of-the-box monitoring support with 50+ applications Performance metrics, stats and reports that give you Actionable Insights Deep dive visibility with transaction tracing using APM Insight. http://ad.doubleclick.net/ddm/clk/290420510;117567292;y ___ tboot-devel mailing list tboot-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/tboot-devel
[tboot-devel] [PATCH] Disable fstack-check during build
fstack-check breaks tboot this disables it in CFLAGS. Signed-off-by: Jason Zaman ja...@perfinion.com diff -ur tboot-1.8.2.orig/tboot/Config.mk tboot-1.8.2/tboot/Config.mk --- tboot-1.8.2.orig/tboot/Config.mk 2014-07-28 12:24:21.0 +0400 +++ tboot-1.8.2/tboot/Config.mk 2015-05-05 02:14:26.333222301 +0400 @@ -30,6 +30,7 @@ CFLAGS += $(call cc-option,$(CC),-nopie,) CFLAGS += $(call cc-option,$(CC),-fno-stack-protector,) CFLAGS += $(call cc-option,$(CC),-fno-stack-protector-all,) +CFLAGS += $(call cc-option,$(CC),-fstack-check=no,) # changeset variable for banner CFLAGS += -DTBOOT_CHANGESET=\$(shell ((hg parents --template {isodate|isodate} {rev}:{node|short} /dev/null hg parents --template {isodate|isodate} {rev}:{node|short}) || echo 2014-07-28 12:00 +0800 1.8.2) 2/dev/null)\ -- One dashboard for servers and applications across Physical-Virtual-Cloud Widest out-of-the-box monitoring support with 50+ applications Performance metrics, stats and reports that give you Actionable Insights Deep dive visibility with transaction tracing using APM Insight. http://ad.doubleclick.net/ddm/clk/290420510;117567292;y___ tboot-devel mailing list tboot-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/tboot-devel
[tboot-devel] tboot 1.8.3 released
This release is to add SGX support for Intel Skylake platform and verified launch control policy user guide, along with several significant bugs fix from 1.8.2, like using the primary object in NULL Hierarchy instead of Platform Hierarchy for seal/unseal usage for TPM 2.0, Optimizing tboot log processing flow to avoid log buffer overflow by adopting lz Compress/Uncompress algorithms etc.. Source package tboot-1.8.3.tar.gz can be downloaded from sourceforge.net. Major changes since 1.8.2 (20140728): Added verified launch control policy user guide Fixed a bug about var MTRR settings to follow the rule that each VAR MTRR base must be a multiple of that MTRR's size. Access tpm sts reg with 3-byte width in v1.2 case and 4-byte width in v2.0 case Bugfix: lcp2_mlehash get wrong hash if the cmdline string length 7 Optimized tboot log processing flow to avoid log buffer overflow by adopting lz Compress/Uncompress algorithms Added SGX support for Skylake platform tpm2: use the primary object in NULL Hierarchy instead of Platform Hierarchy for seal/unseal usage Fixed a bug for lcp2_mlehash tool Fixed system hang issue caused by TXT disable, TPM disable or SINIT ACM not correctly provided in EFI booting mode Fixed bug for wrong assumption on the way how GRUB2 load modules Fixed MB2 tags mess issue caused by moving shorter module cmdline to head Fixed compile issue when debug=y You are encouraged to install, run and test it, and enjoy it. Thanks, Ning Sun -- One dashboard for servers and applications across Physical-Virtual-Cloud Widest out-of-the-box monitoring support with 50+ applications Performance metrics, stats and reports that give you Actionable Insights Deep dive visibility with transaction tracing using APM Insight. http://ad.doubleclick.net/ddm/clk/290420510;117567292;y___ tboot-devel mailing list tboot-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/tboot-devel