[Bug 1863260] [NEW] gcc-9 in Ubuntu generate unbootable xen hypervisor

Fri, 14 Feb 2020 06:55:49 -0800 

Public bug reported:

This problem was first observed in Ubuntu 19.10 (Eoan) but persists in
the current Focal development. The results are the same for the old Xen
version (4.9.2) and the fresh 4.11 merge. As a test I took the xen-
hypervisor binary from Debian Sid (which has been compiled with gcc-9 as
well) and that succeeds in booting Xen (libraries and dom0 kernel are
Ubuntu Focal).

There seems to be one major difference between build environments. The
Xen hypervisor build is done with an external retpoline mitigation:

# Compile with thunk-extern, indirect-branch-register if avaiable.
ifneq ($(call cc-option,$(CC),-mindirect-branch-register,n),n)
CFLAGS += -mindirect-branch=thunk-extern -mindirect-branch-register
CFLAGS += -DCONFIG_INDIRECT_THUNK
export CONFIG_INDIRECT_THUNK=y
endif

The use of -mindirect-branch is incompatible with -fcf-protection. To be
able to build the hypervisor in Ubuntu, I have to add the following
modifications to the make file:

--- xen.orig/xen/arch/x86/Rules.mk
+++ xen/xen/arch/x86/Rules.mk
@@ -42,6 +42,10 @@ endif
 
 # Compile with thunk-extern, indirect-branch-register if avaiable.
 ifneq ($(call cc-option,$(CC),-mindirect-branch-register,n),n)
+ifneq ($(call cc-option,$(CC),-fcf-protection,n),n)
+CFLAGS += -fcf-protection=none
+CXXFLAGS += -fcf-protection=none
+endif
 CFLAGS += -mindirect-branch=thunk-extern -mindirect-branch-register
 CFLAGS += -DCONFIG_INDIRECT_THUNK
 export CONFIG_INDIRECT_THUNK=y

I am wondering whether -fcf-protection=none is only partially effective
and causes the binary to be unbootable (basically it causes an immediate
reset when started).

** Affects: gcc-9 (Ubuntu)
     Importance: High
         Status: New

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1863260

Title:
  gcc-9 in Ubuntu generate unbootable xen hypervisor

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/gcc-9/+bug/1863260/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

Reply via email to