[Bug 1863260] [NEW] gcc-9 in Ubuntu generate unbootable xen hypervisor

Stefan Bader stefan.bader at canonical.com
Fri Feb 14 14:45:33 UTC 2020 

Public bug reported:

This problem was first observed in Ubuntu 19.10 (Eoan) but persists in
the current Focal development. The results are the same for the old Xen
version (4.9.2) and the fresh 4.11 merge. As a test I took the xen-
hypervisor binary from Debian Sid (which has been compiled with gcc-9 as
well) and that succeeds in booting Xen (libraries and dom0 kernel are
Ubuntu Focal).

There seems to be one major difference between build environments. The
Xen hypervisor build is done with an external retpoline mitigation:

# Compile with thunk-extern, indirect-branch-register if avaiable.
ifneq ($(call cc-option,$(CC),-mindirect-branch-register,n),n)
CFLAGS += -mindirect-branch=thunk-extern -mindirect-branch-register
CFLAGS += -DCONFIG_INDIRECT_THUNK
export CONFIG_INDIRECT_THUNK=y
endif

The use of -mindirect-branch is incompatible with -fcf-protection. To be
able to build the hypervisor in Ubuntu, I have to add the following
modifications to the make file:

--- xen.orig/xen/arch/x86/Rules.mk
+++ xen/xen/arch/x86/Rules.mk
@@ -42,6 +42,10 @@ endif
 
 # Compile with thunk-extern, indirect-branch-register if avaiable.
 ifneq ($(call cc-option,$(CC),-mindirect-branch-register,n),n)
+ifneq ($(call cc-option,$(CC),-fcf-protection,n),n)
+CFLAGS += -fcf-protection=none
+CXXFLAGS += -fcf-protection=none
+endif
 CFLAGS += -mindirect-branch=thunk-extern -mindirect-branch-register
 CFLAGS += -DCONFIG_INDIRECT_THUNK
 export CONFIG_INDIRECT_THUNK=y

I am wondering whether -fcf-protection=none is only partially effective
and causes the binary to be unbootable (basically it causes an immediate
reset when started).

** Affects: gcc-9 (Ubuntu)
     Importance: High
         Status: New

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to gcc-9 in Ubuntu.
https://bugs.launchpad.net/bugs/1863260

Title:
  gcc-9 in Ubuntu generate unbootable xen hypervisor

Status in gcc-9 package in Ubuntu:
  New

Bug description:
  This problem was first observed in Ubuntu 19.10 (Eoan) but persists in
  the current Focal development. The results are the same for the old
  Xen version (4.9.2) and the fresh 4.11 merge. As a test I took the
  xen-hypervisor binary from Debian Sid (which has been compiled with
  gcc-9 as well) and that succeeds in booting Xen (libraries and dom0
  kernel are Ubuntu Focal).

  There seems to be one major difference between build environments. The
  Xen hypervisor build is done with an external retpoline mitigation:

  # Compile with thunk-extern, indirect-branch-register if avaiable.
  ifneq ($(call cc-option,$(CC),-mindirect-branch-register,n),n)
  CFLAGS += -mindirect-branch=thunk-extern -mindirect-branch-register
  CFLAGS += -DCONFIG_INDIRECT_THUNK
  export CONFIG_INDIRECT_THUNK=y
  endif

  The use of -mindirect-branch is incompatible with -fcf-protection. To
  be able to build the hypervisor in Ubuntu, I have to add the following
  modifications to the make file:

  --- xen.orig/xen/arch/x86/Rules.mk
  +++ xen/xen/arch/x86/Rules.mk
  @@ -42,6 +42,10 @@ endif
   
   # Compile with thunk-extern, indirect-branch-register if avaiable.
   ifneq ($(call cc-option,$(CC),-mindirect-branch-register,n),n)
  +ifneq ($(call cc-option,$(CC),-fcf-protection,n),n)
  +CFLAGS += -fcf-protection=none
  +CXXFLAGS += -fcf-protection=none
  +endif
   CFLAGS += -mindirect-branch=thunk-extern -mindirect-branch-register
   CFLAGS += -DCONFIG_INDIRECT_THUNK
   export CONFIG_INDIRECT_THUNK=y

  I am wondering whether -fcf-protection=none is only partially
  effective and causes the binary to be unbootable (basically it causes
  an immediate reset when started).

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/gcc-9/+bug/1863260/+subscriptions

More information about the foundations-bugs mailing list