On 13.05.2020 15:55, Andrew Cooper wrote:
> Xen doesn't support CET-IBT yet.  At a minimum, logic is required to enable it
> for supervisor use, but the livepatch functionality needs to learn not to
> overwrite ENDBR64 instructions.
> 
> Furthermore, Ubuntu enables -fcf-protection by default, along with a buggy
> version of GCC-9 which objects to it in combination with
> -mindirect-branch=thunk-extern (Fixed in GCC 10, 9.4).
> 
> Various objects (Xen boot path, Rombios 32 stubs) require .text to be at the
> beginning of the object.  These paths explode when .note.gnu.properties gets
> put ahead of .text and we end up executing the notes data.
> 
> Disable -fcf-protection for all embedded objects.
> 
> Reported-by: Jason Andryuk <[email protected]>
> Signed-off-by: Andrew Cooper <[email protected]>

For the immediate purpose
Reviewed-by: Jan Beulich <[email protected]>

I wonder however ...

> --- a/Config.mk
> +++ b/Config.mk
> @@ -205,6 +205,7 @@ APPEND_CFLAGS += $(foreach i, $(APPEND_INCLUDES), -I$(i))
>  
>  EMBEDDED_EXTRA_CFLAGS := -nopie -fno-stack-protector -fno-stack-protector-all
>  EMBEDDED_EXTRA_CFLAGS += -fno-exceptions -fno-asynchronous-unwind-tables
> +EMBEDDED_EXTRA_CFLAGS += -fcf-protection=none
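
Review bot: the added "EMBEDDED_EXTRA_CFLAGS += -fcf-protection=none" line is unconditional and carries no comment. A compiler that predates -fcf-protection will reject the option unless every consumer of EMBEDDED_EXTRA_CFLAGS runs the list through a compiler option probe, so that is worth confirming for each consumer before this goes in. A short comment above the line, saying that the flag is there because Xen does not support CET-IBT yet and because the embedded objects need .text at the start of the object, would tell a later reader when the line can be dropped.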

... whether this isn't going to bite us once some of the consumers
of this variable want to enable some different mode.

Jan
