[1/2] tools/firmware: fix setting of fcf-protection=none

Commit Message

Roger Pau Monne April 1, 2022, 2:37 p.m. UTC

Setting the fcf-protection=none option in EMBEDDED_EXTRA_CFLAGS in the
Makefile doesn't get it propagated to the subdirectories, so instead
set the flag in firmware/Rules.mk, like it's done for other compiler
flags.

Fixes: 3667f7f8f7 ('x86: Introduce support for CET-IBT')
Signed-off-by: Roger Pau Monné <roger.pau@citrix.com>
---
 tools/firmware/Makefile | 2 --
 tools/firmware/Rules.mk | 2 ++
 2 files changed, 2 insertions(+), 2 deletions(-)

Comments

Andrew Cooper April 1, 2022, 2:48 p.m. UTC | #1

On 01/04/2022 15:37, Roger Pau Monne wrote:
> Setting the fcf-protection=none option in EMBEDDED_EXTRA_CFLAGS in the
> Makefile doesn't get it propagated to the subdirectories, so instead
> set the flag in firmware/Rules.mk, like it's done for other compiler
> flags.
>
> Fixes: 3667f7f8f7 ('x86: Introduce support for CET-IBT')
> Signed-off-by: Roger Pau Monné <roger.pau@citrix.com>

Acked-by: Andrew Cooper <andrew.cooper3@citrix.com>

Anthony PERARD April 1, 2022, 2:50 p.m. UTC | #2

On Fri, Apr 01, 2022 at 04:37:18PM +0200, Roger Pau Monne wrote:
> Setting the fcf-protection=none option in EMBEDDED_EXTRA_CFLAGS in the
> Makefile doesn't get it propagated to the subdirectories, so instead
> set the flag in firmware/Rules.mk, like it's done for other compiler
> flags.
> 
> Fixes: 3667f7f8f7 ('x86: Introduce support for CET-IBT')
> Signed-off-by: Roger Pau Monné <roger.pau@citrix.com>
> ---
>  tools/firmware/Makefile | 2 --
>  tools/firmware/Rules.mk | 2 ++
>  2 files changed, 2 insertions(+), 2 deletions(-)
> 
> diff --git a/tools/firmware/Makefile b/tools/firmware/Makefile
> index 53ed4f161e..345037b93b 100644
> --- a/tools/firmware/Makefile
> +++ b/tools/firmware/Makefile
> @@ -6,8 +6,6 @@ TARGET      := hvmloader/hvmloader
>  INST_DIR := $(DESTDIR)$(XENFIRMWAREDIR)
>  DEBG_DIR := $(DESTDIR)$(DEBUG_DIR)$(XENFIRMWAREDIR)
>  
> -EMBEDDED_EXTRA_CFLAGS += -fcf-protection=none
> -
>  SUBDIRS-y :=
>  SUBDIRS-$(CONFIG_OVMF) += ovmf-dir
>  SUBDIRS-$(CONFIG_SEABIOS) += seabios-dir
> diff --git a/tools/firmware/Rules.mk b/tools/firmware/Rules.mk
> index 9f78a7dec9..efbbc73a45 100644
> --- a/tools/firmware/Rules.mk
> +++ b/tools/firmware/Rules.mk
> @@ -13,6 +13,8 @@ endif
>  
>  CFLAGS += -Werror
>  
> +EMBEDDED_EXTRA_CFLAGS += -fcf-protection=none
> +

I think making modification to $(EMBEDDED_EXTRA_CFLAGS) outside of
"Config.mk" is confusing and would be better be avoided.

Could you instead call $(cc-option-add ) just for that extra CFLAGS?

>  $(call cc-options-add,CFLAGS,CC,$(EMBEDDED_EXTRA_CFLAGS))
>  
>  # Extra CFLAGS suitable for an embedded type of environment.

Thanks,

Andrew Cooper April 1, 2022, 3:04 p.m. UTC | #3

On 01/04/2022 15:50, Anthony PERARD wrote:
> On Fri, Apr 01, 2022 at 04:37:18PM +0200, Roger Pau Monne wrote:
>> Setting the fcf-protection=none option in EMBEDDED_EXTRA_CFLAGS in the
>> Makefile doesn't get it propagated to the subdirectories, so instead
>> set the flag in firmware/Rules.mk, like it's done for other compiler
>> flags.
>>
>> Fixes: 3667f7f8f7 ('x86: Introduce support for CET-IBT')
>> Signed-off-by: Roger Pau Monné <roger.pau@citrix.com>
>> ---
>>  tools/firmware/Makefile | 2 --
>>  tools/firmware/Rules.mk | 2 ++
>>  2 files changed, 2 insertions(+), 2 deletions(-)
>>
>> diff --git a/tools/firmware/Makefile b/tools/firmware/Makefile
>> index 53ed4f161e..345037b93b 100644
>> --- a/tools/firmware/Makefile
>> +++ b/tools/firmware/Makefile
>> @@ -6,8 +6,6 @@ TARGET      := hvmloader/hvmloader
>>  INST_DIR := $(DESTDIR)$(XENFIRMWAREDIR)
>>  DEBG_DIR := $(DESTDIR)$(DEBUG_DIR)$(XENFIRMWAREDIR)
>>  
>> -EMBEDDED_EXTRA_CFLAGS += -fcf-protection=none
>> -
>>  SUBDIRS-y :=
>>  SUBDIRS-$(CONFIG_OVMF) += ovmf-dir
>>  SUBDIRS-$(CONFIG_SEABIOS) += seabios-dir
>> diff --git a/tools/firmware/Rules.mk b/tools/firmware/Rules.mk
>> index 9f78a7dec9..efbbc73a45 100644
>> --- a/tools/firmware/Rules.mk
>> +++ b/tools/firmware/Rules.mk
>> @@ -13,6 +13,8 @@ endif
>>  
>>  CFLAGS += -Werror
>>  
>> +EMBEDDED_EXTRA_CFLAGS += -fcf-protection=none
>> +
> I think making modification to $(EMBEDDED_EXTRA_CFLAGS) outside of
> "Config.mk" is confusing and would be better be avoided.

EMBEDDED_EXTRA_CFLAGS in the root Config.mk is conceptually broken and
needs deleting.

Yes, xen/ and tools/firmware/ are freestanding from C's point of view,
and embedded from many peoples points of view, but this doesn't mean
they have shared build requirements.

-nopie isn't even a CFLAG.  It's spelt -no-pie and is an LDFLAG.  This
bug is hidden by everything being cc-option'd behind the scenes.

Stack protector we'd absolutely have in Xen if it weren't for a quirk of
supporting PV guests.

-fno-exceptions is C++ only so not relevant for anything in xen.git

~Andrew

Andrew Cooper April 1, 2022, 3:05 p.m. UTC | #4

On 01/04/2022 15:48, Andrew Cooper wrote:
> On 01/04/2022 15:37, Roger Pau Monne wrote:
>> Setting the fcf-protection=none option in EMBEDDED_EXTRA_CFLAGS in the
>> Makefile doesn't get it propagated to the subdirectories, so instead
>> set the flag in firmware/Rules.mk, like it's done for other compiler
>> flags.
>>
>> Fixes: 3667f7f8f7 ('x86: Introduce support for CET-IBT')
>> Signed-off-by: Roger Pau Monné <roger.pau@citrix.com>
> Acked-by: Andrew Cooper <andrew.cooper3@citrix.com>

This also needs backporting with the XSA-398 CET-IBT fixes.

~Andrew

Anthony PERARD April 1, 2022, 3:21 p.m. UTC | #5

On Fri, Apr 01, 2022 at 03:04:44PM +0000, Andrew Cooper wrote:
> On 01/04/2022 15:50, Anthony PERARD wrote:
> > On Fri, Apr 01, 2022 at 04:37:18PM +0200, Roger Pau Monne wrote:
> >> +EMBEDDED_EXTRA_CFLAGS += -fcf-protection=none
> >> +
> > I think making modification to $(EMBEDDED_EXTRA_CFLAGS) outside of
> > "Config.mk" is confusing and would be better be avoided.
> 
> EMBEDDED_EXTRA_CFLAGS in the root Config.mk is conceptually broken and
> needs deleting.

I'm asking to remove "-fcf-protection=none" from the broken variable
EMBEDDED_EXTRA_CFLAGS, and instead only modify the CFLAGS variable of
"tools/firmware/".

As this patch show, making modification to EMBEDDED_EXTRA_CFLAGS outside
of Config.mk doesn't work because changes doesn't propagate.

So the modification I've ask for the patch goes toward deleting
EMBEDDED_EXTRA_CFLAGS, like you want.

Cheers,

Jan Beulich April 5, 2022, 10:18 a.m. UTC | #6

On 01.04.2022 17:05, Andrew Cooper wrote:
> On 01/04/2022 15:48, Andrew Cooper wrote:
>> On 01/04/2022 15:37, Roger Pau Monne wrote:
>>> Setting the fcf-protection=none option in EMBEDDED_EXTRA_CFLAGS in the
>>> Makefile doesn't get it propagated to the subdirectories, so instead
>>> set the flag in firmware/Rules.mk, like it's done for other compiler
>>> flags.
>>>
>>> Fixes: 3667f7f8f7 ('x86: Introduce support for CET-IBT')
>>> Signed-off-by: Roger Pau Monné <roger.pau@citrix.com>
>> Acked-by: Andrew Cooper <andrew.cooper3@citrix.com>
> 
> This also needs backporting with the XSA-398 CET-IBT fixes.

I don't think so - the backports of the original commit didn't include
what this patch fixes. I have queued patch 2 of this series though.

Jan

Andrew Cooper April 5, 2022, 10:58 a.m. UTC | #7

On 05/04/2022 11:18, Jan Beulich wrote:
> On 01.04.2022 17:05, Andrew Cooper wrote:
>> On 01/04/2022 15:48, Andrew Cooper wrote:
>>> On 01/04/2022 15:37, Roger Pau Monne wrote:
>>>> Setting the fcf-protection=none option in EMBEDDED_EXTRA_CFLAGS in the
>>>> Makefile doesn't get it propagated to the subdirectories, so instead
>>>> set the flag in firmware/Rules.mk, like it's done for other compiler
>>>> flags.
>>>>
>>>> Fixes: 3667f7f8f7 ('x86: Introduce support for CET-IBT')
>>>> Signed-off-by: Roger Pau Monné <roger.pau@citrix.com>
>>> Acked-by: Andrew Cooper <andrew.cooper3@citrix.com>
>> This also needs backporting with the XSA-398 CET-IBT fixes.
> I don't think so - the backports of the original commit didn't include
> what this patch fixes. I have queued patch 2 of this series though.

In which case I screwed up the backport.  (I remember spotting this bug
and thought I'd corrected it, but clearly not.)  tools/firmware really
does need to be -fcf-protection=none to counteract the defaults in
Ubuntu/etc.

~Andrew

Jan Beulich April 5, 2022, 11:04 a.m. UTC | #8

On 05.04.2022 12:58, Andrew Cooper wrote:
> On 05/04/2022 11:18, Jan Beulich wrote:
>> On 01.04.2022 17:05, Andrew Cooper wrote:
>>> On 01/04/2022 15:48, Andrew Cooper wrote:
>>>> On 01/04/2022 15:37, Roger Pau Monne wrote:
>>>>> Setting the fcf-protection=none option in EMBEDDED_EXTRA_CFLAGS in the
>>>>> Makefile doesn't get it propagated to the subdirectories, so instead
>>>>> set the flag in firmware/Rules.mk, like it's done for other compiler
>>>>> flags.
>>>>>
>>>>> Fixes: 3667f7f8f7 ('x86: Introduce support for CET-IBT')
>>>>> Signed-off-by: Roger Pau Monné <roger.pau@citrix.com>
>>>> Acked-by: Andrew Cooper <andrew.cooper3@citrix.com>
>>> This also needs backporting with the XSA-398 CET-IBT fixes.
>> I don't think so - the backports of the original commit didn't include
>> what this patch fixes. I have queued patch 2 of this series though.
> 
> In which case I screwed up the backport.  (I remember spotting this bug
> and thought I'd corrected it, but clearly not.)  tools/firmware really
> does need to be -fcf-protection=none to counteract the defaults in
> Ubuntu/etc.

Okay, I'll adjust title and description some then while doing the backport.

Jan

Andrew Cooper April 5, 2022, 11:09 a.m. UTC | #9

On 05/04/2022 12:04, Jan Beulich wrote:
> On 05.04.2022 12:58, Andrew Cooper wrote:
>> On 05/04/2022 11:18, Jan Beulich wrote:
>>> On 01.04.2022 17:05, Andrew Cooper wrote:
>>>> On 01/04/2022 15:48, Andrew Cooper wrote:
>>>>> On 01/04/2022 15:37, Roger Pau Monne wrote:
>>>>>> Setting the fcf-protection=none option in EMBEDDED_EXTRA_CFLAGS in the
>>>>>> Makefile doesn't get it propagated to the subdirectories, so instead
>>>>>> set the flag in firmware/Rules.mk, like it's done for other compiler
>>>>>> flags.
>>>>>>
>>>>>> Fixes: 3667f7f8f7 ('x86: Introduce support for CET-IBT')
>>>>>> Signed-off-by: Roger Pau Monné <roger.pau@citrix.com>
>>>>> Acked-by: Andrew Cooper <andrew.cooper3@citrix.com>
>>>> This also needs backporting with the XSA-398 CET-IBT fixes.
>>> I don't think so - the backports of the original commit didn't include
>>> what this patch fixes. I have queued patch 2 of this series though.
>> In which case I screwed up the backport.  (I remember spotting this bug
>> and thought I'd corrected it, but clearly not.)  tools/firmware really
>> does need to be -fcf-protection=none to counteract the defaults in
>> Ubuntu/etc.
> Okay, I'll adjust title and description some then while doing the backport.

Thanks, and sorry for this mess.

~Andrew

Patch

diff --git a/tools/firmware/Makefile b/tools/firmware/Makefile
index 53ed4f161e..345037b93b 100644
--- a/tools/firmware/Makefile
+++ b/tools/firmware/Makefile
@@ -6,8 +6,6 @@  TARGET      := hvmloader/hvmloader
 INST_DIR := $(DESTDIR)$(XENFIRMWAREDIR)
 DEBG_DIR := $(DESTDIR)$(DEBUG_DIR)$(XENFIRMWAREDIR)
 
-EMBEDDED_EXTRA_CFLAGS += -fcf-protection=none
-
 SUBDIRS-y :=
 SUBDIRS-$(CONFIG_OVMF) += ovmf-dir
 SUBDIRS-$(CONFIG_SEABIOS) += seabios-dir
diff --git a/tools/firmware/Rules.mk b/tools/firmware/Rules.mk
index 9f78a7dec9..efbbc73a45 100644
--- a/tools/firmware/Rules.mk
+++ b/tools/firmware/Rules.mk
@@ -13,6 +13,8 @@  endif
 
 CFLAGS += -Werror
 
+EMBEDDED_EXTRA_CFLAGS += -fcf-protection=none
+
 $(call cc-options-add,CFLAGS,CC,$(EMBEDDED_EXTRA_CFLAGS))
 
 # Extra CFLAGS suitable for an embedded type of environment.