Bug 245189
| Summary: | Building world WITH_BEARSSL=1 and WITH_PIE=1 is currently broken | ||
|---|---|---|---|
| Product: | Base System | Reporter: | Gordon Bergling <gbe> |
| Component: | kern | Assignee: | Simon J. Gerraty <sjg> |
| Status: | Closed FIXED | ||
| Severity: | Affects Many People | CC: | brooks, emaste, markj, sjg |
| Priority: | --- | Flags: | markj:
mfc-stable12+
|
| Version: | CURRENT | ||
| Hardware: | Any | ||
| OS: | Any | ||
|
Description
Gordon Bergling
2020-03-30 15:24:05 UTC
I prodded this a little and I think the logic for when to build _pie.a libraries may be wrong. Right now it only happens when:
.if defined(INTERNALLIB) && ${MK_PIE} != "no"
PIEOBJS+= ${OBJS:.o=.pieo}
...
_LIBS+= lib${LIB_PRIVATE}${LIB}_pie.a
The problem is that veriexec is NO_SHARED= which means it wants to link to the PIE archives that don't exist.
There are a bunch of options here:
* have NO_SHARED imply MK_PIE=no (or just set it in sbin/veriexec/Makefile)
* always build _pie.a archives when PIE is enabled.
* add some sort of PIELIB= to enable the _pie.a archive in select libraries
* make these libraries into INTENRALLIBS
I've got a build in progress testing adding MK_PIE=no to sbin/veriexec/Makefile
This at least allows veriexec to build.
diff --git a/sbin/veriexec/Makefile b/sbin/veriexec/Makefile
index 8039a8295ccd..8aebfd8d9732 100644
--- a/sbin/veriexec/Makefile
+++ b/sbin/veriexec/Makefile
@@ -9,6 +9,7 @@ SRCS= \
LIBADD+= veriexec secureboot bearssl
+MK_PIE=no
NO_SHARED=
.include <bsd.prog.mk>
I'm then getting other issues, but the are unrelated.
ld: error: can't create dynamic relocation R_X86_64_32 against local symbol in r
eadonly segment; recompile object files with -fPIC or pass '-Wl,-z,notext' to al
low text relocations in the output
>>> defined in pmc.o
>>> referenced by pmc.c:91 (/home/bed22/git/freebsd/usr.sbin/pmc/pmc.c:91)
>>> pmc.o:(main)
@Brooks, thanks for your investigation on this topic. I applied MK_PIE=no to /sbin/veriexec/Makefile and usr.sbin/pmc/Makefile and the build successful. Is there any change that this could be committed? A commit references this bug: Author: sjg Date: Wed Apr 1 05:45:13 UTC 2020 New revision: 359502 URL: https://svnweb.freebsd.org/changeset/base/359502 Log: Do not claim libbearssl et al are INTERNALLIB If INTERNALLIB is defined we need PIE and bsd.incs.mk is not included. PR: 245189 Reviewed by: emaste MFC after: 1 week Differential Revision: https://reviews.freebsd.org//D24233 Changes: head/lib/libveriexec/Makefile head/share/mk/src.libnames.mk Thanks for the bugfix for BearSSL. Is it also possible to add MK_PIE=no to the Makefile of usr.sbin/pmc since it is still broken when building world with WITH_PIE=1? A commit references this bug: Author: brooks Date: Fri Apr 3 16:10:42 UTC 2020 New revision: 359601 URL: https://svnweb.freebsd.org/changeset/base/359601 Log: pmc: diable position-independent builds, they fail to link on amd64 PR: 245189 Reported by: Gordon Bergling Sponsored by: DARPA Changes: head/usr.sbin/pmc/Makefile A commit references this bug: Author: sjg Date: Tue Apr 14 01:07:59 UTC 2020 New revision: 359913 URL: https://svnweb.freebsd.org/changeset/base/359913 Log: Do not claim libbearssl et al are INTERNALLIB If INTERNALLIB is defined we need PIE and bsd.incs.mk is not included. MFC of r359502 PR: 245189 Reviewed by: emaste Differential Revision: https://reviews.freebsd.org//D24233 Changes: stable/12/lib/libveriexec/Makefile stable/12/share/mk/src.libnames.mk It would be nice, if r359601 could also be MFC'ed for consistency. I just did a full build world on 12-STABLE and it succeed with WITH_PIE=1 and WITH_RETPOLINE=1 within the /etc/src.conf, but you never know. A commit references this bug: Author: markj Date: Mon Jun 8 15:27:45 UTC 2020 New revision: 361929 URL: https://svnweb.freebsd.org/changeset/base/361929 Log: MFC r359601 (by brooks): pmc: diable position-independent builds, they fail to link on amd64 PR: 245189 Changes: _U stable/12/ stable/12/usr.sbin/pmc/Makefile |