245189 – Building world WITH_BEARSSL=1 and WITH_PIE=1 is currently broken

Bug 245189 - Building world WITH_BEARSSL=1 and WITH_PIE=1 is currently broken

Summary: Building world WITH_BEARSSL=1 and WITH_PIE=1 is currently broken

Status:	Closed FIXED

Alias:	None

Product:	Base System
Classification:	Unclassified
Component:	kern (show other bugs)
Version:	CURRENT
Hardware:	Any Any

Importance:	--- Affects Many People
Assignee:	Simon J. Gerraty

URL:
Keywords:

Depends on:
Blocks:

Reported:	2020-03-30 15:24 UTC by Gordon Bergling
Modified:	2020-06-08 15:28 UTC (History)
CC List:	4 users (show)

See Also:

Flags:	markj: mfc-stable12+

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Gordon Bergling freebsd_committer

2020-03-30 15:24:05 UTC

Using the following src.conf and trying to build world with build option WITH_PIE=1 applied is currently broken.

WITH_EXTRA_TCP_STACKS=1
WITH_BEARSSL=1
WITH_PIE=1
WITH_RETPOLINE=1

The error messages are the following.


===> sbin/veriexec (all)
ld: error: unable to find library -lveriexec_pie
ld: error: unable to find library -lsecureboot_pie
ld: error: unable to find library -lbearssl_pie
cc: error: linker command failed with exit code 1 (use -v to see invocation)
--- veriexec.full ---
*** [veriexec.full] Error code 1

make[4]: stopped in /boiler/nfs/src/sbin/veriexec
1 error

make[4]: stopped in /boiler/nfs/src/sbin/veriexec

Comment 1 Brooks Davis freebsd_committer

2020-03-31 16:41:35 UTC

I prodded this a little and I think the logic for when to build _pie.a libraries may be wrong.  Right now it only happens when:

.if defined(INTERNALLIB) && ${MK_PIE} != "no"
PIEOBJS+=       ${OBJS:.o=.pieo}
...
_LIBS+=         lib${LIB_PRIVATE}${LIB}_pie.a


The problem is that veriexec is NO_SHARED= which means it wants to link to the PIE archives that don't exist.

There are a bunch of options here:
 * have NO_SHARED imply MK_PIE=no (or just set it in sbin/veriexec/Makefile)
 * always build _pie.a archives when PIE is enabled.
 * add some sort of PIELIB= to enable the _pie.a archive in select libraries
 * make these libraries into INTENRALLIBS

I've got a build in progress testing adding MK_PIE=no to sbin/veriexec/Makefile

Comment 2 Brooks Davis freebsd_committer

2020-03-31 17:26:52 UTC

This at least allows veriexec to build.  

diff --git a/sbin/veriexec/Makefile b/sbin/veriexec/Makefile
index 8039a8295ccd..8aebfd8d9732 100644
--- a/sbin/veriexec/Makefile
+++ b/sbin/veriexec/Makefile
@@ -9,6 +9,7 @@ SRCS= \
 
 LIBADD+= veriexec secureboot bearssl
 
+MK_PIE=no
 NO_SHARED=
 
 .include <bsd.prog.mk>


I'm then getting other issues, but the are unrelated.
ld: error: can't create dynamic relocation R_X86_64_32 against local symbol in r
eadonly segment; recompile object files with -fPIC or pass '-Wl,-z,notext' to al
low text relocations in the output                                              
>>> defined in pmc.o                                                            
>>> referenced by pmc.c:91 (/home/bed22/git/freebsd/usr.sbin/pmc/pmc.c:91)      
>>>               pmc.o:(main)

Comment 3 Gordon Bergling freebsd_committer

2020-04-01 05:23:56 UTC

@Brooks, thanks for your investigation on this topic. I applied
MK_PIE=no
to /sbin/veriexec/Makefile and usr.sbin/pmc/Makefile and the build successful.

Is there any change that this could be committed?

Comment 4 commit-hook freebsd_committer

2020-04-01 05:46:00 UTC

A commit references this bug:

Author: sjg
Date: Wed Apr  1 05:45:13 UTC 2020
New revision: 359502
URL: https://svnweb.freebsd.org/changeset/base/359502

Log:
  Do not claim libbearssl et al are INTERNALLIB

  If INTERNALLIB is defined we need PIE and bsd.incs.mk is
  not included.

  PR:		245189
  Reviewed by:	emaste
  MFC after:	1 week
  Differential Revision: https://reviews.freebsd.org//D24233

Changes:
  head/lib/libveriexec/Makefile
  head/share/mk/src.libnames.mk

Comment 5 Gordon Bergling freebsd_committer

2020-04-03 08:50:54 UTC

Thanks for the bugfix for BearSSL. Is it also possible to add MK_PIE=no to the Makefile of usr.sbin/pmc since it is still broken when building world with WITH_PIE=1?

Comment 6 commit-hook freebsd_committer

2020-04-03 16:11:33 UTC

A commit references this bug:

Author: brooks
Date: Fri Apr  3 16:10:42 UTC 2020
New revision: 359601
URL: https://svnweb.freebsd.org/changeset/base/359601

Log:
  pmc: diable position-independent builds, they fail to link on amd64

  PR:		245189
  Reported by:	Gordon Bergling
  Sponsored by:	DARPA

Changes:
  head/usr.sbin/pmc/Makefile

Comment 7 commit-hook freebsd_committer

2020-04-14 01:08:41 UTC

A commit references this bug:

Author: sjg
Date: Tue Apr 14 01:07:59 UTC 2020
New revision: 359913
URL: https://svnweb.freebsd.org/changeset/base/359913

Log:
  Do not claim libbearssl et al are INTERNALLIB

  If INTERNALLIB is defined we need PIE and bsd.incs.mk is
  not included.

  MFC of r359502

  PR:		245189
  Reviewed by:	emaste
  Differential Revision: https://reviews.freebsd.org//D24233

Changes:
  stable/12/lib/libveriexec/Makefile
  stable/12/share/mk/src.libnames.mk

Comment 8 Gordon Bergling freebsd_committer

2020-04-16 16:27:37 UTC

It would be nice, if r359601 could also be MFC'ed for consistency. I just did a full build world on 12-STABLE and it succeed with WITH_PIE=1 and WITH_RETPOLINE=1 within the /etc/src.conf, but you never know.

Comment 9 commit-hook freebsd_committer

2020-06-08 15:28:45 UTC

A commit references this bug:

Author: markj
Date: Mon Jun  8 15:27:45 UTC 2020
New revision: 361929
URL: https://svnweb.freebsd.org/changeset/base/361929

Log:
  MFC r359601 (by brooks):
  pmc: diable position-independent builds, they fail to link on amd64

  PR:	245189

Changes:
_U  stable/12/
  stable/12/usr.sbin/pmc/Makefile