Bug 245189 - Building world WITH_BEARSSL=1 and WITH_PIE=1 is currently broken
Summary: Building world WITH_BEARSSL=1 and WITH_PIE=1 is currently broken
Status: New
Alias: None
Product: Base System
Classification: Unclassified
Component: kern (show other bugs)
Version: CURRENT
Hardware: Any Any
: --- Affects Many People
Assignee: freebsd-bugs mailing list
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2020-03-30 15:24 UTC by Gordon Bergling
Modified: 2020-04-16 16:27 UTC (History)
3 users (show)

See Also:


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Gordon Bergling 2020-03-30 15:24:05 UTC
Using the following src.conf and trying to build world with build option WITH_PIE=1 applied is currently broken.

WITH_EXTRA_TCP_STACKS=1
WITH_BEARSSL=1
WITH_PIE=1
WITH_RETPOLINE=1

The error messages are the following.


===> sbin/veriexec (all)
ld: error: unable to find library -lveriexec_pie
ld: error: unable to find library -lsecureboot_pie
ld: error: unable to find library -lbearssl_pie
cc: error: linker command failed with exit code 1 (use -v to see invocation)
--- veriexec.full ---
*** [veriexec.full] Error code 1

make[4]: stopped in /boiler/nfs/src/sbin/veriexec
1 error

make[4]: stopped in /boiler/nfs/src/sbin/veriexec
Comment 1 Brooks Davis freebsd_committer 2020-03-31 16:41:35 UTC
I prodded this a little and I think the logic for when to build _pie.a libraries may be wrong.  Right now it only happens when:

.if defined(INTERNALLIB) && ${MK_PIE} != "no"
PIEOBJS+=       ${OBJS:.o=.pieo}
...
_LIBS+=         lib${LIB_PRIVATE}${LIB}_pie.a


The problem is that veriexec is NO_SHARED= which means it wants to link to the PIE archives that don't exist.

There are a bunch of options here:
 * have NO_SHARED imply MK_PIE=no (or just set it in sbin/veriexec/Makefile)
 * always build _pie.a archives when PIE is enabled.
 * add some sort of PIELIB= to enable the _pie.a archive in select libraries
 * make these libraries into INTENRALLIBS

I've got a build in progress testing adding MK_PIE=no to sbin/veriexec/Makefile
Comment 2 Brooks Davis freebsd_committer 2020-03-31 17:26:52 UTC
This at least allows veriexec to build.  

diff --git a/sbin/veriexec/Makefile b/sbin/veriexec/Makefile
index 8039a8295ccd..8aebfd8d9732 100644
--- a/sbin/veriexec/Makefile
+++ b/sbin/veriexec/Makefile
@@ -9,6 +9,7 @@ SRCS= \
 
 LIBADD+= veriexec secureboot bearssl
 
+MK_PIE=no
 NO_SHARED=
 
 .include <bsd.prog.mk>


I'm then getting other issues, but the are unrelated.
ld: error: can't create dynamic relocation R_X86_64_32 against local symbol in r
eadonly segment; recompile object files with -fPIC or pass '-Wl,-z,notext' to al
low text relocations in the output                                              
>>> defined in pmc.o                                                            
>>> referenced by pmc.c:91 (/home/bed22/git/freebsd/usr.sbin/pmc/pmc.c:91)      
>>>               pmc.o:(main)
Comment 3 Gordon Bergling 2020-04-01 05:23:56 UTC
@Brooks, thanks for your investigation on this topic. I applied
MK_PIE=no
to /sbin/veriexec/Makefile and usr.sbin/pmc/Makefile and the build successful.

Is there any change that this could be committed?
Comment 4 commit-hook freebsd_committer 2020-04-01 05:46:00 UTC
A commit references this bug:

Author: sjg
Date: Wed Apr  1 05:45:13 UTC 2020
New revision: 359502
URL: https://svnweb.freebsd.org/changeset/base/359502

Log:
  Do not claim libbearssl et al are INTERNALLIB

  If INTERNALLIB is defined we need PIE and bsd.incs.mk is
  not included.

  PR:		245189
  Reviewed by:	emaste
  MFC after:	1 week
  Differential Revision: https://reviews.freebsd.org//D24233

Changes:
  head/lib/libveriexec/Makefile
  head/share/mk/src.libnames.mk
Comment 5 Gordon Bergling 2020-04-03 08:50:54 UTC
Thanks for the bugfix for BearSSL. Is it also possible to add MK_PIE=no to the Makefile of usr.sbin/pmc since it is still broken when building world with WITH_PIE=1?
Comment 6 commit-hook freebsd_committer 2020-04-03 16:11:33 UTC
A commit references this bug:

Author: brooks
Date: Fri Apr  3 16:10:42 UTC 2020
New revision: 359601
URL: https://svnweb.freebsd.org/changeset/base/359601

Log:
  pmc: diable position-independent builds, they fail to link on amd64

  PR:		245189
  Reported by:	Gordon Bergling
  Sponsored by:	DARPA

Changes:
  head/usr.sbin/pmc/Makefile
Comment 7 commit-hook freebsd_committer 2020-04-14 01:08:41 UTC
A commit references this bug:

Author: sjg
Date: Tue Apr 14 01:07:59 UTC 2020
New revision: 359913
URL: https://svnweb.freebsd.org/changeset/base/359913

Log:
  Do not claim libbearssl et al are INTERNALLIB

  If INTERNALLIB is defined we need PIE and bsd.incs.mk is
  not included.

  MFC of r359502

  PR:		245189
  Reviewed by:	emaste
  Differential Revision: https://reviews.freebsd.org//D24233

Changes:
  stable/12/lib/libveriexec/Makefile
  stable/12/share/mk/src.libnames.mk
Comment 8 Gordon Bergling 2020-04-16 16:27:37 UTC
It would be nice, if r359601 could also be MFC'ed for consistency. I just did a full build world on 12-STABLE and it succeed with WITH_PIE=1 and WITH_RETPOLINE=1 within the /etc/src.conf, but you never know.