* HAS_CC_CET_IBT misdetected
@ 2023-05-02  5:48 Olaf Hering
  2023-05-02  7:31 ` Jan Beulich
  0 siblings, 1 reply; 12+ messages in thread
From: Olaf Hering @ 2023-05-02  5:48 UTC
  To: xen-devel

The next push to xen.git#staging will trigger a build failure in the refreshed Leap docker image.

For some reason HAS_CC_CET_IBT will evaluate to true. I think the significant change is the binutils upgrade from 2.37 to 2.39 in November 2022.

The comment indicates the combination of gcc7 and binutils 2.39 is supposed to evaluate HAS_CC_CET_IBT to false.


Olaf


* Re: HAS_CC_CET_IBT misdetected
  2023-05-02  5:48 HAS_CC_CET_IBT misdetected Olaf Hering
@ 2023-05-02  7:31 ` Jan Beulich
  2023-05-02  7:34   ` Jan Beulich
  2023-05-02 11:33   ` Olaf Hering
  0 siblings, 2 replies; 12+ messages in thread
From: Jan Beulich @ 2023-05-02  7:31 UTC
  To: Olaf Hering; +Cc: xen-devel

On 02.05.2023 07:48, Olaf Hering wrote:
> The next push to xen.git#staging will trigger a build failure in the refreshed Leap docker image.
> 
> For some reason HAS_CC_CET_IBT will evaluate to true. I think the significant change is the binutils upgrade from 2.37 to 2.39 in November 2022.
> 
> The comment indicates the combination of gcc7 and binutils 2.39 is supposed to evaluate HAS_CC_CET_IBT to false.

How does 2.37 vs 2.39 matter? CET-IBT support is present in gas as of 2.29.
IOW I think it all ought to be tied to gcc being 7.x when 9.x is the
supposed minimum. Did you / could you check which of the three options
(-fcf-protection=branch -mmanual-endbr -mindirect-branch=thunk-extern)
is/are possibly recognized by the (likely also updated) gcc7 there? That
may provide a hint at what's going wrong ...

Jan




* Re: HAS_CC_CET_IBT misdetected
  2023-05-02  7:31 ` Jan Beulich
@ 2023-05-02  7:34   ` Jan Beulich
  2023-05-02 11:33   ` Olaf Hering
  1 sibling, 0 replies; 12+ messages in thread
From: Jan Beulich @ 2023-05-02  7:34 UTC
  To: Olaf Hering; +Cc: xen-devel

On 02.05.2023 09:31, Jan Beulich wrote:
> On 02.05.2023 07:48, Olaf Hering wrote:
>> The next push to xen.git#staging will trigger a build failure in the refreshed Leap docker image.
>>
>> For some reason HAS_CC_CET_IBT will evaluate to true. I think the significant change is the binutils upgrade from 2.37 to 2.39 in November 2022.
>>
>> The comment indicates the combination of gcc7 and binutils 2.39 is supposed to evaluate HAS_CC_CET_IBT to false.
> 
> How does 2.37 vs 2.39 matter? CET-IBT support is present in gas as of 2.29.
> IOW I think it all ought to be tied to gcc being 7.x when 9.x is the
> supposed minimum. Did you / could you check which of the three options
> (-fcf-protection=branch -mmanual-endbr -mindirect-branch=thunk-extern)
> is/are possibly recognized by the (likely also updated) gcc7 there? That
> may provide a hint at what's going wrong ...

Oh, it might further be relevant that Kconfig's cc-option passes -E to the
compiler, yet none of the options actually affect pre-processing (and hence
might not be tried to be evaluated with -E).

Jan



* Re: HAS_CC_CET_IBT misdetected
  2023-05-02  7:31 ` Jan Beulich
  2023-05-02  7:34   ` Jan Beulich
@ 2023-05-02 11:33   ` Olaf Hering
  2023-05-02 12:01     ` Andrew Cooper
  2023-05-02 12:04     ` Olaf Hering
  1 sibling, 2 replies; 12+ messages in thread
From: Olaf Hering @ 2023-05-02 11:33 UTC
  To: Jan Beulich; +Cc: xen-devel

Tue, 2 May 2023 09:31:56 +0200 Jan Beulich <jbeulich@suse.com>:

> How does 2.37 vs 2.39 matter? CET-IBT support is present in gas as of 2.29.

I have no idea. It turned out, the previous Leap image was based on 15.3, while the current one will be 15.4.

If I run this manually, it appears the error is produced properly:

gcc -Wall -fcf-protection=branch -mmanual-endbr -mindirect-branch=thunk-extern -c -x assembler -o /dev/null - ; echo $?
gcc: error: unrecognized command line option ‘-fcf-protection=branch’; did you mean ‘-fno-protect-parens’?
gcc: error: unrecognized command line option ‘-mmanual-endbr’
1

And for some reason there is no failure with the refreshed image on gitlab:

https://gitlab.com/xen-project/xen/-/jobs/4210269545/artifacts/external_file/build.log

I will investigate why it failed to build for me.


Olaf


* Re: HAS_CC_CET_IBT misdetected
  2023-05-02 11:33   ` Olaf Hering
@ 2023-05-02 12:01     ` Andrew Cooper
  2023-05-02 12:04     ` Olaf Hering
  1 sibling, 0 replies; 12+ messages in thread
From: Andrew Cooper @ 2023-05-02 12:01 UTC
  To: Olaf Hering, Jan Beulich; +Cc: xen-devel

On 02/05/2023 12:33 pm, Olaf Hering wrote:
> Tue, 2 May 2023 09:31:56 +0200 Jan Beulich <jbeulich@suse.com>:
>
>> How does 2.37 vs 2.39 matter? CET-IBT support is present in gas as of 2.29.
> I have no idea. It turned out, the previous Leap image was based on 15.3, while the current one will be 15.4.
>
> If I run this manually, it appears the error is produced properly:
>
> gcc -Wall -fcf-protection=branch -mmanual-endbr -mindirect-branch=thunk-extern -c -x assembler -o /dev/null - ; echo $?
> gcc: error: unrecognized command line option ‘-fcf-protection=branch’; did you mean ‘-fno-protect-parens’?
> gcc: error: unrecognized command line option ‘-mmanual-endbr’
> 1
>
> And for some reason there is no failure with the refreshed image on gitlab:
>
> https://gitlab.com/xen-project/xen/-/jobs/4210269545/artifacts/external_file/build.log
>
> I will investigate why it failed to build for me.

CET-IBT is far more dependent on the compiler than it is on binutils.

The minimum version of GCC necessary is 9, but if you've backported the
requisite options then an older GCC will work too.

~Andrew



* Re: HAS_CC_CET_IBT misdetected
  2023-05-02 11:33   ` Olaf Hering
  2023-05-02 12:01     ` Andrew Cooper
@ 2023-05-02 12:04     ` Olaf Hering
  2023-05-02 13:29       ` Jan Beulich
  2023-05-02 13:41       ` Andrew Cooper
  1 sibling, 2 replies; 12+ messages in thread
From: Olaf Hering @ 2023-05-02 12:04 UTC
  To: Jan Beulich; +Cc: xen-devel

Tue, 2 May 2023 13:33:13 +0200 Olaf Hering <olaf@aepfle.de>:

> I will investigate why it failed to build for me.

This happens if one builds first with the Tumbleweed container, and later with the Leap container, without a 'git clean -dffx' in between.

Is there a way to invalidate everything if the toolchain changes?


Olaf


* Re: HAS_CC_CET_IBT misdetected
  2023-05-02 12:04     ` Olaf Hering
@ 2023-05-02 13:29       ` Jan Beulich
  2023-05-02 13:36         ` Olaf Hering
  2023-05-02 13:41       ` Andrew Cooper
  1 sibling, 1 reply; 12+ messages in thread
From: Jan Beulich @ 2023-05-02 13:29 UTC
  To: Olaf Hering; +Cc: xen-devel

On 02.05.2023 14:04, Olaf Hering wrote:
> Tue, 2 May 2023 13:33:13 +0200 Olaf Hering <olaf@aepfle.de>:
> 
>> I will investigate why it failed to build for me.
> 
> This happens if one builds first with the Tumbleweed container, and later with the Leap container, without a 'git clean -dffx' in between.
> 
> Is there a way to invalidate everything if the toolchain changes?

Getting this to work automatically is a continued subject of discussion.
Touching xen/.config before starting the build ought to work, though.

Jan
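
Added example, not part of the thread or of the Xen build system: a POSIX shell helper that fingerprints the compiler by its version banner and by whether it accepts each of the three CET-IBT options quoted earlier in the thread, and applies the workaround above (touching xen/.config) when that fingerprint differs from the one recorded at the previous build. The function names and the stamp file are assumptions made for this example.

```shell
#!/bin/sh
# Added example; not part of the Xen build system.
# Compiler options named in the thread for the CET-IBT check.
IBT_FLAGS="-fcf-protection=branch -mmanual-endbr -mindirect-branch=thunk-extern"

# probe_flag CC FLAG
# Succeeds if CC accepts FLAG while assembling empty input, the same form
# as the manual test in the thread (a real compile step, not -E).
probe_flag() {
    "$1" -Wall "$2" -c -x assembler -o /dev/null - </dev/null >/dev/null 2>&1
}

# toolchain_fingerprint CC
# Prints the first line of the version banner, then one line per option.
toolchain_fingerprint() {
    "$1" --version 2>/dev/null | head -n 1
    for flag in $IBT_FLAGS; do
        if probe_flag "$1" "$flag"; then
            printf '%s yes\n' "$flag"
        else
            printf '%s no\n' "$flag"
        fi
    done
}

# refresh_config_if_toolchain_changed CC CONFIG STAMP
# Returns 0 after recording a new fingerprint in STAMP (hypothetical file)
# and touching CONFIG; returns 1 if the fingerprint is unchanged.
refresh_config_if_toolchain_changed() {
    cc=$1; config=$2; stamp=$3
    new=$(toolchain_fingerprint "$cc")
    if [ -f "$stamp" ] && [ "$new" = "$(cat "$stamp")" ]; then
        return 1
    fi
    printf '%s\n' "$new" > "$stamp"
    if [ -f "$config" ]; then touch "$config"; fi
    return 0
}

# Usage before an incremental build (stamp path is an assumption):
#   refresh_config_if_toolchain_changed "${CC:-gcc}" xen/.config xen/.toolchain-stamp || true
```

Keeping the stamp file inside the build tree means a tree shared between two containers carries the previous container's fingerprint with it, which is what makes the switch detectable.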




* Re: HAS_CC_CET_IBT misdetected
  2023-05-02 13:29       ` Jan Beulich
@ 2023-05-02 13:36         ` Olaf Hering
  2023-05-02 13:44           ` Jan Beulich
  0 siblings, 1 reply; 12+ messages in thread
From: Olaf Hering @ 2023-05-02 13:36 UTC
  To: Jan Beulich; +Cc: xen-devel

Tue, 2 May 2023 15:29:19 +0200 Jan Beulich <jbeulich@suse.com>:

> Getting this to work automatically is a continued subject of discussion.

I think the only real solution is an out-of-tree build. Essentially every single component needs to detect a toolchain change. This is unrealistic.


Olaf


* Re: HAS_CC_CET_IBT misdetected
  2023-05-02 12:04     ` Olaf Hering
  2023-05-02 13:29       ` Jan Beulich
@ 2023-05-02 13:41       ` Andrew Cooper
  2023-05-02 15:17         ` Olaf Hering
  1 sibling, 1 reply; 12+ messages in thread
From: Andrew Cooper @ 2023-05-02 13:41 UTC
  To: Olaf Hering, Jan Beulich; +Cc: xen-devel

On 02/05/2023 1:04 pm, Olaf Hering wrote:
> Tue, 2 May 2023 13:33:13 +0200 Olaf Hering <olaf@aepfle.de>:
>
>> I will investigate why it failed to build for me.
> This happens if one builds first with the Tumbleweed container, and later with the Leap container, without a 'git clean -dffx' in between.
>
> Is there a way to invalidate everything if the toolchain changes?

I thought we had a fix for this.  But it turns out it's still on the list.

https://lore.kernel.org/xen-devel/20230320152836.43205-1-anthony.perard@citrix.com/

Does this improve things for you?

~Andrew



* Re: HAS_CC_CET_IBT misdetected
  2023-05-02 13:36         ` Olaf Hering
@ 2023-05-02 13:44           ` Jan Beulich
  2023-05-02 13:55             ` Olaf Hering
  0 siblings, 1 reply; 12+ messages in thread
From: Jan Beulich @ 2023-05-02 13:44 UTC
  To: Olaf Hering; +Cc: xen-devel

On 02.05.2023 15:36, Olaf Hering wrote:
> Tue, 2 May 2023 15:29:19 +0200 Jan Beulich <jbeulich@suse.com>:
> 
>> Getting this to work automatically is a continued subject of discussion.
> 
> I think the only real solution is an out-of-tree build. Essentially every single component needs to detect a toolchain change. This is unrealistic.

How would an out-of-tree build help (which for the hypervisor we now
have support for)? An incremental build there will hit exactly the same
issue afaict.

Jan



* Re: HAS_CC_CET_IBT misdetected
  2023-05-02 13:44           ` Jan Beulich
@ 2023-05-02 13:55             ` Olaf Hering
  0 siblings, 0 replies; 12+ messages in thread
From: Olaf Hering @ 2023-05-02 13:55 UTC
  To: Jan Beulich; +Cc: xen-devel

Tue, 2 May 2023 15:44:41 +0200 Jan Beulich <jbeulich@suse.com>:

> How would an out-of-tree build help (which for the hypervisor we now
> have support for)? An incremental build there will hit exactly the same
> issue afaict.

Each container target will use a separate output directory. The Leap container will only see Leap things, the Tumbleweed container will only see Tumbleweed things.

A toolchain update within a container will be no different than it is today. But there will be no unexpected jumps anymore.


Olaf


* Re: HAS_CC_CET_IBT misdetected
  2023-05-02 13:41       ` Andrew Cooper
@ 2023-05-02 15:17         ` Olaf Hering
  0 siblings, 0 replies; 12+ messages in thread
From: Olaf Hering @ 2023-05-02 15:17 UTC
  To: Andrew Cooper; +Cc: Jan Beulich, xen-devel

Tue, 2 May 2023 14:41:25 +0100 Andrew Cooper <andrew.cooper3@citrix.com>:

> Does this improve things for you?

./checker: /lib64/libc.so.6: version `GLIBC_2.34' not found (required by ./checker)
make[2]: *** [Makefile:24: check-headers] Error 1

I think as soon as tools/ or stubdom/ is built, more issues like that will appear.


Olaf
