Re: [PATCH v8] xen: Strip xen.efi by default

[Oleksii Kurochko <oleksii.kurochko@gmail.com>]

[-- Attachment #1: Type: text/plain, Size: 7992 bytes --]


On 11/13/25 4:43 PM, Frediano Ziglio wrote:
> From: Frediano Ziglio<frediano.ziglio@cloud.com>
>
> For xen.gz file we strip all symbols and have an additional
> xen-syms.efi file version with all symbols.
> Make xen.efi more coherent stripping all symbols too.
> xen-syms.efi can be used for debugging.
>
> Signed-off-by: Frediano Ziglio<frediano.ziglio@cloud.com>

Release-Acked-By: Oleksii Kurochko<oleksii.kurochko@gmail.com>

Thanks.

~ Oleksii

> ---
> Changes since v1:
> - avoid leaving target if some command fails.
>
> Changes since v2:
> - do not convert type but retain PE format;
> - use xen-syms.efi for new file name, more consistent with ELF.
>
> Changes since v3:
> - update documentation;
> - do not remove xen.efi.elf;
> - check endbr instruction before generating final target.
>
> Changes since v4:
> - simplify condition check;
> - avoid reuse of $@.tmp file.
>
> Changes since v5:
> - avoid creation of temporary file.
>
> Changes since v6:
> - install xen-syms.efi;
> - always strip xen.efi;
> - restore EFI_LDFLAGS check during rule execution;
> - update CHANGELOG.md;
> - added xen-syms.efi to .gitignore.
>
> Changes since v7:
> - move and improve CHANGELOG.md changes.
> ---
>   .gitignore            |  1 +
>   CHANGELOG.md          |  3 +++
>   docs/misc/efi.pandoc  |  8 +-------
>   xen/Kconfig.debug     |  9 ++-------
>   xen/Makefile          | 25 +++----------------------
>   xen/arch/x86/Makefile | 11 ++++++++---
>   6 files changed, 18 insertions(+), 39 deletions(-)
>
> diff --git a/.gitignore b/.gitignore
> index d83427aba8..213972b65c 100644
> --- a/.gitignore
> +++ b/.gitignore
> @@ -222,6 +222,7 @@ tools/flask/policy/xenpolicy-*
>   xen/xen
>   xen/suppression-list.txt
>   xen/xen-syms
> +xen/xen-syms.efi
>   xen/xen-syms.map
>   xen/xen.*
>   
> diff --git a/CHANGELOG.md b/CHANGELOG.md
> index c9932a2af0..bc16e316e7 100644
> --- a/CHANGELOG.md
> +++ b/CHANGELOG.md
> @@ -34,6 +34,9 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/)
>        BAR for HVM guests, to improve performance of guests using it to map the
>        grant table or foreign memory.
>      - Allow configuring the number of altp2m tables per domain via vm.cfg.
> +   - The install-time environment variable INSTALL_EFI_STRIP no longer exists.
> +     xen.efi is always stripped, while the symbols remain available in
> +     xen-syms.efi.
>   
>   ### Added
>    - Introduce new PDX compression algorithm to cope with Intel Sierra Forest and
> diff --git a/docs/misc/efi.pandoc b/docs/misc/efi.pandoc
> index 11c1ac3346..c66b18a66b 100644
> --- a/docs/misc/efi.pandoc
> +++ b/docs/misc/efi.pandoc
> @@ -20,13 +20,7 @@ Xen to load the configuration file even if multiboot modules are found.
>   Once built, `make install-xen` will place the resulting binary directly into
>   the EFI boot partition, provided `EFI_VENDOR` is set in the environment (and
>   `EFI_MOUNTPOINT` is overridden as needed, should the default of `/boot/efi` not
> -match your system). When built with debug info, the binary can be quite large.
> -Setting `INSTALL_EFI_STRIP=1` in the environment will cause it to be stripped
> -of debug info in the process of installing. `INSTALL_EFI_STRIP` can also be set
> -to any combination of options suitable to pass to `strip`, in case the default
> -ones don't do. The xen.efi binary will also be installed in `/usr/lib64/efi/`,
> -unless `EFI_DIR` is set in the environment to override this default. This
> -binary will not be stripped in the process.
> +match your system).
>   
>   The binary itself will require a configuration file (names with the `.efi`
>   extension of the binary's name replaced by `.cfg`, and - until an existing
> diff --git a/xen/Kconfig.debug b/xen/Kconfig.debug
> index d900d926c5..1a8e0c6ec3 100644
> --- a/xen/Kconfig.debug
> +++ b/xen/Kconfig.debug
> @@ -147,12 +147,7 @@ config DEBUG_INFO
>   	  Say Y here if you want to build Xen with debug information. This
>   	  information is needed e.g. for doing crash dump analysis of the
>   	  hypervisor via the "crash" tool.
> -	  Saying Y will increase the size of the xen-syms and xen.efi
> -	  binaries. In case the space on the EFI boot partition is rather
> -	  limited, you may want to install a stripped variant of xen.efi in
> -	  the EFI boot partition (look for "INSTALL_EFI_STRIP" in
> -	  docs/misc/efi.pandoc for more information - when not using
> -	  "make install-xen" for installing xen.efi, stripping needs to be
> -	  done outside the Xen build environment).
> +	  Saying Y will increase the size of the xen-syms, xen-syms.efi and
> +	  xen.efi.elf binaries.
>   
>   endmenu
> diff --git a/xen/Makefile b/xen/Makefile
> index fc9244420e..5ed029fed1 100644
> --- a/xen/Makefile
> +++ b/xen/Makefile
> @@ -493,22 +493,6 @@ endif
>   .PHONY: _build
>   _build: $(TARGET)$(CONFIG_XEN_INSTALL_SUFFIX)
>   
> -# Strip
> -#
> -# INSTALL_EFI_STRIP, if defined, will cause xen.efi to be stripped before it
> -# is installed. If INSTALL_EFI_STRIP is '1', then the default option(s) below
> -# will be used. Otherwise, INSTALL_EFI_STRIP value will be used as the
> -# option(s) to the strip command.
> -ifdef INSTALL_EFI_STRIP
> -
> -ifeq ($(INSTALL_EFI_STRIP),1)
> -efi-strip-opt := --strip-debug --keep-file-symbols
> -else
> -efi-strip-opt := $(INSTALL_EFI_STRIP)
> -endif
> -
> -endif
> -
>   .PHONY: _install
>   _install: D=$(DESTDIR)
>   _install: T=$(notdir $(TARGET))
> @@ -526,18 +510,15 @@ _install: $(TARGET)$(CONFIG_XEN_INSTALL_SUFFIX)
>   	if [ -r $(TARGET).efi -a -n '$(EFI_DIR)' ]; then \
>   		[ -d $(D)$(EFI_DIR) ] || $(INSTALL_DIR) $(D)$(EFI_DIR); \
>   		$(INSTALL_DATA) $(TARGET).efi $(D)$(EFI_DIR)/$(T)-$(XEN_FULLVERSION).efi; \
> -		for x in map elf; do \
> -			if [ -e $(TARGET).efi.$$x ]; then \
> -				$(INSTALL_DATA) $(TARGET).efi.$$x $(D)$(DEBUG_DIR)/$(T)-$(XEN_FULLVERSION).efi.$$x; \
> +		for x in .efi.map .efi.elf -syms.efi; do \
> +			if [ -e $(TARGET)$$x ]; then \
> +				$(INSTALL_DATA) $(TARGET)$$x $(D)$(DEBUG_DIR)/$(T)-$(XEN_FULLVERSION)$$x; \
>   			fi; \
>   		done; \
>   		ln -sf $(T)-$(XEN_FULLVERSION).efi $(D)$(EFI_DIR)/$(T)-$(XEN_VERSION).$(XEN_SUBVERSION).efi; \
>   		ln -sf $(T)-$(XEN_FULLVERSION).efi $(D)$(EFI_DIR)/$(T)-$(XEN_VERSION).efi; \
>   		ln -sf $(T)-$(XEN_FULLVERSION).efi $(D)$(EFI_DIR)/$(T).efi; \
>   		if [ -n '$(EFI_MOUNTPOINT)' -a -n '$(EFI_VENDOR)' ]; then \
> -			$(if $(efi-strip-opt), \
> -			     $(STRIP) $(efi-strip-opt) -p -o $(TARGET).efi.stripped $(TARGET).efi && \
> -			     $(INSTALL_DATA) $(TARGET).efi.stripped $(D)$(EFI_MOUNTPOINT)/efi/$(EFI_VENDOR)/$(T)-$(XEN_FULLVERSION).efi ||) \
>   			$(INSTALL_DATA) $(TARGET).efi $(D)$(EFI_MOUNTPOINT)/efi/$(EFI_VENDOR)/$(T)-$(XEN_FULLVERSION).efi; \
>   		elif [ "$(D)" = "$(patsubst $(shell cd $(XEN_ROOT) && pwd)/%,%,$(D))" ]; then \
>   			echo 'EFI installation only partially done (EFI_VENDOR not set)' >&2; \
> diff --git a/xen/arch/x86/Makefile b/xen/arch/x86/Makefile
> index 407571c510..a154ffe6b2 100644
> --- a/xen/arch/x86/Makefile
> +++ b/xen/arch/x86/Makefile
> @@ -228,12 +228,17 @@ endif
>   	$(MAKE) $(build)=$(@D) .$(@F).1r.o .$(@F).1s.o
>   	$(LD) $(call EFI_LDFLAGS,$(VIRT_BASE)) -T $(obj)/efi.lds $< \
>   	      $(dot-target).1r.o $(dot-target).1s.o $(orphan-handling-y) \
> -	      $(note_file_option) -o $@
> -	$(NM) -pa --format=sysv $@ \
> +	      $(note_file_option) -o $(TARGET)-syms.efi
> +	$(NM) -pa --format=sysv $(TARGET)-syms.efi \
>   		| $(objtree)/tools/symbols --all-symbols --xensyms --sysv --sort \
>   		> $@.map
>   ifeq ($(CONFIG_DEBUG_INFO),y)
> -	$(if $(filter --strip-debug,$(EFI_LDFLAGS)),:$(space))$(OBJCOPY) -O elf64-x86-64 $@ $@.elf
> +	$(if $(filter --strip-debug,$(EFI_LDFLAGS)),:$(space))$(OBJCOPY) \
> +		-O elf64-x86-64 $(TARGET)-syms.efi $@.elf
> +endif
> +	$(STRIP) $(TARGET)-syms.efi -o $@
> +ifneq ($(CONFIG_DEBUG_INFO),y)
> +	rm -f $(TARGET)-syms.efi
>   endif
>   	rm -f $(dot-target).[0-9]* $(@D)/..$(@F).[0-9]*
>   ifeq ($(CONFIG_XEN_IBT),y)

[-- Attachment #2: Type: text/html, Size: 8492 bytes --]