* [PATCH v2] xen: Strip xen.efi by default @ 2025-06-12 10:07 Frediano Ziglio 2025-06-25 11:49 ` Frediano Ziglio 2025-10-02 13:05 ` Andrew Cooper 0 siblings, 2 replies; 16+ messages in thread From: Frediano Ziglio @ 2025-06-12 10:07 UTC (permalink / raw) To: xen-devel Cc: Frediano Ziglio, Andrew Cooper, Anthony PERARD, Michal Orzel, Jan Beulich, Julien Grall, Roger Pau Monné, Stefano Stabellini For xen.gz file we strip all symbols and have an additional xen-syms file version with all symbols. Make xen.efi more coherent stripping all symbols too. xen.efi.elf can be used for debugging. Signed-off-by: Frediano Ziglio <frediano.ziglio@cloud.com> --- Changes since v1: - avoid leaving target if some command fails --- docs/misc/efi.pandoc | 8 +------- xen/Kconfig.debug | 9 ++------- xen/Makefile | 19 ------------------- xen/arch/x86/Makefile | 8 +++++--- 4 files changed, 8 insertions(+), 36 deletions(-) diff --git a/docs/misc/efi.pandoc b/docs/misc/efi.pandoc index 11c1ac3346..c66b18a66b 100644 --- a/docs/misc/efi.pandoc +++ b/docs/misc/efi.pandoc 
@@ -20,13 +20,7 @@ Xen to load the configuration file even if multiboot modules are found. Once built, `make install-xen` will place the resulting binary directly into the EFI boot partition, provided `EFI_VENDOR` is set in the environment (and `EFI_MOUNTPOINT` is overridden as needed, should the default of `/boot/efi` not -match your system). When built with debug info, the binary can be quite large. -Setting `INSTALL_EFI_STRIP=1` in the environment will cause it to be stripped -of debug info in the process of installing. `INSTALL_EFI_STRIP` can also be set -to any combination of options suitable to pass to `strip`, in case the default -ones don't do. The xen.efi binary will also be installed in `/usr/lib64/efi/`, -unless `EFI_DIR` is set in the environment to override this default. This -binary will not be stripped in the process. +match your system). The binary itself will require a configuration file (names with the `.efi` extension of the binary's name replaced by `.cfg`, and - until an existing diff --git a/xen/Kconfig.debug b/xen/Kconfig.debug index d14093017e..cafbb1236c 100644 --- a/xen/Kconfig.debug +++ b/xen/Kconfig.debug @@ -147,12 +147,7 @@ config DEBUG_INFO Say Y here if you want to build Xen with debug information. This information is needed e.g. for doing crash dump analysis of the hypervisor via the "crash" tool. - Saying Y will increase the size of the xen-syms and xen.efi - binaries. In case the space on the EFI boot partition is rather - limited, you may want to install a stripped variant of xen.efi in - the EFI boot partition (look for "INSTALL_EFI_STRIP" in - docs/misc/efi.pandoc for more information - when not using - "make install-xen" for installing xen.efi, stripping needs to be - done outside the Xen build environment). + Saying Y will increase the size of the xen-syms and xen.efi.elf + binaries. endmenu diff --git a/xen/Makefile b/xen/Makefile index 8fc4e042ff..664c4ea7b8 100644 --- a/xen/Makefile +++ b/xen/Makefile 
@@ -488,22 +488,6 @@ endif .PHONY: _build _build: $(TARGET)$(CONFIG_XEN_INSTALL_SUFFIX) -# Strip -# -# INSTALL_EFI_STRIP, if defined, will cause xen.efi to be stripped before it -# is installed. If INSTALL_EFI_STRIP is '1', then the default option(s) below -# will be used. Otherwise, INSTALL_EFI_STRIP value will be used as the -# option(s) to the strip command. -ifdef INSTALL_EFI_STRIP - -ifeq ($(INSTALL_EFI_STRIP),1) -efi-strip-opt := --strip-debug --keep-file-symbols -else -efi-strip-opt := $(INSTALL_EFI_STRIP) -endif - -endif - .PHONY: _install _install: D=$(DESTDIR) _install: T=$(notdir $(TARGET)) @@ -530,9 +514,6 @@ _install: $(TARGET)$(CONFIG_XEN_INSTALL_SUFFIX) ln -sf $(T)-$(XEN_FULLVERSION).efi $(D)$(EFI_DIR)/$(T)-$(XEN_VERSION).efi; \ ln -sf $(T)-$(XEN_FULLVERSION).efi $(D)$(EFI_DIR)/$(T).efi; \ if [ -n '$(EFI_MOUNTPOINT)' -a -n '$(EFI_VENDOR)' ]; then \ - $(if $(efi-strip-opt), \ - $(STRIP) $(efi-strip-opt) -p -o $(TARGET).efi.stripped $(TARGET).efi && \ - $(INSTALL_DATA) $(TARGET).efi.stripped $(D)$(EFI_MOUNTPOINT)/efi/$(EFI_VENDOR)/$(T)-$(XEN_FULLVERSION).efi ||) \ $(INSTALL_DATA) $(TARGET).efi $(D)$(EFI_MOUNTPOINT)/efi/$(EFI_VENDOR)/$(T)-$(XEN_FULLVERSION).efi; \ elif [ "$(D)" = "$(patsubst $(shell cd $(XEN_ROOT) && pwd)/%,%,$(D))" ]; then \ echo 'EFI installation only partially done (EFI_VENDOR not set)' >&2; \ diff --git a/xen/arch/x86/Makefile b/xen/arch/x86/Makefile index ce724a9daa..e0ebc8c73e 100644 --- a/xen/arch/x86/Makefile +++ b/xen/arch/x86/Makefile 
@@ -232,14 +232,16 @@ endif $(MAKE) $(build)=$(@D) .$(@F).1r.o .$(@F).1s.o $(LD) $(call EFI_LDFLAGS,$(VIRT_BASE)) -T $(obj)/efi.lds $< \ $(dot-target).1r.o $(dot-target).1s.o $(orphan-handling-y) \ - $(note_file_option) -o $@ - $(NM) -pa --format=sysv $@ \ + $(note_file_option) -o $@.tmp + $(NM) -pa --format=sysv $@.tmp \ | $(objtree)/tools/symbols --all-symbols --xensyms --sysv --sort \ > $@.map ifeq ($(CONFIG_DEBUG_INFO),y) - $(if $(filter --strip-debug,$(EFI_LDFLAGS)),:$(space))$(OBJCOPY) -O elf64-x86-64 $@ $@.elf + $(if $(filter --strip-debug,$(EFI_LDFLAGS)),:$(space))$(OBJCOPY) -O elf64-x86-64 $@.tmp $@.elf + $(if $(filter --strip-debug,$(EFI_LDFLAGS)),:$(space))$(STRIP) $@.tmp endif rm -f $(dot-target).[0-9]* $(@D)/..$(@F).[0-9]* + mv -f $@.tmp $@ ifeq ($(CONFIG_XEN_IBT),y) $(SHELL) $(srctree)/tools/check-endbr.sh $@ endif -- 2.43.0 ^ permalink raw reply related [flat|nested] 16+ messages in thread
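Review bot: In the docs/misc/efi.pandoc hunk, the removed paragraph also drops the sentence saying that xen.efi is installed in `/usr/lib64/efi/` unless `EFI_DIR` is set. That sentence is not about stripping, and the install lines in xen/Makefile shown in this patch still use $(EFI_DIR). Keep it, dropping only "This binary will not be stripped in the process", and add a line saying that xen.efi is now stripped at build time and that xen.efi.elf is the file to use for debugging.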
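Review bot: The new DEBUG_INFO help text in xen/Kconfig.debug names xen.efi.elf without saying what it is. Someone enabling the option for crash dump analysis, the use the help text itself names, needs to know that xen.efi is stripped and that xen.efi.elf is its companion with symbols, as xen-syms is for xen.gz. Half a sentence to that effect after "binaries" would cover it.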
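Review bot: With the INSTALL_EFI_STRIP block removed from xen/Makefile (hunk at -488), an environment that still sets the variable is silently ignored, and the result differs from the old default: `--strip-debug --keep-file-symbols` removed only debug info, while the build now runs a plain $(STRIP). Mention the removal in the commit message, and consider a $(warning ...) when INSTALL_EFI_STRIP is defined so that packagers passing their own strip options notice the change.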
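Review bot: In the _install hunk of xen/Makefile (at -530), both destinations now receive the same $(TARGET).efi, so the copy under $(EFI_DIR) is stripped as well, whereas the documentation removed by this patch said it would not be. If that is intended, say so in the commit message. The visible lines also do not show xen.efi.elf being installed, so it is worth confirming that the debug companion reaches the installed system.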
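Review bot: In the xen/arch/x86/Makefile hunk the new `$(STRIP) $@.tmp` line sits inside `ifeq ($(CONFIG_DEBUG_INFO),y)` and carries the same `$(if $(filter --strip-debug,$(EFI_LDFLAGS)),:$(space))` prefix as the objcopy line, so xen.efi is stripped only when debug info is enabled and the linker flags do not already strip it. The commit message says all symbols are stripped by default; if that is the goal, move the strip below the `endif` and drop the prefix, keeping only the objcopy to $@.elf conditional. Separately, check-endbr.sh still runs after `mv -f $@.tmp $@`, so a failing check leaves the final xen.efi in place, which is the case the v2 changelog says it avoids; running the check on $@.tmp before the mv would close that gap.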
* Re: [PATCH v2] xen: Strip xen.efi by default 2025-06-12 10:07 [PATCH v2] xen: Strip xen.efi by default Frediano Ziglio @ 2025-06-25 11:49 ` Frediano Ziglio 2025-07-28 10:34 ` Frediano Ziglio 2025-10-02 13:05 ` Andrew Cooper 1 sibling, 1 reply; 16+ messages in thread From: Frediano Ziglio @ 2025-06-25 11:49 UTC (permalink / raw) To: xen-devel Cc: Andrew Cooper, Anthony PERARD, Michal Orzel, Jan Beulich, Julien Grall, Roger Pau Monné, Stefano Stabellini On Thu, Jun 12, 2025 at 11:07 AM Frediano Ziglio <frediano.ziglio@cloud.com> wrote: > > For xen.gz file we strip all symbols and have an additional > xen-syms file version with all symbols. > Make xen.efi more coherent stripping all symbols too. > xen.efi.elf can be used for debugging. > > Signed-off-by: Frediano Ziglio <frediano.ziglio@cloud.com> > --- > Changes since v1: > - avoid leaving target if some command fails > --- > docs/misc/efi.pandoc | 8 +------- > xen/Kconfig.debug | 9 ++------- > xen/Makefile | 19 ------------------- > xen/arch/x86/Makefile | 8 +++++--- > 4 files changed, 8 insertions(+), 36 deletions(-) > > diff --git a/docs/misc/efi.pandoc b/docs/misc/efi.pandoc > index 11c1ac3346..c66b18a66b 100644 > --- a/docs/misc/efi.pandoc > +++ b/docs/misc/efi.pandoc 
> @@ -20,13 +20,7 @@ Xen to load the configuration file even if multiboot modules are found. > Once built, `make install-xen` will place the resulting binary directly into > the EFI boot partition, provided `EFI_VENDOR` is set in the environment (and > `EFI_MOUNTPOINT` is overridden as needed, should the default of `/boot/efi` not > -match your system). When built with debug info, the binary can be quite large. > -Setting `INSTALL_EFI_STRIP=1` in the environment will cause it to be stripped > -of debug info in the process of installing. `INSTALL_EFI_STRIP` can also be set > -to any combination of options suitable to pass to `strip`, in case the default > -ones don't do. The xen.efi binary will also be installed in `/usr/lib64/efi/`, > -unless `EFI_DIR` is set in the environment to override this default. This > -binary will not be stripped in the process. > +match your system). > > The binary itself will require a configuration file (names with the `.efi` > extension of the binary's name replaced by `.cfg`, and - until an existing > diff --git a/xen/Kconfig.debug b/xen/Kconfig.debug > index d14093017e..cafbb1236c 100644 > --- a/xen/Kconfig.debug > +++ b/xen/Kconfig.debug > @@ -147,12 +147,7 @@ config DEBUG_INFO > Say Y here if you want to build Xen with debug information. This > information is needed e.g. for doing crash dump analysis of the > hypervisor via the "crash" tool. > - Saying Y will increase the size of the xen-syms and xen.efi > - binaries. In case the space on the EFI boot partition is rather > - limited, you may want to install a stripped variant of xen.efi in > - the EFI boot partition (look for "INSTALL_EFI_STRIP" in > - docs/misc/efi.pandoc for more information - when not using > - "make install-xen" for installing xen.efi, stripping needs to be > - done outside the Xen build environment). > + Saying Y will increase the size of the xen-syms and xen.efi.elf > + binaries. > > endmenu 
> diff --git a/xen/Makefile b/xen/Makefile > index 8fc4e042ff..664c4ea7b8 100644 > --- a/xen/Makefile > +++ b/xen/Makefile > @@ -488,22 +488,6 @@ endif > .PHONY: _build > _build: $(TARGET)$(CONFIG_XEN_INSTALL_SUFFIX) > > -# Strip > -# > -# INSTALL_EFI_STRIP, if defined, will cause xen.efi to be stripped before it > -# is installed. If INSTALL_EFI_STRIP is '1', then the default option(s) below > -# will be used. Otherwise, INSTALL_EFI_STRIP value will be used as the > -# option(s) to the strip command. > -ifdef INSTALL_EFI_STRIP > - > -ifeq ($(INSTALL_EFI_STRIP),1) > -efi-strip-opt := --strip-debug --keep-file-symbols > -else > -efi-strip-opt := $(INSTALL_EFI_STRIP) > -endif > - > -endif > - > .PHONY: _install > _install: D=$(DESTDIR) > _install: T=$(notdir $(TARGET)) > @@ -530,9 +514,6 @@ _install: $(TARGET)$(CONFIG_XEN_INSTALL_SUFFIX) > ln -sf $(T)-$(XEN_FULLVERSION).efi $(D)$(EFI_DIR)/$(T)-$(XEN_VERSION).efi; \ > ln -sf $(T)-$(XEN_FULLVERSION).efi $(D)$(EFI_DIR)/$(T).efi; \ > if [ -n '$(EFI_MOUNTPOINT)' -a -n '$(EFI_VENDOR)' ]; then \ > - $(if $(efi-strip-opt), \ > - $(STRIP) $(efi-strip-opt) -p -o $(TARGET).efi.stripped $(TARGET).efi && \ > - $(INSTALL_DATA) $(TARGET).efi.stripped $(D)$(EFI_MOUNTPOINT)/efi/$(EFI_VENDOR)/$(T)-$(XEN_FULLVERSION).efi ||) \ > $(INSTALL_DATA) $(TARGET).efi $(D)$(EFI_MOUNTPOINT)/efi/$(EFI_VENDOR)/$(T)-$(XEN_FULLVERSION).efi; \ > elif [ "$(D)" = "$(patsubst $(shell cd $(XEN_ROOT) && pwd)/%,%,$(D))" ]; then \ > echo 'EFI installation only partially done (EFI_VENDOR not set)' >&2; \ > diff --git a/xen/arch/x86/Makefile b/xen/arch/x86/Makefile > index ce724a9daa..e0ebc8c73e 100644 > --- a/xen/arch/x86/Makefile > +++ b/xen/arch/x86/Makefile 
> @@ -232,14 +232,16 @@ endif > $(MAKE) $(build)=$(@D) .$(@F).1r.o .$(@F).1s.o > $(LD) $(call EFI_LDFLAGS,$(VIRT_BASE)) -T $(obj)/efi.lds $< \ > $(dot-target).1r.o $(dot-target).1s.o $(orphan-handling-y) \ > - $(note_file_option) -o $@ > - $(NM) -pa --format=sysv $@ \ > + $(note_file_option) -o $@.tmp > + $(NM) -pa --format=sysv $@.tmp \ > | $(objtree)/tools/symbols --all-symbols --xensyms --sysv --sort \ > > $@.map > ifeq ($(CONFIG_DEBUG_INFO),y) > - $(if $(filter --strip-debug,$(EFI_LDFLAGS)),:$(space))$(OBJCOPY) -O elf64-x86-64 $@ $@.elf > + $(if $(filter --strip-debug,$(EFI_LDFLAGS)),:$(space))$(OBJCOPY) -O elf64-x86-64 $@.tmp $@.elf > + $(if $(filter --strip-debug,$(EFI_LDFLAGS)),:$(space))$(STRIP) $@.tmp > endif > rm -f $(dot-target).[0-9]* $(@D)/..$(@F).[0-9]* > + mv -f $@.tmp $@ > ifeq ($(CONFIG_XEN_IBT),y) > $(SHELL) $(srctree)/tools/check-endbr.sh $@ > endif Any comments on this version? Frediano ^ permalink raw reply [flat|nested] 16+ messages in thread
* Re: [PATCH v2] xen: Strip xen.efi by default 2025-06-25 11:49 ` Frediano Ziglio @ 2025-07-28 10:34 ` Frediano Ziglio 2025-08-15 10:33 ` Frediano Ziglio 0 siblings, 1 reply; 16+ messages in thread From: Frediano Ziglio @ 2025-07-28 10:34 UTC (permalink / raw) To: xen-devel Cc: Andrew Cooper, Anthony PERARD, Michal Orzel, Jan Beulich, Julien Grall, Roger Pau Monné, Stefano Stabellini ping On Wed, Jun 25, 2025 at 12:49 PM Frediano Ziglio <frediano.ziglio@cloud.com> wrote: > > On Thu, Jun 12, 2025 at 11:07 AM Frediano Ziglio > <frediano.ziglio@cloud.com> wrote: > > > > For xen.gz file we strip all symbols and have an additional > > xen-syms file version with all symbols. > > Make xen.efi more coherent stripping all symbols too. > > xen.efi.elf can be used for debugging. > > > > Signed-off-by: Frediano Ziglio <frediano.ziglio@cloud.com> > > --- > > Changes since v1: > > - avoid leaving target if some command fails > > --- > > docs/misc/efi.pandoc | 8 +------- > > xen/Kconfig.debug | 9 ++------- > > xen/Makefile | 19 ------------------- > > xen/arch/x86/Makefile | 8 +++++--- > > 4 files changed, 8 insertions(+), 36 deletions(-) > > > > diff --git a/docs/misc/efi.pandoc b/docs/misc/efi.pandoc > > index 11c1ac3346..c66b18a66b 100644 > > --- a/docs/misc/efi.pandoc > > +++ b/docs/misc/efi.pandoc 
> > @@ -20,13 +20,7 @@ Xen to load the configuration file even if multiboot modules are found. > > Once built, `make install-xen` will place the resulting binary directly into > > the EFI boot partition, provided `EFI_VENDOR` is set in the environment (and > > `EFI_MOUNTPOINT` is overridden as needed, should the default of `/boot/efi` not > > -match your system). When built with debug info, the binary can be quite large. > > -Setting `INSTALL_EFI_STRIP=1` in the environment will cause it to be stripped > > -of debug info in the process of installing. `INSTALL_EFI_STRIP` can also be set > > -to any combination of options suitable to pass to `strip`, in case the default > > -ones don't do. The xen.efi binary will also be installed in `/usr/lib64/efi/`, > > -unless `EFI_DIR` is set in the environment to override this default. This > > -binary will not be stripped in the process. > > +match your system). > > > > The binary itself will require a configuration file (names with the `.efi` > > extension of the binary's name replaced by `.cfg`, and - until an existing > > diff --git a/xen/Kconfig.debug b/xen/Kconfig.debug > > index d14093017e..cafbb1236c 100644 > > --- a/xen/Kconfig.debug > > +++ b/xen/Kconfig.debug > > @@ -147,12 +147,7 @@ config DEBUG_INFO > > Say Y here if you want to build Xen with debug information. This > > information is needed e.g. for doing crash dump analysis of the > > hypervisor via the "crash" tool. > > - Saying Y will increase the size of the xen-syms and xen.efi > > - binaries. In case the space on the EFI boot partition is rather > > - limited, you may want to install a stripped variant of xen.efi in > > - the EFI boot partition (look for "INSTALL_EFI_STRIP" in > > - docs/misc/efi.pandoc for more information - when not using > > - "make install-xen" for installing xen.efi, stripping needs to be > > - done outside the Xen build environment). > > + Saying Y will increase the size of the xen-syms and xen.efi.elf > > + binaries. > > > > endmenu 
> > diff --git a/xen/Makefile b/xen/Makefile > > index 8fc4e042ff..664c4ea7b8 100644 > > --- a/xen/Makefile > > +++ b/xen/Makefile > > @@ -488,22 +488,6 @@ endif > > .PHONY: _build > > _build: $(TARGET)$(CONFIG_XEN_INSTALL_SUFFIX) > > > > -# Strip > > -# > > -# INSTALL_EFI_STRIP, if defined, will cause xen.efi to be stripped before it > > -# is installed. If INSTALL_EFI_STRIP is '1', then the default option(s) below > > -# will be used. Otherwise, INSTALL_EFI_STRIP value will be used as the > > -# option(s) to the strip command. > > -ifdef INSTALL_EFI_STRIP > > - > > -ifeq ($(INSTALL_EFI_STRIP),1) > > -efi-strip-opt := --strip-debug --keep-file-symbols > > -else > > -efi-strip-opt := $(INSTALL_EFI_STRIP) > > -endif > > - > > -endif > > - > > .PHONY: _install > > _install: D=$(DESTDIR) > > _install: T=$(notdir $(TARGET)) > > @@ -530,9 +514,6 @@ _install: $(TARGET)$(CONFIG_XEN_INSTALL_SUFFIX) > > ln -sf $(T)-$(XEN_FULLVERSION).efi $(D)$(EFI_DIR)/$(T)-$(XEN_VERSION).efi; \ > > ln -sf $(T)-$(XEN_FULLVERSION).efi $(D)$(EFI_DIR)/$(T).efi; \ > > if [ -n '$(EFI_MOUNTPOINT)' -a -n '$(EFI_VENDOR)' ]; then \ > > - $(if $(efi-strip-opt), \ > > - $(STRIP) $(efi-strip-opt) -p -o $(TARGET).efi.stripped $(TARGET).efi && \ > > - $(INSTALL_DATA) $(TARGET).efi.stripped $(D)$(EFI_MOUNTPOINT)/efi/$(EFI_VENDOR)/$(T)-$(XEN_FULLVERSION).efi ||) \ > > $(INSTALL_DATA) $(TARGET).efi $(D)$(EFI_MOUNTPOINT)/efi/$(EFI_VENDOR)/$(T)-$(XEN_FULLVERSION).efi; \ > > elif [ "$(D)" = "$(patsubst $(shell cd $(XEN_ROOT) && pwd)/%,%,$(D))" ]; then \ > > echo 'EFI installation only partially done (EFI_VENDOR not set)' >&2; \ > > diff --git a/xen/arch/x86/Makefile b/xen/arch/x86/Makefile > > index ce724a9daa..e0ebc8c73e 100644 > > --- a/xen/arch/x86/Makefile > > +++ b/xen/arch/x86/Makefile 
> > @@ -232,14 +232,16 @@ endif > > $(MAKE) $(build)=$(@D) .$(@F).1r.o .$(@F).1s.o > > $(LD) $(call EFI_LDFLAGS,$(VIRT_BASE)) -T $(obj)/efi.lds $< \ > > $(dot-target).1r.o $(dot-target).1s.o $(orphan-handling-y) \ > > - $(note_file_option) -o $@ > > - $(NM) -pa --format=sysv $@ \ > > + $(note_file_option) -o $@.tmp > > + $(NM) -pa --format=sysv $@.tmp \ > > | $(objtree)/tools/symbols --all-symbols --xensyms --sysv --sort \ > > > $@.map > > ifeq ($(CONFIG_DEBUG_INFO),y) > > - $(if $(filter --strip-debug,$(EFI_LDFLAGS)),:$(space))$(OBJCOPY) -O elf64-x86-64 $@ $@.elf > > + $(if $(filter --strip-debug,$(EFI_LDFLAGS)),:$(space))$(OBJCOPY) -O elf64-x86-64 $@.tmp $@.elf > > + $(if $(filter --strip-debug,$(EFI_LDFLAGS)),:$(space))$(STRIP) $@.tmp > > endif > > rm -f $(dot-target).[0-9]* $(@D)/..$(@F).[0-9]* > > + mv -f $@.tmp $@ > > ifeq ($(CONFIG_XEN_IBT),y) > > $(SHELL) $(srctree)/tools/check-endbr.sh $@ > > endif > > Any comments on this version? > > Frediano ^ permalink raw reply [flat|nested] 16+ messages in thread
* Re: [PATCH v2] xen: Strip xen.efi by default 2025-07-28 10:34 ` Frediano Ziglio @ 2025-08-15 10:33 ` Frediano Ziglio 2025-10-02 12:25 ` Frediano Ziglio 0 siblings, 1 reply; 16+ messages in thread From: Frediano Ziglio @ 2025-08-15 10:33 UTC (permalink / raw) To: xen-devel Cc: Andrew Cooper, Anthony PERARD, Michal Orzel, Jan Beulich, Julien Grall, Roger Pau Monné, Stefano Stabellini ping On Mon, Jul 28, 2025 at 11:34 AM Frediano Ziglio <frediano.ziglio@cloud.com> wrote: > > ping > > On Wed, Jun 25, 2025 at 12:49 PM Frediano Ziglio > <frediano.ziglio@cloud.com> wrote: > > > > On Thu, Jun 12, 2025 at 11:07 AM Frediano Ziglio > > <frediano.ziglio@cloud.com> wrote: > > > > > > For xen.gz file we strip all symbols and have an additional > > > xen-syms file version with all symbols. > > > Make xen.efi more coherent stripping all symbols too. > > > xen.efi.elf can be used for debugging. > > > > > > Signed-off-by: Frediano Ziglio <frediano.ziglio@cloud.com> > > > --- > > > Changes since v1: > > > - avoid leaving target if some command fails > > > --- > > > docs/misc/efi.pandoc | 8 +------- > > > xen/Kconfig.debug | 9 ++------- > > > xen/Makefile | 19 ------------------- > > > xen/arch/x86/Makefile | 8 +++++--- > > > 4 files changed, 8 insertions(+), 36 deletions(-) > > > > > > diff --git a/docs/misc/efi.pandoc b/docs/misc/efi.pandoc > > > index 11c1ac3346..c66b18a66b 100644 > > > --- a/docs/misc/efi.pandoc > > > +++ b/docs/misc/efi.pandoc 
> > > @@ -20,13 +20,7 @@ Xen to load the configuration file even if multiboot modules are found. > > > Once built, `make install-xen` will place the resulting binary directly into > > > the EFI boot partition, provided `EFI_VENDOR` is set in the environment (and > > > `EFI_MOUNTPOINT` is overridden as needed, should the default of `/boot/efi` not > > > -match your system). When built with debug info, the binary can be quite large. > > > -Setting `INSTALL_EFI_STRIP=1` in the environment will cause it to be stripped > > > -of debug info in the process of installing. `INSTALL_EFI_STRIP` can also be set > > > -to any combination of options suitable to pass to `strip`, in case the default > > > -ones don't do. The xen.efi binary will also be installed in `/usr/lib64/efi/`, > > > -unless `EFI_DIR` is set in the environment to override this default. This > > > -binary will not be stripped in the process. > > > +match your system). > > > > > > The binary itself will require a configuration file (names with the `.efi` > > > extension of the binary's name replaced by `.cfg`, and - until an existing > > > diff --git a/xen/Kconfig.debug b/xen/Kconfig.debug > > > index d14093017e..cafbb1236c 100644 > > > --- a/xen/Kconfig.debug > > > +++ b/xen/Kconfig.debug 
> > > @@ -147,12 +147,7 @@ config DEBUG_INFO > > > Say Y here if you want to build Xen with debug information. This > > > information is needed e.g. for doing crash dump analysis of the > > > hypervisor via the "crash" tool. > > > - Saying Y will increase the size of the xen-syms and xen.efi > > > - binaries. In case the space on the EFI boot partition is rather > > > - limited, you may want to install a stripped variant of xen.efi in > > > - the EFI boot partition (look for "INSTALL_EFI_STRIP" in > > > - docs/misc/efi.pandoc for more information - when not using > > > - "make install-xen" for installing xen.efi, stripping needs to be > > > - done outside the Xen build environment). > > > + Saying Y will increase the size of the xen-syms and xen.efi.elf > > > + binaries. > > > > > > endmenu > > > diff --git a/xen/Makefile b/xen/Makefile > > > index 8fc4e042ff..664c4ea7b8 100644 > > > --- a/xen/Makefile > > > +++ b/xen/Makefile > > > @@ -488,22 +488,6 @@ endif > > > .PHONY: _build > > > _build: $(TARGET)$(CONFIG_XEN_INSTALL_SUFFIX) > > > > > > -# Strip > > > -# > > > -# INSTALL_EFI_STRIP, if defined, will cause xen.efi to be stripped before it > > > -# is installed. If INSTALL_EFI_STRIP is '1', then the default option(s) below > > > -# will be used. Otherwise, INSTALL_EFI_STRIP value will be used as the > > > -# option(s) to the strip command. > > > -ifdef INSTALL_EFI_STRIP > > > - > > > -ifeq ($(INSTALL_EFI_STRIP),1) > > > -efi-strip-opt := --strip-debug --keep-file-symbols > > > -else > > > -efi-strip-opt := $(INSTALL_EFI_STRIP) > > > -endif > > > - > > > -endif > > > - > > > .PHONY: _install > > > _install: D=$(DESTDIR) > > > _install: T=$(notdir $(TARGET)) 
> > > @@ -530,9 +514,6 @@ _install: $(TARGET)$(CONFIG_XEN_INSTALL_SUFFIX) > > > ln -sf $(T)-$(XEN_FULLVERSION).efi $(D)$(EFI_DIR)/$(T)-$(XEN_VERSION).efi; \ > > > ln -sf $(T)-$(XEN_FULLVERSION).efi $(D)$(EFI_DIR)/$(T).efi; \ > > > if [ -n '$(EFI_MOUNTPOINT)' -a -n '$(EFI_VENDOR)' ]; then \ > > > - $(if $(efi-strip-opt), \ > > > - $(STRIP) $(efi-strip-opt) -p -o $(TARGET).efi.stripped $(TARGET).efi && \ > > > - $(INSTALL_DATA) $(TARGET).efi.stripped $(D)$(EFI_MOUNTPOINT)/efi/$(EFI_VENDOR)/$(T)-$(XEN_FULLVERSION).efi ||) \ > > > $(INSTALL_DATA) $(TARGET).efi $(D)$(EFI_MOUNTPOINT)/efi/$(EFI_VENDOR)/$(T)-$(XEN_FULLVERSION).efi; \ > > > elif [ "$(D)" = "$(patsubst $(shell cd $(XEN_ROOT) && pwd)/%,%,$(D))" ]; then \ > > > echo 'EFI installation only partially done (EFI_VENDOR not set)' >&2; \ > > > diff --git a/xen/arch/x86/Makefile b/xen/arch/x86/Makefile > > > index ce724a9daa..e0ebc8c73e 100644 > > > --- a/xen/arch/x86/Makefile > > > +++ b/xen/arch/x86/Makefile 
> > > @@ -232,14 +232,16 @@ endif > > > $(MAKE) $(build)=$(@D) .$(@F).1r.o .$(@F).1s.o > > > $(LD) $(call EFI_LDFLAGS,$(VIRT_BASE)) -T $(obj)/efi.lds $< \ > > > $(dot-target).1r.o $(dot-target).1s.o $(orphan-handling-y) \ > > > - $(note_file_option) -o $@ > > > - $(NM) -pa --format=sysv $@ \ > > > + $(note_file_option) -o $@.tmp > > > + $(NM) -pa --format=sysv $@.tmp \ > > > | $(objtree)/tools/symbols --all-symbols --xensyms --sysv --sort \ > > > > $@.map > > > ifeq ($(CONFIG_DEBUG_INFO),y) > > > - $(if $(filter --strip-debug,$(EFI_LDFLAGS)),:$(space))$(OBJCOPY) -O elf64-x86-64 $@ $@.elf > > > + $(if $(filter --strip-debug,$(EFI_LDFLAGS)),:$(space))$(OBJCOPY) -O elf64-x86-64 $@.tmp $@.elf > > > + $(if $(filter --strip-debug,$(EFI_LDFLAGS)),:$(space))$(STRIP) $@.tmp > > > endif > > > rm -f $(dot-target).[0-9]* $(@D)/..$(@F).[0-9]* > > > + mv -f $@.tmp $@ > > > ifeq ($(CONFIG_XEN_IBT),y) > > > $(SHELL) $(srctree)/tools/check-endbr.sh $@ > > > endif > > > > Any comments on this version? > > > > Frediano ^ permalink raw reply [flat|nested] 16+ messages in thread
* Re: [PATCH v2] xen: Strip xen.efi by default 2025-08-15 10:33 ` Frediano Ziglio @ 2025-10-02 12:25 ` Frediano Ziglio 0 siblings, 0 replies; 16+ messages in thread From: Frediano Ziglio @ 2025-10-02 12:25 UTC (permalink / raw) To: Frediano Ziglio, xen-devel@lists.xenproject.org Cc: Andrew Cooper, Anthony PERARD, Michal Orzel, Jan Beulich, Julien Grall, Roger Pau Monne, Stefano Stabellini [-- Attachment #1: Type: text/plain, Size: 7140 bytes --] ping ________________________________ From: Frediano Ziglio <frediano.ziglio@cloud.com> Sent: 15 August 2025 11:33 To: xen-devel@lists.xenproject.org <xen-devel@lists.xenproject.org> Cc: Andrew Cooper <andrew.cooper3@citrix.com>; Anthony PERARD <anthony.perard@vates.tech>; Michal Orzel <michal.orzel@amd.com>; Jan Beulich <jbeulich@suse.com>; Julien Grall <julien@xen.org>; Roger Pau Monné <roger.pau@citrix.com>; Stefano Stabellini <sstabellini@kernel.org> Subject: Re: [PATCH v2] xen: Strip xen.efi by default ping On Mon, Jul 28, 2025 at 11:34 AM Frediano Ziglio <frediano.ziglio@cloud.com> wrote: > > ping > > On Wed, Jun 25, 2025 at 12:49 PM Frediano Ziglio > <frediano.ziglio@cloud.com> wrote: > > > > On Thu, Jun 12, 2025 at 11:07 AM Frediano Ziglio > > <frediano.ziglio@cloud.com> wrote: > > > > > > For xen.gz file we strip all symbols and have an additional > > > xen-syms file version with all symbols. > > > Make xen.efi more coherent stripping all symbols too. > > > xen.efi.elf can be used for debugging. > > > > > > Signed-off-by: Frediano Ziglio <frediano.ziglio@cloud.com> > > > --- > > > Changes since v1: > > > - avoid leaving target if some command fails > > > --- > > > docs/misc/efi.pandoc | 8 +------- > > > xen/Kconfig.debug | 9 ++------- > > > xen/Makefile | 19 ------------------- > > > xen/arch/x86/Makefile | 8 +++++--- > > > 4 files changed, 8 insertions(+), 36 deletions(-) > > > > > > diff --git a/docs/misc/efi.pandoc b/docs/misc/efi.pandoc > > > index 11c1ac3346..c66b18a66b 100644 > > > --- a/docs/misc/efi.pandoc 
> > > +++ b/docs/misc/efi.pandoc > > > @@ -20,13 +20,7 @@ Xen to load the configuration file even if multiboot modules are found. > > > Once built, `make install-xen` will place the resulting binary directly into > > > the EFI boot partition, provided `EFI_VENDOR` is set in the environment (and > > > `EFI_MOUNTPOINT` is overridden as needed, should the default of `/boot/efi` not > > > -match your system). When built with debug info, the binary can be quite large. > > > -Setting `INSTALL_EFI_STRIP=1` in the environment will cause it to be stripped > > > -of debug info in the process of installing. `INSTALL_EFI_STRIP` can also be set > > > -to any combination of options suitable to pass to `strip`, in case the default > > > -ones don't do. The xen.efi binary will also be installed in `/usr/lib64/efi/`, > > > -unless `EFI_DIR` is set in the environment to override this default. This > > > -binary will not be stripped in the process. > > > +match your system). > > > > > > The binary itself will require a configuration file (names with the `.efi` > > > extension of the binary's name replaced by `.cfg`, and - until an existing > > > diff --git a/xen/Kconfig.debug b/xen/Kconfig.debug > > > index d14093017e..cafbb1236c 100644 > > > --- a/xen/Kconfig.debug > > > +++ b/xen/Kconfig.debug 
> > > @@ -147,12 +147,7 @@ config DEBUG_INFO > > > Say Y here if you want to build Xen with debug information. This > > > information is needed e.g. for doing crash dump analysis of the > > > hypervisor via the "crash" tool. > > > - Saying Y will increase the size of the xen-syms and xen.efi > > > - binaries. In case the space on the EFI boot partition is rather > > > - limited, you may want to install a stripped variant of xen.efi in > > > - the EFI boot partition (look for "INSTALL_EFI_STRIP" in > > > - docs/misc/efi.pandoc for more information - when not using > > > - "make install-xen" for installing xen.efi, stripping needs to be > > > - done outside the Xen build environment). > > > + Saying Y will increase the size of the xen-syms and xen.efi.elf > > > + binaries. > > > > > > endmenu > > > diff --git a/xen/Makefile b/xen/Makefile > > > index 8fc4e042ff..664c4ea7b8 100644 > > > --- a/xen/Makefile > > > +++ b/xen/Makefile > > > @@ -488,22 +488,6 @@ endif > > > .PHONY: _build > > > _build: $(TARGET)$(CONFIG_XEN_INSTALL_SUFFIX) > > > > > > -# Strip > > > -# > > > -# INSTALL_EFI_STRIP, if defined, will cause xen.efi to be stripped before it > > > -# is installed. If INSTALL_EFI_STRIP is '1', then the default option(s) below > > > -# will be used. Otherwise, INSTALL_EFI_STRIP value will be used as the > > > -# option(s) to the strip command. > > > -ifdef INSTALL_EFI_STRIP > > > - > > > -ifeq ($(INSTALL_EFI_STRIP),1) > > > -efi-strip-opt := --strip-debug --keep-file-symbols > > > -else > > > -efi-strip-opt := $(INSTALL_EFI_STRIP) > > > -endif > > > - > > > -endif > > > - > > > .PHONY: _install > > > _install: D=$(DESTDIR) > > > _install: T=$(notdir $(TARGET)) 
> > > @@ -530,9 +514,6 @@ _install: $(TARGET)$(CONFIG_XEN_INSTALL_SUFFIX) > > > ln -sf $(T)-$(XEN_FULLVERSION).efi $(D)$(EFI_DIR)/$(T)-$(XEN_VERSION).efi; \ > > > ln -sf $(T)-$(XEN_FULLVERSION).efi $(D)$(EFI_DIR)/$(T).efi; \ > > > if [ -n '$(EFI_MOUNTPOINT)' -a -n '$(EFI_VENDOR)' ]; then \ > > > - $(if $(efi-strip-opt), \ > > > - $(STRIP) $(efi-strip-opt) -p -o $(TARGET).efi.stripped $(TARGET).efi && \ > > > - $(INSTALL_DATA) $(TARGET).efi.stripped $(D)$(EFI_MOUNTPOINT)/efi/$(EFI_VENDOR)/$(T)-$(XEN_FULLVERSION).efi ||) \ > > > $(INSTALL_DATA) $(TARGET).efi $(D)$(EFI_MOUNTPOINT)/efi/$(EFI_VENDOR)/$(T)-$(XEN_FULLVERSION).efi; \ > > > elif [ "$(D)" = "$(patsubst $(shell cd $(XEN_ROOT) && pwd)/%,%,$(D))" ]; then \ > > > echo 'EFI installation only partially done (EFI_VENDOR not set)' >&2; \ > > > diff --git a/xen/arch/x86/Makefile b/xen/arch/x86/Makefile > > > index ce724a9daa..e0ebc8c73e 100644 > > > --- a/xen/arch/x86/Makefile > > > +++ b/xen/arch/x86/Makefile 
> > > @@ -232,14 +232,16 @@ endif > > > $(MAKE) $(build)=$(@D) .$(@F).1r.o .$(@F).1s.o > > > $(LD) $(call EFI_LDFLAGS,$(VIRT_BASE)) -T $(obj)/efi.lds $< \ > > > $(dot-target).1r.o $(dot-target).1s.o $(orphan-handling-y) \ > > > - $(note_file_option) -o $@ > > > - $(NM) -pa --format=sysv $@ \ > > > + $(note_file_option) -o $@.tmp > > > + $(NM) -pa --format=sysv $@.tmp \ > > > | $(objtree)/tools/symbols --all-symbols --xensyms --sysv --sort \ > > > > $@.map > > > ifeq ($(CONFIG_DEBUG_INFO),y) > > > - $(if $(filter --strip-debug,$(EFI_LDFLAGS)),:$(space))$(OBJCOPY) -O elf64-x86-64 $@ $@.elf > > > + $(if $(filter --strip-debug,$(EFI_LDFLAGS)),:$(space))$(OBJCOPY) -O elf64-x86-64 $@.tmp $@.elf > > > + $(if $(filter --strip-debug,$(EFI_LDFLAGS)),:$(space))$(STRIP) $@.tmp > > > endif > > > rm -f $(dot-target).[0-9]* $(@D)/..$(@F).[0-9]* > > > + mv -f $@.tmp $@ > > > ifeq ($(CONFIG_XEN_IBT),y) > > > $(SHELL) $(srctree)/tools/check-endbr.sh $@ > > > endif > > > > Any comments on this version? > > > > Frediano [-- Attachment #2: Type: text/html, Size: 12167 bytes --] ^ permalink raw reply [flat|nested] 16+ messages in thread
* Re: [PATCH v2] xen: Strip xen.efi by default 2025-06-12 10:07 [PATCH v2] xen: Strip xen.efi by default Frediano Ziglio 2025-06-25 11:49 ` Frediano Ziglio @ 2025-10-02 13:05 ` Andrew Cooper 2025-10-02 14:10 ` Marek Marczykowski-Górecki 2025-10-07 14:07 ` Jan Beulich 1 sibling, 2 replies; 16+ messages in thread From: Andrew Cooper @ 2025-10-02 13:05 UTC (permalink / raw) To: Frediano Ziglio, xen-devel Cc: Andrew Cooper, Anthony PERARD, Michal Orzel, Jan Beulich, Julien Grall, Roger Pau Monné, Stefano Stabellini, Marek Marczykowski-Górecki, Daniel Smith, michal.zygowski@3mdeb.com, Oleksii Kurochko On 12/06/2025 11:07 am, Frediano Ziglio wrote: > For xen.gz file we strip all symbols and have an additional > xen-syms file version with all symbols. > Make xen.efi more coherent stripping all symbols too. > xen.efi.elf can be used for debugging. 
> > Signed-off-by: Frediano Ziglio <frediano.ziglio@cloud.com> > --- > Changes since v1: > - avoid leaving target if some command fails CC-ing the EFI maintainers, as this is an EFI change. At the recent QubesOS hackathon, Michał Żygowski (3mdeb) found that stripping Xen was the difference between the system booting and not. With debugging symbols, xen.efi was ~32M and is placed above the 4G boundary by the EFI loader, hitting Xen's sanity check that it's below 4G. Xen does still have a requirement to live below the 4G boundary. At a minimum, idle_pg_table needs to be addressable with a 32bit %cr3, but I bet that isn't the only restriction we have. So, either we find a way of telling the EFI loader (using PE+ headers only) that we require to be below 4G (I have no idea if this is possible), or we strip xen.efi by default. I don't think making Xen.efi safe to operate above the 4G boundary is a viable option at this point. As Xen's defaults are broken on modern systems, this is also a bugfix candidate for 4.21, so CC Oleksii. ~Andrew (Retaining full patch for those CC'd into the thread) > --- > docs/misc/efi.pandoc | 8 +------- > xen/Kconfig.debug | 9 ++------- > xen/Makefile | 19 ------------------- > xen/arch/x86/Makefile | 8 +++++--- > 4 files changed, 8 insertions(+), 36 deletions(-) > > diff --git a/docs/misc/efi.pandoc b/docs/misc/efi.pandoc > index 11c1ac3346..c66b18a66b 100644 > --- a/docs/misc/efi.pandoc > +++ b/docs/misc/efi.pandoc 
> @@ -20,13 +20,7 @@ Xen to load the configuration file even if multiboot modules are found. > Once built, `make install-xen` will place the resulting binary directly into > the EFI boot partition, provided `EFI_VENDOR` is set in the environment (and > `EFI_MOUNTPOINT` is overridden as needed, should the default of `/boot/efi` not > -match your system). When built with debug info, the binary can be quite large. > -Setting `INSTALL_EFI_STRIP=1` in the environment will cause it to be stripped > -of debug info in the process of installing. `INSTALL_EFI_STRIP` can also be set > -to any combination of options suitable to pass to `strip`, in case the default > -ones don't do. The xen.efi binary will also be installed in `/usr/lib64/efi/`, > -unless `EFI_DIR` is set in the environment to override this default. This > -binary will not be stripped in the process. > +match your system). > > The binary itself will require a configuration file (names with the `.efi` > extension of the binary's name replaced by `.cfg`, and - until an existing > diff --git a/xen/Kconfig.debug b/xen/Kconfig.debug > index d14093017e..cafbb1236c 100644 > --- a/xen/Kconfig.debug > +++ b/xen/Kconfig.debug > @@ -147,12 +147,7 @@ config DEBUG_INFO > Say Y here if you want to build Xen with debug information. This > information is needed e.g. for doing crash dump analysis of the > hypervisor via the "crash" tool. > - Saying Y will increase the size of the xen-syms and xen.efi > - binaries. In case the space on the EFI boot partition is rather > - limited, you may want to install a stripped variant of xen.efi in > - the EFI boot partition (look for "INSTALL_EFI_STRIP" in > - docs/misc/efi.pandoc for more information - when not using > - "make install-xen" for installing xen.efi, stripping needs to be > - done outside the Xen build environment). > + Saying Y will increase the size of the xen-syms and xen.efi.elf > + binaries. > > endmenu 
> diff --git a/xen/Makefile b/xen/Makefile > index 8fc4e042ff..664c4ea7b8 100644 > --- a/xen/Makefile > +++ b/xen/Makefile > @@ -488,22 +488,6 @@ endif > .PHONY: _build > _build: $(TARGET)$(CONFIG_XEN_INSTALL_SUFFIX) > > -# Strip > -# > -# INSTALL_EFI_STRIP, if defined, will cause xen.efi to be stripped before it > -# is installed. If INSTALL_EFI_STRIP is '1', then the default option(s) below > -# will be used. Otherwise, INSTALL_EFI_STRIP value will be used as the > -# option(s) to the strip command. > -ifdef INSTALL_EFI_STRIP > - > -ifeq ($(INSTALL_EFI_STRIP),1) > -efi-strip-opt := --strip-debug --keep-file-symbols > -else > -efi-strip-opt := $(INSTALL_EFI_STRIP) > -endif > - > -endif > - > .PHONY: _install > _install: D=$(DESTDIR) > _install: T=$(notdir $(TARGET)) > @@ -530,9 +514,6 @@ _install: $(TARGET)$(CONFIG_XEN_INSTALL_SUFFIX) > ln -sf $(T)-$(XEN_FULLVERSION).efi $(D)$(EFI_DIR)/$(T)-$(XEN_VERSION).efi; \ > ln -sf $(T)-$(XEN_FULLVERSION).efi $(D)$(EFI_DIR)/$(T).efi; \ > if [ -n '$(EFI_MOUNTPOINT)' -a -n '$(EFI_VENDOR)' ]; then \ > - $(if $(efi-strip-opt), \ > - $(STRIP) $(efi-strip-opt) -p -o $(TARGET).efi.stripped $(TARGET).efi && \ > - $(INSTALL_DATA) $(TARGET).efi.stripped $(D)$(EFI_MOUNTPOINT)/efi/$(EFI_VENDOR)/$(T)-$(XEN_FULLVERSION).efi ||) \ > $(INSTALL_DATA) $(TARGET).efi $(D)$(EFI_MOUNTPOINT)/efi/$(EFI_VENDOR)/$(T)-$(XEN_FULLVERSION).efi; \ > elif [ "$(D)" = "$(patsubst $(shell cd $(XEN_ROOT) && pwd)/%,%,$(D))" ]; then \ > echo 'EFI installation only partially done (EFI_VENDOR not set)' >&2; \ > diff --git a/xen/arch/x86/Makefile b/xen/arch/x86/Makefile > index ce724a9daa..e0ebc8c73e 100644 > --- a/xen/arch/x86/Makefile > +++ b/xen/arch/x86/Makefile 
> @@ -232,14 +232,16 @@ endif > $(MAKE) $(build)=$(@D) .$(@F).1r.o .$(@F).1s.o > $(LD) $(call EFI_LDFLAGS,$(VIRT_BASE)) -T $(obj)/efi.lds $< \ > $(dot-target).1r.o $(dot-target).1s.o $(orphan-handling-y) \ > - $(note_file_option) -o $@ > - $(NM) -pa --format=sysv $@ \ > + $(note_file_option) -o $@.tmp > + $(NM) -pa --format=sysv $@.tmp \ > | $(objtree)/tools/symbols --all-symbols --xensyms --sysv --sort \ > > $@.map > ifeq ($(CONFIG_DEBUG_INFO),y) > - $(if $(filter --strip-debug,$(EFI_LDFLAGS)),:$(space))$(OBJCOPY) -O elf64-x86-64 $@ $@.elf > + $(if $(filter --strip-debug,$(EFI_LDFLAGS)),:$(space))$(OBJCOPY) -O elf64-x86-64 $@.tmp $@.elf > + $(if $(filter --strip-debug,$(EFI_LDFLAGS)),:$(space))$(STRIP) $@.tmp > endif > rm -f $(dot-target).[0-9]* $(@D)/..$(@F).[0-9]* > + mv -f $@.tmp $@ > ifeq ($(CONFIG_XEN_IBT),y) > $(SHELL) $(srctree)/tools/check-endbr.sh $@ > endif ^ permalink raw reply [flat|nested] 16+ messages in thread
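Review bot: In the docs/misc/efi.pandoc hunk, the removed paragraph also drops the sentence saying that xen.efi is installed in `/usr/lib64/efi/` unless `EFI_DIR` is set, although the unchanged `_install` context in xen/Makefile still links into `$(D)$(EFI_DIR)`. That sentence is independent of `INSTALL_EFI_STRIP` and should stay, without its "This binary will not be stripped in the process" follow-up. The same paragraph is also where a reader would look to learn that xen.efi is now stripped at build time and that xen.efi.elf carries the debug info.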
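Review bot: In the xen/Makefile hunks, removing the `ifdef INSTALL_EFI_STRIP` block means an `INSTALL_EFI_STRIP` value that a packager still sets in the environment is now ignored without any message, and the strip options can no longer be chosen at install time (the deleted default was `--strip-debug --keep-file-symbols`). The commit message does not mention that this knob goes away; say so there and in CHANGELOG.md, so that people packaging Xen know to drop the variable and to pick up xen.efi.elf for their debuginfo package.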
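Review bot: In the xen/arch/x86/Makefile hunk, `$(STRIP) $@.tmp` is run with no options, so it removes the symbol table as well as the debug sections, whereas the install-time default this patch deletes was `--strip-debug --keep-file-symbols`. The new line also sits inside `ifeq ($(CONFIG_DEBUG_INFO),y)` and behind the `$(filter --strip-debug,$(EFI_LDFLAGS))` guard, so the strip step is skipped in the other configurations and what xen.efi contains depends on the configuration, which the commit message ("stripping all symbols too") does not say. Pass the intended options to `$(STRIP)` explicitly and state in the commit message which configurations get which result. Separately, `$@.tmp` is not removed when the `$(OBJCOPY)` or `$(STRIP)` step fails, so a failed build leaves the unstripped intermediate behind.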
* Re: [PATCH v2] xen: Strip xen.efi by default
  2025-10-02 13:05 ` Andrew Cooper
@ 2025-10-02 14:10 ` Marek Marczykowski-Górecki
  2025-10-03 8:26 ` Oleksii Kurochko
  2025-10-07 14:12 ` Jan Beulich
  2025-10-07 14:07 ` Jan Beulich
  1 sibling, 2 replies; 16+ messages in thread
From: Marek Marczykowski-Górecki @ 2025-10-02 14:10 UTC
To: Andrew Cooper
Cc: Frediano Ziglio, xen-devel, Anthony PERARD, Michal Orzel, Jan Beulich, Julien Grall, Roger Pau Monné, Stefano Stabellini, Daniel Smith, michal.zygowski@3mdeb.com, Oleksii Kurochko

On Thu, Oct 02, 2025 at 02:05:56PM +0100, Andrew Cooper wrote:
> On 12/06/2025 11:07 am, Frediano Ziglio wrote:
> > For xen.gz file we strip all symbols and have an additional
> > xen-syms file version with all symbols.
> > Make xen.efi more coherent stripping all symbols too.
> > xen.efi.elf can be used for debugging.
> >
> > Signed-off-by: Frediano Ziglio <frediano.ziglio@cloud.com>

Generally,
Reviewed-by: Marek Marczykowski-Górecki <marmarek@invisiblethingslab.com>

But this may want a line in CHANGELOG.md, just for a little more
visibility for people packaging Xen, as it may affect what should be
included in debuginfo sub-package.

> > ---
> > Changes since v1:
> > - avoid leaving target if some command fails
>
> CC-ing the EFI maintainers, as this is an EFI change.

Thanks. I did notice the patch independently, but only a few minutes
earlier due to missing CC...

> At the recent QubesOS hackathon, Michał Żygowski (3mdeb) found that
> stripping Xen was the difference between the system booting and not.
>
> With debugging symbols, xen.efi was ~32M and is placed above the 4G
> boundary by the EFI loader, hitting Xen's sanity check that it's below 4G.
>
> Xen does still have a requirement to live below the 4G boundary. At a
> minimum, idle_pg_table needs to be addressable with a 32bit %cr3, but I
> bet that isn't the only restriction we have.
>
> So, either we find a way of telling the EFI loader (using PE+ headers
> only) that we require to be below 4G (I have no idea if this is
> possible), or we strip xen.efi by default.
>
> I don't think making Xen.efi safe to operate above the 4G boundary is a
> viable option at this point.
>
> As Xen's defaults are broken on modern systems, this is also a bugfix
> candidate for 4.21, so CC Oleksii.

I agree with this wanting to be considered for 4.21.

> ~Andrew
>
> (Retaining full patch for those CC'd into the thread)
>
> > --- > > docs/misc/efi.pandoc | 8 +------- > > xen/Kconfig.debug | 9 ++------- > > xen/Makefile | 19 ------------------- > > xen/arch/x86/Makefile | 8 +++++--- > > 4 files changed, 8 insertions(+), 36 deletions(-) > > > > diff --git a/docs/misc/efi.pandoc b/docs/misc/efi.pandoc > > index 11c1ac3346..c66b18a66b 100644 > > --- a/docs/misc/efi.pandoc > > +++ b/docs/misc/efi.pandoc
> > @@ -20,13 +20,7 @@ Xen to load the configuration file even if multiboot modules are found. > > Once built, `make install-xen` will place the resulting binary directly into > > the EFI boot partition, provided `EFI_VENDOR` is set in the environment (and > > `EFI_MOUNTPOINT` is overridden as needed, should the default of `/boot/efi` not > > -match your system). When built with debug info, the binary can be quite large. > > -Setting `INSTALL_EFI_STRIP=1` in the environment will cause it to be stripped > > -of debug info in the process of installing. `INSTALL_EFI_STRIP` can also be set > > -to any combination of options suitable to pass to `strip`, in case the default > > -ones don't do. The xen.efi binary will also be installed in `/usr/lib64/efi/`, > > -unless `EFI_DIR` is set in the environment to override this default. This > > -binary will not be stripped in the process. > > +match your system). > > > > The binary itself will require a configuration file (names with the `.efi` > > extension of the binary's name replaced by `.cfg`, and - until an existing > > diff --git a/xen/Kconfig.debug b/xen/Kconfig.debug > > index d14093017e..cafbb1236c 100644 > > --- a/xen/Kconfig.debug > > +++ b/xen/Kconfig.debug > > @@ -147,12 +147,7 @@ config DEBUG_INFO > > Say Y here if you want to build Xen with debug information. This > > information is needed e.g. for doing crash dump analysis of the > > hypervisor via the "crash" tool. > > - Saying Y will increase the size of the xen-syms and xen.efi > > - binaries. In case the space on the EFI boot partition is rather > > - limited, you may want to install a stripped variant of xen.efi in > > - the EFI boot partition (look for "INSTALL_EFI_STRIP" in > > - docs/misc/efi.pandoc for more information - when not using > > - "make install-xen" for installing xen.efi, stripping needs to be > > - done outside the Xen build environment). > > + Saying Y will increase the size of the xen-syms and xen.efi.elf > > + binaries. > > > > endmenu 
> > diff --git a/xen/Makefile b/xen/Makefile > > index 8fc4e042ff..664c4ea7b8 100644 > > --- a/xen/Makefile > > +++ b/xen/Makefile > > @@ -488,22 +488,6 @@ endif > > .PHONY: _build > > _build: $(TARGET)$(CONFIG_XEN_INSTALL_SUFFIX) > > > > -# Strip > > -# > > -# INSTALL_EFI_STRIP, if defined, will cause xen.efi to be stripped before it > > -# is installed. If INSTALL_EFI_STRIP is '1', then the default option(s) below > > -# will be used. Otherwise, INSTALL_EFI_STRIP value will be used as the > > -# option(s) to the strip command. > > -ifdef INSTALL_EFI_STRIP > > - > > -ifeq ($(INSTALL_EFI_STRIP),1) > > -efi-strip-opt := --strip-debug --keep-file-symbols > > -else > > -efi-strip-opt := $(INSTALL_EFI_STRIP) > > -endif > > - > > -endif > > - > > .PHONY: _install > > _install: D=$(DESTDIR) > > _install: T=$(notdir $(TARGET)) > > @@ -530,9 +514,6 @@ _install: $(TARGET)$(CONFIG_XEN_INSTALL_SUFFIX) > > ln -sf $(T)-$(XEN_FULLVERSION).efi $(D)$(EFI_DIR)/$(T)-$(XEN_VERSION).efi; \ > > ln -sf $(T)-$(XEN_FULLVERSION).efi $(D)$(EFI_DIR)/$(T).efi; \ > > if [ -n '$(EFI_MOUNTPOINT)' -a -n '$(EFI_VENDOR)' ]; then \ > > - $(if $(efi-strip-opt), \ > > - $(STRIP) $(efi-strip-opt) -p -o $(TARGET).efi.stripped $(TARGET).efi && \ > > - $(INSTALL_DATA) $(TARGET).efi.stripped $(D)$(EFI_MOUNTPOINT)/efi/$(EFI_VENDOR)/$(T)-$(XEN_FULLVERSION).efi ||) \ > > $(INSTALL_DATA) $(TARGET).efi $(D)$(EFI_MOUNTPOINT)/efi/$(EFI_VENDOR)/$(T)-$(XEN_FULLVERSION).efi; \ > > elif [ "$(D)" = "$(patsubst $(shell cd $(XEN_ROOT) && pwd)/%,%,$(D))" ]; then \ > > echo 'EFI installation only partially done (EFI_VENDOR not set)' >&2; \ > > diff --git a/xen/arch/x86/Makefile b/xen/arch/x86/Makefile > > index ce724a9daa..e0ebc8c73e 100644 > > --- a/xen/arch/x86/Makefile > > +++ b/xen/arch/x86/Makefile 
> > @@ -232,14 +232,16 @@ endif > > $(MAKE) $(build)=$(@D) .$(@F).1r.o .$(@F).1s.o > > $(LD) $(call EFI_LDFLAGS,$(VIRT_BASE)) -T $(obj)/efi.lds $< \ > > $(dot-target).1r.o $(dot-target).1s.o $(orphan-handling-y) \ > > - $(note_file_option) -o $@ > > - $(NM) -pa --format=sysv $@ \ > > + $(note_file_option) -o $@.tmp > > + $(NM) -pa --format=sysv $@.tmp \ > > | $(objtree)/tools/symbols --all-symbols --xensyms --sysv --sort \ > > > $@.map > > ifeq ($(CONFIG_DEBUG_INFO),y) > > - $(if $(filter --strip-debug,$(EFI_LDFLAGS)),:$(space))$(OBJCOPY) -O elf64-x86-64 $@ $@.elf > > + $(if $(filter --strip-debug,$(EFI_LDFLAGS)),:$(space))$(OBJCOPY) -O elf64-x86-64 $@.tmp $@.elf > > + $(if $(filter --strip-debug,$(EFI_LDFLAGS)),:$(space))$(STRIP) $@.tmp > > endif > > rm -f $(dot-target).[0-9]* $(@D)/..$(@F).[0-9]* > > + mv -f $@.tmp $@ > > ifeq ($(CONFIG_XEN_IBT),y) > > $(SHELL) $(srctree)/tools/check-endbr.sh $@ > > endif > -- Best Regards, Marek Marczykowski-Górecki Invisible Things Lab [-- Attachment #2: signature.asc --] [-- Type: application/pgp-signature, Size: 488 bytes --] ^ permalink raw reply [flat|nested] 16+ messages in thread
* Re: [PATCH v2] xen: Strip xen.efi by default
  2025-10-02 14:10 ` Marek Marczykowski-Górecki
@ 2025-10-03 8:26 ` Oleksii Kurochko
  2025-10-07 14:12 ` Jan Beulich
  1 sibling, 0 replies; 16+ messages in thread
From: Oleksii Kurochko @ 2025-10-03 8:26 UTC
To: Marek Marczykowski-Górecki, Andrew Cooper, Frediano Ziglio
Cc: xen-devel, Anthony PERARD, Michal Orzel, Jan Beulich, Julien Grall, Roger Pau Monné, Stefano Stabellini, Daniel Smith, michal.zygowski@3mdeb.com

On 10/2/25 4:10 PM, Marek Marczykowski-Górecki wrote:
> On Thu, Oct 02, 2025 at 02:05:56PM +0100, Andrew Cooper wrote:
>> On 12/06/2025 11:07 am, Frediano Ziglio wrote:
>>> For xen.gz file we strip all symbols and have an additional
>>> xen-syms file version with all symbols.
>>> Make xen.efi more coherent stripping all symbols too.
>>> xen.efi.elf can be used for debugging.
>>>
>>> Signed-off-by: Frediano Ziglio <frediano.ziglio@cloud.com>
> Generally,
> Reviewed-by: Marek Marczykowski-Górecki <marmarek@invisiblethingslab.com>
>
> But this may want a line in CHANGELOG.md, just for a little more
> visibility for people packaging Xen, as it may affect what should be
> included in debuginfo sub-package.

Good point. I can add a line in CHANGELOG.md if a new version of
"[PATCH v2] CHANGELOG.md: Update for 4.21 release cycle" will be needed.

>
>>> ---
>>> Changes since v1:
>>> - avoid leaving target if some command fails
>> CC-ing the EFI maintainers, as this is an EFI change.
> Thanks. I did notice the patch independently, but only a few minutes
> earlier due to missing CC...
>
>> At the recent QubesOS hackathon, Michał Żygowski (3mdeb) found that
>> stripping Xen was the difference between the system booting and not.
>>
>> With debugging symbols, xen.efi was ~32M and is placed above the 4G
>> boundary by the EFI loader, hitting Xen's sanity check that it's below 4G.
>>
>> Xen does still have a requirement to live below the 4G boundary. At a
>> minimum, idle_pg_table needs to be addressable with a 32bit %cr3, but I
>> bet that isn't the only restriction we have.

I think the last two paragraphs should be part of the commit message, as
they clarify why these changes started to be needed in the first place.

>>
>> So, either we find a way of telling the EFI loader (using PE+ headers
>> only) that we require to be below 4G (I have no idea if this is
>> possible), or we strip xen.efi by default.

IMO, it should be preferable solution than stripping ...

>>
>> I don't think making Xen.efi safe to operate above the 4G boundary is a
>> viable option at this point.
>>
>> As Xen's defaults are broken on modern systems, this is also a bugfix
>> candidate for 4.21, so CC Oleksii.
> I agree with this wanting to be considered for 4.21.

...
but if it is not clear at the moment how to instruct the EFI loader to load below 4G, then I am okay with this solution and it should be part of 4.21: Release-Acked-By: Oleksii Kurochko<oleksii.kurochko@gmail.com> Thanks. ~ Oleksii > >> ~Andrew >> >> (Retaining full patch for those CC'd into the thread) >> >>> --- >>> docs/misc/efi.pandoc | 8 +------- >>> xen/Kconfig.debug | 9 ++------- >>> xen/Makefile | 19 ------------------- >>> xen/arch/x86/Makefile | 8 +++++--- >>> 4 files changed, 8 insertions(+), 36 deletions(-) >>> >>> diff --git a/docs/misc/efi.pandoc b/docs/misc/efi.pandoc >>> index 11c1ac3346..c66b18a66b 100644 >>> --- a/docs/misc/efi.pandoc >>> +++ b/docs/misc/efi.pandoc >>> @@ -20,13 +20,7 @@ Xen to load the configuration file even if multiboot modules are found. >>> Once built, `make install-xen` will place the resulting binary directly into >>> the EFI boot partition, provided `EFI_VENDOR` is set in the environment (and >>> `EFI_MOUNTPOINT` is overridden as needed, should the default of `/boot/efi` not >>> -match your system). When built with debug info, the binary can be quite large. >>> -Setting `INSTALL_EFI_STRIP=1` in the environment will cause it to be stripped >>> -of debug info in the process of installing. `INSTALL_EFI_STRIP` can also be set >>> -to any combination of options suitable to pass to `strip`, in case the default >>> -ones don't do. The xen.efi binary will also be installed in `/usr/lib64/efi/`, >>> -unless `EFI_DIR` is set in the environment to override this default. This >>> -binary will not be stripped in the process. >>> +match your system). >>> >>> The binary itself will require a configuration file (names with the `.efi` >>> extension of the binary's name replaced by `.cfg`, and - until an existing >>> diff --git a/xen/Kconfig.debug b/xen/Kconfig.debug >>> index d14093017e..cafbb1236c 100644 >>> --- a/xen/Kconfig.debug >>> +++ b/xen/Kconfig.debug 
>>> @@ -147,12 +147,7 @@ config DEBUG_INFO >>> Say Y here if you want to build Xen with debug information. This >>> information is needed e.g. for doing crash dump analysis of the >>> hypervisor via the "crash" tool. >>> - Saying Y will increase the size of the xen-syms and xen.efi >>> - binaries. In case the space on the EFI boot partition is rather >>> - limited, you may want to install a stripped variant of xen.efi in >>> - the EFI boot partition (look for "INSTALL_EFI_STRIP" in >>> - docs/misc/efi.pandoc for more information - when not using >>> - "make install-xen" for installing xen.efi, stripping needs to be >>> - done outside the Xen build environment). >>> + Saying Y will increase the size of the xen-syms and xen.efi.elf >>> + binaries. >>> >>> endmenu >>> diff --git a/xen/Makefile b/xen/Makefile >>> index 8fc4e042ff..664c4ea7b8 100644 >>> --- a/xen/Makefile >>> +++ b/xen/Makefile >>> @@ -488,22 +488,6 @@ endif >>> .PHONY: _build >>> _build: $(TARGET)$(CONFIG_XEN_INSTALL_SUFFIX) >>> >>> -# Strip >>> -# >>> -# INSTALL_EFI_STRIP, if defined, will cause xen.efi to be stripped before it >>> -# is installed. If INSTALL_EFI_STRIP is '1', then the default option(s) below >>> -# will be used. Otherwise, INSTALL_EFI_STRIP value will be used as the >>> -# option(s) to the strip command. >>> -ifdef INSTALL_EFI_STRIP >>> - >>> -ifeq ($(INSTALL_EFI_STRIP),1) >>> -efi-strip-opt := --strip-debug --keep-file-symbols >>> -else >>> -efi-strip-opt := $(INSTALL_EFI_STRIP) >>> -endif >>> - >>> -endif >>> - >>> .PHONY: _install >>> _install: D=$(DESTDIR) >>> _install: T=$(notdir $(TARGET)) 
>>> @@ -530,9 +514,6 @@ _install: $(TARGET)$(CONFIG_XEN_INSTALL_SUFFIX) >>> ln -sf $(T)-$(XEN_FULLVERSION).efi $(D)$(EFI_DIR)/$(T)-$(XEN_VERSION).efi; \ >>> ln -sf $(T)-$(XEN_FULLVERSION).efi $(D)$(EFI_DIR)/$(T).efi; \ >>> if [ -n '$(EFI_MOUNTPOINT)' -a -n '$(EFI_VENDOR)' ]; then \ >>> - $(if $(efi-strip-opt), \ >>> - $(STRIP) $(efi-strip-opt) -p -o $(TARGET).efi.stripped $(TARGET).efi && \ >>> - $(INSTALL_DATA) $(TARGET).efi.stripped $(D)$(EFI_MOUNTPOINT)/efi/$(EFI_VENDOR)/$(T)-$(XEN_FULLVERSION).efi ||) \ >>> $(INSTALL_DATA) $(TARGET).efi $(D)$(EFI_MOUNTPOINT)/efi/$(EFI_VENDOR)/$(T)-$(XEN_FULLVERSION).efi; \ >>> elif [ "$(D)" = "$(patsubst $(shell cd $(XEN_ROOT) && pwd)/%,%,$(D))" ]; then \ >>> echo 'EFI installation only partially done (EFI_VENDOR not set)' >&2; \ >>> diff --git a/xen/arch/x86/Makefile b/xen/arch/x86/Makefile >>> index ce724a9daa..e0ebc8c73e 100644 >>> --- a/xen/arch/x86/Makefile >>> +++ b/xen/arch/x86/Makefile >>> @@ -232,14 +232,16 @@ endif >>> $(MAKE) $(build)=$(@D) .$(@F).1r.o .$(@F).1s.o >>> $(LD) $(call EFI_LDFLAGS,$(VIRT_BASE)) -T $(obj)/efi.lds $< \ >>> $(dot-target).1r.o $(dot-target).1s.o $(orphan-handling-y) \ >>> - $(note_file_option) -o $@ >>> - $(NM) -pa --format=sysv $@ \ >>> + $(note_file_option) -o $@.tmp >>> + $(NM) -pa --format=sysv $@.tmp \ >>> | $(objtree)/tools/symbols --all-symbols --xensyms --sysv --sort \ >>> > $@.map >>> ifeq ($(CONFIG_DEBUG_INFO),y) >>> - $(if $(filter --strip-debug,$(EFI_LDFLAGS)),:$(space))$(OBJCOPY) -O elf64-x86-64 $@ $@.elf >>> + $(if $(filter --strip-debug,$(EFI_LDFLAGS)),:$(space))$(OBJCOPY) -O elf64-x86-64 $@.tmp $@.elf >>> + $(if $(filter --strip-debug,$(EFI_LDFLAGS)),:$(space))$(STRIP) $@.tmp >>> endif >>> rm -f $(dot-target).[0-9]* $(@D)/..$(@F).[0-9]* >>> + mv -f $@.tmp $@ >>> ifeq ($(CONFIG_XEN_IBT),y) >>> $(SHELL) $(srctree)/tools/check-endbr.sh $@ >>> endif [-- Attachment #2: Type: text/html, Size: 9561 bytes --] ^ permalink raw reply [flat|nested] 16+ messages in thread
* Re: [PATCH v2] xen: Strip xen.efi by default
  2025-10-02 14:10 ` Marek Marczykowski-Górecki
  2025-10-03 8:26 ` Oleksii Kurochko
@ 2025-10-07 14:12 ` Jan Beulich
  2025-10-07 14:23 ` Marek Marczykowski-Górecki
  1 sibling, 1 reply; 16+ messages in thread
From: Jan Beulich @ 2025-10-07 14:12 UTC
To: Marek Marczykowski-Górecki
Cc: Frediano Ziglio, xen-devel, Anthony PERARD, Michal Orzel, Julien Grall, Roger Pau Monné, Stefano Stabellini, Daniel Smith, michal.zygowski@3mdeb.com, Oleksii Kurochko, Andrew Cooper

On 02.10.2025 16:10, Marek Marczykowski-Górecki wrote:
> On Thu, Oct 02, 2025 at 02:05:56PM +0100, Andrew Cooper wrote:
>> On 12/06/2025 11:07 am, Frediano Ziglio wrote:
>>> For xen.gz file we strip all symbols and have an additional
>>> xen-syms file version with all symbols.
>>> Make xen.efi more coherent stripping all symbols too.
>>> xen.efi.elf can be used for debugging.
>>>
>>> Signed-off-by: Frediano Ziglio <frediano.ziglio@cloud.com>
>
> Generally,
> Reviewed-by: Marek Marczykowski-Górecki <marmarek@invisiblethingslab.com>

Just to double check: You offer this after having read (and discarded) my
comments on v1, which v2 left largely unaddressed? IOW I continue to
consider this a wrong move, and Andrew's remark towards "bootable vs not
bootable" isn't quite relevant, seeing that prior to this patch we already
had a way to strip the binary put onto the EFI partition (i.e. the one to
be used for actual booting).

Jan
* Re: [PATCH v2] xen: Strip xen.efi by default
  2025-10-07 14:12 ` Jan Beulich
@ 2025-10-07 14:23 ` Marek Marczykowski-Górecki
  2025-10-07 14:46 ` Jan Beulich
  0 siblings, 1 reply; 16+ messages in thread
From: Marek Marczykowski-Górecki @ 2025-10-07 14:23 UTC
To: Jan Beulich
Cc: Frediano Ziglio, xen-devel, Anthony PERARD, Michal Orzel, Julien Grall, Roger Pau Monné, Stefano Stabellini, Daniel Smith, michal.zygowski@3mdeb.com, Oleksii Kurochko, Andrew Cooper

On Tue, Oct 07, 2025 at 04:12:13PM +0200, Jan Beulich wrote:
> On 02.10.2025 16:10, Marek Marczykowski-Górecki wrote:
> > On Thu, Oct 02, 2025 at 02:05:56PM +0100, Andrew Cooper wrote:
> >> On 12/06/2025 11:07 am, Frediano Ziglio wrote:
> >>> For xen.gz file we strip all symbols and have an additional
> >>> xen-syms file version with all symbols.
> >>> Make xen.efi more coherent stripping all symbols too.
> >>> xen.efi.elf can be used for debugging.
> >>>
> >>> Signed-off-by: Frediano Ziglio <frediano.ziglio@cloud.com>
> >
> > Generally,
> > Reviewed-by: Marek Marczykowski-Górecki <marmarek@invisiblethingslab.com>
>
> Just to double check: You offer this after having read (and discarded) my
> comments on v1, which v2 left largely unaddressed?

You mean the one about objcopy result used for debugging? I didn't see
that before, since I wasn't in cc on v1...

Anyway, are you aware of some specific objcopy issue. Or in other words:
would xen.efi.elf _currently_ be broken (as in - unusable for
debugging/disassembly)?
If not, then I take that relevant part of your
objection is mostly about inconsistent naming (xen.gz -> xen-syms, vs
xen.efi -> xen.efi.elf). Would xen-syms.efi.elf be better?

> IOW I continue to
> consider this a wrong move, and Andrew's remark towards "bootable vs not
> bootable" isn't quite relevant, seeing that prior to this patch we already
> had a way to strip the binary put onto the EFI partition (i.e. the one to
> be used for actual booting).

--
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
* Re: [PATCH v2] xen: Strip xen.efi by default
  2025-10-07 14:23 ` Marek Marczykowski-Górecki
@ 2025-10-07 14:46 ` Jan Beulich
  2025-10-09 11:36 ` Marek Marczykowski-Górecki
  0 siblings, 1 reply; 16+ messages in thread
From: Jan Beulich @ 2025-10-07 14:46 UTC
To: Marek Marczykowski-Górecki
Cc: Frediano Ziglio, xen-devel, Anthony PERARD, Michal Orzel, Julien Grall, Roger Pau Monné, Stefano Stabellini, Daniel Smith, michal.zygowski@3mdeb.com, Oleksii Kurochko, Andrew Cooper

On 07.10.2025 16:23, Marek Marczykowski-Górecki wrote:
> On Tue, Oct 07, 2025 at 04:12:13PM +0200, Jan Beulich wrote:
>> On 02.10.2025 16:10, Marek Marczykowski-Górecki wrote:
>>> On Thu, Oct 02, 2025 at 02:05:56PM +0100, Andrew Cooper wrote:
>>>> On 12/06/2025 11:07 am, Frediano Ziglio wrote:
>>>>> For xen.gz file we strip all symbols and have an additional
>>>>> xen-syms file version with all symbols.
>>>>> Make xen.efi more coherent stripping all symbols too.
>>>>> xen.efi.elf can be used for debugging.
>>>>>
>>>>> Signed-off-by: Frediano Ziglio <frediano.ziglio@cloud.com>
>>>
>>> Generally,
>>> Reviewed-by: Marek Marczykowski-Górecki <marmarek@invisiblethingslab.com>
>>
>> Just to double check: You offer this after having read (and discarded) my
>> comments on v1, which v2 left largely unaddressed?
>
> You mean the one about objcopy result used for debugging? I didn't see
> that before, since I wasn't in cc on v1...
>
> Anyway, are you aware of some specific objcopy issue. Or in other words:
> would xen.efi.elf _currently_ be broken (as in - unusable for
> debugging/disassembly)?

I can't tell. I've seen fair parts of the code in the course of addressing
various issues, and I would be very surprised if all of that was working
correctly.

> If not, then I take that relevant part of your
> objection is mostly about inconsistent naming (xen.gz -> xen-syms, vs
> xen.efi -> xen.efi.elf). Would xen-syms.efi.elf be better?

Plus the one asking to strip only debug info, but not the symbol table.
(And no, none of the suggested names look really nice to me.)

Plus the one indicating that the change better wouldn't be made in the
first place. As said, to deal with size issues we already have machinery
in place. Not very nice machinery, but it's apparently functioning.

For context, and to avoid the argument that GNU objcopy and strip are
built from the same source file: The objcopy invocation here is to alter
the format, whereas the strip invocation is merely to remove data without
changing the format. The weakness in binutils, to a fair part due to a
lack of routine testing, is with format conversions. (And yes, routine
testing, as nice as it would be to have such, doesn't fit very well with
how testing overall works, as commonly only the default format of a
particular target would be tested.)

Jan
* Re: [PATCH v2] xen: Strip xen.efi by default
  2025-10-07 14:46 ` Jan Beulich
@ 2025-10-09 11:36 ` Marek Marczykowski-Górecki
  2025-10-09 11:48 ` Jan Beulich
  2025-10-10 9:10 ` Frediano Ziglio
  0 siblings, 2 replies; 16+ messages in thread
From: Marek Marczykowski-Górecki @ 2025-10-09 11:36 UTC
To: Jan Beulich
Cc: Frediano Ziglio, xen-devel, Anthony PERARD, Michal Orzel, Julien Grall, Roger Pau Monné, Stefano Stabellini, Daniel Smith, michal.zygowski@3mdeb.com, Oleksii Kurochko, Andrew Cooper

On Tue, Oct 07, 2025 at 04:46:17PM +0200, Jan Beulich wrote:
> On 07.10.2025 16:23, Marek Marczykowski-Górecki wrote:
> > On Tue, Oct 07, 2025 at 04:12:13PM +0200, Jan Beulich wrote:
> >> On 02.10.2025 16:10, Marek Marczykowski-Górecki wrote:
> >>> On Thu, Oct 02, 2025 at 02:05:56PM +0100, Andrew Cooper wrote:
> >>>> On 12/06/2025 11:07 am, Frediano Ziglio wrote:
> >>>>> For xen.gz file we strip all symbols and have an additional
> >>>>> xen-syms file version with all symbols.
> >>>>> Make xen.efi more coherent stripping all symbols too.
> >>>>> xen.efi.elf can be used for debugging.
> >>>>>
> >>>>> Signed-off-by: Frediano Ziglio <frediano.ziglio@cloud.com>
> >>>
> >>> Generally,
> >>> Reviewed-by: Marek Marczykowski-Górecki <marmarek@invisiblethingslab.com>
> >>
> >> Just to double check: You offer this after having read (and discarded) my
> >> comments on v1, which v2 left largely unaddressed?
> >
> > You mean the one about objcopy result used for debugging? I didn't see
> > that before, since I wasn't in cc on v1...
> >
> > Anyway, are you aware of some specific objcopy issue. Or in other words:
> > would xen.efi.elf _currently_ be broken (as in - unusable for
> > debugging/disassembly)?
>
> I can't tell. I've seen fair parts of the code in the course of addressing
> various issues, and I would be very surprised if all of that was working
> correctly.
>
> > If not, then I take that relevant part of your
> > objection is mostly about inconsistent naming (xen.gz -> xen-syms, vs
> > xen.efi -> xen.efi.elf). Would xen-syms.efi.elf be better?
>
> Plus the one asking to strip only debug info, but not the symbol table.
> (And no, none of the suggested names look really nice to me.)
>
> Plus the one indicating that the change better wouldn't be made in the
> first place. As said, to deal with size issues we already have machinery
> in place. Not very nice machinery, but it's apparently functioning.

I'm of the opinion that defaults matter. Just having ability to build a
binary that works on more systems is not sufficient, if you'd need to
spend a day (or more...) on debugging obscure error message to figure
out which hidden option to use to get there. And while one could argue
that CONFIG_DEBUG=y builds are only for people familiar with details to
deal with such issues, IMO just CONFIG_DEBUG_INFO=y shouldn't need
arcane knowledge to get it working... And since that's a common option
to enable in distribution packages, person hitting the issue might not
even be the one doing the build (and thus controlling the build
options).

As for the details how to get there, I'm more flexible. Based on earlier
comments, it seems that (not stripped) xen.efi isn't very useful for
debugging directly, an ELF version of it is. So IMO it makes sense to
have the debug binary already converted. But if you say you have use for
xen.efi with all debug info too, I'm okay with keeping it too, maybe as
xen-syms.efi. It's a bit of more space (to have both efi and elf version
with debug info), but since it doesn't apply to the installed version,
only the one kept in the build directory, not a big issue IMO.

--
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab

* Re: [PATCH v2] xen: Strip xen.efi by default
From: Jan Beulich @ 2025-10-09 11:48 UTC
To: Marek Marczykowski-Górecki
Cc: Frediano Ziglio, xen-devel, Anthony PERARD, Michal Orzel,
    Julien Grall, Roger Pau Monné, Stefano Stabellini, Daniel Smith,
    michal.zygowski@3mdeb.com, Oleksii Kurochko, Andrew Cooper

On 09.10.2025 13:36, Marek Marczykowski-Górecki wrote:
> On Tue, Oct 07, 2025 at 04:46:17PM +0200, Jan Beulich wrote:
>> On 07.10.2025 16:23, Marek Marczykowski-Górecki wrote:
>>> On Tue, Oct 07, 2025 at 04:12:13PM +0200, Jan Beulich wrote:
>>>> On 02.10.2025 16:10, Marek Marczykowski-Górecki wrote:
>>>>> On Thu, Oct 02, 2025 at 02:05:56PM +0100, Andrew Cooper wrote:
>>>>>> On 12/06/2025 11:07 am, Frediano Ziglio wrote:
>>>>>>> For xen.gz file we strip all symbols and have an additional
>>>>>>> xen-syms file version with all symbols.
>>>>>>> Make xen.efi more coherent stripping all symbols too.
>>>>>>> xen.efi.elf can be used for debugging.
>>>>>>>
>>>>>>> Signed-off-by: Frediano Ziglio <frediano.ziglio@cloud.com>
>>>>>
>>>>> Generally,
>>>>> Reviewed-by: Marek Marczykowski-Górecki <marmarek@invisiblethingslab.com>
>>>>
>>>> Just to double check: You offer this after having read (and discarded) my
>>>> comments on v1, which v2 left largely unaddressed?
>>>
>>> You mean the one about objcopy result used for debugging? I didn't see
>>> that before, since I wasn't in cc on v1...
>>>
>>> Anyway, are you aware of some specific objcopy issue. Or in other words:
>>> would xen.efi.elf _currently_ be broken (as in - unusable for
>>> debugging/disassembly)?
>>
>> I can't tell. I've seen fair parts of the code in the course of addressing
>> various issues, and I would be very surprised if all of that was working
>> correctly.
>>
>>> If not, then I take that relevant part of your
>>> objection is mostly about inconsistent naming (xen.gz -> xen-syms, vs
>>> xen.efi -> xen.efi.elf). Would xen-syms.efi.elf be better?
>>
>> Plus the one asking to strip only debug info, but not the symbol table.
>> (And no, none of the suggested names look really nice to me.)
>>
>> Plus the one indicating that the change better wouldn't be made in the
>> first place. As said, to deal with size issues we already have machinery
>> in place. Not very nice machinery, but it's apparently functioning.
>
> I'm of the opinion that defaults matter. Just having ability to build a
> binary that works on more systems is not sufficient, if you'd need to
> spend a day (or more...) on debugging obscure error message to figure
> out which hidden option to use to get there. And while one could argue
> that CONFIG_DEBUG=y builds are only for people familiar with details to
> deal with such issues, IMO just CONFIG_DEBUG_INFO=y shouldn't need
> arcane knowledge to get it working... And since that's a common option
> to enable in distribution packages, person hitting the issue might not
> even be the one doing the build (and thus controlling the build
> options).
>
> As for the details how to get there, I'm more flexible. Based on earlier
> comments, it seems that (not stripped) xen.efi isn't very useful for
> debugging directly, an ELF version of it is. So IMO it makes sense to
> have the debug binary already converted. But if you say you have use for
> xen.efi with all debug info too, I'm okay with keeping it too, maybe as
> xen-syms.efi. It's a bit of more space (to have both efi and elf version
> with debug info), but since it doesn't apply to the installed version,
> only the one kept in the build directory, not a big issue IMO.

Hmm, yes, having xen-syms.efi (unstripped) plus xen.efi (with debug info
stripped but symbol table retained, including file symbols) might indeed
be a reasonable approach. (And then no xen-syms.efi at all when we pass
--strip-debug to the linker anyway. For this to result in somewhat
manageable Makefile logic, we may need to first split the linking rule
into multiple steps, as iirc has been the plan for quite some time.)

Jan

* Re: [PATCH v2] xen: Strip xen.efi by default
From: Roger Pau Monné @ 2025-11-05 8:55 UTC
To: Jan Beulich, Frediano Ziglio, Marek Marczykowski-Górecki
Cc: xen-devel, Anthony PERARD, Michal Orzel, Julien Grall,
    Stefano Stabellini, Daniel Smith, michal.zygowski@3mdeb.com,
    Oleksii Kurochko, Andrew Cooper

On Thu, Oct 09, 2025 at 01:48:01PM +0200, Jan Beulich wrote:
> On 09.10.2025 13:36, Marek Marczykowski-Górecki wrote:
> > On Tue, Oct 07, 2025 at 04:46:17PM +0200, Jan Beulich wrote:
> >> On 07.10.2025 16:23, Marek Marczykowski-Górecki wrote:
> >>> On Tue, Oct 07, 2025 at 04:12:13PM +0200, Jan Beulich wrote:
> >>>> On 02.10.2025 16:10, Marek Marczykowski-Górecki wrote:
> >>>>> On Thu, Oct 02, 2025 at 02:05:56PM +0100, Andrew Cooper wrote:
> >>>>>> On 12/06/2025 11:07 am, Frediano Ziglio wrote:
> >>>>>>> For xen.gz file we strip all symbols and have an additional
> >>>>>>> xen-syms file version with all symbols.
> >>>>>>> Make xen.efi more coherent stripping all symbols too.
> >>>>>>> xen.efi.elf can be used for debugging.
> >>>>>>>
> >>>>>>> Signed-off-by: Frediano Ziglio <frediano.ziglio@cloud.com>
> >>>>>
> >>>>> Generally,
> >>>>> Reviewed-by: Marek Marczykowski-Górecki <marmarek@invisiblethingslab.com>
> >>>>
> >>>> Just to double check: You offer this after having read (and discarded) my
> >>>> comments on v1, which v2 left largely unaddressed?
> >>>
> >>> You mean the one about objcopy result used for debugging? I didn't see
> >>> that before, since I wasn't in cc on v1...
> >>>
> >>> Anyway, are you aware of some specific objcopy issue. Or in other words:
> >>> would xen.efi.elf _currently_ be broken (as in - unusable for
> >>> debugging/disassembly)?
> >>
> >> I can't tell. I've seen fair parts of the code in the course of addressing
> >> various issues, and I would be very surprised if all of that was working
> >> correctly.
> >>
> >>> If not, then I take that relevant part of your
> >>> objection is mostly about inconsistent naming (xen.gz -> xen-syms, vs
> >>> xen.efi -> xen.efi.elf). Would xen-syms.efi.elf be better?
> >>
> >> Plus the one asking to strip only debug info, but not the symbol table.
> >> (And no, none of the suggested names look really nice to me.)
> >>
> >> Plus the one indicating that the change better wouldn't be made in the
> >> first place. As said, to deal with size issues we already have machinery
> >> in place. Not very nice machinery, but it's apparently functioning.
> >
> > I'm of the opinion that defaults matter. Just having ability to build a
> > binary that works on more systems is not sufficient, if you'd need to
> > spend a day (or more...) on debugging obscure error message to figure
> > out which hidden option to use to get there. And while one could argue
> > that CONFIG_DEBUG=y builds are only for people familiar with details to
> > deal with such issues, IMO just CONFIG_DEBUG_INFO=y shouldn't need
> > arcane knowledge to get it working... And since that's a common option
> > to enable in distribution packages, person hitting the issue might not
> > even be the one doing the build (and thus controlling the build
> > options).
> >
> > As for the details how to get there, I'm more flexible. Based on earlier
> > comments, it seems that (not stripped) xen.efi isn't very useful for
> > debugging directly, an ELF version of it is. So IMO it makes sense to
> > have the debug binary already converted. But if you say you have use for
> > xen.efi with all debug info too, I'm okay with keeping it too, maybe as
> > xen-syms.efi. It's a bit of more space (to have both efi and elf version
> > with debug info), but since it doesn't apply to the installed version,
> > only the one kept in the build directory, not a big issue IMO.
>
> Hmm, yes, having xen-syms.efi (unstripped) plus xen.efi (with debug info
> stripped but symbol table retained, including file symbols) might indeed
> be a reasonable approach. (And then no xen-syms.efi at all when we pass
> --strip-debug to the linker anyway. For this to result in somewhat
> manageable Makefile logic, we may need to first split the linking rule
> into multiple steps, as iirc has been the plan for quite some time.)

It's my understanding that there's consensus now between Marek and Jan
about how to progress this forward, and it will require some changes to
the original patch posted by Frediano.

This has been marked as a blocker for 4.21, and hence needs to be
progressed quickly or else it will miss the release.

Thanks, Roger.

* Re: [PATCH v2] xen: Strip xen.efi by default
From: Frediano Ziglio @ 2025-10-10 9:10 UTC
To: Marek Marczykowski-Górecki
Cc: Jan Beulich, Frediano Ziglio, xen-devel, Anthony PERARD,
    Michal Orzel, Julien Grall, Roger Pau Monné, Stefano Stabellini,
    Daniel Smith, michal.zygowski@3mdeb.com, Oleksii Kurochko,
    Andrew Cooper

On Thu, Oct 9, 2025 at 12:56 PM Marek Marczykowski-Górecki <marmarek@invisiblethingslab.com> wrote:
>
> On Tue, Oct 07, 2025 at 04:46:17PM +0200, Jan Beulich wrote:
> > On 07.10.2025 16:23, Marek Marczykowski-Górecki wrote:
> > > On Tue, Oct 07, 2025 at 04:12:13PM +0200, Jan Beulich wrote:
> > >> On 02.10.2025 16:10, Marek Marczykowski-Górecki wrote:
> > >>> On Thu, Oct 02, 2025 at 02:05:56PM +0100, Andrew Cooper wrote:
> > >>>> On 12/06/2025 11:07 am, Frediano Ziglio wrote:
> > >>>>> For xen.gz file we strip all symbols and have an additional
> > >>>>> xen-syms file version with all symbols.
> > >>>>> Make xen.efi more coherent stripping all symbols too.
> > >>>>> xen.efi.elf can be used for debugging.
> > >>>>>
> > >>>>> Signed-off-by: Frediano Ziglio <frediano.ziglio@cloud.com>
> > >>>
> > >>> Generally,
> > >>> Reviewed-by: Marek Marczykowski-Górecki <marmarek@invisiblethingslab.com>
> > >>
> > >> Just to double check: You offer this after having read (and discarded) my
> > >> comments on v1, which v2 left largely unaddressed?
> > >
> > > You mean the one about objcopy result used for debugging? I didn't see
> > > that before, since I wasn't in cc on v1...
> > >
> > > Anyway, are you aware of some specific objcopy issue. Or in other words:
> > > would xen.efi.elf _currently_ be broken (as in - unusable for
> > > debugging/disassembly)?
> >
> > I can't tell. I've seen fair parts of the code in the course of addressing
> > various issues, and I would be very surprised if all of that was working
> > correctly.
> >

Yes, sorry about not replying to this part. At the time I was testing the
various usages we do with that file before replying. Besides debugging we
use it for automatic crash dump analysis and live patching. Unfortunately
live patching was not working for reasons not bound to this change and it
took a while to fix it. Once fixed live patching all our use cases of the
ELF-translated file are working perfectly confirming that the file works
correctly.

> > > If not, then I take that relevant part of your
> > > objection is mostly about inconsistent naming (xen.gz -> xen-syms, vs
> > > xen.efi -> xen.efi.elf). Would xen-syms.efi.elf be better?
> >
> > Plus the one asking to strip only debug info, but not the symbol table.
> > (And no, none of the suggested names look really nice to me.)
> >
> > Plus the one indicating that the change better wouldn't be made in the
> > first place. As said, to deal with size issues we already have machinery
> > in place. Not very nice machinery, but it's apparently functioning.
>
> I'm of the opinion that defaults matter. Just having ability to build a
> binary that works on more systems is not sufficient, if you'd need to
> spend a day (or more...) on debugging obscure error message to figure
> out which hidden option to use to get there. And while one could argue
> that CONFIG_DEBUG=y builds are only for people familiar with details to
> deal with such issues, IMO just CONFIG_DEBUG_INFO=y shouldn't need
> arcane knowledge to get it working... And since that's a common option
> to enable in distribution packages, person hitting the issue might not
> even be the one doing the build (and thus controlling the build
> options).
>
> As for the details how to get there, I'm more flexible. Based on earlier
> comments, it seems that (not stripped) xen.efi isn't very useful for
> debugging directly, an ELF version of it is. So IMO it makes sense to
> have the debug binary already converted. But if you say you have use for
> xen.efi with all debug info too, I'm okay with keeping it too, maybe as
> xen-syms.efi. It's a bit of more space (to have both efi and elf version
> with debug info), but since it doesn't apply to the installed version,
> only the one kept in the build directory, not a big issue IMO.
>

Frediano

* Re: [PATCH v2] xen: Strip xen.efi by default
From: Jan Beulich @ 2025-10-07 14:07 UTC
To: Andrew Cooper
Cc: Anthony PERARD, Michal Orzel, Julien Grall, Roger Pau Monné,
    Stefano Stabellini, Marek Marczykowski-Górecki, Daniel Smith,
    michal.zygowski@3mdeb.com, Oleksii Kurochko, Frediano Ziglio,
    xen-devel

On 02.10.2025 15:05, Andrew Cooper wrote:
> On 12/06/2025 11:07 am, Frediano Ziglio wrote:
>> For xen.gz file we strip all symbols and have an additional
>> xen-syms file version with all symbols.
>> Make xen.efi more coherent stripping all symbols too.
>> xen.efi.elf can be used for debugging.
>>
>> Signed-off-by: Frediano Ziglio <frediano.ziglio@cloud.com>
>> ---
>> Changes since v1:
>> - avoid leaving target if some command fails
>
> CC-ing the EFI maintainers, as this is an EFI change.
>
> At the recent QubesOS hackathon, Michał Żygowski (3mdeb) found that
> stripping Xen was the difference between the system booting and not.
>
> With debugging symbols, xen.efi was ~32M and is placed above the 4G
> boundary by the EFI loader, hitting Xen's sanity check that it's below 4G.
>
> Xen does still have a requirement to live below the 4G boundary. At a
> minimum, idle_pg_table needs to be addressable with a 32bit %cr3, but I
> bet that isn't the only restriction we have.
>
> So, either we find a way of telling the EFI loader (using PE+ headers
> only) that we require to be below 4G (I have no idea if this is
> possible), or we strip xen.efi by default.

In principle not setting the large-address-aware flag ought to have such
an effect, except that (a) I'm in doubt as to EFI loaders actually looking
at the flag and (b) having this flag clear in an image with an image base
address far beyond the 4Gb boundary is likely at least contradictory.

Jan
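
The PE32+ header fields this exchange turns on (the large-address-aware flag, the image base, and whether symbol or debug data is still attached) can be read directly from an image. The following is an added example, not code from the thread or from Xen; `inspect_pe`, `make_sample` and every header value in the sample are constructed for illustration, and treating `/N` section names as debug sections is a heuristic based on how binutils names long sections.

```python
import struct

LARGE_ADDRESS_AWARE = 0x0020   # IMAGE_FILE_LARGE_ADDRESS_AWARE, COFF Characteristics
PE32_PLUS_MAGIC = 0x20B
FOUR_GIB = 1 << 32

def inspect_pe(data):
    """Return the PE32+ header fields relevant to the below-4G discussion."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ/PE image")
    (pe_off,) = struct.unpack_from("<I", data, 0x3C)          # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("PE signature missing")
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    _, nsect, _, symtab, nsyms, opt_size, chars = struct.unpack_from(
        "<HHIIIHH", data, pe_off + 4)
    opt = pe_off + 24
    if struct.unpack_from("<H", data, opt)[0] != PE32_PLUS_MAGIC:
        raise ValueError("not a PE32+ (64-bit) image")
    (image_base,) = struct.unpack_from("<Q", data, opt + 24)
    (size_of_image,) = struct.unpack_from("<I", data, opt + 56)
    sect = opt + opt_size                                      # section table
    names = [data[sect + 40 * i:][:8].rstrip(b"\0").decode("ascii", "replace")
             for i in range(nsect)]
    above = image_base >= FOUR_GIB
    laa = bool(chars & LARGE_ADDRESS_AWARE)
    return {
        "large_address_aware": laa,
        "image_base": image_base,
        "size_of_image": size_of_image,
        "base_above_4g": above,
        "flag_clear_but_base_above_4g": above and not laa,    # point (b) above
        "has_coff_symbols": symtab != 0 and nsyms != 0,
        # "/N" names point into the string table; heuristic for .debug_* sections
        "long_name_sections": [n for n in names if n.startswith("/")],
    }

def make_sample(image_base, chars, nsyms, names):
    """Constructed PE32+ headers only (no section data), for offline use."""
    dos = b"MZ".ljust(0x3C, b"\0") + struct.pack("<I", 0x40)
    coff = struct.pack("<HHIIIHH", 0x8664, len(names), 0,
                       0x1000 if nsyms else 0, nsyms, 240, chars)
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, PE32_PLUS_MAGIC)
    struct.pack_into("<Q", opt, 24, image_base)
    struct.pack_into("<I", opt, 56, 0x2000000)                 # constructed size
    sects = b"".join(n.encode().ljust(40, b"\0") for n in names)
    return dos + b"PE\0\0" + coff + bytes(opt) + sects
```

Reading a real build output with `inspect_pe(open(path, "rb").read())` shows which of these properties a given xen.efi actually has before it is installed.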