packaging: Configure QEMU with --enable-pie

We explicitely set the Postion Independant Executlable (PIE) options in the extra CFLAGS and LDFLAGS that are passed to the QEMU configure script for all archs. This means that these options are used pretty much everywhere, including when building the sample plugins under the test directory. These cannot be linked with -pie and break the build, as experienced recently on ARM (see PR #2732). This only broke on ARM because other archs are configured with --disable-tcg : this disables plugins which are built by default otherwise. The --enable-pie option is all that is needed. The QEMU build system knows which binaries should be created as PIE, e.g. the important bits like QEMU and virtiofsd, and which ones should not, e.g. the sample plugins that aren't used in production. Rely on --enable-pie only, for all archs. This allows to drop the workaround that was put in place in PR #2732. Fixes: #2757 Signed-off-by: Greg Kurz <groug@kaod.org>
2025-05-01 05:04:26 +00:00 · 2021-09-28 15:52:30 +02:00 · 2021-09-28 15:52:30 +02:00 · cd1064b16f
commit cd1064b16f
parent b57613f53e
1 changed files with 4 additions and 26 deletions
--- a/tools/packaging/scripts/configure-hypervisor.sh
+++ b/tools/packaging/scripts/configure-hypervisor.sh
@ -434,12 +434,10 @@ generate_qemu_options() {
 		qemu_options+=(arch:"--target-list=${arch}-softmmu")
 	fi

-	# aarch64 need to explictly set --enable-pie
-	if [ -z "${static}" ] && [ "${arch}" = "aarch64" ]; then
-		qemu_options+=(arch:"--enable-pie")
-		# pie is conflict with plugins build for qemu 6.1.0
-		[ "${qemu_version}" == "6.1.0" ] && qemu_options+=(arch:"--disable-plugins")
-	fi
+	# SECURITY: Create binary as a Position Independant Executable,
+	# and take advantage of ASLR, making ROP attacks much harder to perform.
+	# (https://wiki.debian.org/Hardening)
+	[ -z "${static}" ] && qemu_options+=(arch:"--enable-pie")

 	_qemu_cflags=""

@ -465,16 +463,6 @@ generate_qemu_options() {
 	# (such as argument and buffer overflows checks).
 	_qemu_cflags+=" -D_FORTIFY_SOURCE=2"

-	# SECURITY: Create binary as a Position Independant Executable,
-	# and take advantage of ASLR, making ROP attacks much harder to perform.
-	# (https://wiki.debian.org/Hardening)
-	case "$arch" in
-	aarch64) _qemu_cflags+=" -fPIE" ;;
-	x86_64) _qemu_cflags+=" -fPIE" ;;
-	ppc64le) _qemu_cflags+=" -fPIE" ;;
-	s390x) _qemu_cflags+=" -fPIE" ;;
-	esac
-
 	# Set compile options
 	qemu_options+=(functionality,security,speed,size:"--extra-cflags=\"${_qemu_cflags}\"")

@ -482,16 +470,6 @@ generate_qemu_options() {

 	_qemu_ldflags=""

-	# SECURITY: Link binary as a Position Independant Executable,
-	# and take advantage of ASLR, making ROP attacks much harder to perform.
-	# (https://wiki.debian.org/Hardening)
-	case "$arch" in
-	aarch64) [ -z "${static}" ] && _qemu_ldflags+=" -pie" ;;
-	x86_64) [ -z "${static}" ] && _qemu_ldflags+=" -pie" ;;
-	ppc64le) [ -z "${static}" ] && _qemu_ldflags+=" -pie" ;;
-	s390x) [ -z "${static}" ] && _qemu_ldflags+=" -pie" ;;
-	esac
-
 	# SECURITY: Disallow executing code on the stack.
 	_qemu_ldflags+=" -z noexecstack"