Nixpkgs: kernel build error: "code model kernel does not support PIC mode"

Created on 23 Sep 2016  Â·  12Comments  Â·  Source: NixOS/nixpkgs

Issue description

In NixOS 16.03, plain GCC can be used to _manually_ build a kernel:

$ wget https://cdn.kernel.org/pub/linux/kernel/v4.x/linux-4.4.21.tar.xz
$ tar xvf linux-4.4.21.tar.xz
$ cd linux-*
$ export NIX_PATH=nixpkgs=/path/to/nixpkgs-16.03
$ nix-shell -p pkgconfig flex bison which ncurses lzop bc gcc --run "make defconfig"
$ nix-shell -p pkgconfig flex bison which ncurses lzop bc gcc --run "make"
[...]
Kernel: arch/x86/boot/bzImage is ready  (#1)
  Building modules, stage 2.
  MODPOST 18 modules

But now in NixOS 16.09:

[...]
$ export NIX_PATH=nixpkgs=/path/to/nixpkgs-16.09
$ nix-shell -p pkgconfig flex bison which ncurses lzop bc gcc --run "make"
[...]
  CHK     include/generated/utsrelease.h
  CC      kernel/bounds.s
kernel/bounds.c:1:0: error: code model kernel does not support PIC mode
 /*
 ^
make[1]: *** [Kbuild:46: kernel/bounds.s] Error 1

Is this due to the recent hardening flags change? Or?

Technical details

  • System: NixOS 16.09
bug regression
Source
picture bjornfor

Most helpful comment

Workaround should be to export hardeningDisable=pic

picture globin on 23 Sep 2016
👍2 😄1

All 12 comments

Yes, all kernel stuff needs to at least hardeningDisable = [ "pic" ]; If the implementation had been based on gcc spec files instead this might have been somewhat smoother.

joachifm picture joachifm on 23 Sep 2016

So we broke use of GCC outside of Nix? Not good.

bjornfor picture bjornfor on 23 Sep 2016

cc @fpletz.

bjornfor picture bjornfor on 23 Sep 2016

cc @globin.

bjornfor picture bjornfor on 23 Sep 2016

Agreed. Looking at the cc-wrapper now, hardening flags are added unconditionally to the command line. Might be more appropriate to guard that logic somehow, like we do with filtering out march=native.

joachifm picture joachifm on 23 Sep 2016

I'd be grateful for a fix :-)

bjornfor picture bjornfor on 23 Sep 2016

Workaround should be to export hardeningDisable=pic

globin picture globin on 23 Sep 2016
👍2 😄1

With export hardeningDisable=pic I get a bit further, but not to the finish:

  CC      arch/x86/kernel/e820.o
arch/x86/kernel/e820.c: In function ‘early_panic’:
arch/x86/kernel/e820.c:807:2: error: format not a string literal and no format arguments [-Werror=format-security]
  early_printk(msg);
(BUILD ABORTS)

Is that also due to hardening flags? Or is it an upstream change? (GCC 5.3 -> 5.4 in NixOS 16.09.)

bjornfor picture bjornfor on 24 Sep 2016

hardeningDisable='pic format' then, see the docs for more information

globin picture globin on 24 Sep 2016
👍1

@joachifm Sadly, I found about gcc spec files only recently and nobody brought it up in the review. I will eventually work on cleaning up the cc-wrapper with gcc spec files so we can enable PIE by default for executables but this unfortunately won't work for clang on Darwin. The big problem here is that changing the cc-wrapper requires a full rebuild. I doubt that we can get that into 16.09.

fpletz picture fpletz on 24 Sep 2016

I think this is basically a more specific instance of https://github.com/NixOS/nixpkgs/issues/18995, perhaps we shall move discussion there?

joachifm picture joachifm on 30 Sep 2016

Sure.

bjornfor picture bjornfor on 30 Sep 2016
Was this page helpful?
0 / 5 - 0 ratings

Related issues

tomberek picture tomberek  Â·  3Comments
yawnt picture yawnt  Â·  3Comments
ob7 picture ob7  Â·  3Comments
ghost picture ghost  Â·  3Comments
rzetterberg picture rzetterberg  Â·  3Comments