Merge ~smb/ubuntu/+source/xen:wip/focal-devel into ubuntu/+source/xen:ubuntu/focal-devel

Proposed by Stefan Bader
Status: Merged
Merged at revision: 7a82bea4ac38289069bbe6cdd022dc510dcd64e9
Proposed branch: ~smb/ubuntu/+source/xen:wip/focal-devel
Merge into: ubuntu/+source/xen:ubuntu/focal-devel
Diff against target: 63 lines (+29/-2)
4 files modified
debian/changelog (+7/-0)
debian/patches/1000-flags-fcs-protect-none.patch (+20/-0)
debian/scripts/xen-init-list (+1/-1)
debian/scripts/xen-init-name (+1/-1)
Reviewer: Christian Ehrhardt (community)
Review status: Approve
Review via email: mp+380471@code.launchpad.net

Description of the change

Besides updating the patch for handling the hypervisor build with cf-protection turned on by default in the compiler, I also added a small change to xen-init-list and xen-init-name. Both get installed on the host and currently have python as the requested interpreter. This gets changed to python2.

Stefan Bader (smb) wrote :

A test build was done in ppa:smb/focal

Christian Ehrhardt  (paelzer) wrote :

ack on Select python2 for xen-init-* scripts
ack on changelog
ack on the extension of 1000-flags-fcs-protect-none.patch

As I said before, I'd have done it with DEB_*_APPEND in d/rules, but I can follow your argument that you want to disable it in as few places as possible to keep as much protection as you can get.
Therefore +1 to this MP - thanks for working this out.

Note: we are past FF, but IMHO this isn't a feature, it is a bug fix, so feel free to go on uploading.

review: Approve

Preview Diff

1diff --git a/debian/changelog b/debian/changelog
2index 16ae97d..e335912 100644
3--- a/debian/changelog
4+++ b/debian/changelog
5@@ -1,3 +1,10 @@
6+xen (4.11.3+24-g14b62ab3e5-1ubuntu2) focal; urgency=medium
7+
8+ * Update: Building hypervisor with cf-protection enabled
9+ * Set python2 for xen-init-name and xen-init-list scripts
10+
11+ -- Stefan Bader <stefan.bader@canonical.com> Mon, 09 Mar 2020 16:17:56 +0100
12+
13 xen (4.11.3+24-g14b62ab3e5-1ubuntu1) focal; urgency=medium
14
15 * Merge from Debian/Sid. Remaining changes:
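
Review bot: The first bullet of the new changelog entry, "Update: Building hypervisor with cf-protection enabled", does not say what changed and reads as if cf-protection were being switched on for the hypervisor. The patch in this same diff adds -fcf-protection=none for the boot code built via xen/arch/x86/boot/build32.mk, so the entry should name debian/patches/1000-flags-fcs-protect-none.patch and state that cf-protection is now also disabled there. That lets anyone auditing which hardening flags the package drops find the exception from the changelog alone.
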
16diff --git a/debian/patches/1000-flags-fcs-protect-none.patch b/debian/patches/1000-flags-fcs-protect-none.patch
17index 9f3a9a9..987cf3b 100644
18--- a/debian/patches/1000-flags-fcs-protect-none.patch
19+++ b/debian/patches/1000-flags-fcs-protect-none.patch
20@@ -21,3 +21,23 @@ Index: xen/xen/arch/x86/Rules.mk
21 CFLAGS += -mindirect-branch=thunk-extern -mindirect-branch-register
22 CFLAGS += -DCONFIG_INDIRECT_THUNK
23 export CONFIG_INDIRECT_THUNK=y
24+Index: xen/xen/arch/x86/boot/build32.mk
25+===================================================================
26+--- xen.orig/xen/arch/x86/boot/build32.mk
27++++ xen/xen/arch/x86/boot/build32.mk
28+@@ -6,6 +6,15 @@ $(call cc-options-add,CFLAGS,CC,$(EMBEDD
29+
30+ CFLAGS += -Werror -fno-asynchronous-unwind-tables -fno-builtin -g0 -msoft-float
31+ CFLAGS += -I$(XEN_ROOT)/xen/include
32++# The other hypervisor code is compiled with -mindirect-branch=thunk-extern
33++# and for that reason has to disable cf-protection. Not quite sure whether
34++# it has to be disabled here for that reason or because the boot code can
35++# not use it for other reasons. Either way since enabling full cf-protection
36++# by default it *MUST* be turned off here otherwise the hypervisor crashes
37++# on boot!
38++ifneq ($(call cc-option,$(CC),-fcf-protection,n),n)
39++CFLAGS += -fcf-protection=none
40++endif
41+ CFLAGS := $(filter-out -flto,$(CFLAGS))
42+
43+ # NB. awk invocation is a portable alternative to 'head -n -1'
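
Review bot: The comment added above the ifneq in build32.mk leaves the root cause open ("Not quite sure whether it has to be disabled here for that reason or because the boot code can not use it for other reasons"), which is thin justification for dropping a control-flow hardening flag. Once the reason is confirmed, state it in the comment so the exception can be revisited when the constraint goes away. A smaller point on the guard itself: it probes -fcf-protection while the flag appended is -fcf-protection=none; probing the exact flag that gets added would keep the test and the action in step.
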
44diff --git a/debian/scripts/xen-init-list b/debian/scripts/xen-init-list
45index 99646ce..9220df7 100755
46--- a/debian/scripts/xen-init-list
47+++ b/debian/scripts/xen-init-list
48@@ -1,4 +1,4 @@
49-#!/usr/bin/python
50+#!/usr/bin/python2
51
52 import json
53 import re
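
Review bot: The shebang change to /usr/bin/python2 makes xen-init-list depend on that interpreter path existing on the host, but debian/control is not among the four files in this diff. Please confirm that the binary package shipping the script already declares a dependency that provides /usr/bin/python2; otherwise the script fails at runtime on hosts where it is not installed.
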
54diff --git a/debian/scripts/xen-init-name b/debian/scripts/xen-init-name
55index 21aad6f..cf28ba7 100755
56--- a/debian/scripts/xen-init-name
57+++ b/debian/scripts/xen-init-name
58@@ -1,4 +1,4 @@
59-#!/usr/bin/python
60+#!/usr/bin/python2
61
62 import json
63 import re
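
Review bot: The python2 pin on the first line of xen-init-name carries no indication of whether it is a stopgap or the intended end state. It would help to record, in the changelog or a tracking bug, whether a python3 port is planned. The imports visible here, json and re, exist in both interpreters, so the rest of the script is what would need checking.
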
