kernel build error: "code model kernel does not support PIC mode"

[bjornfor]

Issue description

In NixOS 16.03, plain GCC can be used to manually build a kernel:

$ wget https://cdn.kernel.org/pub/linux/kernel/v4.x/linux-4.4.21.tar.xz
$ tar xvf linux-4.4.21.tar.xz
$ cd linux-*
$ export NIX_PATH=nixpkgs=/path/to/nixpkgs-16.03
$ nix-shell -p pkgconfig flex bison which ncurses lzop bc gcc --run "make defconfig"
$ nix-shell -p pkgconfig flex bison which ncurses lzop bc gcc --run "make"
[...]
Kernel: arch/x86/boot/bzImage is ready  (#1)
  Building modules, stage 2.
  MODPOST 18 modules

But now in NixOS 16.09:

[...]
$ export NIX_PATH=nixpkgs=/path/to/nixpkgs-16.09
$ nix-shell -p pkgconfig flex bison which ncurses lzop bc gcc --run "make"
[...]
  CHK     include/generated/utsrelease.h
  CC      kernel/bounds.s
kernel/bounds.c:1:0: error: code model kernel does not support PIC mode
 /*
 ^
make[1]: *** [Kbuild:46: kernel/bounds.s] Error 1

Is this due to the recent hardening flags change? Or?

Technical details

• System: NixOS 16.09

[joachifm]

Yes, all kernel stuff needs to at least hardeningDisable = [ "pic" ]; If the implementation had been based on gcc spec files instead this might have been somewhat smoother.

[bjornfor]

So we broke use of GCC outside of Nix? Not good.

[bjornfor]

cc @fpletz.

[bjornfor]

cc @globin.

[joachifm]

Agreed. Looking at the cc-wrapper now, hardening flags are added unconditionally to the command line. Might be more appropriate to guard that logic somehow, like we do with filtering out march=native.

[bjornfor]

I'd be grateful for a fix :-)

[globin]

Workaround should be to export hardeningDisable=pic

[bjornfor]

With export hardeningDisable=pic I get a bit further, but not to the finish:

  CC      arch/x86/kernel/e820.o
arch/x86/kernel/e820.c: In function ‘early_panic’:
arch/x86/kernel/e820.c:807:2: error: format not a string literal and no format arguments [-Werror=format-security]
  early_printk(msg);
(BUILD ABORTS)

Is that also due to hardening flags? Or is it an upstream change? (GCC 5.3 -> 5.4 in NixOS 16.09.)

[globin]

hardeningDisable='pic format' then, see the docs for more information

[fpletz]

@joachifm Sadly, I found about gcc spec files only recently and nobody brought it up in the review. I will eventually work on cleaning up the cc-wrapper with gcc spec files so we can enable PIE by default for executables but this unfortunately won't work for clang on Darwin. The big problem here is that changing the cc-wrapper requires a full rebuild. I doubt that we can get that into 16.09.

[joachifm]

I think this is basically a more specific instance of #18995, perhaps we shall move discussion there?

[bjornfor]

Sure.