[vbox-dev] Virtualbox compiled as PIE/PIC
Klaus.Espenlaub at Sun.COM
Mon Feb 22 02:43:19 PST 2010
Dariem Pérez Herrera wrote:
> On 21/02/10 14:05, Knut St. Osmundsen wrote:
>> On Feb 21, 2010, at 2:52 AM, Dariem Pérez Herrera wrote:
>>> This is a patch I made trying to solve an issue presented in Gentoo
>>> Hardened project. VirtualBox doesn't compile with gcc if PIC/PIE
>>> related options are activated. The problem is related to inline asm
>>> code trying to use ebx register for passing arguments, but PIC/PIE
>>> systems reserve this register for specific functions, so special
>>> treatment is required when PIC/PIE is defined (gcc refuses to compile
>>> such code if you don't do it). This may need extensive testing, but
>>> it seems to work fine. Please let me know of any problem you encounter.
>>> The patch is under MIT license.
>> Since the etherboot ROM code belongs to the guest side of the
>> operation, I don't think it should be necessary to make it build in
>> PIC or PIE mode. A better fix would be to disable the PIC/PIE options
>> in the makefile.
> But... what if someone considers it important to have VirtualBox compiled
> with PIE/PIC? What if someone doesn't want his/her network-capable
> virtual machine (with its vboxnetflt.ko inserted into the kernel) to be
> without this mitigation technique activated? Would you take away from
> him/her this possibility? I'm just asking...
Apparently this is a big misunderstanding. Etherboot is compiled as a
part of VirtualBox so that there is _guest_ BIOS support for booting
from PXE servers. This code never gets executed directly on the host,
and especially never becomes part of any kernel module. It is part of a
ROM which provides an optional service to the guest.
I don't understand either why you really want to force this code to be
built as PIC/PIE. It just causes bigger code size, and will not provide
any benefit. As Knut wrote, the better solution would be to disable
those options. Note that you'd need to test whether PXE booting inside a
VM still works...
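For readers who hit the same build failure in code that does run on the host (the thread agrees the etherboot ROM itself does not need it), the following is an added example of the "special treatment" Dariem mentions. It is not the patch from the thread nor VirtualBox code: it wraps CPUID, the usual offender, so that %ebx is never named in the asm constraints. GCC reserves %ebx as the GOT pointer under -fPIC/-fPIE on 32-bit x86, and older releases reject an "=b" constraint there; letting the compiler choose a scratch register and swapping it with %ebx around the instruction keeps the build PIE-clean and leaves %ebx intact for the caller. The `cpuid_pic_safe` and `read_cpu_vendor` names are this example's own.

```c
/* Added example (not from the VirtualBox tree or the thread's patch):
 * calling CPUID from GCC inline asm without naming %ebx in a constraint,
 * so the same source builds with and without -fPIC/-fPIE on i386.
 *
 * The form older GCC rejects under -fPIC on i386 names %ebx directly:
 *   __asm__("cpuid" : "=a"(a), "=b"(b), "=c"(c), "=d"(d) : "0"(leaf), "2"(0));
 */
#include <stdio.h>
#include <string.h>

/* Run CPUID leaf `leaf` (subleaf 0). Returns 1 if this is an x86 build and
 * the instruction was executed, 0 otherwise (outputs are zeroed then). */
static int cpuid_pic_safe(unsigned leaf, unsigned *a, unsigned *b,
                          unsigned *c, unsigned *d)
{
#if defined(__i386__)
    __asm__ __volatile__(
        "xchgl %%ebx, %1\n\t"   /* park the caller's EBX in a scratch register */
        "cpuid\n\t"
        "xchgl %%ebx, %1"       /* restore EBX; scratch now holds CPUID's EBX */
        : "=a"(*a), "=&r"(*b), "=c"(*c), "=d"(*d)
        : "0"(leaf), "2"(0u));
    return 1;
#elif defined(__x86_64__)
    /* Same trick on 64-bit; %q1 forces the 64-bit name of the scratch register
     * so the whole of RBX is preserved, not just its low half. */
    __asm__ __volatile__(
        "xchgq %%rbx, %q1\n\t"
        "cpuid\n\t"
        "xchgq %%rbx, %q1"
        : "=a"(*a), "=&r"(*b), "=c"(*c), "=d"(*d)
        : "0"(leaf), "2"(0u));
    return 1;
#else
    (void)leaf;
    *a = *b = *c = *d = 0;
    return 0;
#endif
}

/* Read the 12-byte vendor string from leaf 0 into vendor[13] (NUL-terminated).
 * Returns the highest supported basic leaf, or -1 on a non-x86 build. */
static int read_cpu_vendor(char vendor[13])
{
    unsigned a, b, c, d;
    if (!cpuid_pic_safe(0, &a, &b, &c, &d)) {
        vendor[0] = '\0';
        return -1;
    }
    /* CPUID lays the vendor string out as EBX, EDX, ECX. */
    memcpy(vendor + 0, &b, 4);
    memcpy(vendor + 4, &d, 4);
    memcpy(vendor + 8, &c, 4);
    vendor[12] = '\0';
    return (int)a;
}

int main(void)
{
    char vendor[13];
    int max_leaf = read_cpu_vendor(vendor);
    if (max_leaf < 0)
        printf("not an x86 build; CPUID skipped\n");
    else
        printf("vendor=%s max_basic_leaf=%d\n", vendor, max_leaf);
    return 0;
}
```

Build it once with `gcc -m32 -fPIC` and once with `gcc -fPIE -pie` to confirm both forms assemble; `readelf -h` on the PIE build should report an ET_DYN object, which is the property the hardened toolchain is after for host-side code. The swap costs two instructions per call, which is the "bigger code size" Klaus refers to, and buys nothing for a guest ROM that is never mapped into the host process.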