From 878a223827e92d29265fd0c68bb0c2ad3e86a3a0 Mon Sep 17 00:00:00 2001 From: Jia He Date: Thu, 9 Jan 2020 16:47:43 +0800 Subject: [PATCH 1/5] scripts: Disable xen when builing qemu on generic architectures Previously, it misses to add the --disable-xen for reducing qemu size on aarch64. This patch add disable-xen on all arches, hence the case switch is removed. Fixes #926 Signed-off-by: Jia He --- scripts/configure-hypervisor.sh | 7 +------ 1 file changed, 1 insertion(+), 6 deletions(-) diff --git a/scripts/configure-hypervisor.sh b/scripts/configure-hypervisor.sh index a5bac6fbe..d5f49e94d 100755 --- a/scripts/configure-hypervisor.sh +++ b/scripts/configure-hypervisor.sh @@ -317,12 +317,7 @@ generate_qemu_options() { qemu_options+=(size:--disable-tools) # Disable XEN driver - case "$arch" in - aarch64) ;; - x86_64) qemu_options+=(size:--disable-xen) ;; - ppc64le) qemu_options+=(size:--disable-xen) ;; - s390x) qemu_options+=(size:--disable-xen) ;; - esac + qemu_options+=(size:--disable-xen) # FIXME: why is this disabled? # (for reference, it's explicitly enabled in Ubuntu 17.10 and From 0871391efa35e26d4ba7178bebc29707049d4a85 Mon Sep 17 00:00:00 2001 From: Jia He Date: Thu, 9 Jan 2020 16:51:22 +0800 Subject: [PATCH 2/5] scripts: Remove obsoleted --disable-uuid Qemu commit 315d318 uses built-in UUID implementation, hence we can't disable uuid. This option is for generic arch, not only for aarch64. Otherwise there is a warning during configure: configure: --disable-uuid is obsolete, UUID support is always built Fixes #926 Signed-off-by: Jia He --- scripts/configure-hypervisor.sh | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-) diff --git a/scripts/configure-hypervisor.sh b/scripts/configure-hypervisor.sh index d5f49e94d..05e485efc 100755 --- a/scripts/configure-hypervisor.sh +++ b/scripts/configure-hypervisor.sh @@ -283,13 +283,11 @@ generate_qemu_options() { qemu_options+=(misc:--static) fi - # Disable debug and "-uuid ..." is always passed to the qemu binary so not required. + # Disable debug is always passed to the qemu binary so not required. case "$arch" in aarch64) - qemu_options+=(size:--disable-uuid) ;; x86_64) - qemu_options+=(size:--disable-uuid) qemu_options+=(size:--disable-debug-tcg) qemu_options+=(size:--disable-tcg-interpreter) ;; @@ -298,7 +296,6 @@ generate_qemu_options() { qemu_options+=(size:--disable-tcg-interpreter) ;; s390x) - qemu_options+=(size:--disable-uuid) qemu_options+=(size:--disable-debug-tcg) qemu_options+=(size:--disable-tcg-interpreter) ;; From 7cdf113cf0847571dbffb1ff7fa189a1f973e9d4 Mon Sep 17 00:00:00 2001 From: Jia He Date: Fri, 6 Mar 2020 13:52:31 +0800 Subject: [PATCH 3/5] scripts: Relax the version limitation for qemu Currently arm64 kata uses 3.0 qemu version. Hence aarch64 can't use some --disable configure options between [3.1, 4.0]. Besides, due to upstream qemu bug about --disable-replication, still enable the replication on aarch64 for qemu 3.0. Please refer to the commit 3ebb9c4f52 ("migration/colo.c: Fix compilation issue when disable replication") Fixes #926 Signed-off-by: Jia He --- scripts/configure-hypervisor.sh | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/scripts/configure-hypervisor.sh b/scripts/configure-hypervisor.sh index 05e485efc..056602f61 100755 --- a/scripts/configure-hypervisor.sh +++ b/scripts/configure-hypervisor.sh @@ -321,12 +321,15 @@ generate_qemu_options() { # implicitly enabled in Fedora 27). qemu_options+=(size:--disable-linux-aio) - if [[ "${qemu_version_major}" -ge 4 || ( "${qemu_version_major}" -eq 3 && "${qemu_version_minor}" -ge 1 ) ]]; then + if [[ "${qemu_version_major}" -ge 3 ]]; then # Disable graphics qemu_options+=(size:--disable-virglrenderer) - # Disable block replication - qemu_options+=(size:--disable-replication) + # Due to qemu commit 3ebb9c4f52, we can't disable replication in v3.0 + if [[ "${qemu_version_major}" -ge 4 || ( "${qemu_version_major}" -eq 3 && "${qemu_version_minor}" -ge 1 ) ]]; then + # Disable block replication + qemu_options+=(size:--disable-replication) + fi # Disable USB smart card reader qemu_options+=(size:--disable-smartcard) From 711eae642cd318065f14b9f1fd94f0eb4b3b08fc Mon Sep 17 00:00:00 2001 From: Jia He Date: Thu, 9 Jan 2020 17:26:40 +0800 Subject: [PATCH 4/5] scripts: Set --enable-pie on aarch64 arch PIE (position-independent executables) does good to security. For some historical reason(compliation failure), it was disabled. But it can be supported now on aarch64. Fixes #926 Signed-off-by: Jia He --- scripts/configure-hypervisor.sh | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/scripts/configure-hypervisor.sh b/scripts/configure-hypervisor.sh index 056602f61..1d61b1001 100755 --- a/scripts/configure-hypervisor.sh +++ b/scripts/configure-hypervisor.sh @@ -404,6 +404,11 @@ generate_qemu_options() { qemu_options+=(arch:"--target-list=${arch}-softmmu") fi + # aarch64 need to explictly set --enable-pie + if [ "${arch}" = "aarch64" ]; then + qemu_options+=(arch:"--enable-pie") + fi + _qemu_cflags="" # compile with high level of optimisation @@ -427,7 +432,7 @@ generate_qemu_options() { # and take advantage of ASLR, making ROP attacks much harder to perform. # (https://wiki.debian.org/Hardening) case "$arch" in - aarch64) _qemu_cflags+=" -fPIC" ;; + aarch64) _qemu_cflags+=" -fPIE" ;; x86_64) _qemu_cflags+=" -fPIE" ;; ppc64le) _qemu_cflags+=" -fPIE" ;; s390x) _qemu_cflags+=" -fPIE" ;; @@ -444,7 +449,7 @@ generate_qemu_options() { # and take advantage of ASLR, making ROP attacks much harder to perform. # (https://wiki.debian.org/Hardening) case "$arch" in - aarch64) ;; + aarch64) [ -z "${static}" ] && _qemu_ldflags+=" -pie" ;; x86_64) [ -z "${static}" ] && _qemu_ldflags+=" -pie" ;; ppc64le) [ -z "${static}" ] && _qemu_ldflags+=" -pie" ;; s390x) [ -z "${static}" ] && _qemu_ldflags+=" -pie" ;; From 36700743927cdc1e7167e154b8a75bdf6623e7ef Mon Sep 17 00:00:00 2001 From: Jia He Date: Thu, 9 Jan 2020 17:53:22 +0800 Subject: [PATCH 5/5] scripts: Disable a few options to reduce qemu binary size on generic architectures This disables a few configure options on generic arches to reduce qemu binary size. Fixes #926 Signed-off-by: Jia He --- scripts/configure-hypervisor.sh | 15 +++++++++++++++ 1 file changed, 15 insertions(+) diff --git a/scripts/configure-hypervisor.sh b/scripts/configure-hypervisor.sh index 1d61b1001..8aa266580 100755 --- a/scripts/configure-hypervisor.sh +++ b/scripts/configure-hypervisor.sh @@ -313,6 +313,21 @@ generate_qemu_options() { # Don't build the qemu-io, qemu-nbd and qemu-image tools qemu_options+=(size:--disable-tools) + # Don't build linux-user bsd-user + qemu_options+=(size:--disable-bsd-user) + qemu_options+=(size:--disable-linux-user) + + # Don't build sparse check tool + qemu_options+=(size:--disable-sparse) + + # Don't build VDE networking backend + qemu_options+=(size:--disable-vde) + + # Don't build other options which can't be depent on build server. + qemu_options+=(size:--disable-xfsctl) + qemu_options+=(size:--disable-libxml2) + qemu_options+=(size:--disable-nettle) + # Disable XEN driver qemu_options+=(size:--disable-xen)