
Re: [PATCH v3] xen: Strip xen.efi by default


  • To: Frediano Ziglio <frediano.ziglio@xxxxxxxxxx>, xen-devel@xxxxxxxxxxxxxxxxxxxx
  • From: Demi Marie Obenour <demiobenour@xxxxxxxxx>
  • Date: Wed, 5 Nov 2025 15:31:21 -0500
  • Cc: Frediano Ziglio <frediano.ziglio@xxxxxxxxx>, Andrew Cooper <andrew.cooper3@xxxxxxxxxx>, Anthony PERARD <anthony.perard@xxxxxxxxxx>, Michal Orzel <michal.orzel@xxxxxxx>, Jan Beulich <jbeulich@xxxxxxxx>, Julien Grall <julien@xxxxxxx>, Roger Pau Monné <roger.pau@xxxxxxxxxx>, Stefano Stabellini <sstabellini@xxxxxxxxxx>, Frediano Ziglio <freddy77@xxxxxxxxx>
  • Delivery-date: Wed, 05 Nov 2025 20:32:07 +0000
  • List-id: Xen developer discussion <xen-devel.lists.xenproject.org>

On 11/5/25 10:38, Frediano Ziglio wrote:
> From: Frediano Ziglio <frediano.ziglio@xxxxxxxxx>
> 
> For the xen.gz file we strip all symbols and have an additional
> xen-syms file version with all symbols.
> Make xen.efi more coherent by stripping all symbols too.
> xen-syms.efi can be used for debugging.
> 
> Signed-off-by: Frediano Ziglio <frediano.ziglio@xxxxxxxxx>
> ---
> Changes since v1:
> - avoid leaving target if some command fails.
> 
> Changes since v2:
> - do not convert type but retain PE format;
> - use xen-syms.efi for new file name, more consistent with ELF.
> ---
>  docs/misc/efi.pandoc  |  8 +-------
>  xen/Kconfig.debug     |  9 ++-------
>  xen/Makefile          | 19 -------------------
>  xen/arch/x86/Makefile |  9 ++++++---
>  4 files changed, 9 insertions(+), 36 deletions(-)
> 
> diff --git a/docs/misc/efi.pandoc b/docs/misc/efi.pandoc
> index 11c1ac3346..c66b18a66b 100644
> --- a/docs/misc/efi.pandoc
> +++ b/docs/misc/efi.pandoc
> @@ -20,13 +20,7 @@ Xen to load the configuration file even if multiboot 
> modules are found.
>  Once built, `make install-xen` will place the resulting binary directly into
>  the EFI boot partition, provided `EFI_VENDOR` is set in the environment (and
>  `EFI_MOUNTPOINT` is overridden as needed, should the default of `/boot/efi` 
> not
> -match your system). When built with debug info, the binary can be quite 
> large.
> -Setting `INSTALL_EFI_STRIP=1` in the environment will cause it to be stripped
> -of debug info in the process of installing. `INSTALL_EFI_STRIP` can also be 
> set
> -to any combination of options suitable to pass to `strip`, in case the 
> default
> -ones don't do. The xen.efi binary will also be installed in 
> `/usr/lib64/efi/`,
> -unless `EFI_DIR` is set in the environment to override this default. This
> -binary will not be stripped in the process.
> +match your system).
>  
>  The binary itself will require a configuration file (names with the `.efi`
>  extension of the binary's name replaced by `.cfg`, and - until an existing
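Review bot: with the INSTALL_EFI_STRIP paragraph deleted, efi.pandoc no longer tells users how to get a debuggable xen.efi, even though the x86 Makefile hunk now keeps an unstripped copy as `$(TARGET)-syms.efi`. Suggest replacing the removed lines with a sentence such as: `The installed xen.efi is stripped of all symbols; an unstripped xen-syms.efi is left in the build tree for debugging.`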
> diff --git a/xen/Kconfig.debug b/xen/Kconfig.debug
> index d900d926c5..58ee10ee3e 100644
> --- a/xen/Kconfig.debug
> +++ b/xen/Kconfig.debug
> @@ -147,12 +147,7 @@ config DEBUG_INFO
>         Say Y here if you want to build Xen with debug information. This
>         information is needed e.g. for doing crash dump analysis of the
>         hypervisor via the "crash" tool.
> -       Saying Y will increase the size of the xen-syms and xen.efi
> -       binaries. In case the space on the EFI boot partition is rather
> -       limited, you may want to install a stripped variant of xen.efi in
> -       the EFI boot partition (look for "INSTALL_EFI_STRIP" in
> -       docs/misc/efi.pandoc for more information - when not using
> -       "make install-xen" for installing xen.efi, stripping needs to be
> -       done outside the Xen build environment).
> +       Saying Y will increase the size of the xen-syms and xen.efi.elf
> +       binaries.
>  
>  endmenu
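Review bot: the new help text names the unstripped binary `xen.efi.elf`, but this patch removes the `$(OBJCOPY) -O elf64-x86-64 $@ $@.elf` step and instead writes `$(TARGET)-syms.efi` (the v3 changelog says the same), so the file named here no longer exists. Suggest: `Saying Y will increase the size of the xen-syms and xen-syms.efi binaries.`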
> diff --git a/xen/Makefile b/xen/Makefile
> index ddcee8835c..605a26c181 100644
> --- a/xen/Makefile
> +++ b/xen/Makefile
> @@ -493,22 +493,6 @@ endif
>  .PHONY: _build
>  _build: $(TARGET)$(CONFIG_XEN_INSTALL_SUFFIX)
>  
> -# Strip
> -#
> -# INSTALL_EFI_STRIP, if defined, will cause xen.efi to be stripped before it
> -# is installed. If INSTALL_EFI_STRIP is '1', then the default option(s) below
> -# will be used. Otherwise, INSTALL_EFI_STRIP value will be used as the
> -# option(s) to the strip command.
> -ifdef INSTALL_EFI_STRIP
> -
> -ifeq ($(INSTALL_EFI_STRIP),1)
> -efi-strip-opt := --strip-debug --keep-file-symbols
> -else
> -efi-strip-opt := $(INSTALL_EFI_STRIP)
> -endif
> -
> -endif
> -
>  .PHONY: _install
>  _install: D=$(DESTDIR)
>  _install: T=$(notdir $(TARGET))
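Review bot: INSTALL_EFI_STRIP is a user-visible knob and its removal is not mentioned in the commit description; a build script that still sets it (for example to pass custom `strip` options) will now silently get the default fully stripped binary with no warning. Suggest stating the removal, and that stripping is now unconditional at build time, in the commit message.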
> @@ -535,9 +519,6 @@ _install: $(TARGET)$(CONFIG_XEN_INSTALL_SUFFIX)
>               ln -sf $(T)-$(XEN_FULLVERSION).efi 
> $(D)$(EFI_DIR)/$(T)-$(XEN_VERSION).efi; \
>               ln -sf $(T)-$(XEN_FULLVERSION).efi $(D)$(EFI_DIR)/$(T).efi; \
>               if [ -n '$(EFI_MOUNTPOINT)' -a -n '$(EFI_VENDOR)' ]; then \
> -                     $(if $(efi-strip-opt), \
> -                          $(STRIP) $(efi-strip-opt) -p -o 
> $(TARGET).efi.stripped $(TARGET).efi && \
> -                          $(INSTALL_DATA) $(TARGET).efi.stripped 
> $(D)$(EFI_MOUNTPOINT)/efi/$(EFI_VENDOR)/$(T)-$(XEN_FULLVERSION).efi ||) \
>                       $(INSTALL_DATA) $(TARGET).efi 
> $(D)$(EFI_MOUNTPOINT)/efi/$(EFI_VENDOR)/$(T)-$(XEN_FULLVERSION).efi; \
>               elif [ "$(D)" = "$(patsubst $(shell cd $(XEN_ROOT) && 
> pwd)/%,%,$(D))" ]; then \
>                       echo 'EFI installation only partially done (EFI_VENDOR 
> not set)' >&2; \
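Review bot: after this removal the `$(TARGET).efi` copied to `$(D)$(EFI_DIR)` and to the EFI boot partition is the stripped build, and nothing in the four files touched by this patch installs the new xen-syms.efi anywhere, so crash-dump analysis of an installed xen.efi needs the build tree to still be around. Worth either installing xen-syms.efi next to the `$(EFI_DIR)` copy or documenting where it lives.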
> diff --git a/xen/arch/x86/Makefile b/xen/arch/x86/Makefile
> index 407571c510..c118ab7b7d 100644
> --- a/xen/arch/x86/Makefile
> +++ b/xen/arch/x86/Makefile
> @@ -228,14 +228,17 @@ endif
>       $(MAKE) $(build)=$(@D) .$(@F).1r.o .$(@F).1s.o
>       $(LD) $(call EFI_LDFLAGS,$(VIRT_BASE)) -T $(obj)/efi.lds $< \
>             $(dot-target).1r.o $(dot-target).1s.o $(orphan-handling-y) \
> -           $(note_file_option) -o $@
> -     $(NM) -pa --format=sysv $@ \
> +           $(note_file_option) -o $@.tmp
> +     $(NM) -pa --format=sysv $@.tmp \
>               | $(objtree)/tools/symbols --all-symbols --xensyms --sysv 
> --sort \
>               > $@.map
>  ifeq ($(CONFIG_DEBUG_INFO),y)
> -     $(if $(filter --strip-debug,$(EFI_LDFLAGS)),:$(space))$(OBJCOPY) -O 
> elf64-x86-64 $@ $@.elf
> +     $(if $(filter --strip-debug,$(EFI_LDFLAGS)),:$(space))cp -f \
> +        $@.tmp $(TARGET)-syms.efi
> +     $(if $(filter --strip-debug,$(EFI_LDFLAGS)),:$(space))$(STRIP) $@.tmp
>  endif
>       rm -f $(dot-target).[0-9]* $(@D)/..$(@F).[0-9]*
> +     mv -f $@.tmp $@
>  ifeq ($(CONFIG_XEN_IBT),y)
>       $(SHELL) $(srctree)/tools/check-endbr.sh $@
>  endif
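Review bot: `$(STRIP) $@.tmp` sits inside `ifeq ($(CONFIG_DEBUG_INFO),y)` and is additionally turned into a no-op (`:`) when EFI_LDFLAGS contains --strip-debug, so a build without CONFIG_DEBUG_INFO, or one linked with --strip-debug, still ships xen.efi with its COFF symbol table, which contradicts the subject "Strip xen.efi by default". Suggest keeping `cp -f $@.tmp $(TARGET)-syms.efi` under the conditional but running a bare `$(STRIP) $@.tmp` unconditionally just before `mv -f $@.tmp $@`. Also worth confirming that check-endbr.sh, which now runs on the stripped `$@`, does not rely on the symbol table.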

Does this also strip the string table from xen.efi?  I'm concerned that
signing xen.efi for secure boot won't work if there is a string table.
In particular, it appears that EDK2 will miscalculate the file hash if
the string table is before the signature.  Moving the string table after
the signature invalidates the pointer to it.  The only exception is if
the string table is itself in a section, but I don't know if that is the
case.
-- 
Sincerely,
Demi Marie Obenour (she/her/hers)

Attachment: OpenPGP_0xB288B55FFF9C22C1.asc
Description: OpenPGP public key

Attachment: OpenPGP_signature.asc
Description: OpenPGP digital signature
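A way to answer the layout question raised above, added here as an example and not code from the thread or from Xen: it parses a PE image's COFF header, data directories and section table to report whether a COFF symbol/string table is still present, whether it lies inside any section, and whether it precedes the certificate table (the Authenticode signature). `build_sample_pe` only constructs a synthetic PE32+ image for demonstration; on a real build you would feed `pe_layout` the bytes of xen.efi.

```python
import struct

IMAGE_DIRECTORY_ENTRY_SECURITY = 4   # certificate table slot in the data directories
COFF_SYMBOL_SIZE = 18                # every COFF symbol table entry is 18 bytes


def pe_layout(pe: bytes) -> dict:
    """Locate the COFF symbol/string table and the certificate table and
    report where the string table sits relative to sections and signature."""
    (e_lfanew,) = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    coff = e_lfanew + 4
    # NumberOfSections, (skip TimeDateStamp), PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader
    nsect, sym_off, nsym, opt_size = struct.unpack_from("<H4xIIH", pe, coff + 2)
    opt = coff + 20
    (magic,) = struct.unpack_from("<H", pe, opt)
    dd = opt + (112 if magic == 0x20B else 96)       # data directory array: PE32+ vs PE32
    cert_off, cert_size = struct.unpack_from("<II", pe, dd + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY)
    sections = [struct.unpack_from("<8sIIII", pe, opt + opt_size + 40 * i)[3:]
                for i in range(nsect)]               # (SizeOfRawData, PointerToRawData)
    out = {"symtab_off": sym_off, "nsym": nsym, "cert_off": cert_off, "cert_size": cert_size,
           "strtab_off": None, "strtab_size": 0, "strtab_in_section": False,
           "strtab_before_cert": False}
    if sym_off and nsym:                             # a fully stripped image has neither
        str_off = sym_off + COFF_SYMBOL_SIZE * nsym  # string table directly follows the symbols
        (str_size,) = struct.unpack_from("<I", pe, str_off)   # its size field counts itself
        out.update(strtab_off=str_off, strtab_size=str_size,
                   strtab_in_section=any(p <= str_off < p + s for s, p in sections),
                   strtab_before_cert=bool(cert_off) and str_off < cert_off)
    return out


def build_sample_pe(with_symbols: bool) -> bytes:
    """Constructed PE32+ test image (not a real xen.efi): one .text section, an
    optional COFF symbol+string table after it, then a certificate table."""
    sect_off, sect_size, cert_size, e_lfanew = 0x400, 0x200, 0x40, 0x80
    nsym = 1 if with_symbols else 0
    strtab = struct.pack("<I", 8) + b"foo\0" if with_symbols else b""
    sym_off = sect_off + sect_size if with_symbols else 0
    cert_off = sect_off + sect_size + COFF_SYMBOL_SIZE * nsym + len(strtab)
    opt_size = 112 + 16 * 8                              # PE32+ optional header, 16 directories
    hdr = bytearray(sect_off)
    hdr[:2] = b"MZ"
    hdr[e_lfanew:e_lfanew + 4] = b"PE\0\0"
    struct.pack_into("<I", hdr, 0x3C, e_lfanew)
    struct.pack_into("<HHIIIHH", hdr, e_lfanew + 4, 0x8664, 1, 0, sym_off, nsym, opt_size, 0x22)
    opt = e_lfanew + 24
    struct.pack_into("<H", hdr, opt, 0x20B)              # PE32+ magic
    struct.pack_into("<I", hdr, opt + 108, 16)           # NumberOfRvaAndSizes
    struct.pack_into("<II", hdr, opt + 112 + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY, cert_off, cert_size)
    struct.pack_into("<8sIIII", hdr, opt + opt_size, b".text", sect_size, 0x1000, sect_size, sect_off)
    return bytes(hdr) + bytes(sect_size) + bytes(COFF_SYMBOL_SIZE * nsym) + strtab + bytes(cert_size)
```

For the synthetic image the string table is outside every section and ahead of the certificate table, which is exactly the arrangement the question above asks about; a fully stripped image reports `strtab_off` as None.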
