Xen project Mailing List

[PATCH v7] xen: Strip xen.efi by default

From: Frediano Ziglio <frediano.ziglio@xxxxxxxxxx>

Date: Thu, 13 Nov 2025 12:49:45 +0000

Arc-authentication-results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=citrix.com; dmarc=pass action=none header.from=citrix.com; dkim=pass header.d=citrix.com; arc=none

Arc-message-signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector10001; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=IfIFTluCdP1M3whKEs02d0wg3bEeRU13xFCW3SUGTgA=; b=YpwwEYwh3LgqUTzVHfM1e0ClEp1pfRRGpJj/YNSdNrZNiZ244HG4FwVPYDQ8XGb+NlA+L6niEEZPyMOz3QD3tyktUEeQdEROkcr0Lb4x58N/WiwR5Bt8Ql6vP3ZLTGeFMZ7MiAPssjOkPcb4w+ooEWfiEV85PkdQ+osk2JCUD01ab8AoI+YWlfX2BQHQqgwToVwxD9h6gQCFkq0MnvrpGXbaiwLn9cBrJ9ItWiXt9d3XczFQAbY4IntiuP09AiPQa6MGnQghiHE0gwdcy/XQu3sK4UhuzpHSjgfHfDfnJ7e75L/ubVWCChhRPj0U+XQWBlQ2gIDm1PGS8++4WVBbgw==

Arc-seal: i=1; a=rsa-sha256; s=arcselector10001; d=microsoft.com; cv=none; b=fJkvZMWuZWCn3C1D/tuqlxIHAaXS6AzWqbRjRddx2ojIJQEZw6XsF3i15pJ7ReJjvv5GmQQSHLXz6bu6rXpbe9y3NMHCCaFJADqPleYJsAOlOZyO1cYejR5ln+/ltldKpS7lfkcKM005mrBcTw9HBSVkgzx72j/000Bdh9eR4LfB7izmt1M+0cm6bUfDchC3roEp2XwaH7FR+zElWY6zgwDa61wEjyW7eb/IqXPcQo5mwqNNT71eitVFAToHTLP2aVah6I2zLWlmizZJfNgofNJUqALiwz6fANwIgkR/RytmrgHIR5OvN7QEvz/D80JZ3VUQ8taM2fFKBOW9mm1XaQ==

Authentication-results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=citrix.com;

Cc: Frediano Ziglio <frediano.ziglio@xxxxxxxxx>, Andrew Cooper <andrew.cooper3@xxxxxxxxxx>, Anthony PERARD <anthony.perard@xxxxxxxxxx>, Michal Orzel <michal.orzel@xxxxxxx>, Jan Beulich <jbeulich@xxxxxxxx>, Julien Grall <julien@xxxxxxx>, Roger Pau Monné <roger.pau@xxxxxxxxxx>, Stefano Stabellini <sstabellini@xxxxxxxxxx>, Frediano Ziglio <freddy77@xxxxxxxxx>, Demi Marie Obenour <demiobenour@xxxxxxxxx>, Marek Marczykowski-Górecki <marmarek@xxxxxxxxxxxxxxxxxxxxxx>, Stewart Hildebrand <stewart.hildebrand@xxxxxxx>

Delivery-date: Thu, 13 Nov 2025 12:50:00 +0000

List-id: Xen developer discussion <xen-devel.lists.xenproject.org>

From: Frediano Ziglio <frediano.ziglio@xxxxxxxxx> For xen.gz file we strip all symbols and have an additional xen-syms.efi file version with all symbols. Make xen.efi more coherent stripping all symbols too. xen-syms.efi can be used for debugging. Signed-off-by: Frediano Ziglio <frediano.ziglio@xxxxxxxxx> --- Changes since v1: - avoid leaving target if some command fails. Changes since v2: - do not convert type but retain PE format; - use xen-syms.efi for new file name, more consistent with ELF. Changes since v3: - update documentation; - do not remove xen.efi.elf; - check endbr instruction before generating final target. Changes since v4: - simplify condition check; - avoid reuse of $@.tmp file. Changes since v5: - avoid creation of temporary file. Changes since v6: - install xen-syms.efi; - always strip xen.efi; - restore EFI_LDFLAGS check during rule execution; - update CHANGELOG.md; - added xen-syms.efi to .gitignore. --- .gitignore | 1 + CHANGELOG.md | 3 +++ docs/misc/efi.pandoc | 8 +------- xen/Kconfig.debug | 9 ++------- xen/Makefile | 25 +++---------------------- xen/arch/x86/Makefile | 11 ++++++++--- 6 files changed, 18 insertions(+), 39 deletions(-) diff --git a/.gitignore b/.gitignore index d83427aba8..213972b65c 100644 --- a/.gitignore +++ b/.gitignore @@ -222,6 +222,7 @@ tools/flask/policy/xenpolicy-* xen/xen xen/suppression-list.txt xen/xen-syms +xen/xen-syms.efi xen/xen-syms.map xen/xen.* diff --git a/CHANGELOG.md b/CHANGELOG.md index c9932a2af0..3bdcc3b47a 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -65,6 +65,9 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/) for hypervisor mode. ### Removed + - The install-time environment variable INSTALL_EFI_STRIP is no longer + supported, xen.efi will is now always being stripped. + - On x86: - GNTTABOP_cache_flush: it's unused on x86 and the implementation is broken. diff --git a/docs/misc/efi.pandoc b/docs/misc/efi.pandoc index 11c1ac3346..c66b18a66b 100644 --- a/docs/misc/efi.pandoc +++ b/docs/misc/efi.pandoc @@ -20,13 +20,7 @@ Xen to load the configuration file even if multiboot modules are found. Once built, `make install-xen` will place the resulting binary directly into the EFI boot partition, provided `EFI_VENDOR` is set in the environment (and `EFI_MOUNTPOINT` is overridden as needed, should the default of `/boot/efi` not -match your system). When built with debug info, the binary can be quite large. -Setting `INSTALL_EFI_STRIP=1` in the environment will cause it to be stripped -of debug info in the process of installing. `INSTALL_EFI_STRIP` can also be set -to any combination of options suitable to pass to `strip`, in case the default -ones don't do. The xen.efi binary will also be installed in `/usr/lib64/efi/`, -unless `EFI_DIR` is set in the environment to override this default. This -binary will not be stripped in the process. +match your system). The binary itself will require a configuration file (names with the `.efi` extension of the binary's name replaced by `.cfg`, and - until an existing diff --git a/xen/Kconfig.debug b/xen/Kconfig.debug index d900d926c5..1a8e0c6ec3 100644 --- a/xen/Kconfig.debug +++ b/xen/Kconfig.debug @@ -147,12 +147,7 @@ config DEBUG_INFO Say Y here if you want to build Xen with debug information. This information is needed e.g. for doing crash dump analysis of the hypervisor via the "crash" tool. - Saying Y will increase the size of the xen-syms and xen.efi - binaries. In case the space on the EFI boot partition is rather - limited, you may want to install a stripped variant of xen.efi in - the EFI boot partition (look for "INSTALL_EFI_STRIP" in - docs/misc/efi.pandoc for more information - when not using - "make install-xen" for installing xen.efi, stripping needs to be - done outside the Xen build environment). + Saying Y will increase the size of the xen-syms, xen-syms.efi and + xen.efi.elf binaries. endmenu diff --git a/xen/Makefile b/xen/Makefile index fc9244420e..5ed029fed1 100644 --- a/xen/Makefile +++ b/xen/Makefile @@ -493,22 +493,6 @@ endif .PHONY: _build _build: $(TARGET)$(CONFIG_XEN_INSTALL_SUFFIX) -# Strip -# -# INSTALL_EFI_STRIP, if defined, will cause xen.efi to be stripped before it -# is installed. If INSTALL_EFI_STRIP is '1', then the default option(s) below -# will be used. Otherwise, INSTALL_EFI_STRIP value will be used as the -# option(s) to the strip command. -ifdef INSTALL_EFI_STRIP - -ifeq ($(INSTALL_EFI_STRIP),1) -efi-strip-opt := --strip-debug --keep-file-symbols -else -efi-strip-opt := $(INSTALL_EFI_STRIP) -endif - -endif - .PHONY: _install _install: D=$(DESTDIR) _install: T=$(notdir $(TARGET)) @@ -526,18 +510,15 @@ _install: $(TARGET)$(CONFIG_XEN_INSTALL_SUFFIX) if [ -r $(TARGET).efi -a -n '$(EFI_DIR)' ]; then \ [ -d $(D)$(EFI_DIR) ] || $(INSTALL_DIR) $(D)$(EFI_DIR); \ $(INSTALL_DATA) $(TARGET).efi $(D)$(EFI_DIR)/$(T)-$(XEN_FULLVERSION).efi; \ - for x in map elf; do \ - if [ -e $(TARGET).efi.$$x ]; then \ - $(INSTALL_DATA) $(TARGET).efi.$$x $(D)$(DEBUG_DIR)/$(T)-$(XEN_FULLVERSION).efi.$$x; \ + for x in .efi.map .efi.elf -syms.efi; do \ + if [ -e $(TARGET)$$x ]; then \ + $(INSTALL_DATA) $(TARGET)$$x $(D)$(DEBUG_DIR)/$(T)-$(XEN_FULLVERSION)$$x; \ fi; \ done; \ ln -sf $(T)-$(XEN_FULLVERSION).efi $(D)$(EFI_DIR)/$(T)-$(XEN_VERSION).$(XEN_SUBVERSION).efi; \ ln -sf $(T)-$(XEN_FULLVERSION).efi $(D)$(EFI_DIR)/$(T)-$(XEN_VERSION).efi; \ ln -sf $(T)-$(XEN_FULLVERSION).efi $(D)$(EFI_DIR)/$(T).efi; \ if [ -n '$(EFI_MOUNTPOINT)' -a -n '$(EFI_VENDOR)' ]; then \ - $(if $(efi-strip-opt), \ - $(STRIP) $(efi-strip-opt) -p -o $(TARGET).efi.stripped $(TARGET).efi && \ - $(INSTALL_DATA) $(TARGET).efi.stripped $(D)$(EFI_MOUNTPOINT)/efi/$(EFI_VENDOR)/$(T)-$(XEN_FULLVERSION).efi ||) \ $(INSTALL_DATA) $(TARGET).efi $(D)$(EFI_MOUNTPOINT)/efi/$(EFI_VENDOR)/$(T)-$(XEN_FULLVERSION).efi; \ elif [ "$(D)" = "$(patsubst $(shell cd $(XEN_ROOT) && pwd)/%,%,$(D))" ]; then \ echo 'EFI installation only partially done (EFI_VENDOR not set)' >&2; \ diff --git a/xen/arch/x86/Makefile b/xen/arch/x86/Makefile index 407571c510..a154ffe6b2 100644 --- a/xen/arch/x86/Makefile +++ b/xen/arch/x86/Makefile @@ -228,12 +228,17 @@ endif $(MAKE) $(build)=$(@D) .$(@F).1r.o .$(@F).1s.o $(LD) $(call EFI_LDFLAGS,$(VIRT_BASE)) -T $(obj)/efi.lds $< \ $(dot-target).1r.o $(dot-target).1s.o $(orphan-handling-y) \ - $(note_file_option) -o $@ - $(NM) -pa --format=sysv $@ \ + $(note_file_option) -o $(TARGET)-syms.efi + $(NM) -pa --format=sysv $(TARGET)-syms.efi \ | $(objtree)/tools/symbols --all-symbols --xensyms --sysv --sort \ > $@.map ifeq ($(CONFIG_DEBUG_INFO),y) - $(if $(filter --strip-debug,$(EFI_LDFLAGS)),:$(space))$(OBJCOPY) -O elf64-x86-64 $@ $@.elf + $(if $(filter --strip-debug,$(EFI_LDFLAGS)),:$(space))$(OBJCOPY) \ + -O elf64-x86-64 $(TARGET)-syms.efi $@.elf +endif + $(STRIP) $(TARGET)-syms.efi -o $@ +ifneq ($(CONFIG_DEBUG_INFO),y) + rm -f $(TARGET)-syms.efi endif rm -f $(dot-target).[0-9]* $(@D)/..$(@F).[0-9]* ifeq ($(CONFIG_XEN_IBT),y) -- 2.43.0

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.