
Re: [PATCH for-4.22] xen/x86: Always strip xen.efi


  • To: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>
  • From: Roger Pau Monné <roger.pau@xxxxxxxxxx>
  • Date: Tue, 9 Jun 2026 18:30:40 +0200
  • Cc: Xen-devel <xen-devel@xxxxxxxxxxxxxxxxxxxx>, Frediano Ziglio <frediano.ziglio@xxxxxxxxxx>, Jan Beulich <jbeulich@xxxxxxxx>, Teddy Astie <teddy.astie@xxxxxxxxxx>, Oleksii Kurochko <oleksii.kurochko@xxxxxxxxx>, Marek Marczykowski-Górecki <marmarek@xxxxxxxxxxxxxxxxxxxxxx>, "Daniel P . Smith" <dpsmith@xxxxxxxxxxxxxxxxxxxx>
  • Delivery-date: Tue, 09 Jun 2026 16:31:01 +0000
  • List-id: Xen developer discussion <xen-devel.lists.xenproject.org>

On Mon, Jun 08, 2026 at 06:31:08PM +0100, Andrew Cooper wrote:
> From: Frediano Ziglio <frediano.ziglio@xxxxxxxxxx>
> 
> xen.efi with debugging symbols is ~45MB, down to ~9.3MB when stripped.
> Multiple firmwares (as seen by QubesOS, Trenchboot, and XenServer) are unable
> to boot xen.efi when debugging symbols are included.
> 
> Either way, having debug symbols by default is abnormal and contrary to how
> the non-EFI path works.
> 
> Produce xen-syms.efi unconditionally, just like xen-syms.  If
> CONFIG_DEBUG_INFO is enabled, these will contain debug symbols, and if not,
> then not.  When xen-syms is processed by mkelf32, the debug symbols are simply
> discarded.  For xen-syms.efi, call $(STRIP) to produce xen.efi.
> 
> Some old versions of binutils ld managed to produce efi files which the
> matching version of strip couldn't process.  This includes Binutils 2.26
> included in Ubuntu 16.04.  Delete the workaround for this bug, and require a
> less broken toolchain.

We should then bump the minimum required GNU binutils version in the
README, as strip is also part of the binutils suite itself?

> 
> Signed-off-by: Frediano Ziglio <frediano.ziglio@xxxxxxxxxx>
> Signed-off-by: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>
> ---
> CC: Jan Beulich <jbeulich@xxxxxxxx>
> CC: Roger Pau Monné <roger.pau@xxxxxxxxxx>
> CC: Teddy Astie <teddy.astie@xxxxxxxxxx>
> CC: Frediano Ziglio <frediano.ziglio@xxxxxxxxxx>
> CC: Oleksii Kurochko <oleksii.kurochko@xxxxxxxxx>
> CC: Marek Marczykowski-Górecki <marmarek@xxxxxxxxxxxxxxxxxxxxxx>
> CC: Daniel P. Smith <dpsmith@xxxxxxxxxxxxxxxxxxxx>
> 
> For 4.22.  This was posted previously as
> 
>   https://lore.kernel.org/xen-devel/20251208133945.61375-1-frediano.ziglio@xxxxxxxxxx/T/#u
> 
> but merged the two patches and rewritten the commit message to make it clear
> that failing to strip xen.efi is causing boot failures.
> 
> Previously xen.efi.elf was produced but it's unclear why, and unnecessarily
> different, so I've dropped it.
> 
> While this does want backporting, it can't be.  Xen 4.21 and older still build
> test with Ubuntu 16.04 and choke
> ---
>  .gitignore            |  1 +
>  CHANGELOG.md          |  3 +++
>  docs/misc/efi.pandoc  |  8 +-------
>  xen/Kconfig.debug     |  9 ++-------
>  xen/Makefile          | 19 -------------------
>  xen/arch/x86/Makefile | 11 ++++-------
>  xen/arch/x86/arch.mk  |  7 -------
>  7 files changed, 11 insertions(+), 47 deletions(-)
> 
> diff --git a/.gitignore b/.gitignore
> index bfc7bdf043c3..49e2c6961768 100644
> --- a/.gitignore
> +++ b/.gitignore
> @@ -224,6 +224,7 @@ tools/flask/policy/xenpolicy-*
>  xen/xen
>  xen/suppression-list.txt
>  xen/xen-syms
> +xen/xen-syms.efi
>  xen/xen-syms.map
>  xen/xen.*
>  
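
Review bot: The new `xen/xen-syms.efi` entry covers the image but not the map file that goes with it. The x86 Makefile hunk later in this patch renames the link target to `$(TARGET)-syms.efi` while the recipe still writes `$@.map`, so the map should now be produced as `xen-syms.efi.map`, and neither `xen/xen-syms.map` nor `xen/xen.*` visible here matches that name. Unless a pattern outside this hunk already covers it, consider adding `xen/xen-syms.efi.map` (or widening the entry to `xen/xen-syms.efi*`).
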
> diff --git a/CHANGELOG.md b/CHANGELOG.md
> index 5cf19372a361..71d1e9ab8c69 100644
> --- a/CHANGELOG.md
> +++ b/CHANGELOG.md
> @@ -14,6 +14,9 @@ The format is based on [Keep a 
> Changelog](https://keepachangelog.com/en/1.0.0/)
>   - On x86:
>     - Enable pf-fixup option by default for PVH dom0.
>     - The libxenguest bzImage loader now uses the system liblz4 library.
> +   - The install-time environment variable INSTALL_EFI_STRIP no longer 
> exists.
> +     xen.efi is always stripped, while the symbols remain available in
> +     xen-syms.efi.

This is not x86-only, AFAICT ARM also seems to have a rune to generate
a xen.efi image, which will be affected by the removal of
INSTALL_EFI_STRIP?

>  
>  ### Added
>   - Support for per-domain Xenstore quota in C xenstored (includes
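
Review bot: The added CHANGELOG entry says INSTALL_EFI_STRIP no longer exists but not that its second use goes with it. Per the docs/misc/efi.pandoc text this patch removes, the variable could also carry arbitrary `strip` options, and the replacement rule `$(STRIP) $< -o $@` offers no hook for that. One more clause noting that custom strip options are no longer supported would save downstream packagers from finding out only when the variable is silently ignored.
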
> diff --git a/docs/misc/efi.pandoc b/docs/misc/efi.pandoc
> index 8198a7f063cf..0a3fd67076fc 100644
> --- a/docs/misc/efi.pandoc
> +++ b/docs/misc/efi.pandoc
> @@ -20,13 +20,7 @@ Xen to load the configuration file even if multiboot 
> modules are found.
>  Once built, `make install-xen` will place the resulting binary directly into
>  the EFI boot partition, provided `EFI_VENDOR` is set in the environment (and
>  `EFI_MOUNTPOINT` is overridden as needed, should the default of `/boot/efi` 
> not
> -match your system). When built with debug info, the binary can be quite 
> large.
> -Setting `INSTALL_EFI_STRIP=1` in the environment will cause it to be stripped
> -of debug info in the process of installing. `INSTALL_EFI_STRIP` can also be 
> set
> -to any combination of options suitable to pass to `strip`, in case the 
> default
> -ones don't do. The xen.efi binary will also be installed in 
> `/usr/lib64/efi/`,
> -unless `EFI_DIR` is set in the environment to override this default. This
> -binary will not be stripped in the process.
> +match your system).
>  
>  The binary itself will require a configuration file (names with the `.efi`
>  extension of the binary's name replaced by `.cfg`, and - until an existing
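
Review bot: The paragraph deleted in this hunk also takes out the sentence about `/usr/lib64/efi/` and `EFI_DIR`, which is not about stripping. The `_install` context in the xen/Makefile hunk still creates links under `$(D)$(EFI_DIR)`, so that override still exists and is now undocumented here. Suggest keeping that sentence and dropping only its last part, "This binary will not be stripped in the process."
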
> diff --git a/xen/Kconfig.debug b/xen/Kconfig.debug
> index d900d926c555..fcd3fc3d36cf 100644
> --- a/xen/Kconfig.debug
> +++ b/xen/Kconfig.debug
> @@ -147,12 +147,7 @@ config DEBUG_INFO
>         Say Y here if you want to build Xen with debug information. This
>         information is needed e.g. for doing crash dump analysis of the
>         hypervisor via the "crash" tool.
> -       Saying Y will increase the size of the xen-syms and xen.efi
> -       binaries. In case the space on the EFI boot partition is rather
> -       limited, you may want to install a stripped variant of xen.efi in
> -       the EFI boot partition (look for "INSTALL_EFI_STRIP" in
> -       docs/misc/efi.pandoc for more information - when not using
> -       "make install-xen" for installing xen.efi, stripping needs to be
> -       done outside the Xen build environment).
> +       Saying Y will increase the size of the xen-syms and xen-syms.efi
> +       binaries.
>  
>  endmenu
> diff --git a/xen/Makefile b/xen/Makefile
> index 1f11610b5f68..0f9b56fc399d 100644
> --- a/xen/Makefile
> +++ b/xen/Makefile
> @@ -493,22 +493,6 @@ endif
>  .PHONY: _build
>  _build: $(TARGET)$(CONFIG_XEN_INSTALL_SUFFIX)
>  
> -# Strip
> -#
> -# INSTALL_EFI_STRIP, if defined, will cause xen.efi to be stripped before it
> -# is installed. If INSTALL_EFI_STRIP is '1', then the default option(s) below
> -# will be used. Otherwise, INSTALL_EFI_STRIP value will be used as the
> -# option(s) to the strip command.
> -ifdef INSTALL_EFI_STRIP
> -
> -ifeq ($(INSTALL_EFI_STRIP),1)
> -efi-strip-opt := --strip-debug --keep-file-symbols
> -else
> -efi-strip-opt := $(INSTALL_EFI_STRIP)
> -endif
> -
> -endif
> -
>  .PHONY: _install
>  _install: D=$(DESTDIR)
>  _install: T=$(notdir $(TARGET))
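
Review bot: The `efi-strip-opt` block removed here lives in the common xen/Makefile, while the diffstat shows the replacement `$(TARGET).efi: $(TARGET)-syms.efi` strip rule only in xen/arch/x86/Makefile. Any other architecture that builds `$(TARGET).efi` loses the install-time strip option and gains nothing in return. Either add the equivalent rule for those architectures in this patch, or say in the commit message that they are intentionally left unstripped.
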
> @@ -535,9 +519,6 @@ _install: $(TARGET)$(CONFIG_XEN_INSTALL_SUFFIX)
>               ln -sf $(T)-$(XEN_FULLVERSION).efi 
> $(D)$(EFI_DIR)/$(T)-$(XEN_VERSION).efi; \
>               ln -sf $(T)-$(XEN_FULLVERSION).efi $(D)$(EFI_DIR)/$(T).efi; \
>               if [ -n '$(EFI_MOUNTPOINT)' -a -n '$(EFI_VENDOR)' ]; then \
> -                     $(if $(efi-strip-opt), \
> -                          $(STRIP) $(efi-strip-opt) -p -o 
> $(TARGET).efi.stripped $(TARGET).efi && \
> -                          $(INSTALL_DATA) $(TARGET).efi.stripped 
> $(D)$(EFI_MOUNTPOINT)/efi/$(EFI_VENDOR)/$(T)-$(XEN_FULLVERSION).efi ||) \
>                       $(INSTALL_DATA) $(TARGET).efi 
> $(D)$(EFI_MOUNTPOINT)/efi/$(EFI_VENDOR)/$(T)-$(XEN_FULLVERSION).efi; \
>               elif [ "$(D)" = "$(patsubst $(shell cd $(XEN_ROOT) && 
> pwd)/%,%,$(D))" ]; then \
>                       echo 'EFI installation only partially done (EFI_VENDOR 
> not set)' >&2; \
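
Review bot: Nothing in the `_install` lines visible in this hunk installs `$(TARGET)-syms.efi`. The documentation text removed by this patch said the `EFI_DIR` copy was the one left unstripped, so after this change no installed file carries the symbols. If debugging against an installed EFI build is meant to keep working, install `$(TARGET)-syms.efi` as well, or state in the commit message that it is a build-tree-only artifact.
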
> diff --git a/xen/arch/x86/Makefile b/xen/arch/x86/Makefile
> index 47dd6c50fe88..01ed7302202e 100644
> --- a/xen/arch/x86/Makefile
> +++ b/xen/arch/x86/Makefile
> @@ -196,10 +196,7 @@ note_file_option ?= $(note_file)
>  
>  extra-$(XEN_BUILD_PE) += efi.lds
>  ifeq ($(XEN_BUILD_PE),y)
> -$(TARGET).efi: $(objtree)/prelink.o $(note_file) $(obj)/efi.lds 
> $(obj)/efi/relocs-dummy.o $(obj)/efi/mkreloc
> -ifeq ($(CONFIG_DEBUG_INFO),y)
> -     $(if $(filter --strip-debug,$(EFI_LDFLAGS)),echo,:) "Will strip debug 
> info from $(@F)"
> -endif
> +$(TARGET)-syms.efi: $(objtree)/prelink.o $(note_file) $(obj)/efi.lds 
> $(obj)/efi/relocs-dummy.o $(obj)/efi/mkreloc
>       $(objtree)/tools/symbols $(all_symbols) --source-name=$(@F).S --empty \
>               > $(dot-target).0s.S
>       $(MAKE) $(build)=$(@D) .$(@F).0s.o
> @@ -233,10 +230,10 @@ endif
>       $(NM) -pa --format=sysv $@ \
>               | $(objtree)/tools/symbols --all-symbols --xensyms --sysv 
> --sort \
>               > $@.map
> -ifeq ($(CONFIG_DEBUG_INFO),y)
> -     $(if $(filter --strip-debug,$(EFI_LDFLAGS)),:$(space))$(OBJCOPY) -O 
> elf64-x86-64 $@ $@.elf
> -endif
>       rm -f $(dot-target).[0-9]* $(@D)/..$(@F).[0-9]*
> +
> +$(TARGET).efi: $(TARGET)-syms.efi
> +     $(STRIP) $< -o $@
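
Review bot: `$(STRIP) $< -o $@` in the new `$(TARGET).efi` rule is run with no options, which is a wider strip than the `--strip-debug --keep-file-symbols` default that the removed INSTALL_EFI_STRIP=1 path used. GNU strip with no options removes all symbols, not only debug info. If that is intended, say so in the commit message; if only debug info should go, pass `--strip-debug` explicitly so the result does not depend on the tool's default.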

I'm not that good with Makefiles, but don't we need a similar
adjustment to strip the .efi generated for ARM?

Thanks, Roger.



 

