
Re: [PATCH for-4.22] xen/x86: Always strip xen.efi


  • To: Jan Beulich <jbeulich@xxxxxxxx>
  • From: Frediano Ziglio <freddy77@xxxxxxxxx>
  • Date: Tue, 16 Jun 2026 15:15:58 +0100
  • Cc: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>, Frediano Ziglio <frediano.ziglio@xxxxxxxxxx>, Roger Pau Monné <roger.pau@xxxxxxxxxx>, Teddy Astie <teddy.astie@xxxxxxxxxx>, Oleksii Kurochko <oleksii.kurochko@xxxxxxxxx>, Marek Marczykowski-Górecki <marmarek@xxxxxxxxxxxxxxxxxxxxxx>, "Daniel P . Smith" <dpsmith@xxxxxxxxxxxxxxxxxxxx>, Xen-devel <xen-devel@xxxxxxxxxxxxxxxxxxxx>
  • Delivery-date: Tue, 16 Jun 2026 14:16:15 +0000
  • List-id: Xen developer discussion <xen-devel.lists.xenproject.org>

On Thu, 11 Jun 2026 at 16:18, Jan Beulich <jbeulich@xxxxxxxx> wrote:
>
> On 08.06.2026 19:31, Andrew Cooper wrote:
> > From: Frediano Ziglio <frediano.ziglio@xxxxxxxxxx>
> >
> > xen.efi with debugging symbols is ~45MB, down to ~9.3MB when stripped.
> > Multiple firmwares (as seen by QubesOS, Trenchboot, and XenServer) are unable
> > to boot xen.efi when debugging symbols are included.
> >
> > Either way, having debug symbols by default is abnormal and contrary to how
> > the non-EFI path works.
>
> I'm not happy with how things are put here. There's nothing abnormal about
> including about anything. What is abnormal is the manufacturing of a 32-bit
> ELF binary from a 64-bit one by mkelf32, to please bootloaders. An EFI
> binary should be permitted to include whatever data it wants, and firmware
> should be able to load it as long as memory permits. I don't expect you
> mean to indicate that problematic systems don't have 45Mb available at boot.
>
> Including debug info can be a waste of I/O bandwidth and memory, when the
> loader doesn't skip loading those .debug_* sections (for valid or bogus
> reasons).
>

One reason, at least for secure boot, is to compute the hash of the
file. The hash includes almost everything, excluding the header
checksum, the signature section header and the signature section (all
that must be read too).

> > Produce xen-syms.efi unconditionally, just like xen-syms.  If
> > CONFIG_DEBUG_INFO is enabled, these will contain debug symbols, and if not,
> > then not.  When xen-syms is processed by mkelf32, the debug symbols are simply
> > discarded.  For xen-syms.efi, call $(STRIP) to produce xen.efi.
> >
> > Some old versions of binutils ld managed to produce efi files which the
> > matching version of strip couldn't process.  This includes Binutils 2.26
> > included in Ubuntu 16.04.  Delete the workaround for this bug, and require a
> > less broken toolchain.
>
> And we're certain newer versions of strip don't do any harm to the binaries?
> Already towards Frediano's posting I said that having looked at how things
> work there, I'm far from certain.
>

Yes, software contains bugs and in this area binutils has quite a
history. What we know for sure is that a specific problem has been
fixed. Are all the bugs fixed? Probably not. I don't see a valid
reason to wait to have some kind of "bug free" version.

> Jan
>

Frediano
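
The hash coverage mentioned in the reply above, as an added example that is not part of the original thread or of Xen's code: it computes which byte ranges of a PE image an Authenticode-style digest covers, showing that unstripped debug data is read and hashed like everything else. It assumes the image's sections are laid out contiguously in file order, so one linear pass matches the per-section walk; the sample image and all function names are constructed for illustration.

```python
import hashlib
import struct

def authenticode_ranges(pe: bytes):
    """Byte ranges of a PE image that the Authenticode digest covers."""
    pe_off = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[:2] != b"MZ" or pe[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    opt = pe_off + 4 + 20                      # optional header follows COFF header
    magic = struct.unpack_from("<H", pe, opt)[0]
    if magic not in (0x10B, 0x20B):
        raise ValueError("unknown optional header magic")
    dirs = opt + (112 if magic == 0x20B else 96)  # start of data directories
    cksum = opt + 64                           # CheckSum field, 4 bytes
    cert_dir = dirs + 4 * 8                    # Certificate Table entry, 8 bytes
    cert_off, cert_len = struct.unpack_from("<II", pe, cert_dir)
    end = cert_off if cert_len else len(pe)    # signature blob sits at the end
    return [(0, cksum), (cksum + 4, cert_dir), (cert_dir + 8, end)]

def authenticode_digest(pe: bytes, algo: str = "sha256") -> str:
    h = hashlib.new(algo)
    for start, stop in authenticode_ranges(pe):
        h.update(pe[start:stop])
    return h.hexdigest()

def hashed_bytes(pe: bytes) -> int:
    return sum(stop - start for start, stop in authenticode_ranges(pe))

def make_sample(debug_len: int) -> bytes:
    """Constructed PE32+ skeleton: headers, 1 KiB of 'code', then debug_len bytes."""
    hdr = bytearray(0x200)
    hdr[0:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x80)    # e_lfanew -> PE signature
    hdr[0x80:0x84] = b"PE\0\0"
    struct.pack_into("<H", hdr, 0x98, 0x20B)   # PE32+ optional header magic
    return bytes(hdr) + b"\x90" * 0x400 + b"D" * debug_len

def attach_signature(pe: bytes, blob: bytes) -> bytes:
    """Append a placeholder certificate table and point the directory entry at it."""
    out = bytearray(pe)
    cert_dir = authenticode_ranges(pe)[1][1]   # second range ends at the entry
    struct.pack_into("<II", out, cert_dir, len(pe), len(blob))
    return bytes(out + blob)

if __name__ == "__main__":
    for name, n in (("stripped", 0), ("with debug", 36 * 1024)):
        img = make_sample(n)
        print(f"{name:10} size={len(img):6} hashed={hashed_bytes(img):6} "
              f"{authenticode_digest(img)[:16]}")
```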



 

