
kmod: enable PIE for static builds #929

Open
piyush-jena wants to merge 1 commit into bottlerocket-os:develop from piyush-jena:kmod-static-pie

@piyush-jena piyush-jena commented May 12, 2026

Closes #394

Description of changes:

  • Update linker flag in kmod to build PIE in case of static builds.

Testing done:

  • AMI builds, instance boots, joins cluster
  • Checksec result
    Mounted bottlerocket root partition locally
$ checksec --dir=/mnt/bottlerocket-staticpie/usr/bin | grep kmod
Full RELRO      No canary found   NX enabled    PIE enabled     No RPATH   No RUNPATH   3599 Symbols      N/A   0               0     /mnt/bottlerocket-staticpie/usr/bin/kmod

From admin container (had to yum install -y checksec)

[root@admin]# checksec --dir=.bottlerocket/rootfs/x86_64-bottlerocket-linux-gnu/sys-root/usr/bin | grep kmod
Full RELRO      Canary found      NX enabled    PIE enabled     No RPATH   No RUNPATH   3599) Symbols     No    0               0               .bottlerocket/rootfs/x86_64-bottlerocket-linux-gnu/sys-root/usr/bin/kmod
  • nvidia-smoke-test succeeds
$ kubectl get nodes -A --kubeconfig bottlerocket-cluster-134.kubeconfig 
NAME                                           STATUS   ROLES    AGE     VERSION
ip-192-168-16-212.us-west-2.compute.internal   Ready    <none>   5m55s   v1.34.4-eks-f69f56f

$ kubectl get pods -A --kubeconfig bottlerocket-cluster-134.kubeconfig 
NAMESPACE     NAME                              READY   STATUS      RESTARTS   AGE
default       nvidia-smoke-test                 0/1     Completed   0          51s
kube-system   aws-node-6c7cg                    2/2     Running     0          6m2s
kube-system   coredns-7ccc7b7d9b-f277n          1/1     Running     0          7m14s
kube-system   coredns-7ccc7b7d9b-nvdw4          1/1     Running     0          7m14s
kube-system   kube-proxy-799tp                  1/1     Running     0          6m2s
kube-system   metrics-server-585b84fb9d-6n888   1/1     Running     0          7m17s
kube-system   metrics-server-585b84fb9d-vcdx7   1/1     Running     0          7m17s
  • nvidia-smi shows the device is loaded (driver works)
bash-5.2# nvidia-smi
Wed May 13 02:19:55 2026
+-----------------------------------------------------------------------------------------+
| NVIDIA-SMI 580.159.03             Driver Version: 580.159.03     CUDA Version: 13.0     |
+-----------------------------------------+------------------------+----------------------+
| GPU  Name                 Persistence-M | Bus-Id          Disp.A | Volatile Uncorr. ECC |
| Fan  Temp   Perf          Pwr:Usage/Cap |           Memory-Usage | GPU-Util  Compute M. |
|                                         |                        |               MIG M. |
|=========================================+========================+======================|
|   0  Tesla T4                       On  |   00000000:00:1E.0 Off |                    0 |
| N/A   33C    P8              9W /   70W |       0MiB /  15360MiB |      0%      Default |
|                                         |                        |                  N/A |
+-----------------------------------------+------------------------+----------------------+

+-----------------------------------------------------------------------------------------+
| Processes:                                                                              |
|  GPU   GI   CI              PID   Type   Process name                        GPU Memory |
|        ID   ID                                                               Usage      |
|=========================================================================================|
|  No running processes found                                                             |
+-----------------------------------------------------------------------------------------+

Terms of contribution:

By submitting this pull request, I agree that this contribution is dual-licensed under the terms of both the Apache License, version 2.0, and the MIT license.
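
The "PIE enabled" result in the testing above can be cross-checked from the ELF headers alone. The following is an added example, not code from this PR, kmod or checksec: `classify_elf` and `make_elf` are hypothetical names, the sample images are constructed, and it assumes a little-endian ELF64 file from a toolchain that marks PIE output with `DF_1_PIE` in `DT_FLAGS_1`.

```python
import struct

ET_EXEC, ET_DYN = 2, 3                         # e_type values
PT_DYNAMIC, PT_INTERP = 2, 3                   # p_type values
DT_FLAGS_1, DF_1_PIE = 0x6FFFFFFB, 0x08000000  # dynamic tag and its PIE bit

def classify_elf(data: bytes) -> str:
    """Classify a little-endian ELF64 image by link mode and PIE status."""
    if data[:4] != b"\x7fELF" or data[4:6] != b"\x02\x01":
        raise ValueError("not a little-endian ELF64 image")
    (e_type,) = struct.unpack_from("<H", data, 16)
    (e_phoff,) = struct.unpack_from("<Q", data, 32)
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 54)
    interp, flags_1 = False, 0
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        (p_type,) = struct.unpack_from("<I", data, off)
        (p_offset,) = struct.unpack_from("<Q", data, off + 8)
        (p_filesz,) = struct.unpack_from("<Q", data, off + 32)
        if p_type == PT_INTERP:        # a program interpreter means dynamic linking
            interp = True
        elif p_type == PT_DYNAMIC:     # walk (d_tag, d_val) pairs up to DT_NULL
            dyn = data[p_offset:p_offset + p_filesz]
            for tag, val in struct.iter_unpack("<qQ", dyn[:len(dyn) // 16 * 16]):
                if tag == 0:
                    break
                if tag == DT_FLAGS_1:
                    flags_1 = val
    link = "dynamic" if interp else "static"
    if e_type == ET_EXEC:
        return f"{link}, no PIE"       # fixed load address
    if e_type == ET_DYN and (interp or flags_1 & DF_1_PIE):
        return f"{link}, PIE"          # "static, PIE" is a static-pie link
    return "shared object" if e_type == ET_DYN else "other"

def make_elf(e_type, interp=False, flags_1=None):
    """Constructed header-only ELF64 image for the demo; not a real binary."""
    dyn = b"" if flags_1 is None else struct.pack("<qQqQ", DT_FLAGS_1, flags_1, 0, 0)
    phdrs = [(PT_INTERP, 0, 0)] if interp else []
    if dyn:
        phdrs.append((PT_DYNAMIC, 64 + 56 * (len(phdrs) + 1), len(dyn)))
    ehdr = b"\x7fELF\x02\x01\x01" + bytes(9) + struct.pack(
        "<HHIQQQIHHHHHH", e_type, 62, 1, 0, 64, 0, 0, 64, 56, len(phdrs), 0, 0, 0)
    body = b"".join(struct.pack("<IIQQQQQQ", t, 0, o, 0, 0, s, s, 8) for t, o, s in phdrs)
    return ehdr + body + dyn

if __name__ == "__main__":
    for args in [(ET_EXEC,), (ET_DYN, False, DF_1_PIE), (ET_DYN, True, DF_1_PIE)]:
        print(classify_elf(make_elf(*args)))
```

For a real binary, pass the file's bytes to `classify_elf`; an `ET_DYN` image with no `PT_INTERP` and no `DF_1_PIE` is reported as a shared object rather than a PIE.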

Signed-off-by: Piyush Jena <jepiyush@amazon.com>
Subject: [PATCH] meson: add support for static builds

Signed-off-by: Piyush Jena <jepiyush@amazon.com>
[update to get PIE for static builds]
Contributor

You don't need the double sign-off. Also, can you explain why we couldn't do this before and now we can? Is this just a new finding?

Contributor Author

When I worked on it last time the objective was to get meson to build the exact same executables as automake (which was used before). I remember intentionally skipping PIE because "that would make it different". I found out about the existing issue recently.
I can't really comment on why it was harder to do earlier. The kmod contributors added PIE only after moving to meson. (kmod-project/kmod@6acdf06). I would assume meson just makes the process easier.

Development

Successfully merging this pull request may close these issues.

build kmod with static pie
