diff mbox series

configure: Implement --enable-host-bind-now

Message ID	20221111025309.188226-1-polacek@redhat.com
State	Unresolved
Headers	Received-SPF: pass (google.com: domain of gcc-patches-bounces+ouuuleilei=gmail.com@gcc.gnu.org designates 8.43.85.97 as permitted sender) client-ip=8.43.85.97; DMARC-Filter: OpenDMARC Filter v1.4.1 sourceware.org 355B0385E001 To: GCC Patches <gcc-patches@gcc.gnu.org> Cc: oliva@adacore.com, Joseph Myers <joseph@codesourcery.com> Subject: [PATCH] configure: Implement --enable-host-bind-now Date: Thu, 10 Nov 2022 21:53:09 -0500 Message-Id: <20221111025309.188226-1-polacek@redhat.com> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Content-Type: text/plain; charset="US-ASCII"; x-default=true Precedence: list From: Marek Polacek via Gcc-patches <gcc-patches@gcc.gnu.org> Reply-To: Marek Polacek <polacek@redhat.com> Errors-To: gcc-patches-bounces+ouuuleilei=gmail.com@gcc.gnu.org Sender: "Gcc-patches" <gcc-patches-bounces+ouuuleilei=gmail.com@gcc.gnu.org> X-getmail-retrieved-from-mailbox: =?utf-8?q?INBOX?=
Series	configure: Implement --enable-host-bind-now \| configure: Implement --enable-host-bind-now

Checks

Context	Check	Description
snail/gcc-patch-check	warning	Git am fail log

Commit Message

Marek Polacek Nov. 11, 2022, 2:53 a.m. UTC

  This is a rebased version of the patch I posted in February:
<https://gcc.gnu.org/pipermail/gcc-patches/2022-February/590201.html>.

Fortunately it is much simpler than the patch implementing --enable-host-pie.
I've converted the install.texi part into configuration.rst, otherwise
there are no changes to the original version.

With --enable-host-bind-now --enable-host-pie:
$ readelf -Wd ./gcc/cc1 ./gcc/cc1plus | grep FLAGS
 0x000000000000001e (FLAGS)              BIND_NOW
 0x000000006ffffffb (FLAGS_1)            Flags: NOW PIE
 0x000000000000001e (FLAGS)              BIND_NOW
 0x000000006ffffffb (FLAGS_1)            Flags: NOW PIE

Bootstrapped/regtested on x86_64-pc-linux-gnu, ok for trunk?

-- >8 --

As promised in the --enable-host-pie patch, this patch adds another
configure option, --enable-host-bind-now, which adds -z now when linking
the compiler executables in order to extend hardening.  BIND_NOW with RELRO
allows the GOT to be marked RO; this prevents GOT modification attacks.

This option does not affect linking of target libraries; you can use
LDFLAGS_FOR_TARGET=-Wl,-z,relro,-z,now to enable RELRO/BIND_NOW.

c++tools/ChangeLog:

	* configure.ac (--enable-host-bind-now): New check.
	* configure: Regenerate.

gcc/ChangeLog:

	* configure.ac (--enable-host-bind-now): New check.  Add
	-Wl,-z,now to LD_PICFLAG if --enable-host-bind-now.
	* configure: Regenerate.
	* doc/install/configuration.rst: Document --enable-host-bind-now.

lto-plugin/ChangeLog:

	* configure.ac (--enable-host-bind-now): New check.  Link with
	-z,now.
	* configure: Regenerate.
---
 c++tools/configure                | 11 +++++++++++
 c++tools/configure.ac             |  7 +++++++
 gcc/configure                     | 20 ++++++++++++++++++--
 gcc/configure.ac                  | 13 ++++++++++++-
 gcc/doc/install/configuration.rst |  7 +++++++
 lto-plugin/configure              | 20 ++++++++++++++++++--
 lto-plugin/configure.ac           | 11 +++++++++++
 7 files changed, 84 insertions(+), 5 deletions(-)


base-commit: 5c6546ca7d8cab1f1c129f5b55f709e2ceee0f94
prerequisite-patch-id: 312c7b6ec0b7c87f001758d071d26af5deae50c0

Comments

Jeff Law Nov. 20, 2022, 3:09 p.m. UTC | #1

On 11/10/22 19:53, Marek Polacek via Gcc-patches wrote:
> This is a rebased version of the patch I posted in February:
> <https://gcc.gnu.org/pipermail/gcc-patches/2022-February/590201.html>.
>
> Fortunately it is much simpler than the patch implementing --enable-host-pie.
> I've converted the install.texi part into configuration.rst, otherwise
> there are no changes to the original version.
>
> With --enable-host-bind-now --enable-host-pie:
> $ readelf -Wd ./gcc/cc1 ./gcc/cc1plus | grep FLAGS
>   0x000000000000001e (FLAGS)              BIND_NOW
>   0x000000006ffffffb (FLAGS_1)            Flags: NOW PIE
>   0x000000000000001e (FLAGS)              BIND_NOW
>   0x000000006ffffffb (FLAGS_1)            Flags: NOW PIE
>
> Bootstrapped/regtested on x86_64-pc-linux-gnu, ok for trunk?
>
> -- >8 --
>
> As promised in the --enable-host-pie patch, this patch adds another
> configure option, --enable-host-bind-now, which adds -z now when linking
> the compiler executables in order to extend hardening.  BIND_NOW with RELRO
> allows the GOT to be marked RO; this prevents GOT modification attacks.
>
> This option does not affect linking of target libraries; you can use
> LDFLAGS_FOR_TARGET=-Wl,-z,relro,-z,now to enable RELRO/BIND_NOW.
>
> c++tools/ChangeLog:
>
> 	* configure.ac (--enable-host-bind-now): New check.
> 	* configure: Regenerate.
>
> gcc/ChangeLog:
>
> 	* configure.ac (--enable-host-bind-now): New check.  Add
> 	-Wl,-z,now to LD_PICFLAG if --enable-host-bind-now.
> 	* configure: Regenerate.
> 	* doc/install/configuration.rst: Document --enable-host-bind-now.
>
> lto-plugin/ChangeLog:
>
> 	* configure.ac (--enable-host-bind-now): New check.  Link with
> 	-z,now.
> 	* configure: Regenerate.
> ---

OK.  Glad to see this finally get to resolution.  While I'm largely in 
agreement with Jakub that PIE doesn't provide a major security benefit 
for the compiler, it seems better to not have the compiler be special 
WRT security options.


Jeff

diff mbox series

Patch

diff --git a/c++tools/configure b/c++tools/configure
index 88087009383..006efe07b35 100755
--- a/c++tools/configure
+++ b/c++tools/configure
@@ -628,6 +628,7 @@  EGREP
 GREP
 CXXCPP
 LD_PICFLAG
+enable_host_bind_now
 PICFLAG
 MAINTAINER
 CXX_AUX_TOOLS
@@ -702,6 +703,7 @@  enable_maintainer_mode
 enable_checking
 enable_default_pie
 enable_host_pie
+enable_host_bind_now
 with_gcc_major_version_only
 '
       ac_precious_vars='build_alias
@@ -1336,6 +1338,7 @@  Optional Features:
                           yes,no,all,none,release.
   --enable-default-pie    enable Position Independent Executable as default
   --enable-host-pie       build host code as PIE
+  --enable-host-bind-now  link host code as BIND_NOW
 
 Optional Packages:
   --with-PACKAGE[=ARG]    use PACKAGE [ARG=yes]
@@ -3007,6 +3010,14 @@  fi
 
 
 
+# Enable --enable-host-bind-now
+# Check whether --enable-host-bind-now was given.
+if test "${enable_host_bind_now+set}" = set; then :
+  enableval=$enable_host_bind_now; LD_PICFLAG="$LD_PICFLAG -Wl,-z,now"
+fi
+
+
+
 
 # Check if O_CLOEXEC is defined by fcntl
 
diff --git a/c++tools/configure.ac b/c++tools/configure.ac
index 1e42689f2eb..d3f23f66f00 100644
--- a/c++tools/configure.ac
+++ b/c++tools/configure.ac
@@ -110,6 +110,13 @@  AC_ARG_ENABLE(host-pie,
 		[build host code as PIE])],
 [PICFLAG=-fPIE; LD_PICFLAG=-pie], [])
 AC_SUBST(PICFLAG)
+
+# Enable --enable-host-bind-now
+AC_ARG_ENABLE(host-bind-now,
+[AS_HELP_STRING([--enable-host-bind-now],
+       [link host code as BIND_NOW])],
+[LD_PICFLAG="$LD_PICFLAG -Wl,-z,now"], [])
+AC_SUBST(enable_host_bind_now)
 AC_SUBST(LD_PICFLAG)
 
 # Check if O_CLOEXEC is defined by fcntl
diff --git a/gcc/configure b/gcc/configure
index 3e303f7e5bd..fb88e41f712 100755
--- a/gcc/configure
+++ b/gcc/configure
@@ -635,6 +635,7 @@  CET_HOST_FLAGS
 LD_PICFLAG
 PICFLAG
 enable_default_pie
+enable_host_bind_now
 enable_host_pie
 enable_host_shared
 enable_plugin
@@ -1030,6 +1031,7 @@  enable_version_specific_runtime_libs
 enable_plugin
 enable_host_shared
 enable_host_pie
+enable_host_bind_now
 enable_libquadmath_support
 with_linker_hash_style
 with_diagnostics_color
@@ -1793,6 +1795,7 @@  Optional Features:
   --enable-plugin         enable plugin support
   --enable-host-shared    build host code as shared libraries
   --enable-host-pie       build host code as PIE
+  --enable-host-bind-now  link host code as BIND_NOW
   --disable-libquadmath-support
                           disable libquadmath support for Fortran
   --enable-default-pie    enable Position Independent Executable as default
@@ -19764,7 +19767,7 @@  else
   lt_dlunknown=0; lt_dlno_uscore=1; lt_dlneed_uscore=2
   lt_status=$lt_dlunknown
   cat > conftest.$ac_ext <<_LT_EOF
-#line 19779 "configure"
+#line 19782 "configure"
 #include "confdefs.h"
 
 #if HAVE_DLFCN_H
@@ -19870,7 +19873,7 @@  else
   lt_dlunknown=0; lt_dlno_uscore=1; lt_dlneed_uscore=2
   lt_status=$lt_dlunknown
   cat > conftest.$ac_ext <<_LT_EOF
-#line 19885 "configure"
+#line 19888 "configure"
 #include "confdefs.h"
 
 #if HAVE_DLFCN_H
@@ -32012,6 +32015,14 @@  fi
 
 
 
+# Enable --enable-host-bind-now
+# Check whether --enable-host-bind-now was given.
+if test "${enable_host_bind_now+set}" = set; then :
+  enableval=$enable_host_bind_now;
+fi
+
+
+
 # Check whether --enable-libquadmath-support was given.
 if test "${enable_libquadmath_support+set}" = set; then :
   enableval=$enable_libquadmath_support; ENABLE_LIBQUADMATH_SUPPORT=$enableval
@@ -32198,6 +32209,8 @@  else
   PICFLAG=
 fi
 
+
+
 if test x$enable_host_pie = xyes; then
   LD_PICFLAG=-pie
 elif test x$gcc_cv_no_pie = xyes; then
@@ -32206,6 +32219,9 @@  else
   LD_PICFLAG=
 fi
 
+if test x$enable_host_bind_now = xyes; then
+  LD_PICFLAG="$LD_PICFLAG -Wl,-z,now"
+fi
 
 
 
diff --git a/gcc/configure.ac b/gcc/configure.ac
index 29eeed7e569..fd6deaf82c8 100644
--- a/gcc/configure.ac
+++ b/gcc/configure.ac
@@ -7411,6 +7411,12 @@  AC_ARG_ENABLE(host-pie,
 		[build host code as PIE])])
 AC_SUBST(enable_host_pie)
 
+# Enable --enable-host-bind-now
+AC_ARG_ENABLE(host-bind-now,
+[AS_HELP_STRING([--enable-host-bind-now],
+		[link host code as BIND_NOW])])
+AC_SUBST(enable_host_bind_now)
+
 AC_ARG_ENABLE(libquadmath-support,
 [AS_HELP_STRING([--disable-libquadmath-support],
   [disable libquadmath support for Fortran])],
@@ -7552,6 +7558,8 @@  else
   PICFLAG=
 fi
 
+AC_SUBST([PICFLAG])
+
 if test x$enable_host_pie = xyes; then
   LD_PICFLAG=-pie
 elif test x$gcc_cv_no_pie = xyes; then
@@ -7560,7 +7568,10 @@  else
   LD_PICFLAG=
 fi
 
-AC_SUBST([PICFLAG])
+if test x$enable_host_bind_now = xyes; then
+  LD_PICFLAG="$LD_PICFLAG -Wl,-z,now"
+fi
+
 AC_SUBST([LD_PICFLAG])
 
 # Enable Intel CET on Intel CET enabled host if jit is enabled.
diff --git a/gcc/doc/install/configuration.rst b/gcc/doc/install/configuration.rst
index c2a9680e1e5..2a541f90156 100644
--- a/gcc/doc/install/configuration.rst
+++ b/gcc/doc/install/configuration.rst
@@ -446,6 +446,13 @@  corresponding :option:`--without` option.
   in which case :option:`-fPIC` is used when compiling, and :option:`-pie`
   when linking.
 
+.. option:: --enable-host-bind-now
+
+  Specify that the *host* executables should be linked with the option
+  :option:`-Wl,-z,now`, which means that the dynamic linker will resolve all
+  symbols when the executables are started, and that in turn allows RELRO to
+  mark the GOT read-only, resulting in better security.
+
 .. option:: --with-gnu-as
 
 .. _with-gnu-as:
diff --git a/lto-plugin/configure b/lto-plugin/configure
index d522bd24c95..3467defd416 100755
--- a/lto-plugin/configure
+++ b/lto-plugin/configure
@@ -663,6 +663,7 @@  accel_dir_suffix
 gcc_build_dir
 CET_HOST_FLAGS
 ac_lto_plugin_ldflags
+enable_host_bind_now
 ac_lto_plugin_warn_cflags
 EGREP
 GREP
@@ -778,6 +779,7 @@  enable_maintainer_mode
 with_libiberty
 enable_dependency_tracking
 enable_largefile
+enable_host_bind_now
 enable_cet
 with_gcc_major_version_only
 enable_shared
@@ -1425,6 +1427,7 @@  Optional Features:
   --disable-dependency-tracking
                           speeds up one-time build
   --disable-largefile     omit support for large files
+  --enable-host-bind-now  link host code as BIND_NOW
   --enable-cet            enable Intel CET in host libraries [default=auto]
   --enable-shared[=PKGS]  build shared libraries [default=yes]
   --enable-static[=PKGS]  build static libraries [default=yes]
@@ -5669,6 +5672,19 @@  if test "x$have_static_libgcc" = xyes; then
    ac_lto_plugin_ldflags="-Wc,-static-libgcc"
 fi
 
+# Enable --enable-host-bind-now
+# Check whether --enable-host-bind-now was given.
+if test "${enable_host_bind_now+set}" = set; then :
+  enableval=$enable_host_bind_now;
+fi
+
+
+
+if test x$enable_host_bind_now = xyes; then
+  ac_lto_plugin_ldflags="$ac_lto_plugin_ldflags -Wl,-z,now"
+fi
+
+
 
  # Check whether --enable-cet was given.
 if test "${enable_cet+set}" = set; then :
@@ -12134,7 +12150,7 @@  else
   lt_dlunknown=0; lt_dlno_uscore=1; lt_dlneed_uscore=2
   lt_status=$lt_dlunknown
   cat > conftest.$ac_ext <<_LT_EOF
-#line 12137 "configure"
+#line 12165 "configure"
 #include "confdefs.h"
 
 #if HAVE_DLFCN_H
@@ -12240,7 +12256,7 @@  else
   lt_dlunknown=0; lt_dlno_uscore=1; lt_dlneed_uscore=2
   lt_status=$lt_dlunknown
   cat > conftest.$ac_ext <<_LT_EOF
-#line 12243 "configure"
+#line 12271 "configure"
 #include "confdefs.h"
 
 #if HAVE_DLFCN_H
diff --git a/lto-plugin/configure.ac b/lto-plugin/configure.ac
index 0a7202782ae..84f2a60b480 100644
--- a/lto-plugin/configure.ac
+++ b/lto-plugin/configure.ac
@@ -25,6 +25,17 @@  LDFLAGS="$saved_LDFLAGS"
 if test "x$have_static_libgcc" = xyes; then
    ac_lto_plugin_ldflags="-Wc,-static-libgcc"
 fi
+
+# Enable --enable-host-bind-now
+AC_ARG_ENABLE(host-bind-now,
+[AS_HELP_STRING([--enable-host-bind-now],
+       [link host code as BIND_NOW])])
+AC_SUBST(enable_host_bind_now)
+
+if test x$enable_host_bind_now = xyes; then
+  ac_lto_plugin_ldflags="$ac_lto_plugin_ldflags -Wl,-z,now"
+fi
+
 AC_SUBST(ac_lto_plugin_ldflags)
 
 GCC_CET_HOST_FLAGS(CET_HOST_FLAGS)