From patchwork Fri Nov 11 02:53:09 2022
X-Patchwork-Submitter: Marek Polacek
X-Patchwork-Id: 18394
To: GCC Patches
Cc: oliva@adacore.com, Joseph Myers
Subject: [PATCH] configure: Implement --enable-host-bind-now
Date: Thu, 10 Nov 2022 21:53:09 -0500
Message-Id: <20221111025309.188226-1-polacek@redhat.com>
From: Marek Polacek

This is a rebased version of the patch I posted in February: .
Fortunately it is much simpler than the patch implementing
--enable-host-pie.  I've converted the install.texi part into
configuration.rst, otherwise there are no changes to the original
version.

With --enable-host-bind-now --enable-host-pie:

$ readelf -Wd ./gcc/cc1 ./gcc/cc1plus | grep FLAGS
 0x000000000000001e (FLAGS)              BIND_NOW
 0x000000006ffffffb (FLAGS_1)            Flags: NOW PIE
 0x000000000000001e (FLAGS)              BIND_NOW
 0x000000006ffffffb (FLAGS_1)            Flags: NOW PIE

Bootstrapped/regtested on x86_64-pc-linux-gnu, ok for trunk?

-- >8 --

As promised in the --enable-host-pie patch, this patch adds another
configure option, --enable-host-bind-now, which adds -z now when linking
the compiler executables in order to extend hardening.  BIND_NOW with
RELRO allows the GOT to be marked RO; this prevents GOT modification
attacks.

This option does not affect linking of target libraries; you can use
LDFLAGS_FOR_TARGET=-Wl,-z,relro,-z,now to enable RELRO/BIND_NOW.

c++tools/ChangeLog:

	* configure.ac (--enable-host-bind-now): New check.
	* configure: Regenerate.

gcc/ChangeLog:

	* configure.ac (--enable-host-bind-now): New check.  Add -Wl,-z,now
	to LD_PICFLAG if --enable-host-bind-now.
	* configure: Regenerate.
	* doc/install/configuration.rst: Document --enable-host-bind-now.

lto-plugin/ChangeLog:

	* configure.ac (--enable-host-bind-now): New check.  Link with -z,now.
	* configure: Regenerate.
--- c++tools/configure | 11 +++++++++++ c++tools/configure.ac | 7 +++++++ gcc/configure | 20 ++++++++++++++++++-- gcc/configure.ac | 13 ++++++++++++- gcc/doc/install/configuration.rst | 7 +++++++ lto-plugin/configure | 20 ++++++++++++++++++-- lto-plugin/configure.ac | 11 +++++++++++ 7 files changed, 84 insertions(+), 5 deletions(-) base-commit: 5c6546ca7d8cab1f1c129f5b55f709e2ceee0f94 prerequisite-patch-id: 312c7b6ec0b7c87f001758d071d26af5deae50c0 diff --git a/c++tools/configure b/c++tools/configure index 88087009383..006efe07b35 100755 --- a/c++tools/configure +++ b/c++tools/configure @@ -628,6 +628,7 @@ EGREP GREP CXXCPP LD_PICFLAG +enable_host_bind_now PICFLAG MAINTAINER CXX_AUX_TOOLS @@ -702,6 +703,7 @@ enable_maintainer_mode enable_checking enable_default_pie enable_host_pie +enable_host_bind_now with_gcc_major_version_only ' ac_precious_vars='build_alias @@ -1336,6 +1338,7 @@ Optional Features: yes,no,all,none,release. --enable-default-pie enable Position Independent Executable as default --enable-host-pie build host code as PIE + --enable-host-bind-now link host code as BIND_NOW Optional Packages: --with-PACKAGE[=ARG] use PACKAGE [ARG=yes] @@ -3007,6 +3010,14 @@ fi +# Enable --enable-host-bind-now +# Check whether --enable-host-bind-now was given. +if test "${enable_host_bind_now+set}" = set; then : + enableval=$enable_host_bind_now; LD_PICFLAG="$LD_PICFLAG -Wl,-z,now" +fi + + + # Check if O_CLOEXEC is defined by fcntl diff --git a/c++tools/configure.ac b/c++tools/configure.ac index 1e42689f2eb..d3f23f66f00 100644 --- a/c++tools/configure.ac +++ b/c++tools/configure.ac 
@@ -110,6 +110,13 @@ AC_ARG_ENABLE(host-pie, [build host code as PIE])], [PICFLAG=-fPIE; LD_PICFLAG=-pie], []) AC_SUBST(PICFLAG) + +# Enable --enable-host-bind-now +AC_ARG_ENABLE(host-bind-now, +[AS_HELP_STRING([--enable-host-bind-now], + [link host code as BIND_NOW])], +[LD_PICFLAG="$LD_PICFLAG -Wl,-z,now"], []) +AC_SUBST(enable_host_bind_now) AC_SUBST(LD_PICFLAG) # Check if O_CLOEXEC is defined by fcntl diff --git a/gcc/configure b/gcc/configure index 3e303f7e5bd..fb88e41f712 100755 --- a/gcc/configure +++ b/gcc/configure @@ -635,6 +635,7 @@ CET_HOST_FLAGS LD_PICFLAG PICFLAG enable_default_pie +enable_host_bind_now enable_host_pie enable_host_shared enable_plugin @@ -1030,6 +1031,7 @@ enable_version_specific_runtime_libs enable_plugin enable_host_shared enable_host_pie +enable_host_bind_now enable_libquadmath_support with_linker_hash_style with_diagnostics_color @@ -1793,6 +1795,7 @@ Optional Features: --enable-plugin enable plugin support --enable-host-shared build host code as shared libraries --enable-host-pie build host code as PIE + --enable-host-bind-now link host code as BIND_NOW --disable-libquadmath-support disable libquadmath support for Fortran --enable-default-pie enable Position Independent Executable as default @@ -19764,7 +19767,7 @@ else lt_dlunknown=0; lt_dlno_uscore=1; lt_dlneed_uscore=2 lt_status=$lt_dlunknown cat > conftest.$ac_ext <<_LT_EOF -#line 19779 "configure" +#line 19782 "configure" #include "confdefs.h" #if HAVE_DLFCN_H @@ -19870,7 +19873,7 @@ else lt_dlunknown=0; lt_dlno_uscore=1; lt_dlneed_uscore=2 lt_status=$lt_dlunknown cat > conftest.$ac_ext <<_LT_EOF -#line 19885 "configure" +#line 19888 "configure" #include "confdefs.h" #if HAVE_DLFCN_H 
@@ -32012,6 +32015,14 @@ fi +# Enable --enable-host-bind-now +# Check whether --enable-host-bind-now was given. +if test "${enable_host_bind_now+set}" = set; then : + enableval=$enable_host_bind_now; +fi + + + # Check whether --enable-libquadmath-support was given. if test "${enable_libquadmath_support+set}" = set; then : enableval=$enable_libquadmath_support; ENABLE_LIBQUADMATH_SUPPORT=$enableval @@ -32198,6 +32209,8 @@ else PICFLAG= fi + + if test x$enable_host_pie = xyes; then LD_PICFLAG=-pie elif test x$gcc_cv_no_pie = xyes; then @@ -32206,6 +32219,9 @@ else LD_PICFLAG= fi +if test x$enable_host_bind_now = xyes; then + LD_PICFLAG="$LD_PICFLAG -Wl,-z,now" +fi diff --git a/gcc/configure.ac b/gcc/configure.ac index 29eeed7e569..fd6deaf82c8 100644 --- a/gcc/configure.ac +++ b/gcc/configure.ac @@ -7411,6 +7411,12 @@ AC_ARG_ENABLE(host-pie, [build host code as PIE])]) AC_SUBST(enable_host_pie) +# Enable --enable-host-bind-now +AC_ARG_ENABLE(host-bind-now, +[AS_HELP_STRING([--enable-host-bind-now], + [link host code as BIND_NOW])]) +AC_SUBST(enable_host_bind_now) + AC_ARG_ENABLE(libquadmath-support, [AS_HELP_STRING([--disable-libquadmath-support], [disable libquadmath support for Fortran])], @@ -7552,6 +7558,8 @@ else PICFLAG= fi +AC_SUBST([PICFLAG]) + if test x$enable_host_pie = xyes; then LD_PICFLAG=-pie elif test x$gcc_cv_no_pie = xyes; then @@ -7560,7 +7568,10 @@ else LD_PICFLAG= fi -AC_SUBST([PICFLAG]) +if test x$enable_host_bind_now = xyes; then + LD_PICFLAG="$LD_PICFLAG -Wl,-z,now" +fi + AC_SUBST([LD_PICFLAG]) # Enable Intel CET on Intel CET enabled host if jit is enabled. diff --git a/gcc/doc/install/configuration.rst b/gcc/doc/install/configuration.rst index c2a9680e1e5..2a541f90156 100644 --- a/gcc/doc/install/configuration.rst +++ b/gcc/doc/install/configuration.rst 
@@ -446,6 +446,13 @@ corresponding :option:`--without` option. in which case :option:`-fPIC` is used when compiling, and :option:`-pie` when linking. +.. option:: --enable-host-bind-now + + Specify that the *host* executables should be linked with the option + :option:`-Wl,-z,now`, which means that the dynamic linker will resolve all + symbols when the executables are started, and that in turn allows RELRO to + mark the GOT read-only, resulting in better security. + .. option:: --with-gnu-as .. _with-gnu-as: diff --git a/lto-plugin/configure b/lto-plugin/configure index d522bd24c95..3467defd416 100755 --- a/lto-plugin/configure +++ b/lto-plugin/configure @@ -663,6 +663,7 @@ accel_dir_suffix gcc_build_dir CET_HOST_FLAGS ac_lto_plugin_ldflags +enable_host_bind_now ac_lto_plugin_warn_cflags EGREP GREP @@ -778,6 +779,7 @@ enable_maintainer_mode with_libiberty enable_dependency_tracking enable_largefile +enable_host_bind_now enable_cet with_gcc_major_version_only enable_shared @@ -1425,6 +1427,7 @@ Optional Features: --disable-dependency-tracking speeds up one-time build --disable-largefile omit support for large files + --enable-host-bind-now link host code as BIND_NOW --enable-cet enable Intel CET in host libraries [default=auto] --enable-shared[=PKGS] build shared libraries [default=yes] --enable-static[=PKGS] build static libraries [default=yes] @@ -5669,6 +5672,19 @@ if test "x$have_static_libgcc" = xyes; then ac_lto_plugin_ldflags="-Wc,-static-libgcc" fi +# Enable --enable-host-bind-now +# Check whether --enable-host-bind-now was given. +if test "${enable_host_bind_now+set}" = set; then : + enableval=$enable_host_bind_now; +fi + + + +if test x$enable_host_bind_now = xyes; then + ac_lto_plugin_ldflags="$ac_lto_plugin_ldflags -Wl,-z,now" +fi + + # Check whether --enable-cet was given. if test "${enable_cet+set}" = set; then : 
@@ -12134,7 +12150,7 @@ else lt_dlunknown=0; lt_dlno_uscore=1; lt_dlneed_uscore=2 lt_status=$lt_dlunknown cat > conftest.$ac_ext <<_LT_EOF -#line 12137 "configure" +#line 12165 "configure" #include "confdefs.h" #if HAVE_DLFCN_H @@ -12240,7 +12256,7 @@ else lt_dlunknown=0; lt_dlno_uscore=1; lt_dlneed_uscore=2 lt_status=$lt_dlunknown cat > conftest.$ac_ext <<_LT_EOF -#line 12243 "configure" +#line 12271 "configure" #include "confdefs.h" #if HAVE_DLFCN_H diff --git a/lto-plugin/configure.ac b/lto-plugin/configure.ac index 0a7202782ae..84f2a60b480 100644 --- a/lto-plugin/configure.ac +++ b/lto-plugin/configure.ac @@ -25,6 +25,17 @@ LDFLAGS="$saved_LDFLAGS" if test "x$have_static_libgcc" = xyes; then ac_lto_plugin_ldflags="-Wc,-static-libgcc" fi + +# Enable --enable-host-bind-now +AC_ARG_ENABLE(host-bind-now, +[AS_HELP_STRING([--enable-host-bind-now], + [link host code as BIND_NOW])]) +AC_SUBST(enable_host_bind_now) + +if test x$enable_host_bind_now = xyes; then + ac_lto_plugin_ldflags="$ac_lto_plugin_ldflags -Wl,-z,now" +fi + AC_SUBST(ac_lto_plugin_ldflags) GCC_CET_HOST_FLAGS(CET_HOST_FLAGS)
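Review bot: in the c++tools/configure.ac hunk the flag is added in the action-if-given argument of AC_ARG_ENABLE, `[LD_PICFLAG="$LD_PICFLAG -Wl,-z,now"], []`, so `--disable-host-bind-now` (enableval=no) also appends -Wl,-z,now. The gcc/configure.ac and lto-plugin/configure.ac hunks instead guard on `if test x$enable_host_bind_now = xyes; then`; using the same guard after the AC_ARG_ENABLE here would make the three directories behave alike. The regenerated c++tools/configure shows the same unconditional `enableval=$enable_host_bind_now; LD_PICFLAG="$LD_PICFLAG -Wl,-z,now"`.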
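Review bot: the gcc/configure.ac hunk appends -Wl,-z,now to LD_PICFLAG without probing whether the host linker accepts `-z now`; the adjacent host-pie logic is guarded by gcc_cv_no_pie, but there is no corresponding check here, so a host whose linker rejects the option would fail at link time when --enable-host-bind-now is given. An AC_LINK_IFELSE probe with -Wl,-z,now in LDFLAGS, or a help-string note that the option is meant for ELF hosts, would cover that; the same applies to the lto-plugin/configure.ac hunk.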
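Review bot: the configuration.rst hunk states that -z now "allows RELRO to mark the GOT read-only", but the patch only adds -z now and never passes -z relro, so the read-only GOT depends on the host linker defaulting to RELRO. Either link with -Wl,-z,relro,-z,now, as the cover letter's LDFLAGS_FOR_TARGET example already does for target libraries, or say in the documentation that RELRO is assumed to be the linker default.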