From patchwork Tue May 16 15:37:06 2023
X-Patchwork-Submitter: Marek Polacek
X-Patchwork-Id: 94760
Date: Tue, 16 May 2023 11:37:06 -0400
To: GCC Patches
Subject: [PATCH] configure: Implement --enable-host-bind-now
List-Id: Gcc-patches mailing list
X-Patchwork-Original-From: Marek Polacek via Gcc-patches
From: Marek Polacek Reply-To: Marek Polacek Errors-To: gcc-patches-bounces+ouuuleilei=gmail.com@gcc.gnu.org Sender: "Gcc-patches" X-getmail-retrieved-from-mailbox: =?utf-8?q?INBOX?= X-GMAIL-THRID: =?utf-8?q?1766065695338893647?= X-GMAIL-MSGID: =?utf-8?q?1766065695338893647?= As promised in the --enable-host-pie patch, this patch adds another configure option, --enable-host-bind-now, which adds -z now when linking the compiler executables in order to extend hardening. BIND_NOW with RELRO allows the GOT to be marked RO; this prevents GOT modification attacks. This option does not affect linking of target libraries; you can use LDFLAGS_FOR_TARGET=-Wl,-z,relro,-z,now to enable RELRO/BIND_NOW. With this patch: $ readelf -Wd cc1{,plus} | grep FLAGS 0x000000000000001e (FLAGS) BIND_NOW 0x000000006ffffffb (FLAGS_1) Flags: NOW PIE 0x000000000000001e (FLAGS) BIND_NOW 0x000000006ffffffb (FLAGS_1) Flags: NOW PIE Bootstrapped/regtested on x86_64-pc-linux-gnu, ok for trunk? c++tools/ChangeLog: * configure.ac (--enable-host-bind-now): New check. * configure: Regenerate. gcc/ChangeLog: * configure.ac (--enable-host-bind-now): New check. Add -Wl,-z,now to LD_PICFLAG if --enable-host-bind-now. * configure: Regenerate. * doc/install.texi: Document --enable-host-bind-now. lto-plugin/ChangeLog: * configure.ac (--enable-host-bind-now): New check. Link with -z,now. * configure: Regenerate. diff --git a/c++tools/configure b/c++tools/configure index 88087009383..006efe07b35 100755 --- a/c++tools/configure +++ b/c++tools/configure @@ -628,6 +628,7 @@ EGREP GREP CXXCPP LD_PICFLAG +enable_host_bind_now PICFLAG MAINTAINER CXX_AUX_TOOLS @@ -702,6 +703,7 @@ enable_maintainer_mode enable_checking enable_default_pie enable_host_pie +enable_host_bind_now with_gcc_major_version_only ' ac_precious_vars='build_alias 
@@ -1336,6 +1338,7 @@ Optional Features: yes,no,all,none,release. --enable-default-pie enable Position Independent Executable as default --enable-host-pie build host code as PIE + --enable-host-bind-now link host code as BIND_NOW Optional Packages: --with-PACKAGE[=ARG] use PACKAGE [ARG=yes] @@ -3007,6 +3010,14 @@ fi +# Enable --enable-host-bind-now +# Check whether --enable-host-bind-now was given. +if test "${enable_host_bind_now+set}" = set; then : + enableval=$enable_host_bind_now; LD_PICFLAG="$LD_PICFLAG -Wl,-z,now" +fi + + + # Check if O_CLOEXEC is defined by fcntl diff --git a/c++tools/configure.ac b/c++tools/configure.ac index 44dfaccbbfa..c2a16601425 100644 --- a/c++tools/configure.ac +++ b/c++tools/configure.ac @@ -110,6 +110,13 @@ AC_ARG_ENABLE(host-pie, [build host code as PIE])], [PICFLAG=-fPIE; LD_PICFLAG=-pie], []) AC_SUBST(PICFLAG) + +# Enable --enable-host-bind-now +AC_ARG_ENABLE(host-bind-now, +[AS_HELP_STRING([--enable-host-bind-now], + [link host code as BIND_NOW])], +[LD_PICFLAG="$LD_PICFLAG -Wl,-z,now"], []) +AC_SUBST(enable_host_bind_now) AC_SUBST(LD_PICFLAG) # Check if O_CLOEXEC is defined by fcntl diff --git a/gcc/configure b/gcc/configure index 629446ecf3b..6d847c60024 100755 --- a/gcc/configure +++ b/gcc/configure @@ -635,6 +635,7 @@ CET_HOST_FLAGS LD_PICFLAG PICFLAG enable_default_pie +enable_host_bind_now enable_host_pie enable_host_shared enable_plugin @@ -1031,6 +1032,7 @@ enable_version_specific_runtime_libs enable_plugin enable_host_shared enable_host_pie +enable_host_bind_now enable_libquadmath_support with_linker_hash_style with_diagnostics_color @@ -1794,6 +1796,7 @@ Optional Features: --enable-plugin enable plugin support --enable-host-shared build host code as shared libraries --enable-host-pie build host code as PIE + --enable-host-bind-now link host code as BIND_NOW --disable-libquadmath-support disable libquadmath support for Fortran --enable-default-pie enable Position Independent Executable as default 
@@ -19852,7 +19855,7 @@ else lt_dlunknown=0; lt_dlno_uscore=1; lt_dlneed_uscore=2 lt_status=$lt_dlunknown cat > conftest.$ac_ext <<_LT_EOF -#line 19867 "configure" +#line 19870 "configure" #include "confdefs.h" #if HAVE_DLFCN_H @@ -19958,7 +19961,7 @@ else lt_dlunknown=0; lt_dlno_uscore=1; lt_dlneed_uscore=2 lt_status=$lt_dlunknown cat > conftest.$ac_ext <<_LT_EOF -#line 19973 "configure" +#line 19976 "configure" #include "confdefs.h" #if HAVE_DLFCN_H @@ -32105,6 +32108,14 @@ fi +# Enable --enable-host-bind-now +# Check whether --enable-host-bind-now was given. +if test "${enable_host_bind_now+set}" = set; then : + enableval=$enable_host_bind_now; +fi + + + # Check whether --enable-libquadmath-support was given. if test "${enable_libquadmath_support+set}" = set; then : enableval=$enable_libquadmath_support; ENABLE_LIBQUADMATH_SUPPORT=$enableval @@ -32291,6 +32302,8 @@ else PICFLAG= fi + + if test x$enable_host_pie = xyes; then LD_PICFLAG=-pie elif test x$gcc_cv_no_pie = xyes; then @@ -32299,6 +32312,9 @@ else LD_PICFLAG= fi +if test x$enable_host_bind_now = xyes; then + LD_PICFLAG="$LD_PICFLAG -Wl,-z,now" +fi diff --git a/gcc/configure.ac b/gcc/configure.ac index 9c69a55668e..f0d56e0eaf0 100644 --- a/gcc/configure.ac +++ b/gcc/configure.ac @@ -7427,6 +7427,12 @@ AC_ARG_ENABLE(host-pie, [build host code as PIE])]) AC_SUBST(enable_host_pie) +# Enable --enable-host-bind-now +AC_ARG_ENABLE(host-bind-now, +[AS_HELP_STRING([--enable-host-bind-now], + [link host code as BIND_NOW])]) +AC_SUBST(enable_host_bind_now) + AC_ARG_ENABLE(libquadmath-support, [AS_HELP_STRING([--disable-libquadmath-support], [disable libquadmath support for Fortran])], @@ -7568,6 +7574,8 @@ else PICFLAG= fi +AC_SUBST([PICFLAG]) + if test x$enable_host_pie = xyes; then LD_PICFLAG=-pie elif test x$gcc_cv_no_pie = xyes; then 
@@ -7576,7 +7584,10 @@ else LD_PICFLAG= fi -AC_SUBST([PICFLAG]) +if test x$enable_host_bind_now = xyes; then + LD_PICFLAG="$LD_PICFLAG -Wl,-z,now" +fi + AC_SUBST([LD_PICFLAG]) # Enable Intel CET on Intel CET enabled host if jit is enabled. diff --git a/gcc/doc/install.texi b/gcc/doc/install.texi index 2248308dbdf..a840d36bd6d 100644 --- a/gcc/doc/install.texi +++ b/gcc/doc/install.texi @@ -1092,6 +1092,12 @@ protection against Return Oriented Programming (ROP) attacks. in which case @option{-fPIC} is used when compiling, and @option{-pie} when linking. +@item --enable-host-bind-now +Specify that the @emph{host} executables should be linked with the option +@option{-Wl,-z,now}, which means that the dynamic linker will resolve all +symbols when the executables are started, and that in turn allows RELRO to +mark the GOT read-only, resulting in better security. + @item @anchor{with-gnu-as}--with-gnu-as Specify that the compiler should assume that the assembler it finds is the GNU assembler. However, this does not modify diff --git a/lto-plugin/configure b/lto-plugin/configure index d522bd24c95..3467defd416 100755 --- a/lto-plugin/configure +++ b/lto-plugin/configure @@ -663,6 +663,7 @@ accel_dir_suffix gcc_build_dir CET_HOST_FLAGS ac_lto_plugin_ldflags +enable_host_bind_now ac_lto_plugin_warn_cflags EGREP GREP @@ -778,6 +779,7 @@ enable_maintainer_mode with_libiberty enable_dependency_tracking enable_largefile +enable_host_bind_now enable_cet with_gcc_major_version_only enable_shared @@ -1425,6 +1427,7 @@ Optional Features: --disable-dependency-tracking speeds up one-time build --disable-largefile omit support for large files + --enable-host-bind-now link host code as BIND_NOW --enable-cet enable Intel CET in host libraries [default=auto] --enable-shared[=PKGS] build shared libraries [default=yes] --enable-static[=PKGS] build static libraries [default=yes] 
@@ -5669,6 +5672,19 @@ if test "x$have_static_libgcc" = xyes; then ac_lto_plugin_ldflags="-Wc,-static-libgcc" fi +# Enable --enable-host-bind-now +# Check whether --enable-host-bind-now was given. +if test "${enable_host_bind_now+set}" = set; then : + enableval=$enable_host_bind_now; +fi + + + +if test x$enable_host_bind_now = xyes; then + ac_lto_plugin_ldflags="$ac_lto_plugin_ldflags -Wl,-z,now" +fi + + # Check whether --enable-cet was given. if test "${enable_cet+set}" = set; then : @@ -12134,7 +12150,7 @@ else lt_dlunknown=0; lt_dlno_uscore=1; lt_dlneed_uscore=2 lt_status=$lt_dlunknown cat > conftest.$ac_ext <<_LT_EOF -#line 12137 "configure" +#line 12165 "configure" #include "confdefs.h" #if HAVE_DLFCN_H @@ -12240,7 +12256,7 @@ else lt_dlunknown=0; lt_dlno_uscore=1; lt_dlneed_uscore=2 lt_status=$lt_dlunknown cat > conftest.$ac_ext <<_LT_EOF -#line 12243 "configure" +#line 12271 "configure" #include "confdefs.h" #if HAVE_DLFCN_H diff --git a/lto-plugin/configure.ac b/lto-plugin/configure.ac index 0a7202782ae..84f2a60b480 100644 --- a/lto-plugin/configure.ac +++ b/lto-plugin/configure.ac @@ -25,6 +25,17 @@ LDFLAGS="$saved_LDFLAGS" if test "x$have_static_libgcc" = xyes; then ac_lto_plugin_ldflags="-Wc,-static-libgcc" fi + +# Enable --enable-host-bind-now +AC_ARG_ENABLE(host-bind-now, +[AS_HELP_STRING([--enable-host-bind-now], + [link host code as BIND_NOW])]) +AC_SUBST(enable_host_bind_now) + +if test x$enable_host_bind_now = xyes; then + ac_lto_plugin_ldflags="$ac_lto_plugin_ldflags -Wl,-z,now" +fi + AC_SUBST(ac_lto_plugin_ldflags) GCC_CET_HOST_FLAGS(CET_HOST_FLAGS)
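Review bot: in the c++tools/configure.ac hunk the action-if-given of AC_ARG_ENABLE(host-bind-now, ...) is `[LD_PICFLAG="$LD_PICFLAG -Wl,-z,now"]`, which runs whenever the option is mentioned at all, so `--disable-host-bind-now` (enableval=no) still links c++tools with -z now; the generated c++tools/configure shows exactly that with `enableval=$enable_host_bind_now; LD_PICFLAG="$LD_PICFLAG -Wl,-z,now"`. The gcc/configure.ac and lto-plugin/configure.ac hunks get this right by leaving the action empty and testing `if test x$enable_host_bind_now = xyes; then` afterwards; c++tools should use the same shape so that a top-level --disable-host-bind-now really disables it in all three directories (the neighbouring host-pie check in c++tools has the same weakness, but this hunk should not copy it).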
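Review bot: the gcc/doc/install.texi hunk says -Wl,-z,now "allows RELRO to mark the GOT read-only", but the option adds only -z now and nothing in the patch passes -z relro; the GOT becomes read-only only when the linker also emits a GNU_RELRO segment, and whether it does so without an explicit -z relro is a configure-time default of the linker (true for GNU ld on most Linux targets), not something this patch controls. Suggest either appending `-Wl,-z,relro,-z,now` (matching the LDFLAGS_FOR_TARGET hint in the message) or stating in the texinfo text that the option assumes a RELRO-by-default linker, and checking for the GNU_RELRO program header with `readelf -Wl cc1` in addition to the `readelf -Wd` flags shown in the message.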
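The readelf -Wd check in the message only shows the dynamic flags; to confirm that a host executable actually ended up with full RELRO (GNU_RELRO segment plus eager binding) rather than BIND_NOW alone, here is an added check script that is not part of the patch or of GCC. It classifies `readelf -W -l -d` output piped on stdin; the sample lines are constructed from the dynamic-section output quoted in the email, with a made-up GNU_RELRO program header.

```shell
#!/bin/sh
# Added check (not part of the patch or of GCC): classify the RELRO state of a
# binary from `readelf -W -l -d BINARY` output read on stdin.
#   full    : GNU_RELRO segment present and eager binding requested
#             (DT_BIND_NOW, DT_FLAGS BIND_NOW or DT_FLAGS_1 NOW)
#   partial : GNU_RELRO segment only; lazy binding keeps the GOT writable
#   none    : no GNU_RELRO segment, so -z now alone protects nothing here
relro_status() {
    awk '
        /GNU_RELRO/                          { relro = 1 }
        /\(BIND_NOW\)/                       { now = 1 }   # DT_BIND_NOW entry
        /\(FLAGS\).*BIND_NOW/                { now = 1 }   # DF_BIND_NOW in DT_FLAGS
        /\(FLAGS_1\).*[ \t]NOW([ \t]|$)/     { now = 1 }   # DF_1_NOW in DT_FLAGS_1
        END {
            if (relro && now) print "full"
            else if (relro)   print "partial"
            else              print "none"
        }'
}

# Constructed samples: the two dynamic-section lines the email shows for cc1,
# plus a hypothetical GNU_RELRO program header (addresses are made up).
SAMPLE_FULL='  GNU_RELRO      0x0000000000ee0c8 0x0000000001dd10c8 0x0000000001dd10c8 0x00ef38 0x00ef38 R   0x1
 0x000000000000001e (FLAGS)              BIND_NOW
 0x000000006ffffffb (FLAGS_1)            Flags: NOW PIE'
# RELRO segment but lazy binding: what a build without the option typically gets.
SAMPLE_PARTIAL='  GNU_RELRO      0x0000000000ee0c8 0x0000000001dd10c8 0x0000000001dd10c8 0x00ef38 0x00ef38 R   0x1
 0x000000006ffffffb (FLAGS_1)            Flags: PIE'
# BIND_NOW flags but no RELRO segment: the GOT stays writable regardless.
SAMPLE_NONE=' 0x000000000000001e (FLAGS)              BIND_NOW
 0x000000006ffffffb (FLAGS_1)            Flags: NOW PIE'

# Usage: sh relro_check.sh path/to/cc1   (needs readelf from binutils)
if [ "$#" -eq 1 ]; then
    readelf -W -l -d "$1" | relro_status
fi
```

Run it against cc1 and cc1plus from a build configured with --enable-host-bind-now; anything other than "full" means the GOT is not protected the way the install.texi text describes.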