From: Marek Polacek To: gcc-cvs@gcc.gnu.org Subject: [gcc r13-4256] configure: Implement --enable-host-bind-now X-Act-Checkin: gcc X-Git-Author: Marek Polacek X-Git-Refname: refs/heads/trunk X-Git-Oldrev: 251c72a68af3a8b0638705b73ef120ffdf0053eb X-Git-Newrev: 258d7149f92f19380c9f7763618d62408c064e60 Message-Id: <20221123014842.68830385800C@sourceware.org> Date: Wed, 23 Nov 2022 01:48:42 +0000 (GMT) List-Id: https://gcc.gnu.org/g:258d7149f92f19380c9f7763618d62408c064e60 commit r13-4256-g258d7149f92f19380c9f7763618d62408c064e60 Author: Marek Polacek Date: Tue Nov 22 20:46:46 2022 -0500 configure: Implement --enable-host-bind-now As promised in the --enable-host-pie patch, this patch adds another configure option, --enable-host-bind-now, which adds -z now when linking the compiler executables in order to extend hardening. BIND_NOW with RELRO allows the GOT to be marked RO; this prevents GOT modification attacks. This option does not affect linking of target libraries; you can use LDFLAGS_FOR_TARGET=-Wl,-z,relro,-z,now to enable RELRO/BIND_NOW. c++tools/ChangeLog: * configure.ac (--enable-host-bind-now): New check. * configure: Regenerate. gcc/ChangeLog: * configure.ac (--enable-host-bind-now): New check. Add -Wl,-z,now to LD_PICFLAG if --enable-host-bind-now. * configure: Regenerate. * doc/install.texi: Document --enable-host-bind-now. lto-plugin/ChangeLog: * configure.ac (--enable-host-bind-now): New check. Link with -z,now. * configure: Regenerate. Diff: --- c++tools/configure | 11 +++++++++++ c++tools/configure.ac | 7 +++++++ gcc/configure | 20 ++++++++++++++++++-- gcc/configure.ac | 13 ++++++++++++- gcc/doc/install.texi | 6 ++++++ lto-plugin/configure | 20 ++++++++++++++++++-- lto-plugin/configure.ac | 11 +++++++++++ 7 files changed, 83 insertions(+), 5 deletions(-) diff --git a/c++tools/configure b/c++tools/configure index 88087009383..006efe07b35 100755 --- a/c++tools/configure +++ b/c++tools/configure 
@@ -628,6 +628,7 @@ EGREP GREP CXXCPP LD_PICFLAG +enable_host_bind_now PICFLAG MAINTAINER CXX_AUX_TOOLS @@ -702,6 +703,7 @@ enable_maintainer_mode enable_checking enable_default_pie enable_host_pie +enable_host_bind_now with_gcc_major_version_only ' ac_precious_vars='build_alias @@ -1336,6 +1338,7 @@ Optional Features: yes,no,all,none,release. --enable-default-pie enable Position Independent Executable as default --enable-host-pie build host code as PIE + --enable-host-bind-now link host code as BIND_NOW Optional Packages: --with-PACKAGE[=ARG] use PACKAGE [ARG=yes] @@ -3007,6 +3010,14 @@ fi +# Enable --enable-host-bind-now +# Check whether --enable-host-bind-now was given. +if test "${enable_host_bind_now+set}" = set; then : + enableval=$enable_host_bind_now; LD_PICFLAG="$LD_PICFLAG -Wl,-z,now" +fi + + + # Check if O_CLOEXEC is defined by fcntl diff --git a/c++tools/configure.ac b/c++tools/configure.ac index 1e42689f2eb..d3f23f66f00 100644 --- a/c++tools/configure.ac +++ b/c++tools/configure.ac @@ -110,6 +110,13 @@ AC_ARG_ENABLE(host-pie, [build host code as PIE])], [PICFLAG=-fPIE; LD_PICFLAG=-pie], []) AC_SUBST(PICFLAG) + +# Enable --enable-host-bind-now +AC_ARG_ENABLE(host-bind-now, +[AS_HELP_STRING([--enable-host-bind-now], + [link host code as BIND_NOW])], +[LD_PICFLAG="$LD_PICFLAG -Wl,-z,now"], []) +AC_SUBST(enable_host_bind_now) AC_SUBST(LD_PICFLAG) # Check if O_CLOEXEC is defined by fcntl diff --git a/gcc/configure b/gcc/configure index f631830386d..c45f5367d19 100755 --- a/gcc/configure +++ b/gcc/configure @@ -635,6 +635,7 @@ CET_HOST_FLAGS LD_PICFLAG PICFLAG enable_default_pie +enable_host_bind_now enable_host_pie enable_host_shared enable_plugin @@ -1026,6 +1027,7 @@ enable_version_specific_runtime_libs enable_plugin enable_host_shared enable_host_pie +enable_host_bind_now enable_libquadmath_support with_linker_hash_style with_diagnostics_color 
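Review bot: In the c++tools/configure.ac hunk the `-Wl,-z,now` append is the action-if-given of AC_ARG_ENABLE, so it runs for any value, including `--disable-host-bind-now` or `--enable-host-bind-now=no`; the regenerated c++tools/configure in the same hunk shows it plainly (`enableval=$enable_host_bind_now; LD_PICFLAG="$LD_PICFLAG -Wl,-z,now"` with no test on enableval). The gcc/configure.ac and lto-plugin/configure.ac parts of this commit gate the append on `test x$enable_host_bind_now = xyes`, so c++tools should do the same or the three host components can end up with different link hardening from one top-level configure line. Proposed: leave the AC_ARG_ENABLE action empty and add after it `if test x$enable_host_bind_now = xyes; then` / `  LD_PICFLAG="$LD_PICFLAG -Wl,-z,now"` / `fi`. The host-pie option visible as context above has the same shape, but that predates this change.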
@@ -1789,6 +1791,7 @@ Optional Features: --enable-plugin enable plugin support --enable-host-shared build host code as shared libraries --enable-host-pie build host code as PIE + --enable-host-bind-now link host code as BIND_NOW --disable-libquadmath-support disable libquadmath support for Fortran --enable-default-pie enable Position Independent Executable as default @@ -19712,7 +19715,7 @@ else lt_dlunknown=0; lt_dlno_uscore=1; lt_dlneed_uscore=2 lt_status=$lt_dlunknown cat > conftest.$ac_ext <<_LT_EOF -#line 19727 "configure" +#line 19730 "configure" #include "confdefs.h" #if HAVE_DLFCN_H @@ -19818,7 +19821,7 @@ else lt_dlunknown=0; lt_dlno_uscore=1; lt_dlneed_uscore=2 lt_status=$lt_dlunknown cat > conftest.$ac_ext <<_LT_EOF -#line 19833 "configure" +#line 19836 "configure" #include "confdefs.h" #if HAVE_DLFCN_H @@ -31960,6 +31963,14 @@ fi +# Enable --enable-host-bind-now +# Check whether --enable-host-bind-now was given. +if test "${enable_host_bind_now+set}" = set; then : + enableval=$enable_host_bind_now; +fi + + + # Check whether --enable-libquadmath-support was given. if test "${enable_libquadmath_support+set}" = set; then : enableval=$enable_libquadmath_support; ENABLE_LIBQUADMATH_SUPPORT=$enableval @@ -32146,6 +32157,8 @@ else PICFLAG= fi + + if test x$enable_host_pie = xyes; then LD_PICFLAG=-pie elif test x$gcc_cv_no_pie = xyes; then @@ -32154,6 +32167,9 @@ else LD_PICFLAG= fi +if test x$enable_host_bind_now = xyes; then + LD_PICFLAG="$LD_PICFLAG -Wl,-z,now" +fi diff --git a/gcc/configure.ac b/gcc/configure.ac index f5b23b92df1..da95b611c66 100644 --- a/gcc/configure.ac +++ b/gcc/configure.ac 
@@ -7373,6 +7373,12 @@ AC_ARG_ENABLE(host-pie, [build host code as PIE])]) AC_SUBST(enable_host_pie) +# Enable --enable-host-bind-now +AC_ARG_ENABLE(host-bind-now, +[AS_HELP_STRING([--enable-host-bind-now], + [link host code as BIND_NOW])]) +AC_SUBST(enable_host_bind_now) + AC_ARG_ENABLE(libquadmath-support, [AS_HELP_STRING([--disable-libquadmath-support], [disable libquadmath support for Fortran])], @@ -7514,6 +7520,8 @@ else PICFLAG= fi +AC_SUBST([PICFLAG]) + if test x$enable_host_pie = xyes; then LD_PICFLAG=-pie elif test x$gcc_cv_no_pie = xyes; then @@ -7522,7 +7530,10 @@ else LD_PICFLAG= fi -AC_SUBST([PICFLAG]) +if test x$enable_host_bind_now = xyes; then + LD_PICFLAG="$LD_PICFLAG -Wl,-z,now" +fi + AC_SUBST([LD_PICFLAG]) # Enable Intel CET on Intel CET enabled host if jit is enabled. diff --git a/gcc/doc/install.texi b/gcc/doc/install.texi index b91fbe0216c..ac36e9aff4c 100644 --- a/gcc/doc/install.texi +++ b/gcc/doc/install.texi @@ -1046,6 +1046,12 @@ protection against Return Oriented Programming (ROP) attacks. in which case @option{-fPIC} is used when compiling, and @option{-pie} when linking. +@item --enable-host-bind-now +Specify that the @emph{host} executables should be linked with the option +@option{-Wl,-z,now}, which means that the dynamic linker will resolve all +symbols when the executables are started, and that in turn allows RELRO to +mark the GOT read-only, resulting in better security. + @item @anchor{with-gnu-as}--with-gnu-as Specify that the compiler should assume that the assembler it finds is the GNU assembler. However, this does not modify diff --git a/lto-plugin/configure b/lto-plugin/configure index d522bd24c95..3467defd416 100755 --- a/lto-plugin/configure +++ b/lto-plugin/configure @@ -663,6 +663,7 @@ accel_dir_suffix gcc_build_dir CET_HOST_FLAGS ac_lto_plugin_ldflags +enable_host_bind_now ac_lto_plugin_warn_cflags EGREP GREP 
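Review bot: The gcc/configure.ac hunk at 7522 adds only `-Wl,-z,now`, but the GOT becomes read-only only when the linker also emits a PT_GNU_RELRO segment; BIND_NOW without RELRO merely resolves PLT entries eagerly and leaves the GOT writable. Whether `-z relro` is on by default is a linker or distribution configuration choice rather than something this option controls, and the commit message's own target-side example spells it out as `-Wl,-z,relro,-z,now`. Suggest `LD_PICFLAG="$LD_PICFLAG -Wl,-z,relro,-z,now"` here (and the matching appends in c++tools and lto-plugin), or at least a sentence in the install.texi entry stating that the option assumes a linker that defaults to RELRO. Nothing in this hunk probes whether the host linker accepts `-z now` either, so on a host whose linker lacks the option the flag would surface only as a link failure late in the build.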
@@ -778,6 +779,7 @@ enable_maintainer_mode with_libiberty enable_dependency_tracking enable_largefile +enable_host_bind_now enable_cet with_gcc_major_version_only enable_shared @@ -1425,6 +1427,7 @@ Optional Features: --disable-dependency-tracking speeds up one-time build --disable-largefile omit support for large files + --enable-host-bind-now link host code as BIND_NOW --enable-cet enable Intel CET in host libraries [default=auto] --enable-shared[=PKGS] build shared libraries [default=yes] --enable-static[=PKGS] build static libraries [default=yes] @@ -5669,6 +5672,19 @@ if test "x$have_static_libgcc" = xyes; then ac_lto_plugin_ldflags="-Wc,-static-libgcc" fi +# Enable --enable-host-bind-now +# Check whether --enable-host-bind-now was given. +if test "${enable_host_bind_now+set}" = set; then : + enableval=$enable_host_bind_now; +fi + + + +if test x$enable_host_bind_now = xyes; then + ac_lto_plugin_ldflags="$ac_lto_plugin_ldflags -Wl,-z,now" +fi + + # Check whether --enable-cet was given. if test "${enable_cet+set}" = set; then : @@ -12134,7 +12150,7 @@ else lt_dlunknown=0; lt_dlno_uscore=1; lt_dlneed_uscore=2 lt_status=$lt_dlunknown cat > conftest.$ac_ext <<_LT_EOF -#line 12137 "configure" +#line 12165 "configure" #include "confdefs.h" #if HAVE_DLFCN_H @@ -12240,7 +12256,7 @@ else lt_dlunknown=0; lt_dlno_uscore=1; lt_dlneed_uscore=2 lt_status=$lt_dlunknown cat > conftest.$ac_ext <<_LT_EOF -#line 12243 "configure" +#line 12271 "configure" #include "confdefs.h" #if HAVE_DLFCN_H diff --git a/lto-plugin/configure.ac b/lto-plugin/configure.ac index 0a7202782ae..84f2a60b480 100644 --- a/lto-plugin/configure.ac +++ b/lto-plugin/configure.ac 
@@ -25,6 +25,17 @@ LDFLAGS="$saved_LDFLAGS"
 if test "x$have_static_libgcc" = xyes; then
 ac_lto_plugin_ldflags="-Wc,-static-libgcc"
 fi
+
+# Enable --enable-host-bind-now
+AC_ARG_ENABLE(host-bind-now,
+[AS_HELP_STRING([--enable-host-bind-now],
+ [link host code as BIND_NOW])])
+AC_SUBST(enable_host_bind_now)
+
+if test x$enable_host_bind_now = xyes; then
+ ac_lto_plugin_ldflags="$ac_lto_plugin_ldflags -Wl,-z,now"
+fi
+
 AC_SUBST(ac_lto_plugin_ldflags)
 GCC_CET_HOST_FLAGS(CET_HOST_FLAGS)
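Review bot: The `-Wl,-z,now` append in lto-plugin/configure.ac is unconditional once the option is `yes`, with no check that the host linker accepts the flag; the hunk sits directly under a `saved_LDFLAGS` probe for `-static-libgcc`, and the same AC_LINK_IFELSE shape would let configure fail early with a clear message instead of the build dying in libtool when liblto_plugin is linked. As I read it, `-z now` on the plugin sets DF_BIND_NOW on the shared object itself, which is the intended effect, but it only hardens the GOT when paired with RELRO as the commit message notes. A probed version of the new block follows.
```m4
# … unchanged: AC_ARG_ENABLE(host-bind-now, …) and AC_SUBST(enable_host_bind_now) …
if test x$enable_host_bind_now = xyes; then
  saved_LDFLAGS="$LDFLAGS"
  LDFLAGS="$LDFLAGS -Wl,-z,now"
  AC_MSG_CHECKING([whether the linker accepts -z now])
  AC_LINK_IFELSE([AC_LANG_PROGRAM([[]], [[]])],
    [AC_MSG_RESULT([yes])
     ac_lto_plugin_ldflags="$ac_lto_plugin_ldflags -Wl,-z,now"],
    [AC_MSG_RESULT([no])
     AC_MSG_ERROR([--enable-host-bind-now requested but the linker does not accept -z now])])
  LDFLAGS="$saved_LDFLAGS"
fi
```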