Date: Fri, 19 May 2023 15:29:44 -0600
Subject: Re: [PATCH] configure: Implement --enable-host-bind-now
To: Marek Polacek, GCC Patches
From: Jeff Law

On 5/16/23 09:37, Marek Polacek via Gcc-patches wrote:
> As promised in the --enable-host-pie patch, this patch adds another
> configure option, --enable-host-bind-now, which adds -z now when linking
> the compiler executables in order to extend hardening.  BIND_NOW with RELRO
> allows the GOT to be marked RO; this prevents GOT modification attacks.
>
> This option does not affect linking of target libraries; you can use
> LDFLAGS_FOR_TARGET=-Wl,-z,relro,-z,now to enable RELRO/BIND_NOW.
>
> With this patch:
> $ readelf -Wd cc1{,plus} | grep FLAGS
>  0x000000000000001e (FLAGS)              BIND_NOW
>  0x000000006ffffffb (FLAGS_1)            Flags: NOW PIE
>  0x000000000000001e (FLAGS)              BIND_NOW
>  0x000000006ffffffb (FLAGS_1)            Flags: NOW PIE
>
> Bootstrapped/regtested on x86_64-pc-linux-gnu, ok for trunk?
>
> c++tools/ChangeLog:
>
> 	* configure.ac (--enable-host-bind-now): New check.
> 	* configure: Regenerate.
>
> gcc/ChangeLog:
>
> 	* configure.ac (--enable-host-bind-now): New check.  Add
> 	-Wl,-z,now to LD_PICFLAG if --enable-host-bind-now.
> 	* configure: Regenerate.
> 	* doc/install.texi: Document --enable-host-bind-now.
>
> lto-plugin/ChangeLog:
>
> 	* configure.ac (--enable-host-bind-now): New check.  Link with
> 	-z,now.
> 	* configure: Regenerate.

OK
jeff
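
The readelf check quoted in the message shows only the BIND_NOW flags; the GOT ends up read-only only when the binary also has a GNU_RELRO segment. The script below is an added example, not part of the original thread or of the GCC patch, that classifies `readelf -Wld` output on both conditions. The function names and the GNU_RELRO sample line are constructed for illustration.

```shell
#!/bin/sh
# Classify RELRO / BIND_NOW hardening from `readelf -Wld` output on stdin.
# Prints: full-relro | partial-relro | bind-now-only | none
classify_relro() {
    awk '
        # Program headers: a GNU_RELRO segment means the linker used -z relro.
        $1 == "GNU_RELRO"  { relro = 1 }
        # Dynamic section: -z now sets BIND_NOW in DT_FLAGS ...
        $2 == "(FLAGS)"    { for (i = 3; i <= NF; i++) if ($i == "BIND_NOW") now = 1 }
        # ... and NOW in DT_FLAGS_1.
        $2 == "(FLAGS_1)"  { for (i = 3; i <= NF; i++) if ($i == "NOW") now = 1 }
        # A standalone DT_BIND_NOW tag has the same meaning.
        $2 == "(BIND_NOW)" { now = 1 }
        END {
            if (relro && now) print "full-relro"      # GOT read-only after startup
            else if (relro)   print "partial-relro"   # lazy binding keeps .got.plt writable
            else if (now)     print "bind-now-only"   # eager binding, GOT still writable
            else              print "none"
        }'
}

# Constructed sample: the dynamic-section lines match the cc1 output quoted in
# the message; the GNU_RELRO program header line is made up for illustration.
sample_hardened() {
    cat <<'EOF'
  GNU_RELRO      0x001000 0x0000000000002000 0x0000000000002000 0x000800 0x000800 R   0x1
 0x000000000000001e (FLAGS)              BIND_NOW
 0x000000006ffffffb (FLAGS_1)            Flags: NOW PIE
EOF
}

# Constructed sample: the same binary as it would look without -z now.
sample_lazy() { sample_hardened | grep -v FLAGS; }

# Run readelf on a real file and classify it.
check_binary() { readelf -Wld "$1" | classify_relro; }

# With file arguments, report each one; with none, only define the functions.
for f in "$@"; do printf '%s: %s\n' "$f" "$(check_binary "$f")"; done
```
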