From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mail-pf1-x42e.google.com (mail-pf1-x42e.google.com [IPv6:2607:f8b0:4864:20::42e]) by sourceware.org (Postfix) with ESMTPS id C1BAB3982409 for ; Sun, 20 Nov 2022 15:09:25 +0000 (GMT) DMARC-Filter: OpenDMARC Filter v1.4.1 sourceware.org C1BAB3982409 Authentication-Results: sourceware.org; dmarc=pass (p=none dis=none) header.from=gmail.com Authentication-Results: sourceware.org; spf=pass smtp.mailfrom=gmail.com Received: by mail-pf1-x42e.google.com with SMTP id 130so9164686pfu.8 for ; Sun, 20 Nov 2022 07:09:25 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=content-transfer-encoding:in-reply-to:from:references:cc:to :content-language:subject:user-agent:mime-version:date:message-id :from:to:cc:subject:date:message-id:reply-to; bh=6oyfWelZ0tK0Od0t0+lX1yqA1y+09ZfNEjjuHYIJ/mw=; b=PtlgAmC+RXY7H7DeD6jsO/UsWU86vox6x+QdiKYlHlIK9Dg+fCWMThpyX0MEp6DjUb UXMWNTzJBbWg2gTYQri4xxT8PmI45lWtxabCdqSgDuYbAWieX6crpx2OdGuhvI6bMv6n 7PHSbs0z35dArieInxRpuU8lACEZcPKuSlhT9hKkZTOj7JJG7qdulIK8tS965kAXky2y F5TrqY8o6Wq5EZxRYuY5pClG7OEi1/pbghqeiKpycuyB/mUF+hI8mZeco843RrheOzXg 5l2be2slDwAIWgLXrR19NQETa74Y5iaQrojW7zZogB2iAzm7Pfe0i5H6UUsaNAVZPfEp ttjg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=content-transfer-encoding:in-reply-to:from:references:cc:to :content-language:subject:user-agent:mime-version:date:message-id :x-gm-message-state:from:to:cc:subject:date:message-id:reply-to; bh=6oyfWelZ0tK0Od0t0+lX1yqA1y+09ZfNEjjuHYIJ/mw=; b=s7BuQT9Z1DynRENTw0ETtJgnA0p8UfprcQnLWJGD9XiaznOgS2PGodaoCg2+8NDQ2G kVt8+ctNmhv8uCmciDbAZQ3DEyEKk5umv6gUlljSsZYBZNxVBw7hrWTKqmlTftSeW9ng olUmJsBO6blifJa+eXc0mNCo9/xcP4yS2sZ+8NxSFFTlKSr1VDaeNL5PeehmV17Ur2RO 3uacQKmsounhfJpKANEMmqjyK0NS0wU3l7I1Mc5CXcU7Q6QBCyua6i/OkgRkfI70er5R OAgMZRZHSdpFhYL/nB5X1DNVtw6GuFO8PhlwqjUqaUkqG0AHwbl9V52JBa/d3psD6vXI t3FA== X-Gm-Message-State: ANoB5plblOkD/TjbS0EkKinPImU9RWLVInys/1MgwsCt+XmUSTZppP+V qe/B97PrpLrhAPYXhUlCq3A= X-Google-Smtp-Source: AA0mqf6rBev6kNJyPY92ksV4kEKV2ieRnmL/7SxwAIdULWMuqa4PNP8ayPj8v9RMdlRO0bP0Cbo0Nw== X-Received: by 2002:a63:f047:0:b0:476:7742:de19 with SMTP id s7-20020a63f047000000b004767742de19mr540338pgj.343.1668956964640; Sun, 20 Nov 2022 07:09:24 -0800 (PST) Received: from ?IPV6:2601:681:8600:13d0::f0a? ([2601:681:8600:13d0::f0a]) by smtp.gmail.com with ESMTPSA id i9-20020a17090332c900b00188a1ae94bbsm7707371plr.23.2022.11.20.07.09.23 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Sun, 20 Nov 2022 07:09:23 -0800 (PST) Message-ID: <204aa39e-d85f-8639-08ed-57c8ccf7fdc9@gmail.com> Date: Sun, 20 Nov 2022 08:09:22 -0700 MIME-Version: 1.0 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Thunderbird/102.3.1 Subject: Re: [PATCH] configure: Implement --enable-host-bind-now Content-Language: en-US To: Marek Polacek , GCC Patches Cc: oliva@adacore.com, Joseph Myers References: <20221111025309.188226-1-polacek@redhat.com> From: Jeff Law In-Reply-To: <20221111025309.188226-1-polacek@redhat.com> Content-Type: text/plain; charset=UTF-8; format=flowed Content-Transfer-Encoding: 8bit X-Spam-Status: No, score=-2.5 required=5.0 tests=BAYES_00,DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,FREEMAIL_FROM,KAM_SHORT,NICE_REPLY_A,RCVD_IN_DNSWL_NONE,SPF_HELO_NONE,SPF_PASS,TXREP autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on server2.sourceware.org List-Id: On 11/10/22 19:53, Marek Polacek via Gcc-patches wrote: > This is a rebased version of the patch I posted in February: > . > > Fortunately it is much simpler than the patch implementing --enable-host-pie. > I've converted the install.texi part into configuration.rst, otherwise > there are no changes to the original version. > > With --enable-host-bind-now --enable-host-pie: > $ readelf -Wd ./gcc/cc1 ./gcc/cc1plus | grep FLAGS > 0x000000000000001e (FLAGS) BIND_NOW > 0x000000006ffffffb (FLAGS_1) Flags: NOW PIE > 0x000000000000001e (FLAGS) BIND_NOW > 0x000000006ffffffb (FLAGS_1) Flags: NOW PIE > > Bootstrapped/regtested on x86_64-pc-linux-gnu, ok for trunk? > > -- >8 -- > > As promised in the --enable-host-pie patch, this patch adds another > configure option, --enable-host-bind-now, which adds -z now when linking > the compiler executables in order to extend hardening. BIND_NOW with RELRO > allows the GOT to be marked RO; this prevents GOT modification attacks. > > This option does not affect linking of target libraries; you can use > LDFLAGS_FOR_TARGET=-Wl,-z,relro,-z,now to enable RELRO/BIND_NOW. > > c++tools/ChangeLog: > > * configure.ac (--enable-host-bind-now): New check. > * configure: Regenerate. > > gcc/ChangeLog: > > * configure.ac (--enable-host-bind-now): New check. Add > -Wl,-z,now to LD_PICFLAG if --enable-host-bind-now. > * configure: Regenerate. > * doc/install/configuration.rst: Document --enable-host-bind-now. > > lto-plugin/ChangeLog: > > * configure.ac (--enable-host-bind-now): New check. Link with > -z,now. > * configure: Regenerate. > --- OK.  Glad to see this finally get to resolution.  While I'm largely in agreement with Jakub that PIE doesn't provide a major security benefit for the compiler, it seems better to not have the compiler be special WRT security options. Jeff