From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mail-wm1-x336.google.com (mail-wm1-x336.google.com [IPv6:2a00:1450:4864:20::336]) by sourceware.org (Postfix) with ESMTPS id CC38B3858D28 for ; Tue, 27 Jun 2023 15:50:26 +0000 (GMT) DMARC-Filter: OpenDMARC Filter v1.4.2 sourceware.org CC38B3858D28 Authentication-Results: sourceware.org; dmarc=pass (p=quarantine dis=none) header.from=googlemail.com Authentication-Results: sourceware.org; spf=pass smtp.mailfrom=googlemail.com Received: by mail-wm1-x336.google.com with SMTP id 5b1f17b1804b1-3fbab0d0b88so2983545e9.0 for ; Tue, 27 Jun 2023 08:50:26 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=googlemail.com; s=20221208; t=1687881025; x=1690473025; h=to:references:message-id:content-transfer-encoding:cc:date :in-reply-to:from:subject:mime-version:from:to:cc:subject:date :message-id:reply-to; bh=LWhEP/f3g6iRn3fSixOyfY0pC5VKCC4Y/aymxBZQ9vE=; b=i4D0O1kh7tcn6JmhcnZshb8i3cMsJglZQFw7kBGXhY6hFyYg7b8ksWHQn+djPazxAU ka8V3YJzYqgLPxPnHvEpO8nfL5jXWV6fBoRaJGNR3F8o6g2QzUVjTqv8/OHP1z7EhWT0 TkpYgjrdDAUddmRFLZGAwFQ4jL9RPFWTzrRRbGFUtqu7jRwTj8xyk+qeYy8UoBzNLS53 ZWF6mPswDevliZS4HptRjyDmGVCJ4GQFaXk+C0nZ7chCmWNPzva6cEv+LdzeguTuNZBu Uwa0OFaHCC0dk+SgkzhBIZFuIrCXhqEiGf97ieVn/UFYNc/his4p+w+84d4F+7ZdPj1a eyFA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20221208; t=1687881025; x=1690473025; h=to:references:message-id:content-transfer-encoding:cc:date :in-reply-to:from:subject:mime-version:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=LWhEP/f3g6iRn3fSixOyfY0pC5VKCC4Y/aymxBZQ9vE=; b=Y8+TQu/9Domv/ZXFX5sUk6QByNMNX2qXN2BV3npYag1qyrnrgrbwX5uk7sh0fq5EPJ LOYkB+mLKnnXAQEINYQf6MuSgyPSGx9l/Er4yNXVmsyJPCUma69dDDFSFrHxx0GnGhi5 MU/QjI8pGWo3jikFG0wGnC1RtkyhNgHK5cTjWThX0g7rv/uA/e36G/VH8ssRqwjTaZZD LURt8nL0kE/Cr4B75C+vTCiPGbxZY7qG4YametaFPNU5BVeZG4x/PGfqGXuGV98SeIIb F2618kxjODMvm7frlmQCgD0pk6PX+O7JB0yMuBsZOk54739AZPQWWHvP67vf0crXPR+1 +iFw== X-Gm-Message-State: AC+VfDyJqihb+zNf7v97OFVGknD4lkdd5oHmlLO5zhzqIRPweZ0RcCgZ lNYWQ23fV1KU5++71v0lJTYxqeBUtuvZBA== X-Google-Smtp-Source: ACHHUZ6DjuaF/pmoa5Tha44ws/Onn8hVGmVYyU7wAvNsBgsrDI9XfozlaOcBLlKSGnJscNaqNKsXhw== X-Received: by 2002:a1c:4b09:0:b0:3fa:8cd8:974f with SMTP id y9-20020a1c4b09000000b003fa8cd8974fmr7615965wma.12.1687881025268; Tue, 27 Jun 2023 08:50:25 -0700 (PDT) Received: from smtpclient.apple (host81-138-1-83.in-addr.btopenworld.com. [81.138.1.83]) by smtp.googlemail.com with ESMTPSA id y17-20020a1c4b11000000b003f9b24cf881sm14082436wma.16.2023.06.27.08.50.24 (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Tue, 27 Jun 2023 08:50:24 -0700 (PDT) Content-Type: text/plain; charset=us-ascii Mime-Version: 1.0 (Mac OS X Mail 16.0 \(3696.120.41.1.3\)) Subject: Re: [PATCH] configure: Implement --enable-host-bind-now From: Iain Sandoe In-Reply-To: Date: Tue, 27 Jun 2023 16:50:24 +0100 Cc: Martin Jambor , GCC Patches , Marek Polacek Content-Transfer-Encoding: quoted-printable Message-Id: <56618579-374E-4292-A1C1-F2B554C64797@googlemail.com> References: To: Eric Botcazou X-Mailer: Apple Mail (2.3696.120.41.1.3) X-Spam-Status: No, score=-8.7 required=5.0 tests=BAYES_00,DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,FREEMAIL_FROM,GIT_PATCH_0,RCVD_IN_DNSWL_NONE,SPF_HELO_NONE,SPF_PASS,TXREP,T_SCC_BODY_TEXT_LINE autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on server2.sourceware.org List-Id: > On 27 Jun 2023, at 16:31, Marek Polacek via Gcc-patches = wrote: >=20 > On Tue, Jun 27, 2023 at 01:39:16PM +0200, Martin Jambor wrote: >> Hello, >>=20 >> On Tue, May 16 2023, Marek Polacek via Gcc-patches wrote: >>> As promised in the --enable-host-pie patch, this patch adds another >>> configure option, --enable-host-bind-now, which adds -z now when = linking >>> the compiler executables in order to extend hardening. BIND_NOW = with RELRO >>> allows the GOT to be marked RO; this prevents GOT modification = attacks. >>>=20 >>> This option does not affect linking of target libraries; you can use >>> LDFLAGS_FOR_TARGET=3D-Wl,-z,relro,-z,now to enable RELRO/BIND_NOW. >>>=20 >>> With this patch: >>> $ readelf -Wd cc1{,plus} | grep FLAGS >>> 0x000000000000001e (FLAGS) BIND_NOW >>> 0x000000006ffffffb (FLAGS_1) Flags: NOW PIE >>> 0x000000000000001e (FLAGS) BIND_NOW >>> 0x000000006ffffffb (FLAGS_1) Flags: NOW PIE >>>=20 >>> Bootstrapped/regtested on x86_64-pc-linux-gnu, ok for trunk? >>>=20 >>> c++tools/ChangeLog: >>>=20 >>> * configure.ac (--enable-host-bind-now): New check. >>> * configure: Regenerate. >>>=20 >>> gcc/ChangeLog: >>>=20 >>> * configure.ac (--enable-host-bind-now): New check. Add >>> -Wl,-z,now to LD_PICFLAG if --enable-host-bind-now. >>> * configure: Regenerate. >>> * doc/install.texi: Document --enable-host-bind-now. >>>=20 >>> lto-plugin/ChangeLog: >>>=20 >>> * configure.ac (--enable-host-bind-now): New check. Link with >>> -z,now. >>> * configure: Regenerate. >>=20 >> Our reconfiguration checking script complains about a missing hunk in >> lto-plugin/Makefile.in: >>=20 >> diff --git a/lto-plugin/Makefile.in b/lto-plugin/Makefile.in >> index cb568e1e09f..f6f5b020ff5 100644 >> --- a/lto-plugin/Makefile.in >> +++ b/lto-plugin/Makefile.in >> @@ -298,6 +298,7 @@ datadir =3D @datadir@ >> datarootdir =3D @datarootdir@ >> docdir =3D @docdir@ >> dvidir =3D @dvidir@ >> +enable_host_bind_now =3D @enable_host_bind_now@ >> exec_prefix =3D @exec_prefix@ >> gcc_build_dir =3D @gcc_build_dir@ >> get_gcc_base_ver =3D @get_gcc_base_ver@ >>=20 >>=20 >> I am somewhat puzzled why the line is not missing in any of the other >> Makefile.in files. Can you please check whether that is the only = thing >> that is missing (assuming it is actually missing)? >=20 > Arg, once again, I'm sorry. I don't know how this happened. It would > be trivial to fix it but since >=20 > commit 4a48a38fa99f067b8f3a3d1a5dc7a1e602db351f > Author: Eric Botcazou > Date: Wed Jun 21 18:19:36 2023 +0200 >=20 > ada: Fix build of GNAT tools >=20 > the build with Ada included fails with --enable-host-pie. So that = needs > to be fixed first. >=20 > Eric, I'm not asking you to fix that, but I'm curious, what did the > commit above fix? The patch looks correct; I'm just puzzled why I > hadn't seen any build failures. I am also curious as to why we do not need some logic to do a similar = job in gcc-interface/Make-lang.in: ifeq ($(STAGE1),True) ADA_INCLUDES=3D$(COMMON_ADA_INCLUDES) adalib=3D$(dir $(shell $(CC) -print-libgcc-file-name))adalib GNATLIB=3D$(adalib)/$(if $(wildcard $(adalib)/libgnat.a), = libgnat.a,libgnat.so) $(STAGE1_LIBS) else ^^^ I would expect us to need to switch to libgnat_pic.a when we are = building a PIE exe. Iain > The --enable-host-pie patch has been a nightmare :(. >=20 > Marek