Subject: Re: [PATCH v3] gcc: Introduce -fhardened
From: Richard Biener
To: Marek Polacek
Cc: iain@sandoe.co.uk, GCC Patches
Date: Thu, 26 Oct 2023 17:55:56 +0200
Message-Id: <8A3E5AA3-0785-4C2E-B75B-9388B703FFEA@gmail.com>

> On 24.10.2023 at 21:09, Marek Polacek wrote:
> 
> On Tue, Oct 24, 2023 at 09:22:25AM +0200, Richard Biener wrote:
>>> On Mon, Oct 23, 2023 at 9:26 PM Marek Polacek wrote:
>>> 
>>> On Thu, Oct 19, 2023 at 02:24:11PM +0200, Richard Biener wrote:
>>>> On Wed, Oct 11, 2023 at 10:48 PM Marek Polacek wrote:
>>>>> 
>>>>> On Tue, Sep 19, 2023 at 10:58:19AM -0400, Marek Polacek wrote:
>>>>>> On Mon, Sep 18, 2023 at 08:57:39AM +0200, Richard Biener wrote:
>>>>>>> On Fri, Sep 15, 2023 at 5:09 PM Marek Polacek via Gcc-patches
>>>>>>> wrote:
>>>>>>>> 
>>>>>>>> Bootstrapped/regtested on x86_64-pc-linux-gnu, powerpc64le-unknown-linux-gnu,
>>>>>>>> and aarch64-unknown-linux-gnu; ok for trunk?
>>>>>>>> 
>>>>>>>> -- >8 --
>>>>>>>> In
>>>>>>>> I proposed -fhardened, a new umbrella option that enables a reasonable set
>>>>>>>> of hardening flags.  The read of the room seems to be that the option
>>>>>>>> would be useful.  So here's a patch implementing that option.
>>>>>>>> 
>>>>>>>> Currently, -fhardened enables:
>>>>>>>> 
>>>>>>>>   -D_FORTIFY_SOURCE=3 (or =2 for older glibcs)
>>>>>>>>   -D_GLIBCXX_ASSERTIONS
>>>>>>>>   -ftrivial-auto-var-init=pattern
>>>> 
>>>> I think =zero is much better here given the overhead is way
>>>> cheaper and pointers get a more reliable behavior.
>>> 
>>> Ok, changed now.
>>> 
>>>>>>>>   -fPIE -pie -Wl,-z,relro,-z,now
>>>>>>>>   -fstack-protector-strong
>>>>>>>>   -fstack-clash-protection
>>>>>>>>   -fcf-protection=full (x86 GNU/Linux only)
>>>>>>>> 
>>>>>>>> -fhardened will not override options that were specified on the command line
>>>>>>>> (before or after -fhardened).  For example,
>>>>>>>> 
>>>>>>>>      -D_FORTIFY_SOURCE=1 -fhardened
>>>>>>>> 
>>>>>>>> means that _FORTIFY_SOURCE=1 will be used.  Similarly,
>>>>>>>> 
>>>>>>>>      -fhardened -fstack-protector
>>>>>>>> 
>>>>>>>> will not enable -fstack-protector-strong.
>>>>>>>> 
>>>>>>>> In DW_AT_producer it is reflected only as -fhardened; it doesn't expand
>>>>>>>> to anything.  I think we need a better way to show what it actually
>>>>>>>> enables.
>>>>>>> 
>>>>>>> I do think we need to find a solution here to solve asserting compliance.
>>>>>> 
>>>>>> Fair enough.
>>>>>> 
>>>>>>> Maybe we can have -Whardened that will diagnose any altering of
>>>>>>> -fhardened by other options on the command-line or by missed target
>>>>>>> implementations?  People might for example use -fstack-protector
>>>>>>> but don't really want to make protection lower than requested with -fhardened.
>>>>>>> 
>>>>>>> Any such conflict is much less apparent than when you use the
>>>>>>> flags -fhardened composes.
>>>>>> 
>>>>>> How about: --help=hardened says which options -fhardened attempts to
>>>>>> enable, and -Whardened warns when it didn't enable an option?  E.g.,
>>>>>> 
>>>>>>   -fstack-protector -fhardened -Whardened
>>>>>> 
>>>>>> would say that it didn't enable -fstack-protector-strong because
>>>>>> -fstack-protector was specified on the command line?
>>>>>> 
>>>>>> If !HAVE_LD_NOW_SUPPORT, --help=hardened probably doesn't even have to
>>>>>> list -z now, likewise for -z relro.
>>>>>> 
>>>>>> Unclear if -Whardened should be enabled by default, but probably yes?
>>>>> 
>>>>> Here's v2 which adds -Whardened (enabled by default).
>>>>> 
>>>>> Bootstrapped/regtested on x86_64-pc-linux-gnu, ok for trunk?
>>>> 
>>>> I think it's OK but I'd like to see a second ACK here.
>>> 
>>> Thanks!
>>> 
>>>> Can you see how our
>>>> primary and secondary targets (+ host OS) behave here?
>>> 
>>> That's very reasonable.  I tried to build gcc on Compile Farm 119 (AIX) but
>>> that fails with:
>>> 
>>> ar -X64 x ../ppc64/libgcc/libgcc_s.a shr.o
>>> ar: 0707-100 ../ppc64/libgcc/libgcc_s.a does not exist.
>>> make[2]: *** [/home/polacek/gcc/libgcc/config/rs6000/t-slibgcc-aix:98: all] Error 1
>>> make[2]: Leaving directory '/home/polacek/x/trunk/powerpc-ibm-aix7.3.1.0/libgcc'
>>> 
>>> and I tried Darwin (104) and that fails with
>>> 
>>> *** Configuration aarch64-apple-darwin21.6.0 not supported
>>> 
>>> Is anyone else able to build gcc on those machines, or test the attached
>>> patch?
>>> 
>>>> I think the
>>>> documentation should elaborate a bit on expectations for non-Linux/GNU
>>>> targets, specifically I think the default configuration for a target should
>>>> with -fhardened _not_ have any -Whardened diagnostics.  Maybe we can
>>>> have a testcase for this?
>>> 
>>> Sorry, I'm not sure how to test that.  I suppose if -fhardened enables
>>> something not supported on those systems, and it's something for which
>>> we have a configure test, then we shouldn't warn.  This is already the
>>> case for -pie, -z relro, and -z now.
>> 
>> I was thinking of
>> 
>> /* { dg-do compile } */
>> /* { dg-additional-options "-fhardened -Whardened" } */
>> 
>> int main () {}
>> 
>> and excess errors should catch "misconfigurations"?
> 
> I see.  fhardened-3.c is basically just like this (-Whardened is on by default).
> 
>>> Should the docs say something like the following for features without
>>> configure checks?
>>> 
>>> @option{-fhardened} can, on certain systems, attempt to enable features
>>> not supported on that particular system.  In that case, it's possible to
>>> prevent the warning using the @option{-Wno-hardened} option.
>> 
>> Yeah, but ideally
>> 
>> @option{-fhardened} can, on certain systems, not enable features not
>> available on those systems and @option{-Whardened} will not diagnose
>> those as missing.
>> 
>> But I understand it doesn't work like that?
> 
> Right.  It will not diagnose missing features if they have a configure
> check, otherwise it will.  And I don't know if we want a configure check
> for every feature.  Maybe we can add them in the future if the current
> patch turns out to be problematical in practice?

Maybe we can have a switch on known target triples and statically configure based
on that, eventually even not support -fhardened for targets not listed.  That's
certainly easier than detecting the target system features (think of cross compilers).

> Thanks,
> 
> Marek
> 
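The open question in the thread is how to show what -fhardened actually enabled, since DW_AT_producer records only -fhardened itself and -Whardened only reports at compile time. A complementary check is to inspect the linked binary for the properties the listed flag set should produce. The following is an added example written for this page, not code from the patch, from GCC or from binutils: it reads the text output of binutils readelf (-h, -l, -d, --dyn-syms, -n) and reports PIE, RELRO, BIND_NOW, stack protector, FORTIFY_SOURCE wrappers and the x86 CET property note. The names analyse_readelf, inspect_binary and HardeningReport are chosen here, and the readelf output embedded below is constructed to resemble a hardened and an unhardened build rather than captured from real binaries. -D_GLIBCXX_ASSERTIONS, -fstack-clash-protection and -ftrivial-auto-var-init leave no dynamic-section or symbol marker, so this check cannot see them.

```python
import re
import subprocess
from dataclasses import dataclass, fields


@dataclass(frozen=True)
class HardeningReport:
    """One flag per link-level property that the -fhardened flag set should yield."""
    pie: bool              # ELF type DYN: -fPIE -pie
    relro: bool            # GNU_RELRO program header: -Wl,-z,relro
    bind_now: bool         # DT_FLAGS BIND_NOW / DT_FLAGS_1 NOW: -Wl,-z,now
    stack_protector: bool  # __stack_chk_fail imported: -fstack-protector*
    fortify: bool          # some __*_chk import: -D_FORTIFY_SOURCE took effect
    cet: bool              # IBT+SHSTK property note: -fcf-protection=full (x86)

    def missing(self):
        """Names of the properties that were not found, in declaration order."""
        return [f.name for f in fields(self) if not getattr(self, f.name)]


def analyse_readelf(header, segments, dynamic, dynsyms, notes):
    """Build a HardeningReport from readelf -h, -l, -d, --dyn-syms and -n text.
    Meant for executables: a shared library also reports Type DYN, so the
    'pie' result is meaningless for a .so."""
    pie = re.search(r"^\s*Type:\s+DYN\b", header, re.M) is not None
    relro = "GNU_RELRO" in segments
    flags = re.search(r"\(FLAGS\)\s+(.*)$", dynamic, re.M)
    flags1 = re.search(r"\(FLAGS_1\)\s+Flags:\s*(.*)$", dynamic, re.M)
    bind_now = (
        "(BIND_NOW)" in dynamic
        or bool(flags and "BIND_NOW" in flags.group(1).split())
        or bool(flags1 and "NOW" in flags1.group(1).split())
    )
    # Imported (UND) symbol names; the @GLIBC_x.y version suffix is not part of \w+.
    imported = {m.group(1) for m in re.finditer(r"\bUND\s+(\w+)", dynsyms)}
    stack_protector = "__stack_chk_fail" in imported
    # A fortified wrapper other than the stack-protector one means FORTIFY_SOURCE
    # actually rewrote at least one call site; a program with no checkable calls
    # will legitimately show nothing here.
    fortify = any(s.endswith("_chk") and s != "__stack_chk_fail" for s in imported)
    cet = re.search(r"x86 feature:.*\bIBT\b.*\bSHSTK\b", notes) is not None
    return HardeningReport(pie, relro, bind_now, stack_protector, fortify, cet)


def inspect_binary(path):
    """Run binutils readelf on a real file and analyse its output."""
    def rd(*opts):
        return subprocess.run(["readelf", "-W", *opts, path],
                              capture_output=True, text=True, check=True).stdout
    return analyse_readelf(rd("-h"), rd("-l"), rd("-d"), rd("--dyn-syms"), rd("-n"))


# Constructed readelf output resembling a binary built with the flag set from the
# thread (-fPIE -pie -Wl,-z,relro,-z,now, stack protector, FORTIFY, CET).
HARDENED = dict(
    header="  Type:                              DYN (Position-Independent Executable file)\n",
    segments=("  LOAD           0x0000000000002db8 0x0000000000003db8 0x0000000000003db8\n"
              "  GNU_STACK      0x0000000000000000 0x0000000000000000 0x0000000000000000\n"
              "  GNU_RELRO      0x0000000000002db8 0x0000000000003db8 0x0000000000003db8\n"),
    dynamic=(" 0x000000000000001e (FLAGS)              BIND_NOW\n"
             " 0x000000006ffffffb (FLAGS_1)            Flags: NOW PIE\n"),
    dynsyms=("     1: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND __stack_chk_fail@GLIBC_2.4 (2)\n"
             "     2: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND __printf_chk@GLIBC_2.3.4 (3)\n"),
    notes=("Displaying notes found in: .note.gnu.property\n"
           "      Properties: x86 feature: IBT, SHSTK\n"),
)

# Constructed output for the same program built with none of those flags.
PLAIN = dict(
    header="  Type:                              EXEC (Executable file)\n",
    segments=("  LOAD           0x0000000000000000 0x0000000000400000 0x0000000000400000\n"
              "  GNU_STACK      0x0000000000000000 0x0000000000000000 0x0000000000000000\n"),
    dynamic=" 0x0000000000000001 (NEEDED)             Shared library: [libc.so.6]\n",
    dynsyms="     1: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND printf@GLIBC_2.2.5 (2)\n",
    notes="Displaying notes found in: .note.ABI-tag\n",
)


if __name__ == "__main__":
    for name, sample in (("hardened", HARDENED), ("plain", PLAIN)):
        report = analyse_readelf(**sample)
        print(name, "missing:", report.missing() or "nothing")
```

For a real build, `inspect_binary("./a.out").missing()` gives the list of properties that did not make it into the link, which is the post-hoc counterpart of a -Whardened diagnostic; an empty list says only that the markers are present, not that every function was protected.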