Date: Tue, 22 Nov 2022 21:18:07 -0500
From: Marek Polacek
To: Jeff Law
Cc: GCC Patches, oliva@adacore.com, Joseph Myers
Subject: Re: [PATCH] configure: Implement --enable-host-pie
References: <20221111025244.188157-1-polacek@redhat.com>

On Sun, Nov 20, 2022 at 08:06:55AM -0700, Jeff Law wrote:
>
> On 11/10/22 19:52, Marek Polacek via Gcc-patches wrote:
> > This is a rebased version of the patch I posted in March:
> >
> > which Alex sort of approved here:
> >
> > but it was too late to commit the patch in GCC 12.
> >
> > There are no changes except that I've converted the documentation
> > part into the ReST format, and of course regenerated configure.
> >
> > With --enable-host-pie enabled:
> > $ file ./gcc/cc1 ./gcc/cc1plus
> > ./gcc/cc1: ELF 64-bit LSB pie executable, x86-64, version 1 (GNU/Linux), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 3.2.0, with debug_info, not stripped
> > ./gcc/cc1plus: ELF 64-bit LSB pie executable, x86-64, version 1 (GNU/Linux), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 3.2.0, with debug_info, not stripped
> >
> > Bootstrapped/regtested on x86_64-pc-linux-gnu w/ and w/o --enable-host-pie,
> > ok for trunk?
> >
> > -- >8 --
> >
> > This patch implements the --enable-host-pie configure option which
> > makes the compiler executables PIE. This can be used to enhance
> > protection against ROP attacks, and can be viewed as part of a wider
> > trend to harden binaries.
> >
> > It is similar to the option --enable-host-shared, except that --e-h-s
> > won't add -shared to the linker flags whereas --e-h-p will add -pie.
> > It is different from --enable-default-pie because that option just
> > adds an implicit -fPIE/-pie when the compiler is invoked, but the
> > compiler itself isn't PIE.
> >
> > Since r12-5768-gfe7c3ecf, PCH works well with PIE, so there are no PCH
> > regressions.
> >
> > When building the compiler, the build process may use various in-tree
> > libraries; these need to be built with -fPIE so that it's possible to
> > use them when building a PIE. For instance, when --with-included-gettext
> > is in effect, intl object files must be compiled with -fPIE. Similarly,
> > when building in-tree gmp, isl, mpfr and mpc, they must be compiled with
> > -fPIE.
> >
> > I plan to add an option to link with -Wl,-z,now.
> >
> > ChangeLog:
> >
> > 	* Makefile.def: Pass $(PICFLAG) to AM_CFLAGS for gmp, mpfr, mpc, and
> > 	isl.
> > 	* Makefile.in: Regenerate.
> > 	* Makefile.tpl: Set PICFLAG.
> > 	* configure.ac (--enable-host-pie): New check. Set PICFLAG after this
> > 	check.
> > 	* configure: Regenerate.
> >
> > c++tools/ChangeLog:
> >
> > 	* Makefile.in: Rename PIEFLAG to PICFLAG. Set LD_PICFLAG. Use it.
> > 	Use pic/libiberty.a if PICFLAG is set.
> > 	* configure.ac (--enable-default-pie): Set PICFLAG instead of PIEFLAG.
> > 	(--enable-host-pie): New check.
> > 	* configure: Regenerate.
> >
> > fixincludes/ChangeLog:
> >
> > 	* Makefile.in: Set and use PICFLAG and LD_PICFLAG. Use the "pic"
> > 	build of libiberty if PICFLAG is set.
> > 	* configure.ac:
> > 	* configure: Regenerate.
> >
> > gcc/ChangeLog:
> >
> > 	* Makefile.in: Set LD_PICFLAG. Use it. Set enable_host_pie.
> > 	Remove NO_PIE_CFLAGS and NO_PIE_FLAG. Pass LD_PICFLAG to
> > 	ALL_LINKERFLAGS. Use the "pic" build of libiberty if --enable-host-pie.
> > 	* configure.ac (--enable-host-shared): Don't set PICFLAG here.
> > 	(--enable-host-pie): New check. Set PICFLAG and LD_PICFLAG after this
> > 	check.
> > 	* configure: Regenerate.
> > 	* doc/install/configuration.rst: Document --enable-host-pie.
> >
> > gcc/d/ChangeLog:
> >
> > 	* Make-lang.in: Remove NO_PIE_CFLAGS.
> >
> > intl/ChangeLog:
> >
> > 	* Makefile.in: Use @PICFLAG@ in COMPILE as well.
> > 	* configure.ac (--enable-host-shared): Don't set PICFLAG here.
> > 	(--enable-host-pie): New check. Set PICFLAG after this check.
> > 	* configure: Regenerate.
> >
> > libcody/ChangeLog:
> >
> > 	* Makefile.in: Pass LD_PICFLAG to LDFLAGS.
> > 	* configure.ac (--enable-host-shared): Don't set PICFLAG here.
> > 	(--enable-host-pie): New check. Set PICFLAG and LD_PICFLAG after this
> > 	check.
> > 	* configure: Regenerate.
> >
> > libcpp/ChangeLog:
> >
> > 	* configure.ac (--enable-host-shared): Don't set PICFLAG here.
> > 	(--enable-host-pie): New check. Set PICFLAG after this check.
> > 	* configure: Regenerate.
> >
> > libdecnumber/ChangeLog:
> >
> > 	* configure.ac (--enable-host-shared): Don't set PICFLAG here.
> > 	(--enable-host-pie): New check. Set PICFLAG after this check.
> > 	* configure: Regenerate.
> >
> > libiberty/ChangeLog:
> >
> > 	* configure.ac: Also set shared when enable_host_pie.
> > 	* configure: Regenerate.
> >
> > zlib/ChangeLog:
> >
> > 	* configure.ac (--enable-host-shared): Don't set PICFLAG here.
> > 	(--enable-host-pie): New check. Set PICFLAG after this check.
> > 	* configure: Regenerate.
>
> OK.

Thanks! Unfortunately, even though I'd retested the patch before pushing,
it seemed to break the build on gcc-debian-amd64:
https://builder.sourceware.org/buildbot/#/builders/154/builds/2160/steps/4/logs/stdio
so I've reverted both patches. Sigh.

Marek