From: Marek Polacek <polacek@redhat.com>
To: GCC Patches <gcc-patches@gcc.gnu.org>
Subject: [PATCH] configure: Implement --enable-host-bind-now
Date: Tue, 16 May 2023 11:37:06 -0400 [thread overview]
Message-ID: <ZGOjIunxHFQLfzQQ@redhat.com> (raw)
As promised in the --enable-host-pie patch, this patch adds another
configure option, --enable-host-bind-now, which adds -z now when linking
the compiler executables in order to extend hardening. BIND_NOW with RELRO
allows the GOT to be marked RO; this prevents GOT modification attacks.
This option does not affect linking of target libraries; you can use
LDFLAGS_FOR_TARGET=-Wl,-z,relro,-z,now to enable RELRO/BIND_NOW.
With this patch:
$ readelf -Wd cc1{,plus} | grep FLAGS
0x000000000000001e (FLAGS) BIND_NOW
0x000000006ffffffb (FLAGS_1) Flags: NOW PIE
0x000000000000001e (FLAGS) BIND_NOW
0x000000006ffffffb (FLAGS_1) Flags: NOW PIE
Bootstrapped/regtested on x86_64-pc-linux-gnu, ok for trunk?
c++tools/ChangeLog:
* configure.ac (--enable-host-bind-now): New check.
* configure: Regenerate.
gcc/ChangeLog:
* configure.ac (--enable-host-bind-now): New check. Add
-Wl,-z,now to LD_PICFLAG if --enable-host-bind-now.
* configure: Regenerate.
* doc/install.texi: Document --enable-host-bind-now.
lto-plugin/ChangeLog:
* configure.ac (--enable-host-bind-now): New check. Link with
-z,now.
* configure: Regenerate.
diff --git a/c++tools/configure b/c++tools/configure
index 88087009383..006efe07b35 100755
--- a/c++tools/configure
+++ b/c++tools/configure
@@ -628,6 +628,7 @@ EGREP
GREP
CXXCPP
LD_PICFLAG
+enable_host_bind_now
PICFLAG
MAINTAINER
CXX_AUX_TOOLS
@@ -702,6 +703,7 @@ enable_maintainer_mode
enable_checking
enable_default_pie
enable_host_pie
+enable_host_bind_now
with_gcc_major_version_only
'
ac_precious_vars='build_alias
@@ -1336,6 +1338,7 @@ Optional Features:
yes,no,all,none,release.
--enable-default-pie enable Position Independent Executable as default
--enable-host-pie build host code as PIE
+ --enable-host-bind-now link host code as BIND_NOW
Optional Packages:
--with-PACKAGE[=ARG] use PACKAGE [ARG=yes]
@@ -3007,6 +3010,14 @@ fi
+# Enable --enable-host-bind-now
+# Check whether --enable-host-bind-now was given.
+if test "${enable_host_bind_now+set}" = set; then :
+ enableval=$enable_host_bind_now; LD_PICFLAG="$LD_PICFLAG -Wl,-z,now"
+fi
+
+
+
# Check if O_CLOEXEC is defined by fcntl
diff --git a/c++tools/configure.ac b/c++tools/configure.ac
index 44dfaccbbfa..c2a16601425 100644
--- a/c++tools/configure.ac
+++ b/c++tools/configure.ac
@@ -110,6 +110,13 @@ AC_ARG_ENABLE(host-pie,
[build host code as PIE])],
[PICFLAG=-fPIE; LD_PICFLAG=-pie], [])
AC_SUBST(PICFLAG)
+
+# Enable --enable-host-bind-now
+AC_ARG_ENABLE(host-bind-now,
+[AS_HELP_STRING([--enable-host-bind-now],
+ [link host code as BIND_NOW])],
+[LD_PICFLAG="$LD_PICFLAG -Wl,-z,now"], [])
+AC_SUBST(enable_host_bind_now)
AC_SUBST(LD_PICFLAG)
# Check if O_CLOEXEC is defined by fcntl
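Review bot: The action-if-given on the new AC_ARG_ENABLE, `[LD_PICFLAG="$LD_PICFLAG -Wl,-z,now"]`, runs for `--disable-host-bind-now` as well as `--enable-host-bind-now`, so a build that explicitly disables the option still links c++tools with -z now, while gcc/configure.ac and lto-plugin/configure.ac in this same patch gate on `x$enable_host_bind_now = xyes`. The preceding host-pie entry has the same shape, but that is pre-existing; the new entry should match its siblings, e.g. `[if test x$enableval = xyes; then LD_PICFLAG="$LD_PICFLAG -Wl,-z,now"; fi], []`. A top-level `--disable-host-bind-now` is forwarded to every subdirectory, so the three configure.ac files need to agree on what it means.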
diff --git a/gcc/configure b/gcc/configure
index 629446ecf3b..6d847c60024 100755
--- a/gcc/configure
+++ b/gcc/configure
@@ -635,6 +635,7 @@ CET_HOST_FLAGS
LD_PICFLAG
PICFLAG
enable_default_pie
+enable_host_bind_now
enable_host_pie
enable_host_shared
enable_plugin
@@ -1031,6 +1032,7 @@ enable_version_specific_runtime_libs
enable_plugin
enable_host_shared
enable_host_pie
+enable_host_bind_now
enable_libquadmath_support
with_linker_hash_style
with_diagnostics_color
@@ -1794,6 +1796,7 @@ Optional Features:
--enable-plugin enable plugin support
--enable-host-shared build host code as shared libraries
--enable-host-pie build host code as PIE
+ --enable-host-bind-now link host code as BIND_NOW
--disable-libquadmath-support
disable libquadmath support for Fortran
--enable-default-pie enable Position Independent Executable as default
@@ -19852,7 +19855,7 @@ else
lt_dlunknown=0; lt_dlno_uscore=1; lt_dlneed_uscore=2
lt_status=$lt_dlunknown
cat > conftest.$ac_ext <<_LT_EOF
-#line 19867 "configure"
+#line 19870 "configure"
#include "confdefs.h"
#if HAVE_DLFCN_H
@@ -19958,7 +19961,7 @@ else
lt_dlunknown=0; lt_dlno_uscore=1; lt_dlneed_uscore=2
lt_status=$lt_dlunknown
cat > conftest.$ac_ext <<_LT_EOF
-#line 19973 "configure"
+#line 19976 "configure"
#include "confdefs.h"
#if HAVE_DLFCN_H
@@ -32105,6 +32108,14 @@ fi
+# Enable --enable-host-bind-now
+# Check whether --enable-host-bind-now was given.
+if test "${enable_host_bind_now+set}" = set; then :
+ enableval=$enable_host_bind_now;
+fi
+
+
+
# Check whether --enable-libquadmath-support was given.
if test "${enable_libquadmath_support+set}" = set; then :
enableval=$enable_libquadmath_support; ENABLE_LIBQUADMATH_SUPPORT=$enableval
@@ -32291,6 +32302,8 @@ else
PICFLAG=
fi
+
+
if test x$enable_host_pie = xyes; then
LD_PICFLAG=-pie
elif test x$gcc_cv_no_pie = xyes; then
@@ -32299,6 +32312,9 @@ else
LD_PICFLAG=
fi
+if test x$enable_host_bind_now = xyes; then
+ LD_PICFLAG="$LD_PICFLAG -Wl,-z,now"
+fi
diff --git a/gcc/configure.ac b/gcc/configure.ac
index 9c69a55668e..f0d56e0eaf0 100644
--- a/gcc/configure.ac
+++ b/gcc/configure.ac
@@ -7427,6 +7427,12 @@ AC_ARG_ENABLE(host-pie,
[build host code as PIE])])
AC_SUBST(enable_host_pie)
+# Enable --enable-host-bind-now
+AC_ARG_ENABLE(host-bind-now,
+[AS_HELP_STRING([--enable-host-bind-now],
+ [link host code as BIND_NOW])])
+AC_SUBST(enable_host_bind_now)
+
AC_ARG_ENABLE(libquadmath-support,
[AS_HELP_STRING([--disable-libquadmath-support],
[disable libquadmath support for Fortran])],
@@ -7568,6 +7574,8 @@ else
PICFLAG=
fi
+AC_SUBST([PICFLAG])
+
if test x$enable_host_pie = xyes; then
LD_PICFLAG=-pie
elif test x$gcc_cv_no_pie = xyes; then
@@ -7576,7 +7584,10 @@ else
LD_PICFLAG=
fi
-AC_SUBST([PICFLAG])
+if test x$enable_host_bind_now = xyes; then
+ LD_PICFLAG="$LD_PICFLAG -Wl,-z,now"
+fi
+
AC_SUBST([LD_PICFLAG])
# Enable Intel CET on Intel CET enabled host if jit is enabled.
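Review bot: The new `if test x$enable_host_bind_now = xyes` block appends -Wl,-z,now without probing that the host linker accepts it and without -z relro, so the property the option is documented to provide (a read-only GOT) only materialises if the host linker emits a PT_GNU_RELRO segment by default, and a linker that rejects -z fails at link time instead of at configure time. The host-pie path just above gates on gcc_cv_no_pie; the same saved_LDFLAGS/AC_LINK_IFELSE shape that lto-plugin/configure.ac already uses for -static-libgcc would let configure warn and drop the flag rather than break the build, and passing -z relro alongside -z now removes the dependence on the linker default. The readelf check in the description only shows BIND_NOW; `readelf -lW cc1 | grep GNU_RELRO` is the test that the GOT is actually covered.
```m4
if test x$enable_host_bind_now = xyes; then
  # Probe the host linker before committing to the flag; -z now alone does
  # not make the GOT read-only, so request relro explicitly as well.
  saved_LDFLAGS="$LDFLAGS"
  LDFLAGS="$LDFLAGS -Wl,-z,relro,-z,now"
  AC_LINK_IFELSE([AC_LANG_PROGRAM([], [])],
    [LD_PICFLAG="$LD_PICFLAG -Wl,-z,relro,-z,now"],
    [AC_MSG_WARN([host linker does not accept -z relro -z now; --enable-host-bind-now ignored])])
  LDFLAGS="$saved_LDFLAGS"
fi
# … unchanged: AC_SUBST([LD_PICFLAG]) …
```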
diff --git a/gcc/doc/install.texi b/gcc/doc/install.texi
index 2248308dbdf..a840d36bd6d 100644
--- a/gcc/doc/install.texi
+++ b/gcc/doc/install.texi
@@ -1092,6 +1092,12 @@ protection against Return Oriented Programming (ROP) attacks.
in which case @option{-fPIC} is used when compiling, and @option{-pie} when
linking.
+@item --enable-host-bind-now
+Specify that the @emph{host} executables should be linked with the option
+@option{-Wl,-z,now}, which means that the dynamic linker will resolve all
+symbols when the executables are started, and that in turn allows RELRO to
+mark the GOT read-only, resulting in better security.
+
@item @anchor{with-gnu-as}--with-gnu-as
Specify that the compiler should assume that the
assembler it finds is the GNU assembler. However, this does not modify
diff --git a/lto-plugin/configure b/lto-plugin/configure
index d522bd24c95..3467defd416 100755
--- a/lto-plugin/configure
+++ b/lto-plugin/configure
@@ -663,6 +663,7 @@ accel_dir_suffix
gcc_build_dir
CET_HOST_FLAGS
ac_lto_plugin_ldflags
+enable_host_bind_now
ac_lto_plugin_warn_cflags
EGREP
GREP
@@ -778,6 +779,7 @@ enable_maintainer_mode
with_libiberty
enable_dependency_tracking
enable_largefile
+enable_host_bind_now
enable_cet
with_gcc_major_version_only
enable_shared
@@ -1425,6 +1427,7 @@ Optional Features:
--disable-dependency-tracking
speeds up one-time build
--disable-largefile omit support for large files
+ --enable-host-bind-now link host code as BIND_NOW
--enable-cet enable Intel CET in host libraries [default=auto]
--enable-shared[=PKGS] build shared libraries [default=yes]
--enable-static[=PKGS] build static libraries [default=yes]
@@ -5669,6 +5672,19 @@ if test "x$have_static_libgcc" = xyes; then
ac_lto_plugin_ldflags="-Wc,-static-libgcc"
fi
+# Enable --enable-host-bind-now
+# Check whether --enable-host-bind-now was given.
+if test "${enable_host_bind_now+set}" = set; then :
+ enableval=$enable_host_bind_now;
+fi
+
+
+
+if test x$enable_host_bind_now = xyes; then
+ ac_lto_plugin_ldflags="$ac_lto_plugin_ldflags -Wl,-z,now"
+fi
+
+
# Check whether --enable-cet was given.
if test "${enable_cet+set}" = set; then :
@@ -12134,7 +12150,7 @@ else
lt_dlunknown=0; lt_dlno_uscore=1; lt_dlneed_uscore=2
lt_status=$lt_dlunknown
cat > conftest.$ac_ext <<_LT_EOF
-#line 12137 "configure"
+#line 12165 "configure"
#include "confdefs.h"
#if HAVE_DLFCN_H
@@ -12240,7 +12256,7 @@ else
lt_dlunknown=0; lt_dlno_uscore=1; lt_dlneed_uscore=2
lt_status=$lt_dlunknown
cat > conftest.$ac_ext <<_LT_EOF
-#line 12243 "configure"
+#line 12271 "configure"
#include "confdefs.h"
#if HAVE_DLFCN_H
diff --git a/lto-plugin/configure.ac b/lto-plugin/configure.ac
index 0a7202782ae..84f2a60b480 100644
--- a/lto-plugin/configure.ac
+++ b/lto-plugin/configure.ac
@@ -25,6 +25,17 @@ LDFLAGS="$saved_LDFLAGS"
if test "x$have_static_libgcc" = xyes; then
ac_lto_plugin_ldflags="-Wc,-static-libgcc"
fi
+
+# Enable --enable-host-bind-now
+AC_ARG_ENABLE(host-bind-now,
+[AS_HELP_STRING([--enable-host-bind-now],
+ [link host code as BIND_NOW])])
+AC_SUBST(enable_host_bind_now)
+
+if test x$enable_host_bind_now = xyes; then
+ ac_lto_plugin_ldflags="$ac_lto_plugin_ldflags -Wl,-z,now"
+fi
+
AC_SUBST(ac_lto_plugin_ldflags)
GCC_CET_HOST_FLAGS(CET_HOST_FLAGS)
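Review bot: The `ac_lto_plugin_ldflags="$ac_lto_plugin_ldflags -Wl,-z,now"` line adds the flag unconditionally, a few lines below the saved_LDFLAGS/AC_LINK_IFELSE probe this file already runs for -static-libgcc; reusing that probe for -Wl,-z,now would keep a linker that does not accept -z from breaking the plugin build at link time. ac_lto_plugin_ldflags is consumed through libtool (the existing entry uses the -Wc, prefix), and -Wl, is passed through to the linker, so the flag itself should reach the link of liblto_plugin, but as in gcc/configure.ac the GOT of the resulting shared object is only read-only if the linker also emits a RELRO segment, so -z relro is worth passing explicitly here too.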