From: Jeff Law <jeffreyalaw@gmail.com>
To: Marek Polacek <polacek@redhat.com>,
GCC Patches <gcc-patches@gcc.gnu.org>
Cc: oliva@adacore.com, Joseph Myers <joseph@codesourcery.com>
Subject: Re: [PATCH] configure: Implement --enable-host-pie
Date: Sun, 20 Nov 2022 08:06:55 -0700
Message-ID: <eb5af85b-f7a6-a2e2-40c8-16a80f59af01@gmail.com>
In-Reply-To: <20221111025244.188157-1-polacek@redhat.com>

On 11/10/22 19:52, Marek Polacek via Gcc-patches wrote:
> This is a rebased version of the patch I posted in March:
> <https://gcc.gnu.org/pipermail/gcc-patches/2022-March/591239.html>
> which Alex sort of approved here:
> <https://gcc.gnu.org/pipermail/gcc-patches/2022-March/592360.html>
> but it was too late to commit the patch in GCC 12.
>
> There are no changes except that I've converted the documentation
> part into the ReST format, and of course regenerated configure.
>
> With --enable-host-pie enabled:
> $ file ./gcc/cc1 ./gcc/cc1plus
> ./gcc/cc1: ELF 64-bit LSB pie executable, x86-64, version 1 (GNU/Linux), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 3.2.0, with debug_info, not stripped
> ./gcc/cc1plus: ELF 64-bit LSB pie executable, x86-64, version 1 (GNU/Linux), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 3.2.0, with debug_info, not stripped
>
> Bootstrapped/regtested on x86_64-pc-linux-gnu w/ and w/o --enable-host-pie,
> ok for trunk?
>
> -- >8 --
>
> This patch implements the --enable-host-pie configure option which
> makes the compiler executables PIE. This can be used to enhance
> protection against ROP attacks, and can be viewed as part of a wider
> trend to harden binaries.
>
> It is similar to the option --enable-host-shared, except that --e-h-s
> won't add -shared to the linker flags whereas --e-h-p will add -pie.
> It is different from --enable-default-pie because that option just
> adds an implicit -fPIE/-pie when the compiler is invoked, but the
> compiler itself isn't PIE.
>
> Since r12-5768-gfe7c3ecf, PCH works well with PIE, so there are no PCH
> regressions.
>
> When building the compiler, the build process may use various in-tree
> libraries; these need to be built with -fPIE so that it's possible to
> use them when building a PIE. For instance, when --with-included-gettext
> is in effect, intl object files must be compiled with -fPIE. Similarly,
> when building in-tree gmp, isl, mpfr and mpc, they must be compiled with
> -fPIE.
>
> I plan to add an option to link with -Wl,-z,now.
>
> ChangeLog:
>
> * Makefile.def: Pass $(PICFLAG) to AM_CFLAGS for gmp, mpfr, mpc, and
> isl.
> * Makefile.in: Regenerate.
> * Makefile.tpl: Set PICFLAG.
> * configure.ac (--enable-host-pie): New check. Set PICFLAG after this
> check.
> * configure: Regenerate.
>
> c++tools/ChangeLog:
>
> * Makefile.in: Rename PIEFLAG to PICFLAG. Set LD_PICFLAG. Use it.
> Use pic/libiberty.a if PICFLAG is set.
> * configure.ac (--enable-default-pie): Set PICFLAG instead of PIEFLAG.
> (--enable-host-pie): New check.
> * configure: Regenerate.
>
> fixincludes/ChangeLog:
>
> * Makefile.in: Set and use PICFLAG and LD_PICFLAG. Use the "pic"
> build of libiberty if PICFLAG is set.
> * configure.ac:
> * configure: Regenerate.
>
> gcc/ChangeLog:
>
> * Makefile.in: Set LD_PICFLAG. Use it. Set enable_host_pie.
> Remove NO_PIE_CFLAGS and NO_PIE_FLAG. Pass LD_PICFLAG to
> ALL_LINKERFLAGS. Use the "pic" build of libiberty if --enable-host-pie.
> * configure.ac (--enable-host-shared): Don't set PICFLAG here.
> (--enable-host-pie): New check. Set PICFLAG and LD_PICFLAG after this
> check.
> * configure: Regenerate.
> * doc/install/configuration.rst: Document --enable-host-pie.
>
> gcc/d/ChangeLog:
>
> * Make-lang.in: Remove NO_PIE_CFLAGS.
>
> intl/ChangeLog:
>
> * Makefile.in: Use @PICFLAG@ in COMPILE as well.
> * configure.ac (--enable-host-shared): Don't set PICFLAG here.
> (--enable-host-pie): New check. Set PICFLAG after this check.
> * configure: Regenerate.
>
> libcody/ChangeLog:
>
> * Makefile.in: Pass LD_PICFLAG to LDFLAGS.
> * configure.ac (--enable-host-shared): Don't set PICFLAG here.
> (--enable-host-pie): New check. Set PICFLAG and LD_PICFLAG after this
> check.
> * configure: Regenerate.
>
> libcpp/ChangeLog:
>
> * configure.ac (--enable-host-shared): Don't set PICFLAG here.
> (--enable-host-pie): New check. Set PICFLAG after this check.
> * configure: Regenerate.
>
> libdecnumber/ChangeLog:
>
> * configure.ac (--enable-host-shared): Don't set PICFLAG here.
> (--enable-host-pie): New check. Set PICFLAG after this check.
> * configure: Regenerate.
>
> libiberty/ChangeLog:
>
> * configure.ac: Also set shared when enable_host_pie.
> * configure: Regenerate.
>
> zlib/ChangeLog:
>
> * configure.ac (--enable-host-shared): Don't set PICFLAG here.
> (--enable-host-pie): New check. Set PICFLAG after this check.
> * configure: Regenerate.

OK.
Jeff