public inbox for gcc-patches@gcc.gnu.org
From: Jeff Law <jeffreyalaw@gmail.com>
To: Marek Polacek <polacek@redhat.com>,
	GCC Patches <gcc-patches@gcc.gnu.org>
Cc: oliva@adacore.com, Joseph Myers <joseph@codesourcery.com>
Subject: Re: [PATCH] configure: Implement --enable-host-pie
Date: Sun, 20 Nov 2022 08:06:55 -0700
Message-ID: <eb5af85b-f7a6-a2e2-40c8-16a80f59af01@gmail.com>
In-Reply-To: <20221111025244.188157-1-polacek@redhat.com>


On 11/10/22 19:52, Marek Polacek via Gcc-patches wrote:
> This is a rebased version of the patch I posted in March:
> <https://gcc.gnu.org/pipermail/gcc-patches/2022-March/591239.html>
> which Alex sort of approved here:
> <https://gcc.gnu.org/pipermail/gcc-patches/2022-March/592360.html>
> but it was too late to commit the patch in GCC 12.
>
> There are no changes except that I've converted the documentation
> part into the ReST format, and of course regenerated configure.
>
> With --enable-host-pie enabled:
> $ file ./gcc/cc1 ./gcc/cc1plus
> ./gcc/cc1:     ELF 64-bit LSB pie executable, x86-64, version 1 (GNU/Linux), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 3.2.0, with debug_info, not stripped
> ./gcc/cc1plus: ELF 64-bit LSB pie executable, x86-64, version 1 (GNU/Linux), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 3.2.0, with debug_info, not stripped
>
> Bootstrapped/regtested on x86_64-pc-linux-gnu w/ and w/o --enable-host-pie,
> ok for trunk?
>
> -- >8 --
>
> This patch implements the --enable-host-pie configure option which
> makes the compiler executables PIE.  This can be used to enhance
> protection against ROP attacks, and can be viewed as part of a wider
> trend to harden binaries.
>
> It is similar to the option --enable-host-shared, except that --e-h-s
> won't add -shared to the linker flags whereas --e-h-p will add -pie.
> It is different from --enable-default-pie because that option just
> adds an implicit -fPIE/-pie when the compiler is invoked, but the
> compiler itself isn't PIE.
>
> Since r12-5768-gfe7c3ecf, PCH works well with PIE, so there are no PCH
> regressions.
>
> When building the compiler, the build process may use various in-tree
> libraries; these need to be built with -fPIE so that it's possible to
> use them when building a PIE.  For instance, when --with-included-gettext
> is in effect, intl object files must be compiled with -fPIE.  Similarly,
> when building in-tree gmp, isl, mpfr and mpc, they must be compiled with
> -fPIE.
>
> I plan to add an option to link with -Wl,-z,now.
>
> ChangeLog:
>
> 	* Makefile.def: Pass $(PICFLAG) to AM_CFLAGS for gmp, mpfr, mpc, and
> 	isl.
> 	* Makefile.in: Regenerate.
> 	* Makefile.tpl: Set PICFLAG.
> 	* configure.ac (--enable-host-pie): New check.  Set PICFLAG after this
> 	check.
> 	* configure: Regenerate.
>
> c++tools/ChangeLog:
>
> 	* Makefile.in: Rename PIEFLAG to PICFLAG.  Set LD_PICFLAG.  Use it.
> 	Use pic/libiberty.a if PICFLAG is set.
> 	* configure.ac (--enable-default-pie): Set PICFLAG instead of PIEFLAG.
> 	(--enable-host-pie): New check.
> 	* configure: Regenerate.
>
> fixincludes/ChangeLog:
>
> 	* Makefile.in: Set and use PICFLAG and LD_PICFLAG.  Use the "pic"
> 	build of libiberty if PICFLAG is set.
> 	* configure.ac:
> 	* configure: Regenerate.
>
> gcc/ChangeLog:
>
> 	* Makefile.in: Set LD_PICFLAG.  Use it.  Set enable_host_pie.
> 	Remove NO_PIE_CFLAGS and NO_PIE_FLAG.  Pass LD_PICFLAG to
> 	ALL_LINKERFLAGS.  Use the "pic" build of libiberty if --enable-host-pie.
> 	* configure.ac (--enable-host-shared): Don't set PICFLAG here.
> 	(--enable-host-pie): New check.  Set PICFLAG and LD_PICFLAG after this
> 	check.
> 	* configure: Regenerate.
> 	* doc/install/configuration.rst: Document --enable-host-pie.
>
> gcc/d/ChangeLog:
>
> 	* Make-lang.in: Remove NO_PIE_CFLAGS.
>
> intl/ChangeLog:
>
> 	* Makefile.in: Use @PICFLAG@ in COMPILE as well.
> 	* configure.ac (--enable-host-shared): Don't set PICFLAG here.
> 	(--enable-host-pie): New check.  Set PICFLAG after this check.
> 	* configure: Regenerate.
>
> libcody/ChangeLog:
>
> 	* Makefile.in: Pass LD_PICFLAG to LDFLAGS.
> 	* configure.ac (--enable-host-shared): Don't set PICFLAG here.
> 	(--enable-host-pie): New check.  Set PICFLAG and LD_PICFLAG after this
> 	check.
> 	* configure: Regenerate.
>
> libcpp/ChangeLog:
>
> 	* configure.ac (--enable-host-shared): Don't set PICFLAG here.
> 	(--enable-host-pie): New check.  Set PICFLAG after this check.
> 	* configure: Regenerate.
>
> libdecnumber/ChangeLog:
>
> 	* configure.ac (--enable-host-shared): Don't set PICFLAG here.
> 	(--enable-host-pie): New check.  Set PICFLAG after this check.
> 	* configure: Regenerate.
>
> libiberty/ChangeLog:
>
> 	* configure.ac: Also set shared when enable_host_pie.
> 	* configure: Regenerate.
>
> zlib/ChangeLog:
>
> 	* configure.ac (--enable-host-shared): Don't set PICFLAG here.
> 	(--enable-host-pie): New check.  Set PICFLAG after this check.
> 	* configure: Regenerate.

OK.


Jeff
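
The `file` check quoted above, and the `-Wl,-z,now` follow-up the patch author mentions, can both be verified from the ELF headers of the built host binaries. The following is an added example, not part of the thread or of the GCC patch. It assumes ELF64 little-endian files; the function names and the PIE heuristic (ET_DYN plus DF_1_PIE or PT_INTERP) are choices made for this example, and the sample images are constructed.

```python
import struct, sys

ET_DYN, PT_DYNAMIC, PT_INTERP = 3, 2, 3
DT_NULL, DT_BIND_NOW, DT_FLAGS, DT_FLAGS_1 = 0, 24, 30, 0x6FFFFFFB
DF_BIND_NOW, DF_1_NOW, DF_1_PIE = 0x8, 0x1, 0x08000000

def elf_hardening(data):
    """Return {'pie': bool, 'bind_now': bool} for an ELF64 little-endian image."""
    if data[:4] != b"\x7fELF" or data[4:6] != b"\x02\x01":
        raise ValueError("not an ELF64 little-endian file")
    # e_type sits at offset 16, e_phoff at offset 32 (14 bytes skipped between).
    e_type, e_phoff = struct.unpack_from("<H14xQ", data, 16)
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 54)
    interp = pie_flag = bind_now = False
    for i in range(e_phnum):
        p_type, _, p_offset, _, _, p_filesz = struct.unpack_from(
            "<IIQQQQ", data, e_phoff + i * e_phentsize)
        if p_type == PT_INTERP:
            interp = True
        elif p_type == PT_DYNAMIC:
            # Walk the 16-byte (d_tag, d_val) entries until DT_NULL.
            for off in range(p_offset, p_offset + p_filesz, 16):
                tag, val = struct.unpack_from("<qQ", data, off)
                if tag == DT_NULL:
                    break
                if tag == DT_FLAGS_1:
                    pie_flag |= bool(val & DF_1_PIE)
                    bind_now |= bool(val & DF_1_NOW)
                elif tag == DT_FLAGS:
                    bind_now |= bool(val & DF_BIND_NOW)
                elif tag == DT_BIND_NOW:
                    bind_now = True
    # Assumed heuristic: shared libraries are ET_DYN too, so also require DF_1_PIE or PT_INTERP.
    return {"pie": e_type == ET_DYN and (pie_flag or interp), "bind_now": bind_now}

def build_sample(e_type, dyn, interp=True):
    """Constructed ELF image (headers and dynamic section only) for the demo."""
    phnum = 2 if interp else 1
    ehdr = b"\x7fELF\x02\x01\x01" + bytes(9) + struct.pack(
        "<HHIQQQIHHHHHH", e_type, 62, 1, 0, 64, 0, 0, 64, 56, phnum, 0, 0, 0)
    dyn_bytes = b"".join(struct.pack("<qQ", t, v) for t, v in dyn + [(DT_NULL, 0)])
    ph = lambda t, off, size: struct.pack("<IIQQQQQQ", t, 4, off, off, off, size, size, 8)
    dyn_off = 64 + phnum * 56
    return (ehdr + (ph(PT_INTERP, 0, 0) if interp else b"")
            + ph(PT_DYNAMIC, dyn_off, len(dyn_bytes)) + dyn_bytes)

if __name__ == "__main__":
    for path in sys.argv[1:]:
        with open(path, "rb") as f:
            print(path, elf_hardening(f.read()))
```

Run against `./gcc/cc1 ./gcc/cc1plus` from a build tree, a build configured with --enable-host-pie should report `pie: True`; `bind_now` stays `False` until the binaries are also linked with `-z now`.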


