From: Jeff Law
To: Marek Polacek, GCC Patches
Cc: oliva@adacore.com, Joseph Myers
Subject: Re: [PATCH] configure: Implement --enable-host-pie
Date: Sun, 20 Nov 2022 08:06:55 -0700
In-Reply-To: <20221111025244.188157-1-polacek@redhat.com>

On 11/10/22 19:52, Marek Polacek via Gcc-patches wrote:
> This is a rebased version of the patch I posted in March:
>
> which Alex sort of approved here:
>
> but it was too late to commit the patch in GCC 12.
>
> There are no changes except that I've converted the documentation
> part into the ReST format, and of course regenerated configure.
>
> With --enable-host-pie enabled:
> $ file ./gcc/cc1 ./gcc/cc1plus
> ./gcc/cc1: ELF 64-bit LSB pie executable, x86-64, version 1 (GNU/Linux), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 3.2.0, with debug_info, not stripped
> ./gcc/cc1plus: ELF 64-bit LSB pie executable, x86-64, version 1 (GNU/Linux), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 3.2.0, with debug_info, not stripped
>
> Bootstrapped/regtested on x86_64-pc-linux-gnu w/ and w/o --enable-host-pie,
> ok for trunk?
>
> -- >8 --
>
> This patch implements the --enable-host-pie configure option which
> makes the compiler executables PIE. This can be used to enhance
> protection against ROP attacks, and can be viewed as part of a wider
> trend to harden binaries.
>
> It is similar to the option --enable-host-shared, except that --e-h-s
> won't add -shared to the linker flags whereas --e-h-p will add -pie.
> It is different from --enable-default-pie because that option just
> adds an implicit -fPIE/-pie when the compiler is invoked, but the
> compiler itself isn't PIE.
>
> Since r12-5768-gfe7c3ecf, PCH works well with PIE, so there are no PCH
> regressions.
>
> When building the compiler, the build process may use various in-tree
> libraries; these need to be built with -fPIE so that it's possible to
> use them when building a PIE. For instance, when --with-included-gettext
> is in effect, intl object files must be compiled with -fPIE. Similarly,
> when building in-tree gmp, isl, mpfr and mpc, they must be compiled with
> -fPIE.
>
> I plan to add an option to link with -Wl,-z,now.
>
> ChangeLog:
>
> 	* Makefile.def: Pass $(PICFLAG) to AM_CFLAGS for gmp, mpfr, mpc, and
> 	isl.
> 	* Makefile.in: Regenerate.
> 	* Makefile.tpl: Set PICFLAG.
> 	* configure.ac (--enable-host-pie): New check. Set PICFLAG after this
> 	check.
> 	* configure: Regenerate.
>
> c++tools/ChangeLog:
>
> 	* Makefile.in: Rename PIEFLAG to PICFLAG. Set LD_PICFLAG. Use it.
> 	Use pic/libiberty.a if PICFLAG is set.
> 	* configure.ac (--enable-default-pie): Set PICFLAG instead of PIEFLAG.
> 	(--enable-host-pie): New check.
> 	* configure: Regenerate.
>
> fixincludes/ChangeLog:
>
> 	* Makefile.in: Set and use PICFLAG and LD_PICFLAG. Use the "pic"
> 	build of libiberty if PICFLAG is set.
> 	* configure.ac:
> 	* configure: Regenerate.
>
> gcc/ChangeLog:
>
> 	* Makefile.in: Set LD_PICFLAG. Use it. Set enable_host_pie.
> 	Remove NO_PIE_CFLAGS and NO_PIE_FLAG. Pass LD_PICFLAG to
> 	ALL_LINKERFLAGS. Use the "pic" build of libiberty if --enable-host-pie.
> 	* configure.ac (--enable-host-shared): Don't set PICFLAG here.
> 	(--enable-host-pie): New check. Set PICFLAG and LD_PICFLAG after this
> 	check.
> 	* configure: Regenerate.
> 	* doc/install/configuration.rst: Document --enable-host-pie.
>
> gcc/d/ChangeLog:
>
> 	* Make-lang.in: Remove NO_PIE_CFLAGS.
>
> intl/ChangeLog:
>
> 	* Makefile.in: Use @PICFLAG@ in COMPILE as well.
> 	* configure.ac (--enable-host-shared): Don't set PICFLAG here.
> 	(--enable-host-pie): New check. Set PICFLAG after this check.
> 	* configure: Regenerate.
>
> libcody/ChangeLog:
>
> 	* Makefile.in: Pass LD_PICFLAG to LDFLAGS.
> 	* configure.ac (--enable-host-shared): Don't set PICFLAG here.
> 	(--enable-host-pie): New check. Set PICFLAG and LD_PICFLAG after this
> 	check.
> 	* configure: Regenerate.
>
> libcpp/ChangeLog:
>
> 	* configure.ac (--enable-host-shared): Don't set PICFLAG here.
> 	(--enable-host-pie): New check. Set PICFLAG after this check.
> 	* configure: Regenerate.
>
> libdecnumber/ChangeLog:
>
> 	* configure.ac (--enable-host-shared): Don't set PICFLAG here.
> 	(--enable-host-pie): New check. Set PICFLAG after this check.
> 	* configure: Regenerate.
>
> libiberty/ChangeLog:
>
> 	* configure.ac: Also set shared when enable_host_pie.
> 	* configure: Regenerate.
>
> zlib/ChangeLog:
>
> 	* configure.ac (--enable-host-shared): Don't set PICFLAG here.
> 	(--enable-host-pie): New check. Set PICFLAG after this check.
> 	* configure: Regenerate.

OK.

Jeff
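
Added example, not part of this thread or of the GCC patch: a small ELF checker that reports what the quoted `file` output shows (the executable is PIE) and whether the `-Wl,-z,now` linking mentioned as a follow-up took effect. The names `hardening` and `sample` are hypothetical; it assumes little-endian ELF64 and treats ET_DYN plus DF_1_PIE in DT_FLAGS_1 as the PIE marker, and the test images are constructed.

```python
import struct

ET_EXEC, ET_DYN, PT_DYNAMIC = 2, 3, 2
DT_NULL, DT_BIND_NOW, DT_FLAGS, DT_FLAGS_1 = 0, 24, 30, 0x6FFFFFFB
DF_BIND_NOW, DF_1_NOW, DF_1_PIE = 0x8, 0x1, 0x08000000
EHDR, PHDR, DYN = "<16sHHIQQQIHHHHHH", "<IIQQQQQQ", "<qQ"


def hardening(elf: bytes) -> dict:
    """Report PIE and BIND_NOW status of a little-endian ELF64 image."""
    if elf[:4] != b"\x7fELF" or elf[4] != 2 or elf[5] != 1:
        raise ValueError("not a little-endian ELF64 file")
    hdr = struct.unpack_from(EHDR, elf, 0)
    e_type, e_phoff, e_phentsize, e_phnum = hdr[1], hdr[5], hdr[9], hdr[10]
    dyn = {}
    for i in range(e_phnum):
        p = struct.unpack_from(PHDR, elf, e_phoff + i * e_phentsize)
        if p[0] != PT_DYNAMIC:
            continue
        # p[2] is p_offset, p[5] is p_filesz; stop at DT_NULL or segment end.
        for off in range(p[2], p[2] + p[5] - 15, 16):
            tag, val = struct.unpack_from(DYN, elf, off)
            if tag == DT_NULL:
                break
            dyn[tag] = val
    # -z now is recorded as DT_BIND_NOW, DF_BIND_NOW and/or DF_1_NOW.
    now = (DT_BIND_NOW in dyn or dyn.get(DT_FLAGS, 0) & DF_BIND_NOW
           or dyn.get(DT_FLAGS_1, 0) & DF_1_NOW)
    return {"pie": e_type == ET_DYN and bool(dyn.get(DT_FLAGS_1, 0) & DF_1_PIE),
            "bind_now": bool(now)}


def sample(e_type: int, dyn: list) -> bytes:
    """Constructed image: ELF header, one PT_DYNAMIC phdr, dynamic entries."""
    body = b"".join(struct.pack(DYN, t, v) for t, v in dyn + [(DT_NULL, 0)])
    ident = b"\x7fELF\x02\x01\x01" + bytes(9)
    ehdr = struct.pack(EHDR, ident, e_type, 62, 1, 0, 64, 0, 0, 64, 56, 1, 0, 0, 0)
    phdr = struct.pack(PHDR, PT_DYNAMIC, 6, 120, 0, 0, len(body), len(body), 8)
    return ehdr + phdr + body


if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:  # e.g. ./gcc/cc1 ./gcc/cc1plus from the build tree
        with open(path, "rb") as f:
            print(path, hardening(f.read()))
```

Run over a build tree, this can gate CI on every host executable reporting `pie: True`, which a build configured only with --enable-default-pie would not satisfy for the compiler itself.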