From: Martin Jambor
To: Marek Polacek
Cc: GCC Patches
Subject: Re: [PATCH] configure: Implement --enable-host-bind-now
Date: Tue, 27 Jun 2023 13:39:16 +0200

Hello,

On Tue, May 16 2023, Marek Polacek via Gcc-patches wrote:
> As promised in the --enable-host-pie patch, this patch adds another
> configure option, --enable-host-bind-now, which adds -z now when linking
> the compiler executables in order to extend hardening.  BIND_NOW with RELRO
> allows the GOT to be marked RO; this prevents GOT modification attacks.
>
> This option does not affect linking of target libraries; you can use
> LDFLAGS_FOR_TARGET=-Wl,-z,relro,-z,now to enable RELRO/BIND_NOW.
>
> With this patch:
> $ readelf -Wd cc1{,plus} | grep FLAGS
>  0x000000000000001e (FLAGS)              BIND_NOW
>  0x000000006ffffffb (FLAGS_1)            Flags: NOW PIE
>  0x000000000000001e (FLAGS)              BIND_NOW
>  0x000000006ffffffb (FLAGS_1)            Flags: NOW PIE
>
> Bootstrapped/regtested on x86_64-pc-linux-gnu, ok for trunk?
>
> c++tools/ChangeLog:
>
>     * configure.ac (--enable-host-bind-now): New check.
>     * configure: Regenerate.
>
> gcc/ChangeLog:
>
>     * configure.ac (--enable-host-bind-now): New check.  Add
>     -Wl,-z,now to LD_PICFLAG if --enable-host-bind-now.
>     * configure: Regenerate.
>     * doc/install.texi: Document --enable-host-bind-now.
>
> lto-plugin/ChangeLog:
>
>     * configure.ac (--enable-host-bind-now): New check.  Link with
>     -z,now.
>     * configure: Regenerate.

Our reconfiguration checking script complains about a missing hunk in
lto-plugin/Makefile.in:

diff --git a/lto-plugin/Makefile.in b/lto-plugin/Makefile.in index cb568e1e09f..f6f5b020ff5 100644 --- a/lto-plugin/Makefile.in +++ b/lto-plugin/Makefile.in @@ -298,6 +298,7 @@ datadir = @datadir@ datarootdir = @datarootdir@ docdir = @docdir@ dvidir = @dvidir@ +enable_host_bind_now = @enable_host_bind_now@ exec_prefix = @exec_prefix@ gcc_build_dir = @gcc_build_dir@ get_gcc_base_ver = @get_gcc_base_ver@ I am somewhat puzzled why the line is not missing in any of the other Makefile.in files. Can you please check whether that is the only thing that is missing (assuming it is actually missing)? Thanks, Martin
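
Review bot: The lto-plugin ChangeLog quoted above has no entry covering the "+enable_host_bind_now = @enable_host_bind_now@" line in the @@ -298,6 +298,7 @@ hunk of lto-plugin/Makefile.in; it lists only configure.ac and configure. Since the message reports this hunk as coming from a reconfiguration check, the line should be produced by regenerating lto-plugin/Makefile.in rather than added by hand, and the ChangeLog should gain a "* Makefile.in: Regenerate." entry. Rerunning the same check over c++tools, gcc and lto-plugin after regenerating would answer whether this is the only missing piece.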
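
To confirm the hardening that the quoted patch description reports with "readelf -Wd cc1{,plus} | grep FLAGS", the following added example (not part of the original message or of GCC) parses "readelf -Wdl" output and reports, per file, whether BIND_NOW and RELRO are both present. The sample text is constructed, and the file name "lazy-tool" and the function name audit are assumptions made for illustration.

```python
import re

# Constructed sample: abridged `readelf -Wdl cc1 lazy-tool` output; "lazy-tool" is hypothetical.
SAMPLE = """
File: cc1

Program Headers:
  GNU_RELRO      0x002d00 0x0000000000003d00 0x0000000000003d00 0x000300 0x000300 R   0x1

Dynamic section at offset 0x2d10 contains 2 entries:
 0x000000000000001e (FLAGS)              BIND_NOW
 0x000000006ffffffb (FLAGS_1)            Flags: NOW PIE

File: lazy-tool

Program Headers:
  GNU_RELRO      0x002d00 0x0000000000003d00 0x0000000000003d00 0x000300 0x000300 R   0x1

Dynamic section at offset 0x2d10 contains 1 entries:
 0x000000006ffffffb (FLAGS_1)            Flags: PIE
"""

FILE_RE = re.compile(r"^File: (.+)$")
DYN_RE = re.compile(r"^\s*0x[0-9a-f]+ \((FLAGS|FLAGS_1)\)\s+(?:Flags:\s*)?(.*)$")

def audit(text, default_name="<single file>"):
    """Map each file in `readelf -Wdl` output to its BIND_NOW/PIE/RELRO status."""
    seen, name = {}, default_name  # readelf prints no "File:" header for one file
    entry = lambda: seen.setdefault(name, {"relro": False, "flags": set()})
    for line in text.splitlines():
        if m := FILE_RE.match(line):
            name = m.group(1)
            entry()
        elif line.split()[:1] == ["GNU_RELRO"]:   # PT_GNU_RELRO program header
            entry()["relro"] = True
        elif m := DYN_RE.match(line):             # DT_FLAGS / DT_FLAGS_1 values
            entry()["flags"].update(m.group(2).split())
    report = {}
    for fname, e in seen.items():
        bind_now = bool(e["flags"] & {"BIND_NOW", "NOW"})
        report[fname] = {
            "bind_now": bind_now,
            "pie": "PIE" in e["flags"],
            "relro": e["relro"],
            # The whole GOT is read-only only when RELRO and BIND_NOW are combined.
            "got_read_only": e["relro"] and bind_now,
        }
    return report

if __name__ == "__main__":
    for fname, status in audit(SAMPLE).items():
        print(fname, status)
```

A binary that has a GNU_RELRO segment but no BIND_NOW/NOW flag still resolves PLT entries lazily, so it is reported with got_read_only set to False.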