From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <SRS0=zbHd=CP=suse.cz=mjambor@sourceware.org>
Received: from smtp-out1.suse.de (smtp-out1.suse.de [195.135.220.28])
	by sourceware.org (Postfix) with ESMTPS id 7E3803858D33
	for <gcc-patches@gcc.gnu.org>; Tue, 27 Jun 2023 11:39:17 +0000 (GMT)
DMARC-Filter: OpenDMARC Filter v1.4.2 sourceware.org 7E3803858D33
Authentication-Results: sourceware.org; dmarc=none (p=none dis=none) header.from=suse.cz
Authentication-Results: sourceware.org; spf=pass smtp.mailfrom=suse.cz
Received: from imap2.suse-dmz.suse.de (imap2.suse-dmz.suse.de [192.168.254.74])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature ECDSA (P-521) server-digest SHA512)
	(No client certificate requested)
	by smtp-out1.suse.de (Postfix) with ESMTPS id B061D21847;
	Tue, 27 Jun 2023 11:39:16 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=suse.cz; s=susede2_rsa;
	t=1687865956; h=from:from:reply-to:date:date:message-id:message-id:to:to:cc:cc:
	 mime-version:mime-version:content-type:content-type:
	 in-reply-to:in-reply-to:references:references;
	bh=4aFaSCR1dV0Lri5qkF6DZmj7sOzu1f2vP02yfJaPjLc=;
	b=ZT/tSLaTJ4350JjukDTxKpJx4mYwdIohN2eabPLiZICkG38mYIE81x5AuLl4Qt8Lm0Dazq
	lKENzJb7aUrHc9OfREubM9OuakENNRGri9TWZMviVODxQqFTU1Cmu2OwFlfVEUTCjAdO9P
	fqR3qzHvmVpYZP2JCGDXWvtapG8152M=
DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/relaxed; d=suse.cz;
	s=susede2_ed25519; t=1687865956;
	h=from:from:reply-to:date:date:message-id:message-id:to:to:cc:cc:
	 mime-version:mime-version:content-type:content-type:
	 in-reply-to:in-reply-to:references:references;
	bh=4aFaSCR1dV0Lri5qkF6DZmj7sOzu1f2vP02yfJaPjLc=;
	b=eXOM80lSDO5xZTwlNO0/qrg2Kdg49264LlyEZru3/qJt2t9Pkuxs8IEjn3GsGf8f0+0HBA
	YfZvFZDimPXYN/AQ==
Received: from imap2.suse-dmz.suse.de (imap2.suse-dmz.suse.de [192.168.254.74])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature ECDSA (P-521) server-digest SHA512)
	(No client certificate requested)
	by imap2.suse-dmz.suse.de (Postfix) with ESMTPS id A4FE113462;
	Tue, 27 Jun 2023 11:39:16 +0000 (UTC)
Received: from dovecot-director2.suse.de ([192.168.254.65])
	by imap2.suse-dmz.suse.de with ESMTPSA
	id jUZCKGTKmmSWKgAAMHmgww
	(envelope-from <mjambor@suse.cz>); Tue, 27 Jun 2023 11:39:16 +0000
From: Martin Jambor <mjambor@suse.cz>
To: Marek Polacek <polacek@redhat.com>
Cc: GCC Patches <gcc-patches@gcc.gnu.org>
Subject: Re: [PATCH] configure: Implement --enable-host-bind-now
In-Reply-To: <ZGOjIunxHFQLfzQQ@redhat.com>
References: <ZGOjIunxHFQLfzQQ@redhat.com>
User-Agent: Notmuch/0.37 (https://notmuchmail.org) Emacs/28.2
 (x86_64-suse-linux-gnu)
Date: Tue, 27 Jun 2023 13:39:16 +0200
Message-ID: <ri61qhxqgm3.fsf@suse.cz>
MIME-Version: 1.0
Content-Type: text/plain
X-Spam-Status: No, score=-11.5 required=5.0 tests=BAYES_00,DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,GIT_PATCH_0,SPF_HELO_NONE,SPF_PASS,TXREP,T_SCC_BODY_TEXT_LINE autolearn=ham autolearn_force=no version=3.4.6
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on server2.sourceware.org
List-Id: <gcc-patches.gcc.gnu.org>

Hello,

On Tue, May 16 2023, Marek Polacek via Gcc-patches wrote:
> As promised in the --enable-host-pie patch, this patch adds another
> configure option, --enable-host-bind-now, which adds -z now when linking
> the compiler executables in order to extend hardening.  BIND_NOW with RELRO
> allows the GOT to be marked RO; this prevents GOT modification attacks.
>
> This option does not affect linking of target libraries; you can use
> LDFLAGS_FOR_TARGET=-Wl,-z,relro,-z,now to enable RELRO/BIND_NOW.
>
> With this patch:
> $ readelf -Wd cc1{,plus} | grep FLAGS
>  0x000000000000001e (FLAGS)              BIND_NOW
>  0x000000006ffffffb (FLAGS_1)            Flags: NOW PIE
>  0x000000000000001e (FLAGS)              BIND_NOW
>  0x000000006ffffffb (FLAGS_1)            Flags: NOW PIE
>
> Bootstrapped/regtested on x86_64-pc-linux-gnu, ok for trunk?
>
> c++tools/ChangeLog:
>
> 	* configure.ac (--enable-host-bind-now): New check.
> 	* configure: Regenerate.
>
> gcc/ChangeLog:
>
> 	* configure.ac (--enable-host-bind-now): New check.  Add
> 	-Wl,-z,now to LD_PICFLAG if --enable-host-bind-now.
> 	* configure: Regenerate.
> 	* doc/install.texi: Document --enable-host-bind-now.
>
> lto-plugin/ChangeLog:
>
> 	* configure.ac (--enable-host-bind-now): New check.  Link with
> 	-z,now.
> 	* configure: Regenerate.

Our reconfiguration checking script complains about a missing hunk in
lto-plugin/Makefile.in:

diff --git a/lto-plugin/Makefile.in b/lto-plugin/Makefile.in
index cb568e1e09f..f6f5b020ff5 100644
--- a/lto-plugin/Makefile.in
+++ b/lto-plugin/Makefile.in
@@ -298,6 +298,7 @@ datadir = @datadir@
 datarootdir = @datarootdir@
 docdir = @docdir@
 dvidir = @dvidir@
+enable_host_bind_now = @enable_host_bind_now@
 exec_prefix = @exec_prefix@
 gcc_build_dir = @gcc_build_dir@
 get_gcc_base_ver = @get_gcc_base_ver@


I am somewhat puzzled why the line is not missing in any of the other
Makefile.in files.  Can you please check whether that is the only thing
that is missing (assuming it is actually missing)?

Thanks,

Martin