From: Martin Jambor
To: Marek Polacek, Eric Botcazou
Cc: GCC Patches
Subject: Re: [PATCH] configure: Implement --enable-host-bind-now
Date: Thu, 29 Jun 2023 17:58:22 +0200

Hi,

On Tue, Jun 27 2023, Marek Polacek wrote:
> On Tue, Jun 27, 2023 at 01:39:16PM +0200, Martin Jambor wrote:
>> Hello,
>>
>> On Tue, May 16 2023, Marek Polacek via Gcc-patches wrote:
>> > As promised in the --enable-host-pie patch, this patch adds another
>> > configure option, --enable-host-bind-now, which adds -z now when linking
>> > the compiler executables in order to extend hardening. BIND_NOW with RELRO
>> > allows the GOT to be marked RO; this prevents GOT modification attacks.
>> >
>> > This option does not affect linking of target libraries; you can use
>> > LDFLAGS_FOR_TARGET=-Wl,-z,relro,-z,now to enable RELRO/BIND_NOW.
>> >
>> > With this patch:
>> > $ readelf -Wd cc1{,plus} | grep FLAGS
>> > 0x000000000000001e (FLAGS) BIND_NOW
>> > 0x000000006ffffffb (FLAGS_1) Flags: NOW PIE
>> > 0x000000000000001e (FLAGS) BIND_NOW
>> > 0x000000006ffffffb (FLAGS_1) Flags: NOW PIE
>> >
>> > Bootstrapped/regtested on x86_64-pc-linux-gnu, ok for trunk?
>> >
>> > c++tools/ChangeLog:
>> >
>> > * configure.ac (--enable-host-bind-now): New check.
>> > * configure: Regenerate.
>> >
>> > gcc/ChangeLog:
>> >
>> > * configure.ac (--enable-host-bind-now): New check. Add
>> > -Wl,-z,now to LD_PICFLAG if --enable-host-bind-now.
>> > * configure: Regenerate.
>> > * doc/install.texi: Document --enable-host-bind-now.
>> >
>> > lto-plugin/ChangeLog:
>> >
>> > * configure.ac (--enable-host-bind-now): New check. Link with
>> > -z,now.
>> > * configure: Regenerate.
>>
>> Our reconfiguration checking script complains about a missing hunk in
>> lto-plugin/Makefile.in:
>>
>> diff --git a/lto-plugin/Makefile.in b/lto-plugin/Makefile.in
>> index cb568e1e09f..f6f5b020ff5 100644
>> --- a/lto-plugin/Makefile.in
>> +++ b/lto-plugin/Makefile.in
>> @@ -298,6 +298,7 @@ datadir = @datadir@
>> datarootdir = @datarootdir@
>> docdir = @docdir@
>> dvidir = @dvidir@
>> +enable_host_bind_now = @enable_host_bind_now@
>> exec_prefix = @exec_prefix@
>> gcc_build_dir = @gcc_build_dir@
>> get_gcc_base_ver = @get_gcc_base_ver@
>>
>>
>> I am somewhat puzzled why the line is not missing in any of the other
>> Makefile.in files. Can you please check whether that is the only thing
>> that is missing (assuming it is actually missing)?
>
> Arg, once again, I'm sorry. I don't know how this happened. It would
> be trivial to fix it but since
>
> commit 4a48a38fa99f067b8f3a3d1a5dc7a1e602db351f
> Author: Eric Botcazou
> Date: Wed Jun 21 18:19:36 2023 +0200
>
> ada: Fix build of GNAT tools
>
> the build with Ada included fails with --enable-host-pie. So that needs
> to be fixed first.
>
> Eric, I'm not asking you to fix that, but I'm curious, what did the
> commit above fix? The patch looks correct; I'm just puzzled why I
> hadn't seen any build failures.
>
> The --enable-host-pie patch has been a nightmare :(.
>

No worries, I can see how these things can easily get difficult.

Unfortunately I won't have time to actually look at this in the next 2-3
weeks, so I am inclined to just trust the verification script (which
essentially runs autoconf/automake everywhere and then expects no diff)
and commit the one-line change. What do you think, does that make sense
(even without looking at why other Makefile.in files did not change)?

Thanks,

Martin
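
Review bot: the lto-plugin/ChangeLog entry quoted above lists only configure.ac and configure, so committing the added line "enable_host_bind_now = @enable_host_bind_now@" in lto-plugin/Makefile.in should come with a "* Makefile.in: Regenerate." entry for that directory. Because Makefile.in is automake output, the line is best taken from a rerun of automake rather than typed in by hand, so that the file stays byte-identical to what the verification script regenerates.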
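
The readelf check quoted in the thread shows only the BIND_NOW flags, while the GOT becomes read-only only when a GNU_RELRO segment is present as well. The following is an added example, not part of the original message or of the GCC patch: a shell classifier over readelf output, in which the function names and the sample readelf text are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: classify RELRO hardening from readelf output.
#   $1 = text of `readelf -Wl FILE` (program headers)
#   $2 = text of `readelf -Wd FILE` (dynamic section)
# Prints full, partial or none.
classify_relro() {
    local phdrs="$1" dyn="$2" relro=no now
    # PT_GNU_RELRO is the segment the loader remaps read-only after relocation.
    if printf '%s\n' "$phdrs" | grep -Eq '^[[:space:]]*GNU_RELRO[[:space:]]'; then
        relro=yes
    fi
    # Eager binding: DF_BIND_NOW in FLAGS, DF_1_NOW in FLAGS_1, or a DT_BIND_NOW entry.
    now=$(printf '%s\n' "$dyn" | awk '
        /\(FLAGS\)/   && /BIND_NOW/     { f = 1 }
        /\(FLAGS_1\)/ && /[ :]NOW( |$)/ { f = 1 }
        /\(BIND_NOW\)/                  { f = 1 }
        END { print (f ? "yes" : "no") }')
    if [ "$relro" = yes ] && [ "$now" = yes ]; then
        echo full      # relocations resolved at load time, whole GOT read-only
    elif [ "$relro" = yes ]; then
        echo partial   # lazy binding keeps .got.plt writable
    else
        echo none      # no RELRO segment: the GOT stays writable even with -z now
    fi
}

# Run the classifier on a real file (needs binutils readelf).
check_elf() {
    classify_relro "$(readelf -Wl "$1")" "$(readelf -Wd "$1")"
}

# Constructed sample input, modelled on the readelf lines quoted in the thread.
SAMPLE_DYN=' 0x000000000000001e (FLAGS)              BIND_NOW
 0x000000006ffffffb (FLAGS_1)            Flags: NOW PIE'
SAMPLE_LAZY_DYN=' 0x000000006ffffffb (FLAGS_1)            Flags: PIE'
SAMPLE_PHDRS='  LOAD           0x000000 0x0000000000000000 0x0000000000000000 0x000628 0x000628 R   0x1000
  GNU_RELRO      0x002db8 0x0000000000003db8 0x0000000000003db8 0x000248 0x000248 R   0x1'

# Usage: pass ELF files as arguments, e.g. the cc1 and cc1plus from a build tree.
for f in "$@"; do
    printf '%s: %s\n' "$f" "$(check_elf "$f")"
done
```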