From: Nix
To: Siddhesh Poyarekar
Cc: libc-alpha@sourceware.org
Subject: Re: [PATCH] Build libc-start with stack protector for SHARED
Date: Mon, 08 Feb 2021 19:06:57 +0000
Message-ID: <87y2fy1ir2.fsf@esperi.org.uk>

On 8 Feb 2021, Siddhesh Poyarekar told this:

> On 2/8/21 9:28 PM, Nix wrote:
>>> Also, I checked codegen for libc-start.os with libc-start.os with
>>> stack-protector-strong as well as -all and found no differences
>>> compared to not having stack-protector enabled, which seems logical
>>> from the compiler standpoint since the function technically does not
>>> return.
>>
>> That's curious. I checked it and found a *lot* of differences, though
>> mostly in debuginfo/CFI and harmless register allocation changes. (Maybe
>> this is platform-specific? This was with an x86-32 build... in any case,
>> things clearly still work!)
>
> Interesting, I would love to know your configuration, including what
> compiler+binutils you're using. I'm thinking of massaging the
> stack-protector bits a little more and your configuration could help
> me with better testing coverage.

Hah. I was hoping you wouldn't ask :P

My config for this is... weird: scripted autobuilders mean you can build
up fairly complex configuration, and I've definitely done that with the
toolchain here!

The machine the stack-protector-all patches were written for is a Geode
LX firewall (an aging Soekris net5501), with builds run on a much faster
x86_64 box with a biarch GCC 10: the installation root for all this
stuff is rsynced to the real machine nightly, and manually rsynced for
things like glibc builds where I want to check them out by hand right
away.

The compiler is hacked similarly to various distros' hardened
configurations, adding a 32-bit -march=geode multilib that jams in
different default specs, to wit extra C/C++ compiler flags of
"-fstack-clash-protection -fstack-protector-all", preprocessor flags of
-D_FORTIFY_SOURCE=2, and link flags of "-z relro -z now".
This works fine for almost all programs, but glibc wants more control
over the CFLAGS, so I reverse this hackery for glibc builds via -specs,
where the specs are dumped directly from an unmodified compiler, leaving
only the -m32 and the -march=geode:

export CPPFLAGS="-m32 -march=geode -specs=$SHAI_BUILD_CONFIG_PATH/scripts/specs.fold"
export CFLAGS="-O2 -m32 -march=geode -pipe -specs=$SHAI_BUILD_CONFIG_PATH/scripts/specs.fold -fomit-frame-pointer"
export ASFLAGS="-O2 -m32 -march=geode -pipe -specs=$SHAI_BUILD_CONFIG_PATH/scripts/specs.fold"
export ALL_LDFLAGS="-m32 -march=geode -specs=$SHAI_BUILD_CONFIG_PATH/scripts/specs.fold"

(glibc itself has a few light makefile modifications to make sure the
ALL_LDFLAGS, unlike the LDFLAGS, are passed to literally everything at
link time, so that the -specs are never accidentally omitted and the
stack protector state is exactly what glibc asks it to be).

(well, the -m32 is not actually there -- on all my machines,
/usr/bin/gcc and the other compiler drivers are replaced with a tiny
wrapper executable, statically linked to musl, which erases -m32 and
-m64 from the arguments and adds them back before invoking the real
driver, depending on whether the active personality is linux32 or
linux64. This means I can be sure that I never get a part-32/part-64
build, since personalities are inherited by subprocesses.)

But, honestly, most of the local modifications above, other than the
compiler driver wrapper, are doing something and then going to great
lengths to undo it again: a perfectly good test with an unmodified GCC
10.2 and binutils 2.35.x (I'm using a branch current as of 20201023) is
just to compile with "-O2 -m32 -march=geode" in the CFLAGS.
My usual configure line is perhaps a bit longer than is sane:

--build=i586-pc-linux-gnu --prefix=/usr --enable-shared --enable-bind-now \
--enable-maintainer-mode --enable-kernel=5.7.0 --enable-check-abi=warn \
--disable-werror --enable-hardcoded-path-in-tests \
--with-nonshared-cflags=-Wp,-D_FORTIFY_SOURCE=2 \
--enable-stackguard-randomization --enable-stack-protector=all \
--enable-tunables=no --build=i586-pc-linux-gnu TIMEOUTFACTOR=5

(these have been accumulated over many years: several of them have since
become the default, and I'm honestly not sure why I put some of them in
any more. In particular the --with-nonshared-cflags is a bit of a
mystery, but probably just trying to get everything fortified!)

All the non-Geodes use a slightly saner config: a CONFIG_SITE that sets
the slibdir appropriately depending on the bitness of the build, and
compiler flags of

export CFLAGS="-O2 -march=native -pipe -fomit-frame-pointer"
export ASFLAGS="-O2 -march=native -pipe"

... and this configure line for the x86_64 hosts (both 32-bit and
64-bit), which have actual native compilers so none of this multilib
nonsense is necessary:

--prefix=/usr --enable-shared --enable-bind-now --enable-maintainer-mode \
--enable-kernel=5.7.0 --enable-check-abi=warn --disable-werror \
--enable-hardcoded-path-in-tests \
--with-nonshared-cflags=-Wp,-D_FORTIFY_SOURCE=2 --enable-profile
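
The compiler-driver wrapper described in the message above, sketched as an added example (this is not the wrapper from the mail or code from the thread). The REAL_DRIVER path is hypothetical, and placing the re-added flag directly after argv[0] is an assumption.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/personality.h>

/* Hypothetical location of the real compiler driver (assumption). */
#define REAL_DRIVER "/usr/libexec/real-gcc"

/* Query the execution domain without changing it: 0xffffffff is the
   documented "query only" argument to personality(2). */
static int persona_is_linux32(void)
{
    int p = personality(0xffffffff);
    return p != -1 && (p & PER_MASK) == PER_LINUX32;
}

/* Copy argv into out, dropping every -m32/-m64 and inserting the single
   bitness flag chosen by is32 right after argv[0].  out must have room
   for argc + 2 pointers.  Returns the new argument count. */
static int rewrite_args(int argc, char **argv, int is32, char **out)
{
    int n = 0;
    out[n++] = argv[0];
    out[n++] = is32 ? "-m32" : "-m64";
    for (int i = 1; i < argc; i++) {
        if (strcmp(argv[i], "-m32") == 0 || strcmp(argv[i], "-m64") == 0)
            continue;               /* caller's choice is discarded */
        out[n++] = argv[i];
    }
    out[n] = NULL;                  /* execv() needs a NULL terminator */
    return n;
}

int main(int argc, char **argv)
{
    char **out = calloc((size_t)argc + 2, sizeof *out);
    if (out == NULL)
        return 1;
    rewrite_args(argc, argv, persona_is_linux32(), out);
    execv(REAL_DRIVER, out);
    perror(REAL_DRIVER);            /* only reached if execv() failed */
    return 127;
}
```

Because the personality is inherited across fork and exec, every compiler invocation in a build started under linux32 gets the same flag, whatever the makefiles pass.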