|
 |
8af166 |
From 36362544fb039599c0eb58d839e90ffb5410ad27 Mon Sep 17 00:00:00 2001
|
|
|
8af166 |
From: Marek Polacek <polacek@redhat.com>
|
|
|
8af166 |
Date: Wed, 9 Feb 2022 15:18:43 -0500
|
|
|
8af166 |
Subject: [PATCH] configure: Implement --enable-host-bind-now
|
|
|
8af166 |
|
|
|
8af166 |
As promised in the --enable-host-pie patch, this patch adds another
|
|
|
8af166 |
configure option, --enable-host-bind-now, which adds -z now when linking
|
|
|
8af166 |
the compiler executables in order to extend hardening. BIND_NOW with RELRO
|
|
|
8af166 |
allows the GOT to be marked RO; this prevents GOT modification attacks.
|
|
|
8af166 |
|
|
|
8af166 |
This option does not affect linking of target libraries; you can use
|
|
|
8af166 |
LDFLAGS_FOR_TARGET=-Wl,-z,relro,-z,now to enable RELRO/BIND_NOW.
|
|
|
8af166 |
|
|
|
8af166 |
Bootstrapped/regtested on x86_64-pc-linux-gnu (with the option enabled vs
|
|
|
8af166 |
not enabled). I suppose this is GCC 13 material, but maybe I'll get some
|
|
|
8af166 |
comments anyway.
|
|
|
8af166 |
|
|
|
8af166 |
c++tools/ChangeLog:
|
|
|
8af166 |
|
|
|
8af166 |
* configure.ac (--enable-host-bind-now): New check.
|
|
|
8af166 |
* configure: Regenerate.
|
|
|
8af166 |
|
|
|
8af166 |
gcc/ChangeLog:
|
|
|
8af166 |
|
|
|
8af166 |
* configure.ac (--enable-host-bind-now): New check. Add
|
|
|
8af166 |
-Wl,-z,now to LD_PICFLAG if --enable-host-bind-now.
|
|
|
8af166 |
* configure: Regenerate.
|
|
|
8af166 |
* doc/install.texi: Document --enable-host-bind-now.
|
|
|
8af166 |
|
|
|
8af166 |
lto-plugin/ChangeLog:
|
|
|
8af166 |
|
|
|
8af166 |
* configure.ac (--enable-host-bind-now): New check. Link with
|
|
|
8af166 |
-z,now.
|
|
|
8af166 |
* configure: Regenerate.
|
|
|
8af166 |
---
|
|
|
8af166 |
c++tools/configure | 11 +++++++++++
|
|
|
8af166 |
c++tools/configure.ac | 7 +++++++
|
|
|
8af166 |
gcc/configure | 20 ++++++++++++++++++--
|
|
|
8af166 |
gcc/configure.ac | 13 ++++++++++++-
|
|
|
8af166 |
gcc/doc/install.texi | 6 ++++++
|
|
|
8af166 |
lto-plugin/configure | 20 ++++++++++++++++++--
|
|
|
8af166 |
lto-plugin/configure.ac | 11 +++++++++++
|
|
|
8af166 |
7 files changed, 83 insertions(+), 5 deletions(-)
|
|
|
8af166 |
|
|
|
8af166 |
diff --git a/c++tools/configure b/c++tools/configure
|
|
|
8af166 |
index c1aceb8404a..25432b5040d 100755
|
|
|
8af166 |
--- a/c++tools/configure
|
|
|
8af166 |
+++ b/c++tools/configure
|
|
|
8af166 |
@@ -631,6 +631,7 @@ ac_ct_CC
|
|
|
8af166 |
CFLAGS
|
|
|
8af166 |
CC
|
|
|
8af166 |
LD_PICFLAG
|
|
|
8af166 |
+enable_host_bind_now
|
|
|
8af166 |
PICFLAG
|
|
|
8af166 |
MAINTAINER
|
|
|
8af166 |
CXX_AUX_TOOLS
|
|
|
8af166 |
@@ -704,6 +705,7 @@ enable_c___tools
|
|
|
8af166 |
enable_maintainer_mode
|
|
|
8af166 |
enable_default_pie
|
|
|
8af166 |
enable_host_pie
|
|
|
8af166 |
+enable_host_bind_now
|
|
|
8af166 |
with_gcc_major_version_only
|
|
|
8af166 |
'
|
|
|
8af166 |
ac_precious_vars='build_alias
|
|
|
8af166 |
@@ -1336,6 +1338,7 @@ Optional Features:
|
|
|
8af166 |
configurey bits
|
|
|
8af166 |
--enable-default-pie enable Position Independent Executable as default
|
|
|
8af166 |
--enable-host-pie build host code as PIE
|
|
|
8af166 |
+ --enable-host-bind-now link host code as BIND_NOW
|
|
|
8af166 |
|
|
|
8af166 |
Optional Packages:
|
|
|
8af166 |
--with-PACKAGE[=ARG] use PACKAGE [ARG=yes]
|
|
|
8af166 |
@@ -3009,6 +3012,14 @@ fi
|
|
|
8af166 |
|
|
|
8af166 |
|
|
|
8af166 |
|
|
|
8af166 |
+# Enable --enable-host-bind-now
|
|
|
8af166 |
+# Check whether --enable-host-bind-now was given.
|
|
|
8af166 |
+if test "${enable_host_bind_now+set}" = set; then :
|
|
|
8af166 |
+ enableval=$enable_host_bind_now; LD_PICFLAG="$LD_PICFLAG -Wl,-z,now"
|
|
|
8af166 |
+fi
|
|
|
8af166 |
+
|
|
|
8af166 |
+
|
|
|
8af166 |
+
|
|
|
8af166 |
|
|
|
8af166 |
# Check if O_CLOEXEC is defined by fcntl
|
|
|
8af166 |
ac_ext=c
|
|
|
8af166 |
diff --git a/c++tools/configure.ac b/c++tools/configure.ac
|
|
|
8af166 |
index 1e42689f2eb..d3f23f66f00 100644
|
|
|
8af166 |
--- a/c++tools/configure.ac
|
|
|
8af166 |
+++ b/c++tools/configure.ac
|
|
|
8af166 |
@@ -110,6 +110,13 @@ AC_ARG_ENABLE(host-pie,
|
|
|
8af166 |
[build host code as PIE])],
|
|
|
8af166 |
[PICFLAG=-fPIE; LD_PICFLAG=-pie], [])
|
|
|
8af166 |
AC_SUBST(PICFLAG)
|
|
|
8af166 |
+
|
|
|
8af166 |
+# Enable --enable-host-bind-now
|
|
|
8af166 |
+AC_ARG_ENABLE(host-bind-now,
|
|
|
8af166 |
+[AS_HELP_STRING([--enable-host-bind-now],
|
|
|
8af166 |
+ [link host code as BIND_NOW])],
|
|
|
8af166 |
+[LD_PICFLAG="$LD_PICFLAG -Wl,-z,now"], [])
|
|
|
8af166 |
+AC_SUBST(enable_host_bind_now)
|
|
|
8af166 |
AC_SUBST(LD_PICFLAG)
|
|
|
8af166 |
|
|
|
8af166 |
# Check if O_CLOEXEC is defined by fcntl
|
|
|
8af166 |
diff --git a/gcc/configure b/gcc/configure
|
|
|
8af166 |
index 2ded5d4c50b..5671dc7dcf4 100755
|
|
|
8af166 |
--- a/gcc/configure
|
|
|
8af166 |
+++ b/gcc/configure
|
|
|
8af166 |
@@ -635,6 +635,7 @@ CET_HOST_FLAGS
|
|
|
8af166 |
LD_PICFLAG
|
|
|
8af166 |
PICFLAG
|
|
|
8af166 |
enable_default_pie
|
|
|
8af166 |
+enable_host_bind_now
|
|
|
8af166 |
enable_host_pie
|
|
|
8af166 |
enable_host_shared
|
|
|
8af166 |
enable_plugin
|
|
|
8af166 |
@@ -1023,6 +1024,7 @@ enable_version_specific_runtime_libs
|
|
|
8af166 |
enable_plugin
|
|
|
8af166 |
enable_host_shared
|
|
|
8af166 |
enable_host_pie
|
|
|
8af166 |
+enable_host_bind_now
|
|
|
8af166 |
enable_libquadmath_support
|
|
|
8af166 |
with_linker_hash_style
|
|
|
8af166 |
with_diagnostics_color
|
|
|
8af166 |
@@ -1786,6 +1788,7 @@ Optional Features:
|
|
|
8af166 |
--enable-plugin enable plugin support
|
|
|
8af166 |
--enable-host-shared build host code as shared libraries
|
|
|
8af166 |
--enable-host-pie build host code as PIE
|
|
|
8af166 |
+ --enable-host-bind-now link host code as BIND_NOW
|
|
|
8af166 |
--disable-libquadmath-support
|
|
|
8af166 |
disable libquadmath support for Fortran
|
|
|
8af166 |
--enable-default-pie enable Position Independent Executable as default
|
|
|
8af166 |
@@ -32109,6 +32112,14 @@ fi
|
|
|
8af166 |
|
|
|
8af166 |
|
|
|
8af166 |
|
|
|
8af166 |
+# Enable --enable-host-bind-now
|
|
|
8af166 |
+# Check whether --enable-host-bind-now was given.
|
|
|
8af166 |
+if test "${enable_host_bind_now+set}" = set; then :
|
|
|
8af166 |
+ enableval=$enable_host_bind_now;
|
|
|
8af166 |
+fi
|
|
|
8af166 |
+
|
|
|
8af166 |
+
|
|
|
8af166 |
+
|
|
|
8af166 |
# Check whether --enable-libquadmath-support was given.
|
|
|
8af166 |
if test "${enable_libquadmath_support+set}" = set; then :
|
|
|
8af166 |
enableval=$enable_libquadmath_support; ENABLE_LIBQUADMATH_SUPPORT=$enableval
|
|
|
8af166 |
@@ -32295,6 +32306,8 @@ else
|
|
|
8af166 |
PICFLAG=
|
|
|
8af166 |
fi
|
|
|
8af166 |
|
|
|
8af166 |
+
|
|
|
8af166 |
+
|
|
|
8af166 |
if test x$enable_host_pie = xyes; then
|
|
|
8af166 |
LD_PICFLAG=-pie
|
|
|
8af166 |
elif test x$gcc_cv_no_pie = xyes; then
|
|
|
8af166 |
@@ -32303,6 +32316,9 @@ else
|
|
|
8af166 |
LD_PICFLAG=
|
|
|
8af166 |
fi
|
|
|
8af166 |
|
|
|
8af166 |
+if test x$enable_host_bind_now = xyes; then
|
|
|
8af166 |
+ LD_PICFLAG="$LD_PICFLAG -Wl,-z,now"
|
|
|
8af166 |
+fi
|
|
|
8af166 |
|
|
|
8af166 |
|
|
|
8af166 |
|
|
|
8af166 |
diff --git a/gcc/configure.ac b/gcc/configure.ac
|
|
|
8af166 |
index dca995aeec7..6017bcbc8c6 100644
|
|
|
8af166 |
--- a/gcc/configure.ac
|
|
|
8af166 |
+++ b/gcc/configure.ac
|
|
|
8af166 |
@@ -7497,6 +7497,12 @@ AC_ARG_ENABLE(host-pie,
|
|
|
8af166 |
[build host code as PIE])])
|
|
|
8af166 |
AC_SUBST(enable_host_pie)
|
|
|
8af166 |
|
|
|
8af166 |
+# Enable --enable-host-bind-now
|
|
|
8af166 |
+AC_ARG_ENABLE(host-bind-now,
|
|
|
8af166 |
+[AS_HELP_STRING([--enable-host-bind-now],
|
|
|
8af166 |
+ [link host code as BIND_NOW])])
|
|
|
8af166 |
+AC_SUBST(enable_host_bind_now)
|
|
|
8af166 |
+
|
|
|
8af166 |
AC_ARG_ENABLE(libquadmath-support,
|
|
|
8af166 |
[AS_HELP_STRING([--disable-libquadmath-support],
|
|
|
8af166 |
[disable libquadmath support for Fortran])],
|
|
|
8af166 |
@@ -7638,6 +7644,8 @@ else
|
|
|
8af166 |
PICFLAG=
|
|
|
8af166 |
fi
|
|
|
8af166 |
|
|
|
8af166 |
+AC_SUBST([PICFLAG])
|
|
|
8af166 |
+
|
|
|
8af166 |
if test x$enable_host_pie = xyes; then
|
|
|
8af166 |
LD_PICFLAG=-pie
|
|
|
8af166 |
elif test x$gcc_cv_no_pie = xyes; then
|
|
|
8af166 |
@@ -7646,7 +7654,10 @@ else
|
|
|
8af166 |
LD_PICFLAG=
|
|
|
8af166 |
fi
|
|
|
8af166 |
|
|
|
8af166 |
-AC_SUBST([PICFLAG])
|
|
|
8af166 |
+if test x$enable_host_bind_now = xyes; then
|
|
|
8af166 |
+ LD_PICFLAG="$LD_PICFLAG -Wl,-z,now"
|
|
|
8af166 |
+fi
|
|
|
8af166 |
+
|
|
|
8af166 |
AC_SUBST([LD_PICFLAG])
|
|
|
8af166 |
|
|
|
8af166 |
# Enable Intel CET on Intel CET enabled host if jit is enabled.
|
|
|
8af166 |
diff --git a/gcc/doc/install.texi b/gcc/doc/install.texi
|
|
|
8af166 |
index 9747f832a75..b59af198d3e 100644
|
|
|
8af166 |
--- a/gcc/doc/install.texi
|
|
|
8af166 |
+++ b/gcc/doc/install.texi
|
|
|
8af166 |
@@ -1041,6 +1041,12 @@ protection against Return Oriented Programming (ROP) attacks.
|
|
|
8af166 |
in which case @option{-fPIC} is used when compiling, and @option{-pie} when
|
|
|
8af166 |
linking.
|
|
|
8af166 |
|
|
|
8af166 |
+@item --enable-host-bind-now
|
|
|
8af166 |
+Specify that the @emph{host} executables should be linked with the option
|
|
|
8af166 |
+@option{-Wl,-z,now}, which means that the dynamic linker will resolve all
|
|
|
8af166 |
+symbols when the executables are started, and that in turn allows RELRO to
|
|
|
8af166 |
+mark the GOT read-only, resulting in better security.
|
|
|
8af166 |
+
|
|
|
8af166 |
@item @anchor{with-gnu-as}--with-gnu-as
|
|
|
8af166 |
Specify that the compiler should assume that the
|
|
|
8af166 |
assembler it finds is the GNU assembler. However, this does not modify
|
|
|
8af166 |
diff --git a/lto-plugin/configure b/lto-plugin/configure
|
|
|
8af166 |
index baa84adbb6c..669ccaede52 100755
|
|
|
8af166 |
--- a/lto-plugin/configure
|
|
|
8af166 |
+++ b/lto-plugin/configure
|
|
|
8af166 |
@@ -656,6 +656,7 @@ accel_dir_suffix
|
|
|
8af166 |
gcc_build_dir
|
|
|
8af166 |
CET_HOST_FLAGS
|
|
|
8af166 |
ac_lto_plugin_ldflags
|
|
|
8af166 |
+enable_host_bind_now
|
|
|
8af166 |
ac_lto_plugin_warn_cflags
|
|
|
8af166 |
EGREP
|
|
|
8af166 |
GREP
|
|
|
8af166 |
@@ -771,6 +772,7 @@ enable_maintainer_mode
|
|
|
8af166 |
with_libiberty
|
|
|
8af166 |
enable_dependency_tracking
|
|
|
8af166 |
enable_largefile
|
|
|
8af166 |
+enable_host_bind_now
|
|
|
8af166 |
enable_cet
|
|
|
8af166 |
with_gcc_major_version_only
|
|
|
8af166 |
enable_shared
|
|
|
8af166 |
@@ -1418,6 +1420,7 @@ Optional Features:
|
|
|
8af166 |
--disable-dependency-tracking
|
|
|
8af166 |
speeds up one-time build
|
|
|
8af166 |
--disable-largefile omit support for large files
|
|
|
8af166 |
+ --enable-host-bind-now link host code as BIND_NOW
|
|
|
8af166 |
--enable-cet enable Intel CET in host libraries [default=auto]
|
|
|
8af166 |
--enable-shared[=PKGS] build shared libraries [default=yes]
|
|
|
8af166 |
--enable-static[=PKGS] build static libraries [default=yes]
|
|
|
8af166 |
@@ -5662,6 +5665,19 @@ if test "x$have_static_libgcc" = xyes; then
|
|
|
8af166 |
ac_lto_plugin_ldflags="-Wc,-static-libgcc"
|
|
|
8af166 |
fi
|
|
|
8af166 |
|
|
|
8af166 |
+# Enable --enable-host-bind-now
|
|
|
8af166 |
+# Check whether --enable-host-bind-now was given.
|
|
|
8af166 |
+if test "${enable_host_bind_now+set}" = set; then :
|
|
|
8af166 |
+ enableval=$enable_host_bind_now;
|
|
|
8af166 |
+fi
|
|
|
8af166 |
+
|
|
|
8af166 |
+
|
|
|
8af166 |
+
|
|
|
8af166 |
+if test x$enable_host_bind_now = xyes; then
|
|
|
8af166 |
+ ac_lto_plugin_ldflags="$ac_lto_plugin_ldflags -Wl,-z,now"
|
|
|
8af166 |
+fi
|
|
|
8af166 |
+
|
|
|
8af166 |
+
|
|
|
8af166 |
|
|
|
8af166 |
# Check whether --enable-cet was given.
|
|
|
8af166 |
if test "${enable_cet+set}" = set; then :
|
|
|
8af166 |
diff --git a/lto-plugin/configure.ac b/lto-plugin/configure.ac
|
|
|
8af166 |
index 7e6f729e9dc..5d5fea8fe70 100644
|
|
|
8af166 |
--- a/lto-plugin/configure.ac
|
|
|
8af166 |
+++ b/lto-plugin/configure.ac
|
|
|
8af166 |
@@ -25,6 +25,17 @@ LDFLAGS="$saved_LDFLAGS"
|
|
|
8af166 |
if test "x$have_static_libgcc" = xyes; then
|
|
|
8af166 |
ac_lto_plugin_ldflags="-Wc,-static-libgcc"
|
|
|
8af166 |
fi
|
|
|
8af166 |
+
|
|
|
8af166 |
+# Enable --enable-host-bind-now
|
|
|
8af166 |
+AC_ARG_ENABLE(host-bind-now,
|
|
|
8af166 |
+[AS_HELP_STRING([--enable-host-bind-now],
|
|
|
8af166 |
+ [link host code as BIND_NOW])])
|
|
|
8af166 |
+AC_SUBST(enable_host_bind_now)
|
|
|
8af166 |
+
|
|
|
8af166 |
+if test x$enable_host_bind_now = xyes; then
|
|
|
8af166 |
+ ac_lto_plugin_ldflags="$ac_lto_plugin_ldflags -Wl,-z,now"
|
|
|
8af166 |
+fi
|
|
|
8af166 |
+
|
|
|
8af166 |
AC_SUBST(ac_lto_plugin_ldflags)
|
|
|
8af166 |
|
|
|
8af166 |
GCC_CET_HOST_FLAGS(CET_HOST_FLAGS)
|
|
|
8af166 |
|
|
|
8af166 |
base-commit: bf799d3409cb9a189114a6c9ff5b7cd123915764
|
|
|
8af166 |
--
|
|
|
8af166 |
2.34.1
|
|
|
8af166 |
|