From e80299c56b86d907b1ea226d8214b22da39e0cb6 Mon Sep 17 00:00:00 2001 From: Michael Brown Date: Thu, 4 Feb 2021 02:05:28 +0000 Subject: [build] Work around -fPIE patched versions of gcc on all architectures Several distributions include versions of gcc that are patched to create position-independent executables by default. These have caused multiple problems over the years: see e.g. commits fe61f6d ("[build] Fix compilation when gcc is patched to default to -fPIE -Wl,-pie"), 5de1346 ("[build] Apply the "-fno-PIE -nopie" workaround only to i386 builds"), 7c395b0 ("[build] Use -no-pie on newer versions of gcc"), and decee20 ("[build] Disable position-independent code for ARM64 EFI builds"). The build system currently attempts to work around these mildly broken patched versions of gcc for the i386 and arm64 architectures. This misses the relatively obscure bin-x86_64-pcbios build platform, which turns out to also require the same workaround. Attempt to preempt the next such required workaround by moving the existing i386 version to apply to all platforms and all architectures, unless -fpie has been requested explicitly by another Makefile (as is done by arch/x86_64/Makefile.efi). Signed-off-by: Michael Brown --- src/Makefile.housekeeping | 27 +++++++++++++++++++++++++++ src/arch/arm64/Makefile.efi | 4 ---- src/arch/i386/Makefile | 16 ---------------- 3 files changed, 27 insertions(+), 20 deletions(-) diff --git a/src/Makefile.housekeeping b/src/Makefile.housekeeping index f379ff4..b3fa045 100644 --- a/src/Makefile.housekeeping +++ b/src/Makefile.housekeeping @@ -376,6 +376,33 @@ endif ############################################################################### # +# Especially ugly workarounds + +# Some widespread patched versions of gcc include -fPIE -Wl,-pie by +# default. Note that gcc will exit *successfully* if it fails to +# recognise an option that starts with "no", so we have to test for +# output on stderr instead of checking the exit status. +# +# Current versions of gcc require -no-pie; older versions require +# -nopie. We therefore test for both. +# +# This workaround must be determined only after the +# architecture-specific Makefile has been included, since some +# platforms (e.g. bin-x86_64-efi) will explicitly require the use of +# -fpie. +# +ifeq ($(filter -fpie,$(CFLAGS)),) +ifeq ($(CCTYPE),gcc) +PIE_TEST = [ -z "`$(CC) -fno-PIE -no-pie -x c -c /dev/null -o /dev/null 2>&1`" ] +PIE_FLAGS := $(shell $(PIE_TEST) && $(ECHO) '-fno-PIE -no-pie') +PIE_TEST2 = [ -z "`$(CC) -fno-PIE -nopie -x c -c /dev/null -o /dev/null 2>&1`" ] +PIE_FLAGS2 := $(shell $(PIE_TEST2) && $(ECHO) '-fno-PIE -nopie') +WORKAROUND_CFLAGS += $(PIE_FLAGS) $(PIE_FLAGS2) +endif +endif + +############################################################################### +# # Source file handling # Exclude known-insecure files from Secure Boot builds diff --git a/src/arch/arm64/Makefile.efi b/src/arch/arm64/Makefile.efi index eb04c0e..998a64d 100644 --- a/src/arch/arm64/Makefile.efi +++ b/src/arch/arm64/Makefile.efi @@ -1,9 +1,5 @@ # -*- makefile -*- : Force emacs to use Makefile mode -# Avoid untranslatable relocations -# -CFLAGS += -fno-pic - # Specify EFI image builder # ELF2EFI = $(ELF2EFI64) diff --git a/src/arch/i386/Makefile b/src/arch/i386/Makefile index b7c2792..e59f05f 100644 --- a/src/arch/i386/Makefile +++ b/src/arch/i386/Makefile @@ -69,22 +69,6 @@ CFLAGS += -fshort-wchar # CFLAGS += -Ui386 -# Some widespread patched versions of gcc include -fPIE -Wl,-pie by -# default. Note that gcc will exit *successfully* if it fails to -# recognise an option that starts with "no", so we have to test for -# output on stderr instead of checking the exit status. -# -# Current versions of gcc require -no-pie; older versions require -# -nopie. We therefore test for both. -# -ifeq ($(CCTYPE),gcc) -PIE_TEST = [ -z "`$(CC) -fno-PIE -no-pie -x c -c /dev/null -o /dev/null 2>&1`" ] -PIE_FLAGS := $(shell $(PIE_TEST) && $(ECHO) '-fno-PIE -no-pie') -PIE_TEST2 = [ -z "`$(CC) -fno-PIE -nopie -x c -c /dev/null -o /dev/null 2>&1`" ] -PIE_FLAGS2 := $(shell $(PIE_TEST2) && $(ECHO) '-fno-PIE -nopie') -WORKAROUND_CFLAGS += $(PIE_FLAGS) $(PIE_FLAGS2) -endif - # i386-specific directories containing source files # SRCDIRS += arch/i386/core -- cgit v1.1