diff options
| author | Marek Polacek <polacek@redhat.com> | 2023-05-03 17:06:13 -0400 |
|---|---|---|
| committer | Marek Polacek <polacek@redhat.com> | 2023-06-15 16:51:27 -0400 |
| commit | b6cb10af12cf869c1ae348c0e5cb2d364ef0abce (patch) | |
| tree | 88f9cea1c453c72689c6ff178f0bc4c5542ced55 /configure | |
| parent | 6a2e8dcbbd4bab374b27abea375bf7a921047800 (diff) | |
| download | gcc-b6cb10af12cf869c1ae348c0e5cb2d364ef0abce.zip gcc-b6cb10af12cf869c1ae348c0e5cb2d364ef0abce.tar.gz gcc-b6cb10af12cf869c1ae348c0e5cb2d364ef0abce.tar.bz2 | |
configure: Implement --enable-host-pie
[ This is my third attempt to add this configure option. The first
version was approved but it came too late in the development cycle.
The second version was also approved, but I had to revert it:
<https://gcc.gnu.org/pipermail/gcc-patches/2022-November/607082.html>.
I've fixed the problem (by moving $(PICFLAG) from INTERNAL_CFLAGS to
ALL_COMPILERFLAGS). Another change is that since r13-4536 I no longer
need to touch Makefile.def, so this patch is simplified. ]
This patch implements the --enable-host-pie configure option which
makes the compiler executables PIE. This can be used to enhance
protection against ROP attacks, and can be viewed as part of a wider
trend to harden binaries.
It is similar to the option --enable-host-shared, except that --e-h-s
won't add -shared to the linker flags whereas --e-h-p will add -pie.
It is different from --enable-default-pie because that option just
adds an implicit -fPIE/-pie when the compiler is invoked, but the
compiler itself isn't PIE.
Since r12-5768-gfe7c3ecf, PCH works well with PIE, so there are no PCH
regressions.
When building the compiler, the build process may use various in-tree
libraries; these need to be built with -fPIE so that it's possible to
use them when building a PIE. For instance, when --with-included-gettext
is in effect, intl object files must be compiled with -fPIE. Similarly,
when building in-tree gmp, isl, mpfr and mpc, they must be compiled with
-fPIE.
With this patch and --enable-host-pie used to configure gcc:
$ file gcc/cc1{,plus,obj,gm2} gcc/f951 gcc/lto1 gcc/cpp gcc/go1 gcc/rust1 gcc/gnat1
gcc/cc1: ELF 64-bit LSB pie executable, x86-64, version 1 (GNU/Linux), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, BuildID[sha1]=98e22cde129d304aa6f33e61b1c39e144aeb135e, for GNU/Linux 3.2.0, with debug_info, not stripped
gcc/cc1plus: ELF 64-bit LSB pie executable, x86-64, version 1 (GNU/Linux), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, BuildID[sha1]=859d1ea37e43dfe50c18fd4e3dd9a34bb1db8f77, for GNU/Linux 3.2.0, with debug_info, not stripped
gcc/cc1obj: ELF 64-bit LSB pie executable, x86-64, version 1 (GNU/Linux), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, BuildID[sha1]=1964f8ecee6163182bc26134e2ac1f324816e434, for GNU/Linux 3.2.0, with debug_info, not stripped
gcc/cc1gm2: ELF 64-bit LSB pie executable, x86-64, version 1 (GNU/Linux), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, BuildID[sha1]=a396672c7ff913d21855829202e7b02ecf42ff4c, for GNU/Linux 3.2.0, with debug_info, not stripped
gcc/f951: ELF 64-bit LSB pie executable, x86-64, version 1 (GNU/Linux), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, BuildID[sha1]=59c523db893186547ac75c7a71f48be0a461c06b, for GNU/Linux 3.2.0, with debug_info, not stripped
gcc/lto1: ELF 64-bit LSB pie executable, x86-64, version 1 (GNU/Linux), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, BuildID[sha1]=084a7b77df7be2d63c2d4c655b5bbc3fcdb6038d, for GNU/Linux 3.2.0, with debug_info, not stripped
gcc/cpp: ELF 64-bit LSB pie executable, x86-64, version 1 (GNU/Linux), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, BuildID[sha1]=3503bf8390d219a10d6653b8560aa21158132168, for GNU/Linux 3.2.0, with debug_info, not stripped
gcc/go1: ELF 64-bit LSB pie executable, x86-64, version 1 (GNU/Linux), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, BuildID[sha1]=988cc673af4fba5dcb482f4b34957b99050a68c5, for GNU/Linux 3.2.0, with debug_info, not stripped
gcc/rust1: ELF 64-bit LSB pie executable, x86-64, version 1 (GNU/Linux), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, BuildID[sha1]=b6a5d3d514446c4dcdee0707f086ab9b274a8a3c, for GNU/Linux 3.2.0, with debug_info, not stripped
gcc/gnat1: ELF 64-bit LSB pie executable, x86-64, version 1 (GNU/Linux), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, BuildID[sha1]=bb11ccdc2c366fe3fe0980476bcd8ca19b67f9dc, for GNU/Linux 3.2.0, with debug_info, not stripped
I plan to add an option to link with -Wl,-z,now.
Bootstrapped on x86_64-pc-linux-gnu with --with-included-gettext
--enable-host-pie as well as without --enable-host-pie. Also tested
on a Debian system where the system gcc was configured with
--enable-default-pie.
Co-Authored by: Iain Sandoe <iain@sandoe.co.uk>
ChangeLog:
* configure.ac (--enable-host-pie): New check. Set PICFLAG after this
check.
* configure: Regenerate.
c++tools/ChangeLog:
* Makefile.in: Rename PIEFLAG to PICFLAG. Set LD_PICFLAG. Use it.
Use pic/libiberty.a if PICFLAG is set.
* configure.ac (--enable-default-pie): Set PICFLAG instead of PIEFLAG.
(--enable-host-pie): New check.
* configure: Regenerate.
fixincludes/ChangeLog:
* Makefile.in: Set and use PICFLAG and LD_PICFLAG. Use the "pic"
build of libiberty if PICFLAG is set.
* configure.ac:
* configure: Regenerate.
gcc/ChangeLog:
* Makefile.in: Set LD_PICFLAG. Use it. Set enable_host_pie.
Remove NO_PIE_CFLAGS and NO_PIE_FLAG. Pass LD_PICFLAG to
ALL_LINKERFLAGS. Use the "pic" build of libiberty if --enable-host-pie.
* configure.ac (--enable-host-shared): Don't set PICFLAG here.
(--enable-host-pie): New check. Set PICFLAG and LD_PICFLAG after this
check.
* configure: Regenerate.
* doc/install.texi: Document --enable-host-pie.
gcc/ada/ChangeLog:
* gcc-interface/Make-lang.in (ALL_ADAFLAGS): Remove NO_PIE_CFLAGS. Add
PICFLAG. Use PICFLAG when building ada/b_gnat1.o and ada/b_gnatb.o.
* gcc-interface/Makefile.in: Use pic/libiberty.a if PICFLAG is set.
Remove NO_PIE_FLAG.
gcc/m2/ChangeLog:
* Make-lang.in: New var, GM2_PICFLAGS. Use it.
gcc/d/ChangeLog:
* Make-lang.in: Remove NO_PIE_CFLAGS.
intl/ChangeLog:
* Makefile.in: Use @PICFLAG@ in COMPILE as well.
* configure.ac (--enable-host-shared): Don't set PICFLAG here.
(--enable-host-pie): New check. Set PICFLAG after this check.
* configure: Regenerate.
libcody/ChangeLog:
* Makefile.in: Pass LD_PICFLAG to LDFLAGS.
* configure.ac (--enable-host-shared): Don't set PICFLAG here.
(--enable-host-pie): New check. Set PICFLAG and LD_PICFLAG after this
check.
* configure: Regenerate.
libcpp/ChangeLog:
* configure.ac (--enable-host-shared): Don't set PICFLAG here.
(--enable-host-pie): New check. Set PICFLAG after this check.
* configure: Regenerate.
libdecnumber/ChangeLog:
* configure.ac (--enable-host-shared): Don't set PICFLAG here.
(--enable-host-pie): New check. Set PICFLAG after this check.
* configure: Regenerate.
libiberty/ChangeLog:
* configure.ac: Also set shared when enable_host_pie.
* configure: Regenerate.
zlib/ChangeLog:
* configure.ac (--enable-host-shared): Don't set PICFLAG here.
(--enable-host-pie): New check. Set PICFLAG after this check.
* configure: Regenerate.
Diffstat (limited to 'configure')
| -rwxr-xr-x | configure | 49 |
1 files changed, 47 insertions, 2 deletions
@@ -687,7 +687,9 @@ extra_host_zlib_configure_flags extra_host_libiberty_configure_flags stage1_languages host_libs_picflag +PICFLAG host_shared +host_pie extra_linker_plugin_flags extra_linker_plugin_configure_flags islinc @@ -830,6 +832,7 @@ enable_isl_version_check enable_lto enable_linker_plugin_configure_flags enable_linker_plugin_flags +enable_host_pie enable_host_shared enable_stage1_languages enable_objc_gc @@ -1558,6 +1561,7 @@ Optional Features: --enable-linker-plugin-flags=FLAGS additional flags for configuring and building linker plugins [none] + --enable-host-pie build position independent host executables --enable-host-shared build host code as shared libraries --enable-stage1-languages[=all] choose additional languages to build during stage1. @@ -8645,6 +8649,30 @@ fi +# Enable --enable-host-pie. +# Checked early to determine whether jit is an 'all' language +# Check whether --enable-host-pie was given. +if test "${enable_host_pie+set}" = set; then : + enableval=$enable_host_pie; host_pie=$enableval + case $host in + x86_64-*-darwin* | aarch64-*-darwin*) + if test x$host_pie != xyes ; then + # PIC is the default, and actually cannot be switched off. + echo configure.ac: warning: PIC code is required for the configured target, host-shared setting ignored. 1>&2 + host_pie=yes + fi ;; + *) ;; + esac +else + case $host in + *-*-darwin2*) host_pie=yes ;; + *) host_pie=no ;; + esac +fi + + + + # Enable --enable-host-shared. # Checked early to determine whether jit is an 'all' language # Check whether --enable-host-shared was given. @@ -8657,23 +8685,40 @@ if test "${enable_host_shared+set}" = set; then : echo configure.ac: warning: PIC code is required for the configured target, host-shared setting ignored. 1>&2 host_shared=yes fi ;; + *-*-darwin*) + if test x$host_pie == xyes ; then + echo configure.ac: warning: PIC code is required for PIE executables. 1>&2 + host_shared=yes + fi ;; *) ;; esac else case $host in x86_64-*-darwin* | aarch64-*-darwin*) host_shared=yes ;; - *) host_shared=no ;; + # Darwin needs PIC objects to link PIE executables. + *-*-darwin*) host_shared=host_pie ;; + *) host_shared=no;; esac fi +if test x$host_shared = xyes; then + PICFLAG=-fPIC +elif test x$host_pie = xyes; then + PICFLAG=-fPIE +else + PICFLAG= +fi + + + # If we are building PIC/PIE host executables, and we are building dependent # libs (e.g. GMP) in-tree those libs need to be configured to generate PIC # code. host_libs_picflag= -if test "$host_shared" = "yes";then +if test "$host_shared" = "yes" -o "$host_pie" = "yes"; then host_libs_picflag='--with-pic' fi |