authorMarek Polacek <polacek@redhat.com>2022-11-10 16:33:03 -0500
committerMarek Polacek <polacek@redhat.com>2022-11-22 20:32:18 -0500
commit251c72a68af3a8b0638705b73ef120ffdf0053eb (patch)
treea187b2e4bcfa9277983d2fa35fb5af088c4a3a87 /fixincludes
parentd0e4cdb48b75434f27e6874c5b7c386eb167f340 (diff)
configure: Implement --enable-host-pie
This patch implements the --enable-host-pie configure option which makes the compiler executables PIE. This can be used to enhance protection against ROP attacks, and can be viewed as part of a wider trend to harden binaries. It is similar to the option --enable-host-shared, except that --e-h-s won't add -shared to the linker flags whereas --e-h-p will add -pie. It is different from --enable-default-pie because that option just adds an implicit -fPIE/-pie when the compiler is invoked, but the compiler itself isn't PIE. Since r12-5768-gfe7c3ecf, PCH works well with PIE, so there are no PCH regressions. When building the compiler, the build process may use various in-tree libraries; these need to be built with -fPIE so that it's possible to use them when building a PIE. For instance, when --with-included-gettext is in effect, intl object files must be compiled with -fPIE. Similarly, when building in-tree gmp, isl, mpfr and mpc, they must be compiled with -fPIE. I plan to add an option to link with -Wl,-z,now. ChangeLog: * Makefile.def: Pass $(PICFLAG) to AM_CFLAGS for gmp, mpfr, mpc, and isl. * Makefile.in: Regenerate. * Makefile.tpl: Set PICFLAG. * configure.ac (--enable-host-pie): New check. Set PICFLAG after this check. * configure: Regenerate. c++tools/ChangeLog: * Makefile.in: Rename PIEFLAG to PICFLAG. Set LD_PICFLAG. Use it. Use pic/libiberty.a if PICFLAG is set. * configure.ac (--enable-default-pie): Set PICFLAG instead of PIEFLAG. (--enable-host-pie): New check. * configure: Regenerate. fixincludes/ChangeLog: * Makefile.in: Set and use PICFLAG and LD_PICFLAG. Use the "pic" build of libiberty if PICFLAG is set. * configure.ac: * configure: Regenerate. gcc/ChangeLog: * Makefile.in: Set LD_PICFLAG. Use it. Set enable_host_pie. Remove NO_PIE_CFLAGS and NO_PIE_FLAG. Pass LD_PICFLAG to ALL_LINKERFLAGS. Use the "pic" build of libiberty if --enable-host-pie. * configure.ac (--enable-host-shared): Don't set PICFLAG here. (--enable-host-pie): New check. 
Set PICFLAG and LD_PICFLAG after this check. * configure: Regenerate. * doc/install.texi: Document --enable-host-pie. gcc/d/ChangeLog: * Make-lang.in: Remove NO_PIE_CFLAGS. intl/ChangeLog: * Makefile.in: Use @PICFLAG@ in COMPILE as well. * configure.ac (--enable-host-shared): Don't set PICFLAG here. (--enable-host-pie): New check. Set PICFLAG after this check. * configure: Regenerate. libcody/ChangeLog: * Makefile.in: Pass LD_PICFLAG to LDFLAGS. * configure.ac (--enable-host-shared): Don't set PICFLAG here. (--enable-host-pie): New check. Set PICFLAG and LD_PICFLAG after this check. * configure: Regenerate. libcpp/ChangeLog: * configure.ac (--enable-host-shared): Don't set PICFLAG here. (--enable-host-pie): New check. Set PICFLAG after this check. * configure: Regenerate. libdecnumber/ChangeLog: * configure.ac (--enable-host-shared): Don't set PICFLAG here. (--enable-host-pie): New check. Set PICFLAG after this check. * configure: Regenerate. libiberty/ChangeLog: * configure.ac: Also set shared when enable_host_pie. * configure: Regenerate. zlib/ChangeLog: * configure.ac (--enable-host-shared): Don't set PICFLAG here. (--enable-host-pie): New check. Set PICFLAG after this check. * configure: Regenerate.
Diffstat (limited to 'fixincludes')
-rw-r--r--fixincludes/Makefile.in14
-rwxr-xr-xfixincludes/configure13
-rw-r--r--fixincludes/configure.ac8
3 files changed, 31 insertions, 4 deletions
diff --git a/fixincludes/Makefile.in b/fixincludes/Makefile.in
index 1937dca..990c08e 100644
--- a/fixincludes/Makefile.in
+++ b/fixincludes/Makefile.in
@@ -30,6 +30,8 @@ CC = @CC@
CFLAGS = @CFLAGS@
WARN_CFLAGS = @WARN_CFLAGS@ @WARN_PEDANTIC@ @WERROR@
LDFLAGS = @LDFLAGS@
+PICFLAG = @PICFLAG@
+LD_PICFLAG = @LD_PICFLAG@
INCLUDES = -I. -I$(srcdir) -I../include -I$(srcdir)/../include
FIXINC_CFLAGS = -DHAVE_CONFIG_H $(INCLUDES)
@@ -73,7 +75,7 @@ default : all
# Now figure out from those variables how to compile and link.
.c.o:
- $(CC) -c $(CFLAGS) $(WARN_CFLAGS) $(CPPFLAGS) $(FIXINC_CFLAGS) $<
+ $(CC) -c $(CFLAGS) $(PICFLAG) $(WARN_CFLAGS) $(CPPFLAGS) $(FIXINC_CFLAGS) $<
# The only suffixes we want for implicit rules are .c and .o.
.SUFFIXES:
@@ -87,7 +89,11 @@ default : all
##
## # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
+ifeq ($(PICFLAG),)
LIBIBERTY=../libiberty/libiberty.a
+else
+LIBIBERTY=../libiberty/pic/libiberty.a
+endif
ALLOBJ = fixincl.o fixtests.o fixfixes.o server.o procopen.o \
fixlib.o fixopts.o
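Review bot: The `ifeq ($(PICFLAG),)` switch carries no comment explaining why a second libiberty archive is selected, and it keys on `PICFLAG` while the link recipes changed later in this file pass `LD_PICFLAG`. A comment above the conditional would record that coupling, for example `# A -pie link needs position-independent objects, so take libiberty's pic build whenever PICFLAG is set.` `$(LIBIBERTY)` is a prerequisite of the link targets and nothing in the visible hunks builds it, so it is worth confirming that `../libiberty/pic/libiberty.a` always exists when this directory is configured with `--enable-host-pie`. The commit message indicates libiberty's configure.ac was changed for that purpose.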
@@ -107,15 +113,15 @@ oneprocess : full-stamp
twoprocess : test-stamp $(AF)
full-stamp : $(ALLOBJ) $(LIBIBERTY)
- $(CC) $(CFLAGS) $(LDFLAGS) -o $(FI) $(ALLOBJ) $(LIBIBERTY)
+ $(CC) $(CFLAGS) $(PICFLAG) $(LDFLAGS) $(LD_PICFLAG) -o $(FI) $(ALLOBJ) $(LIBIBERTY)
$(STAMP) $@
test-stamp : $(TESTOBJ) $(LIBIBERTY)
- $(CC) $(CFLAGS) $(LDFLAGS) -o $(FI) $(TESTOBJ) $(LIBIBERTY)
+ $(CC) $(CFLAGS) $(PICFLAG) $(LDFLAGS) $(LD_PICFLAG) -o $(FI) $(TESTOBJ) $(LIBIBERTY)
$(STAMP) $@
$(AF): $(FIXOBJ) $(LIBIBERTY)
- $(CC) $(CFLAGS) $(LDFLAGS) -o $@ $(FIXOBJ) $(LIBIBERTY)
+ $(CC) $(CFLAGS) $(PICFLAG) $(LDFLAGS) $(LD_PICFLAG) -o $@ $(FIXOBJ) $(LIBIBERTY)
$(ALLOBJ) : $(HDR)
fixincl.o : fixincl.c $(srcdir)/fixincl.x
diff --git a/fixincludes/configure b/fixincludes/configure
index b3bca66..67a7597 100755
--- a/fixincludes/configure
+++ b/fixincludes/configure
@@ -623,6 +623,8 @@ ac_subst_vars='LTLIBOBJS
LIBOBJS
get_gcc_base_ver
MAINT
+LD_PICFLAG
+PICFLAG
TARGET
target_noncanonical
WERROR
@@ -695,6 +697,7 @@ enable_option_checking
enable_werror_always
with_local_prefix
enable_twoprocess
+enable_host_pie
enable_maintainer_mode
with_gcc_major_version_only
'
@@ -1323,6 +1326,7 @@ Optional Features:
--enable-FEATURE[=ARG] include FEATURE [ARG=yes]
--enable-werror-always enable -Werror despite compiler version
--enable-twoprocess Use a separate process to apply the fixes
+ --enable-host-pie build host code as PIE
--enable-maintainer-mode enable make rules and dependencies not useful
(and sometimes confusing) to the casual installer
@@ -4835,6 +4839,15 @@ $as_echo "#define SEPARATE_FIX_PROC 1" >>confdefs.h
fi
+# Enable --enable-host-pie.
+# Check whether --enable-host-pie was given.
+if test "${enable_host_pie+set}" = set; then :
+ enableval=$enable_host_pie; PICFLAG=-fPIE; LD_PICFLAG=-pie
+fi
+
+
+
+
case $host in
vax-dec-bsd* )
diff --git a/fixincludes/configure.ac b/fixincludes/configure.ac
index 14813b9..ec8534f 100644
--- a/fixincludes/configure.ac
+++ b/fixincludes/configure.ac
@@ -68,6 +68,14 @@ if test $TARGET = twoprocess; then
[Define if testing and fixing are done by separate process])
fi
+# Enable --enable-host-pie.
+AC_ARG_ENABLE(host-pie,
+[AS_HELP_STRING([--enable-host-pie],
+ [build host code as PIE])],
+[PICFLAG=-fPIE; LD_PICFLAG=-pie], [])
+AC_SUBST(PICFLAG)
+AC_SUBST(LD_PICFLAG)
+
case $host in
vax-dec-bsd* )
AC_DEFINE(exit, xexit, [Define to xexit if the host system does not support atexit])
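Review bot: The action-if-given argument of `AC_ARG_ENABLE(host-pie, ...)` sets `PICFLAG=-fPIE; LD_PICFLAG=-pie` without looking at `$enableval`, so `--disable-host-pie` or `--enable-host-pie=no` would also switch PIE on. The regenerated configure in this commit shows the same unconditional assignment under `test "${enable_host_pie+set}" = set`. Guarding the assignment keeps the hardening state of the build equal to what was requested: `[if test x"$enableval" = xyes; then PICFLAG=-fPIE; LD_PICFLAG=-pie; fi], [])`. The two variables are also not initialised before the check in the visible lines, so values inherited from the environment would presumably reach `AC_SUBST` unchanged. Setting `PICFLAG=` and `LD_PICFLAG=` ahead of the macro would rule that out.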