author Marek Polacek <polacek@redhat.com> 2023-06-22 11:30:01 -0400
committer Marek Polacek <polacek@redhat.com> 2023-06-22 13:43:32 -0400
commit 33ebb0dff9bb022f1e0709e0e73faabfc3df7931
tree 857cc8336fcbe426044fe759571d437032fb6b2a /gcc/doc
parent 4ced8363622b31910cda61796a28fe2cbf70faa7
configure: Implement --enable-host-bind-now

As promised in the --enable-host-pie patch, this patch adds another
configure option, --enable-host-bind-now, which adds -z now when linking
the compiler executables in order to extend hardening. BIND_NOW with RELRO
allows the GOT to be marked RO; this prevents GOT modification attacks.

This option does not affect linking of target libraries; you can use
LDFLAGS_FOR_TARGET=-Wl,-z,relro,-z,now to enable RELRO/BIND_NOW.

With this patch:
$ readelf -Wd cc1{,plus,obj,gm2} f951 lto1 cpp rust1 gnat1 | grep FLAGS
 0x000000000000001e (FLAGS)              BIND_NOW
 0x000000006ffffffb (FLAGS_1)            Flags: NOW PIE
 0x000000000000001e (FLAGS)              BIND_NOW
 0x000000006ffffffb (FLAGS_1)            Flags: NOW PIE
 0x000000000000001e (FLAGS)              BIND_NOW
 0x000000006ffffffb (FLAGS_1)            Flags: NOW PIE
 0x000000000000001e (FLAGS)              BIND_NOW
 0x000000006ffffffb (FLAGS_1)            Flags: NOW PIE
 0x000000000000001e (FLAGS)              BIND_NOW
 0x000000006ffffffb (FLAGS_1)            Flags: NOW PIE
 0x000000000000001e (FLAGS)              BIND_NOW
 0x000000006ffffffb (FLAGS_1)            Flags: NOW PIE
 0x000000000000001e (FLAGS)              BIND_NOW
 0x000000006ffffffb (FLAGS_1)            Flags: NOW PIE
 0x000000000000001e (FLAGS)              BIND_NOW
 0x000000006ffffffb (FLAGS_1)            Flags: NOW PIE
 0x000000000000001e (FLAGS)              BIND_NOW
 0x000000006ffffffb (FLAGS_1)            Flags: NOW PIE

c++tools/ChangeLog:

    * configure.ac (--enable-host-bind-now): New check.
    * configure: Regenerate.

gcc/ChangeLog:

    * configure.ac (--enable-host-bind-now): New check. Add
    -Wl,-z,now to LD_PICFLAG if --enable-host-bind-now.
    * configure: Regenerate.
    * doc/install.texi: Document --enable-host-bind-now.

lto-plugin/ChangeLog:

    * configure.ac (--enable-host-bind-now): New check. Link with
    -z,now.
    * configure: Regenerate.

Diffstat (limited to 'gcc/doc')
-rw-r--r-- gcc/doc/install.texi 6
1 files changed, 6 insertions, 0 deletions
diff --git a/gcc/doc/install.texi b/gcc/doc/install.texi
index a38d293..e099cd0 100644
--- a/gcc/doc/install.texi
+++ b/gcc/doc/install.texi
@@ -1095,6 +1095,12 @@ protection against Return Oriented Programming (ROP) attacks.
in which case @option{-fPIC} is used when compiling, and @option{-pie} when
linking.
+@item --enable-host-bind-now
+Specify that the @emph{host} executables should be linked with the option
+@option{-Wl,-z,now}, which means that the dynamic linker will resolve all
+symbols when the executables are started, and that in turn allows RELRO to
+mark the GOT read-only, resulting in better security.
+
@item @anchor{with-gnu-as}--with-gnu-as
Specify that the compiler should assume that the
assembler it finds is the GNU assembler. However, this does not modify
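Review bot: the new @item --enable-host-bind-now text mentions RELRO but does not say whether this option turns RELRO on or assumes the host link already uses -z relro; as written, a reader can take -Wl,-z,now alone to make the GOT read-only. Suggest stating that dependency explicitly, and carrying over from the commit message that target libraries are not affected and need LDFLAGS_FOR_TARGET=-Wl,-z,relro,-z,now. "resulting in better security" could name the threat the commit message names (GOT modification attacks), in the same way the preceding entry names ROP. The following --with-gnu-as item carries an @anchor; adding one here would let other entries cross-reference this option.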