| Field | Value | Date |
|---|---|---|
| author | Marek Polacek <polacek@redhat.com> | 2022-11-10 16:33:03 -0500 |
| committer | Marek Polacek <polacek@redhat.com> | 2022-11-22 20:32:18 -0500 |
| commit | 251c72a68af3a8b0638705b73ef120ffdf0053eb (patch) | |
| tree | a187b2e4bcfa9277983d2fa35fb5af088c4a3a87 /gcc | |
| parent | d0e4cdb48b75434f27e6874c5b7c386eb167f340 (diff) | |
configure: Implement --enable-host-pie
This patch implements the --enable-host-pie configure option which
makes the compiler executables PIE. This can be used to enhance
protection against ROP attacks, and can be viewed as part of a wider
trend to harden binaries.
It is similar to the option --enable-host-shared, except that --e-h-s
won't add -shared to the linker flags whereas --e-h-p will add -pie.
It is different from --enable-default-pie because that option just
adds an implicit -fPIE/-pie when the compiler is invoked, but the
compiler itself isn't PIE.
Since r12-5768-gfe7c3ecf, PCH works well with PIE, so there are no PCH
regressions.
When building the compiler, the build process may use various in-tree
libraries; these need to be built with -fPIE so that it's possible to
use them when building a PIE. For instance, when --with-included-gettext
is in effect, intl object files must be compiled with -fPIE. Similarly,
when building in-tree gmp, isl, mpfr and mpc, they must be compiled with
-fPIE.
I plan to add an option to link with -Wl,-z,now.
ChangeLog:
* Makefile.def: Pass $(PICFLAG) to AM_CFLAGS for gmp, mpfr, mpc, and
isl.
* Makefile.in: Regenerate.
* Makefile.tpl: Set PICFLAG.
* configure.ac (--enable-host-pie): New check. Set PICFLAG after this
check.
* configure: Regenerate.
c++tools/ChangeLog:
* Makefile.in: Rename PIEFLAG to PICFLAG. Set LD_PICFLAG. Use it.
Use pic/libiberty.a if PICFLAG is set.
* configure.ac (--enable-default-pie): Set PICFLAG instead of PIEFLAG.
(--enable-host-pie): New check.
* configure: Regenerate.
fixincludes/ChangeLog:
* Makefile.in: Set and use PICFLAG and LD_PICFLAG. Use the "pic"
build of libiberty if PICFLAG is set.
* configure.ac:
* configure: Regenerate.
gcc/ChangeLog:
* Makefile.in: Set LD_PICFLAG. Use it. Set enable_host_pie.
Remove NO_PIE_CFLAGS and NO_PIE_FLAG. Pass LD_PICFLAG to
ALL_LINKERFLAGS. Use the "pic" build of libiberty if --enable-host-pie.
* configure.ac (--enable-host-shared): Don't set PICFLAG here.
(--enable-host-pie): New check. Set PICFLAG and LD_PICFLAG after this
check.
* configure: Regenerate.
* doc/install.texi: Document --enable-host-pie.
gcc/d/ChangeLog:
* Make-lang.in: Remove NO_PIE_CFLAGS.
intl/ChangeLog:
* Makefile.in: Use @PICFLAG@ in COMPILE as well.
* configure.ac (--enable-host-shared): Don't set PICFLAG here.
(--enable-host-pie): New check. Set PICFLAG after this check.
* configure: Regenerate.
libcody/ChangeLog:
* Makefile.in: Pass LD_PICFLAG to LDFLAGS.
* configure.ac (--enable-host-shared): Don't set PICFLAG here.
(--enable-host-pie): New check. Set PICFLAG and LD_PICFLAG after this
check.
* configure: Regenerate.
libcpp/ChangeLog:
* configure.ac (--enable-host-shared): Don't set PICFLAG here.
(--enable-host-pie): New check. Set PICFLAG after this check.
* configure: Regenerate.
libdecnumber/ChangeLog:
* configure.ac (--enable-host-shared): Don't set PICFLAG here.
(--enable-host-pie): New check. Set PICFLAG after this check.
* configure: Regenerate.
libiberty/ChangeLog:
* configure.ac: Also set shared when enable_host_pie.
* configure: Regenerate.
zlib/ChangeLog:
* configure.ac (--enable-host-shared): Don't set PICFLAG here.
(--enable-host-pie): New check. Set PICFLAG after this check.
* configure: Regenerate.
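As an added example (not part of this patch or of GCC itself), the following Python checker classifies a built host binary the way the configure logic in this patch distinguishes its three outcomes: ET_DYN with a PT_INTERP is what -fPIE/-pie produces, ET_EXEC is what -no-pie produces, and ET_DYN without an interpreter is a shared object. It also reports DF_BIND_NOW/DF_1_NOW in the dynamic section, which is the flag a future -Wl,-z,now link would set. It reads the ELF headers directly, so it needs no readelf or checksec. The sample ELF images come from build_sample_elf, which constructs minimal, non-loadable files for demonstration; the usage line assumes the cc1 path is obtained with gcc -print-prog-name=cc1.

```python
"""Classify an ELF64 binary as PIE, non-PIE executable or shared object,
and report whether it was linked with -Wl,-z,now (BIND_NOW).

Added example, not part of the GCC patch. Only little-endian ELF64 is
handled (enough for x86-64 / aarch64 hosts).

Usage (path assumed to come from gcc -print-prog-name=cc1):
    python3 check_pie.py "$(gcc -print-prog-name=cc1)"
"""
import struct
import sys

# Constants from elf.h.
ET_EXEC, ET_DYN = 2, 3
PT_DYNAMIC, PT_INTERP = 2, 3
DT_NULL, DT_FLAGS, DT_FLAGS_1 = 0, 30, 0x6FFFFFFB
DF_BIND_NOW, DF_1_NOW = 0x8, 0x1

EHDR = struct.Struct("<16sHHIQQQIHHHHHH")   # Elf64_Ehdr, 64 bytes
PHDR = struct.Struct("<IIQQQQQQ")           # Elf64_Phdr, 56 bytes
DYN = struct.Struct("<qQ")                  # Elf64_Dyn, 16 bytes


def classify_elf(data):
    """Return {'kind': 'PIE'|'EXEC'|'DSO', 'bind_now': bool} for ELF bytes."""
    if len(data) < EHDR.size or data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    if data[4] != 2 or data[5] != 1:
        raise ValueError("only little-endian ELF64 is supported here")
    (_, e_type, _, _, _, e_phoff, _, _, _, e_phentsize, e_phnum,
     _, _, _) = EHDR.unpack_from(data, 0)

    has_interp = False
    dyn_off = dyn_size = 0
    for i in range(e_phnum):
        p_type, _, p_offset, _, _, p_filesz, _, _ = PHDR.unpack_from(
            data, e_phoff + i * e_phentsize)
        if p_type == PT_INTERP:
            has_interp = True          # needs ld.so: an executable, not a .so
        elif p_type == PT_DYNAMIC:
            dyn_off, dyn_size = p_offset, p_filesz

    # -Wl,-z,now appears as DF_BIND_NOW in DT_FLAGS and/or DF_1_NOW in DT_FLAGS_1.
    bind_now = False
    for off in range(dyn_off, dyn_off + dyn_size, DYN.size):
        d_tag, d_val = DYN.unpack_from(data, off)
        if d_tag == DT_NULL:
            break
        if (d_tag == DT_FLAGS and d_val & DF_BIND_NOW) or \
           (d_tag == DT_FLAGS_1 and d_val & DF_1_NOW):
            bind_now = True

    if e_type == ET_EXEC:
        kind = "EXEC"    # fixed load address: the -no-pie outcome
    elif e_type == ET_DYN and has_interp:
        kind = "PIE"     # ET_DYN plus interpreter: the -fPIE/-pie outcome
    elif e_type == ET_DYN:
        kind = "DSO"     # ET_DYN without interpreter: a shared library
        # Caveat: a static-pie also lacks PT_INTERP and lands here.
    else:
        raise ValueError("unexpected e_type %d" % e_type)
    return {"kind": kind, "bind_now": bind_now}


def build_sample_elf(e_type, interp=True, flags=0, flags1=0):
    """Constructed, non-loadable ELF64 image carrying only the fields the
    classifier inspects: e_type, an optional PT_INTERP and a .dynamic section."""
    dyn = b"".join(DYN.pack(t, v) for t, v in
                   [(DT_FLAGS, flags), (DT_FLAGS_1, flags1), (DT_NULL, 0)])
    interp_str = b"/lib64/ld-linux-x86-64.so.2\0"
    phnum = 2 if interp else 1
    phoff = EHDR.size
    dyn_off = phoff + phnum * PHDR.size
    interp_off = dyn_off + len(dyn)
    phdrs = PHDR.pack(PT_DYNAMIC, 6, dyn_off, 0, 0, len(dyn), len(dyn), 8)
    if interp:
        phdrs += PHDR.pack(PT_INTERP, 4, interp_off, 0, 0,
                           len(interp_str), len(interp_str), 1)
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)   # ELF64, LE, v1
    ehdr = EHDR.pack(ident, e_type, 62, 1, 0, phoff, 0, 0, EHDR.size,
                     PHDR.size, phnum, 0, 0, 0)           # 62 = EM_X86_64
    return ehdr + phdrs + dyn + interp_str


def main(argv):
    if len(argv) < 2:
        print("usage: check_pie.py <elf-file>...", file=sys.stderr)
        return 2
    for path in argv[1:]:
        with open(path, "rb") as f:
            info = classify_elf(f.read())
        print("%s: %s%s" % (path, info["kind"],
                            ", BIND_NOW" if info["bind_now"] else ""))
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it against cc1 and cc1plus of a tree configured with --enable-host-pie and you should see PIE; a tree configured without it (so PICFLAG=-fno-PIE and LD_PICFLAG=-no-pie) reports EXEC. A host with ASLR disabled still loads a PIE at a fixed address, so the classification says the binary is relocatable, not that it was randomized.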
Diffstat (limited to 'gcc')
| Mode | File | Lines changed |
|---|---|---|
| -rw-r--r-- | gcc/Makefile.in | 29 |
| -rwxr-xr-x | gcc/configure | 47 |
| -rw-r--r-- | gcc/configure.ac | 36 |
| -rw-r--r-- | gcc/d/Make-lang.in | 2 |
| -rw-r--r-- | gcc/doc/install.texi | 16 |
5 files changed, 91 insertions, 39 deletions
diff --git a/gcc/Makefile.in b/gcc/Makefile.in index 5ad638f..5a78c74 100644 --- a/gcc/Makefile.in +++ b/gcc/Makefile.in @@ -158,6 +158,9 @@ LDFLAGS = @LDFLAGS@ # Should we build position-independent host code? PICFLAG = @PICFLAG@ +# The linker flag for the above. +LD_PICFLAG = @LD_PICFLAG@ + # Flags to determine code coverage. When coverage is disabled, this will # contain the optimization flags, as you normally want code coverage # without optimization. @@ -266,18 +269,17 @@ LINKER = $(CC) LINKER_FLAGS = $(CFLAGS) endif +enable_host_pie = @enable_host_pie@ + # Enable Intel CET on Intel CET enabled host if needed. CET_HOST_FLAGS = @CET_HOST_FLAGS@ COMPILER += $(CET_HOST_FLAGS) -NO_PIE_CFLAGS = @NO_PIE_CFLAGS@ -NO_PIE_FLAG = @NO_PIE_FLAG@ - -# We don't want to compile the compilers with -fPIE, it make PCH fail. -COMPILER += $(NO_PIE_CFLAGS) +# Maybe compile the compilers with -fPIE or -fPIC. +COMPILER += $(PICFLAG) -# Link with -no-pie since we compile the compiler with -fno-PIE. -LINKER += $(NO_PIE_FLAG) +# Link with -pie, or -no-pie, depending on the above. +LINKER += $(LD_PICFLAG) # Like LINKER, but use a mutex for serializing front end links. ifeq (@DO_LINK_MUTEX@,true) 
@@ -1060,18 +1062,21 @@ ALL_CPPFLAGS = $(INCLUDES) $(CPPFLAGS) ALL_COMPILERFLAGS = $(ALL_CXXFLAGS) # This is the variable to use when using $(LINKER). -ALL_LINKERFLAGS = $(ALL_CXXFLAGS) +ALL_LINKERFLAGS = $(ALL_CXXFLAGS) $(LD_PICFLAG) # Build and host support libraries. -# Use the "pic" build of libiberty if --enable-host-shared, unless we are -# building for mingw. +# Use the "pic" build of libiberty if --enable-host-shared or --enable-host-pie, +# unless we are building for mingw. LIBIBERTY_PICDIR=$(if $(findstring mingw,$(target)),,pic) -ifeq ($(enable_host_shared),yes) +ifneq ($(enable_host_shared)$(enable_host_pie),) LIBIBERTY = ../libiberty/$(LIBIBERTY_PICDIR)/libiberty.a -BUILD_LIBIBERTY = $(build_libobjdir)/libiberty/$(LIBIBERTY_PICDIR)/libiberty.a else LIBIBERTY = ../libiberty/libiberty.a +endif +ifeq ($(enable_host_shared),yes) +BUILD_LIBIBERTY = $(build_libobjdir)/libiberty/$(LIBIBERTY_PICDIR)/libiberty.a +else BUILD_LIBIBERTY = $(build_libobjdir)/libiberty/libiberty.a endif diff --git a/gcc/configure b/gcc/configure index aa09609..f631830 100755 --- a/gcc/configure +++ b/gcc/configure @@ -632,10 +632,10 @@ ac_includes_default="\ ac_subst_vars='LTLIBOBJS LIBOBJS CET_HOST_FLAGS -NO_PIE_FLAG -NO_PIE_CFLAGS -enable_default_pie +LD_PICFLAG PICFLAG +enable_default_pie +enable_host_pie enable_host_shared enable_plugin pluginlibs @@ -1025,6 +1025,7 @@ enable_link_serialization enable_version_specific_runtime_libs enable_plugin enable_host_shared +enable_host_pie enable_libquadmath_support with_linker_hash_style with_diagnostics_color @@ -1787,6 +1788,7 @@ Optional Features: in a compiler-specific directory --enable-plugin enable plugin support --enable-host-shared build host code as shared libraries + --enable-host-pie build host code as PIE --disable-libquadmath-support disable libquadmath support for Fortran --enable-default-pie enable Position Independent Executable as default 
@@ -19710,7 +19712,7 @@ else lt_dlunknown=0; lt_dlno_uscore=1; lt_dlneed_uscore=2 lt_status=$lt_dlunknown cat > conftest.$ac_ext <<_LT_EOF -#line 19713 "configure" +#line 19727 "configure" #include "confdefs.h" #if HAVE_DLFCN_H @@ -19816,7 +19818,7 @@ else lt_dlunknown=0; lt_dlno_uscore=1; lt_dlneed_uscore=2 lt_status=$lt_dlunknown cat > conftest.$ac_ext <<_LT_EOF -#line 19819 "configure" +#line 19833 "configure" #include "confdefs.h" #if HAVE_DLFCN_H @@ -31945,13 +31947,17 @@ fi # Enable --enable-host-shared # Check whether --enable-host-shared was given. if test "${enable_host_shared+set}" = set; then : - enableval=$enable_host_shared; PICFLAG=-fPIC -else - PICFLAG= + enableval=$enable_host_shared; fi +# Enable --enable-host-pie +# Check whether --enable-host-pie was given. +if test "${enable_host_pie+set}" = set; then : + enableval=$enable_host_pie; +fi + # Check whether --enable-libquadmath-support was given. @@ -32105,10 +32111,6 @@ rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext fi { $as_echo "$as_me:${as_lineno-$LINENO}: result: $gcc_cv_c_no_fpie" >&5 $as_echo "$gcc_cv_c_no_fpie" >&6; } -if test "$gcc_cv_c_no_fpie" = "yes"; then - NO_PIE_CFLAGS="-fno-PIE" -fi - # Check if -no-pie works. { $as_echo "$as_me:${as_lineno-$LINENO}: checking for -no-pie option" >&5 
@@ -32133,11 +32135,28 @@ rm -f core conftest.err conftest.$ac_objext \ fi { $as_echo "$as_me:${as_lineno-$LINENO}: result: $gcc_cv_no_pie" >&5 $as_echo "$gcc_cv_no_pie" >&6; } -if test "$gcc_cv_no_pie" = "yes"; then - NO_PIE_FLAG="-no-pie" + +if test x$enable_host_shared = xyes; then + PICFLAG=-fPIC +elif test x$enable_host_pie = xyes; then + PICFLAG=-fPIE +elif test x$gcc_cv_c_no_fpie = xyes; then + PICFLAG=-fno-PIE +else + PICFLAG= +fi + +if test x$enable_host_pie = xyes; then + LD_PICFLAG=-pie +elif test x$gcc_cv_no_pie = xyes; then + LD_PICFLAG=-no-pie +else + LD_PICFLAG= fi + + # Enable Intel CET on Intel CET enabled host if jit is enabled. # Check whether --enable-cet was given. if test "${enable_cet+set}" = set; then : diff --git a/gcc/configure.ac b/gcc/configure.ac index 7c55bff..f5b23b9 100644 --- a/gcc/configure.ac +++ b/gcc/configure.ac @@ -7364,11 +7364,14 @@ fi # Enable --enable-host-shared AC_ARG_ENABLE(host-shared, [AS_HELP_STRING([--enable-host-shared], - [build host code as shared libraries])], -[PICFLAG=-fPIC], [PICFLAG=]) + [build host code as shared libraries])]) AC_SUBST(enable_host_shared) -AC_SUBST(PICFLAG) +# Enable --enable-host-pie +AC_ARG_ENABLE(host-pie, +[AS_HELP_STRING([--enable-host-pie], + [build host code as PIE])]) +AC_SUBST(enable_host_pie) AC_ARG_ENABLE(libquadmath-support, [AS_HELP_STRING([--disable-libquadmath-support], @@ -7490,10 +7493,6 @@ AC_CACHE_CHECK([for -fno-PIE option], [gcc_cv_c_no_fpie=yes], [gcc_cv_c_no_fpie=no]) CXXFLAGS="$saved_CXXFLAGS"]) -if test "$gcc_cv_c_no_fpie" = "yes"; then - NO_PIE_CFLAGS="-fno-PIE" -fi -AC_SUBST([NO_PIE_CFLAGS]) # Check if -no-pie works. AC_CACHE_CHECK([for -no-pie option], 
@@ -7504,10 +7503,27 @@ AC_CACHE_CHECK([for -no-pie option], [gcc_cv_no_pie=yes], [gcc_cv_no_pie=no]) LDFLAGS="$saved_LDFLAGS"]) -if test "$gcc_cv_no_pie" = "yes"; then - NO_PIE_FLAG="-no-pie" + +if test x$enable_host_shared = xyes; then + PICFLAG=-fPIC +elif test x$enable_host_pie = xyes; then + PICFLAG=-fPIE +elif test x$gcc_cv_c_no_fpie = xyes; then + PICFLAG=-fno-PIE +else + PICFLAG= fi -AC_SUBST([NO_PIE_FLAG]) + +if test x$enable_host_pie = xyes; then + LD_PICFLAG=-pie +elif test x$gcc_cv_no_pie = xyes; then + LD_PICFLAG=-no-pie +else + LD_PICFLAG= +fi + +AC_SUBST([PICFLAG]) +AC_SUBST([LD_PICFLAG]) # Enable Intel CET on Intel CET enabled host if jit is enabled. GCC_CET_HOST_FLAGS(CET_HOST_FLAGS) diff --git a/gcc/d/Make-lang.in b/gcc/d/Make-lang.in index 6f9b2e5..dff0649 100644 --- a/gcc/d/Make-lang.in +++ b/gcc/d/Make-lang.in @@ -64,7 +64,7 @@ ALL_DFLAGS = $(DFLAGS-$@) $(GDCFLAGS) -fversion=IN_GCC $(CHECKING_DFLAGS) \ $(PICFLAG) $(ALIASING_FLAGS) $(NOEXCEPTION_DFLAGS) $(COVERAGE_FLAGS) \ $(WARN_DFLAGS) -DCOMPILE.base = $(GDC) $(NO_PIE_CFLAGS) -c $(ALL_DFLAGS) -o $@ +DCOMPILE.base = $(GDC) -c $(ALL_DFLAGS) -o $@ DCOMPILE = $(DCOMPILE.base) -MT $@ -MMD -MP -MF $(@D)/$(DEPDIR)/$(*F).TPo DPOSTCOMPILE = @mv $(@D)/$(DEPDIR)/$(*F).TPo $(@D)/$(DEPDIR)/$(*F).Po DLINKER = $(GDC) $(NO_PIE_FLAG) -lstdc++ diff --git a/gcc/doc/install.texi b/gcc/doc/install.texi index 589c649..b91fbe0 100644 --- a/gcc/doc/install.texi +++ b/gcc/doc/install.texi 
@@ -1026,14 +1026,26 @@ code. @item --enable-host-shared Specify that the @emph{host} code should be built into position-independent -machine code (with -fPIC), allowing it to be used within shared libraries, -but yielding a slightly slower compiler. +machine code (with @option{-fPIC}), allowing it to be used within shared +libraries, but yielding a slightly slower compiler. This option is required when building the libgccjit.so library. Contrast with @option{--enable-shared}, which affects @emph{target} libraries. +@item --enable-host-pie +Specify that the @emph{host} executables should be built into +position-independent executables (with @option{-fPIE} and @option{-pie}), +yielding a slightly slower compiler (but faster than +@option{--enable-host-shared}). Position-independent executables are loaded +at random addresses each time they are executed, therefore provide additional +protection against Return Oriented Programming (ROP) attacks. + +@option{--enable-host-pie}) may be used with @option{--enable-host-shared}), +in which case @option{-fPIC} is used when compiling, and @option{-pie} when +linking. + @item @anchor{with-gnu-as}--with-gnu-as Specify that the compiler should assume that the assembler it finds is the GNU assembler. However, this does not modify |
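Review bot: in the first gcc/Makefile.in hunk, `LINKER += $(LD_PICFLAG)` puts `-pie`/`-no-pie` on the link line once, and the next hunk's `ALL_LINKERFLAGS = $(ALL_CXXFLAGS) $(LD_PICFLAG)` adds it a second time for every front end link; the flag is idempotent so nothing breaks, but one of the two should be dropped. The new comment "Maybe compile the compilers with -fPIE or -fPIC" also hides the third outcome of the configure chain, where PICFLAG becomes `-fno-PIE`; say so in the comment, since that is the default on hosts whose compiler defaults to PIE.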
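Review bot: `ifneq ($(enable_host_shared)$(enable_host_pie),)` in the second gcc/Makefile.in hunk is true whenever either variable is non-empty, and `--disable-host-pie` or `--disable-host-shared` sets the substituted value to `no`, so such a configure would silently pick `../libiberty/pic/libiberty.a`. Test the value rather than emptiness, for example `ifneq ($(filter yes,$(enable_host_shared) $(enable_host_pie)),)`. The BUILD_LIBIBERTY selection below it keeps the old `ifeq ($(enable_host_shared),yes)` test, so the two are deliberately asymmetric; a one-line comment noting that the build-machine libiberty is unaffected by --enable-host-pie would spare the next reader the question.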
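Review bot: the gcc/configure.ac hunk that sets PICFLAG/LD_PICFLAG gives `--enable-host-shared` precedence in the first chain (`-fPIC`) while the second chain picks `-pie` whenever `--enable-host-pie` is set, so the combined outcome documented in install.texi (`-fPIC` when compiling, `-pie` when linking) depends on the order of the `elif` branches; add a comment above `if test x$enable_host_shared = xyes` saying the order is intentional. Also, `x$enable_host_pie = xyes` treats any other value (`--enable-host-pie=maybe`) as disabled without a diagnostic; either reject values other than yes/no or note in the help string that the option takes no argument.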
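Review bot: gcc/d/Make-lang.in drops `$(NO_PIE_CFLAGS)` from `DCOMPILE.base` (correct, since `ALL_DFLAGS` already carries `$(PICFLAG)`), but the unchanged context line `DLINKER = $(GDC) $(NO_PIE_FLAG) -lstdc++` still references `NO_PIE_FLAG`, which the gcc/Makefile.in hunk removes, so the D front end is now linked with no `-pie`/`-no-pie` at all. With PICFLAG=-fno-PIE on a host whose gdc defaults to PIE that link will fail, and with --enable-host-pie the D compiler would not be a PIE. Replace it with `DLINKER = $(GDC) $(LD_PICFLAG) -lstdc++` and mention it in the gcc/d ChangeLog entry.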
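Review bot: in the install.texi hunk, `@option{--enable-host-pie})` and `@option{--enable-host-shared})` each carry a stray closing parenthesis after the macro, which will appear literally in the rendered manual; drop both. The sentence "Position-independent executables are loaded at random addresses each time they are executed" should be qualified: PIE only makes randomization possible, and the address is randomized only when the host kernel's ASLR is enabled, so something like "can be loaded at a random address by the operating system" is more accurate and avoids overstating the ROP protection.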