diff options
| author | Marek Polacek <polacek@redhat.com> | 2023-06-22 11:30:01 -0400 |
|---|---|---|
| committer | Marek Polacek <polacek@redhat.com> | 2023-06-22 13:43:32 -0400 |
| commit | 33ebb0dff9bb022f1e0709e0e73faabfc3df7931 (patch) | |
| tree | 857cc8336fcbe426044fe759571d437032fb6b2a /gcc | |
| parent | 4ced8363622b31910cda61796a28fe2cbf70faa7 (diff) | |
| download | gcc-33ebb0dff9bb022f1e0709e0e73faabfc3df7931.zip gcc-33ebb0dff9bb022f1e0709e0e73faabfc3df7931.tar.gz gcc-33ebb0dff9bb022f1e0709e0e73faabfc3df7931.tar.bz2 | |
configure: Implement --enable-host-bind-now
As promised in the --enable-host-pie patch, this patch adds another
configure option, --enable-host-bind-now, which adds -z now when linking
the compiler executables in order to extend hardening. BIND_NOW with RELRO
allows the GOT to be marked RO; this prevents GOT modification attacks.
This option does not affect linking of target libraries; you can use
LDFLAGS_FOR_TARGET=-Wl,-z,relro,-z,now to enable RELRO/BIND_NOW.
With this patch:
$ readelf -Wd cc1{,plus,obj,gm2} f951 lto1 cpp rust1 gnat1 | grep FLAGS
0x000000000000001e (FLAGS) BIND_NOW
0x000000006ffffffb (FLAGS_1) Flags: NOW PIE
0x000000000000001e (FLAGS) BIND_NOW
0x000000006ffffffb (FLAGS_1) Flags: NOW PIE
0x000000000000001e (FLAGS) BIND_NOW
0x000000006ffffffb (FLAGS_1) Flags: NOW PIE
0x000000000000001e (FLAGS) BIND_NOW
0x000000006ffffffb (FLAGS_1) Flags: NOW PIE
0x000000000000001e (FLAGS) BIND_NOW
0x000000006ffffffb (FLAGS_1) Flags: NOW PIE
0x000000000000001e (FLAGS) BIND_NOW
0x000000006ffffffb (FLAGS_1) Flags: NOW PIE
0x000000000000001e (FLAGS) BIND_NOW
0x000000006ffffffb (FLAGS_1) Flags: NOW PIE
0x000000000000001e (FLAGS) BIND_NOW
0x000000006ffffffb (FLAGS_1) Flags: NOW PIE
0x000000000000001e (FLAGS) BIND_NOW
0x000000006ffffffb (FLAGS_1) Flags: NOW PIE
c++tools/ChangeLog:
* configure.ac (--enable-host-bind-now): New check.
* configure: Regenerate.
gcc/ChangeLog:
* configure.ac (--enable-host-bind-now): New check. Add
-Wl,-z,now to LD_PICFLAG if --enable-host-bind-now.
* configure: Regenerate.
* doc/install.texi: Document --enable-host-bind-now.
lto-plugin/ChangeLog:
* configure.ac (--enable-host-bind-now): New check. Link with
-z,now.
* configure: Regenerate.
Diffstat (limited to 'gcc')
| -rwxr-xr-x | gcc/configure | 20 | ||||
| -rw-r--r-- | gcc/configure.ac | 13 | ||||
| -rw-r--r-- | gcc/doc/install.texi | 6 |
3 files changed, 36 insertions, 3 deletions
diff --git a/gcc/configure b/gcc/configure index c99105f..496da71 100755 --- a/gcc/configure +++ b/gcc/configure @@ -635,6 +635,7 @@ CET_HOST_FLAGS LD_PICFLAG PICFLAG enable_default_pie +enable_host_bind_now enable_host_pie enable_host_shared enable_plugin @@ -1031,6 +1032,7 @@ enable_version_specific_runtime_libs enable_plugin enable_host_shared enable_host_pie +enable_host_bind_now enable_libquadmath_support with_linker_hash_style with_diagnostics_color @@ -1794,6 +1796,7 @@ Optional Features: --enable-plugin enable plugin support --enable-host-shared build host code as shared libraries --enable-host-pie build host code as PIE + --enable-host-bind-now link host code as BIND_NOW --disable-libquadmath-support disable libquadmath support for Fortran --enable-default-pie enable Position Independent Executable as default @@ -19847,7 +19850,7 @@ else lt_dlunknown=0; lt_dlno_uscore=1; lt_dlneed_uscore=2 lt_status=$lt_dlunknown cat > conftest.$ac_ext <<_LT_EOF -#line 19850 "configure" +#line 19853 "configure" #include "confdefs.h" #if HAVE_DLFCN_H @@ -19953,7 +19956,7 @@ else lt_dlunknown=0; lt_dlno_uscore=1; lt_dlneed_uscore=2 lt_status=$lt_dlunknown cat > conftest.$ac_ext <<_LT_EOF -#line 19956 "configure" +#line 19959 "configure" #include "confdefs.h" #if HAVE_DLFCN_H @@ -32100,6 +32103,14 @@ fi +# Enable --enable-host-bind-now +# Check whether --enable-host-bind-now was given. +if test "${enable_host_bind_now+set}" = set; then : + enableval=$enable_host_bind_now; +fi + + + # Check whether --enable-libquadmath-support was given. if test "${enable_libquadmath_support+set}" = set; then : enableval=$enable_libquadmath_support; ENABLE_LIBQUADMATH_SUPPORT=$enableval @@ -32286,6 +32297,8 @@ else PICFLAG= fi + + if test x$enable_host_pie = xyes; then LD_PICFLAG=-pie elif test x$gcc_cv_no_pie = xyes; then @@ -32294,6 +32307,9 @@ else LD_PICFLAG= fi +if test x$enable_host_bind_now = xyes; then + LD_PICFLAG="$LD_PICFLAG -Wl,-z,now" +fi diff --git a/gcc/configure.ac b/gcc/configure.ac index 0428ee4..e91073b 100644 --- a/gcc/configure.ac +++ b/gcc/configure.ac @@ -7425,6 +7425,12 @@ AC_ARG_ENABLE(host-pie, [build host code as PIE])]) AC_SUBST(enable_host_pie) +# Enable --enable-host-bind-now +AC_ARG_ENABLE(host-bind-now, +[AS_HELP_STRING([--enable-host-bind-now], + [link host code as BIND_NOW])]) +AC_SUBST(enable_host_bind_now) + AC_ARG_ENABLE(libquadmath-support, [AS_HELP_STRING([--disable-libquadmath-support], [disable libquadmath support for Fortran])], @@ -7566,6 +7572,8 @@ else PICFLAG= fi +AC_SUBST([PICFLAG]) + if test x$enable_host_pie = xyes; then LD_PICFLAG=-pie elif test x$gcc_cv_no_pie = xyes; then @@ -7574,7 +7582,10 @@ else LD_PICFLAG= fi -AC_SUBST([PICFLAG]) +if test x$enable_host_bind_now = xyes; then + LD_PICFLAG="$LD_PICFLAG -Wl,-z,now" +fi + AC_SUBST([LD_PICFLAG]) # Enable Intel CET on Intel CET enabled host if jit is enabled. diff --git a/gcc/doc/install.texi b/gcc/doc/install.texi index a38d293..e099cd0 100644 --- a/gcc/doc/install.texi +++ b/gcc/doc/install.texi @@ -1095,6 +1095,12 @@ protection against Return Oriented Programming (ROP) attacks. in which case @option{-fPIC} is used when compiling, and @option{-pie} when linking. +@item --enable-host-bind-now +Specify that the @emph{host} executables should be linked with the option +@option{-Wl,-z,now}, which means that the dynamic linker will resolve all +symbols when the executables are started, and that in turn allows RELRO to +mark the GOT read-only, resulting in better security. + @item @anchor{with-gnu-as}--with-gnu-as Specify that the compiler should assume that the assembler it finds is the GNU assembler. However, this does not modify |