From 251c72a68af3a8b0638705b73ef120ffdf0053eb Mon Sep 17 00:00:00 2001 
From: Marek Polacek Date: Thu, 10 Nov 2022 16:33:03 -0500 Subject: configure: Implement --enable-host-pie This patch implements the --enable-host-pie configure option which makes the compiler executables PIE. This can be used to enhance protection against ROP attacks, and can be viewed as part of a wider trend to harden binaries. It is similar to the option --enable-host-shared, except that --e-h-s won't add -shared to the linker flags whereas --e-h-p will add -pie. It is different from --enable-default-pie because that option just adds an implicit -fPIE/-pie when the compiler is invoked, but the compiler itself isn't PIE. Since r12-5768-gfe7c3ecf, PCH works well with PIE, so there are no PCH regressions. When building the compiler, the build process may use various in-tree libraries; these need to be built with -fPIE so that it's possible to use them when building a PIE. For instance, when --with-included-gettext is in effect, intl object files must be compiled with -fPIE. Similarly, when building in-tree gmp, isl, mpfr and mpc, they must be compiled with -fPIE. I plan to add an option to link with -Wl,-z,now. ChangeLog: * Makefile.def: Pass $(PICFLAG) to AM_CFLAGS for gmp, mpfr, mpc, and isl. * Makefile.in: Regenerate. * Makefile.tpl: Set PICFLAG. * configure.ac (--enable-host-pie): New check. Set PICFLAG after this check. * configure: Regenerate. c++tools/ChangeLog: * Makefile.in: Rename PIEFLAG to PICFLAG. Set LD_PICFLAG. Use it. Use pic/libiberty.a if PICFLAG is set. * configure.ac (--enable-default-pie): Set PICFLAG instead of PIEFLAG. (--enable-host-pie): New check. * configure: Regenerate. fixincludes/ChangeLog: * Makefile.in: Set and use PICFLAG and LD_PICFLAG. Use the "pic" build of libiberty if PICFLAG is set. * configure.ac: * configure: Regenerate. gcc/ChangeLog: * Makefile.in: Set LD_PICFLAG. Use it. Set enable_host_pie. Remove NO_PIE_CFLAGS and NO_PIE_FLAG. Pass LD_PICFLAG to ALL_LINKERFLAGS. Use the "pic" build of libiberty if --enable-host-pie. 
* configure.ac (--enable-host-shared): Don't set PICFLAG here. (--enable-host-pie): New check. Set PICFLAG and LD_PICFLAG after this check. * configure: Regenerate. * doc/install.texi: Document --enable-host-pie. gcc/d/ChangeLog: * Make-lang.in: Remove NO_PIE_CFLAGS. intl/ChangeLog: * Makefile.in: Use @PICFLAG@ in COMPILE as well. * configure.ac (--enable-host-shared): Don't set PICFLAG here. (--enable-host-pie): New check. Set PICFLAG after this check. * configure: Regenerate. libcody/ChangeLog: * Makefile.in: Pass LD_PICFLAG to LDFLAGS. * configure.ac (--enable-host-shared): Don't set PICFLAG here. (--enable-host-pie): New check. Set PICFLAG and LD_PICFLAG after this check. * configure: Regenerate. libcpp/ChangeLog: * configure.ac (--enable-host-shared): Don't set PICFLAG here. (--enable-host-pie): New check. Set PICFLAG after this check. * configure: Regenerate. libdecnumber/ChangeLog: * configure.ac (--enable-host-shared): Don't set PICFLAG here. (--enable-host-pie): New check. Set PICFLAG after this check. * configure: Regenerate. libiberty/ChangeLog: * configure.ac: Also set shared when enable_host_pie. * configure: Regenerate. zlib/ChangeLog: * configure.ac (--enable-host-shared): Don't set PICFLAG here. (--enable-host-pie): New check. Set PICFLAG after this check. * configure: Regenerate. --- intl/Makefile.in | 2 +- intl/configure | 24 ++++++++++++++++++++++-- intl/configure.ac | 19 +++++++++++++++++-- 3 files changed, 40 insertions(+), 5 deletions(-) (limited to 'intl') diff --git a/intl/Makefile.in b/intl/Makefile.in index 409d693..5beebdc 100644 --- a/intl/Makefile.in +++ b/intl/Makefile.in @@ -54,7 +54,7 @@ CTAGS = @CTAGS@ ETAGS = @ETAGS@ MKID = @MKID@ -COMPILE = $(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(DEFS-$@) $(INCLUDES) +COMPILE = $(CC) -c $(CPPFLAGS) $(CFLAGS) @PICFLAG@ $(DEFS) $(DEFS-$@) $(INCLUDES) HEADERS = \ gmo.h \ diff --git a/intl/configure b/intl/configure index 03f4048..79bb583 100755 --- a/intl/configure +++ b/intl/configure 
@@ -623,6 +623,8 @@ ac_header_list= ac_subst_vars='LTLIBOBJS LIBOBJS PICFLAG +enable_host_pie +enable_host_shared BISON3_NO BISON3_YES INCINTL @@ -731,6 +733,7 @@ with_libintl_prefix with_libintl_type enable_maintainer_mode enable_host_shared +enable_host_pie ' ac_precious_vars='build_alias host_alias @@ -1356,6 +1359,7 @@ Optional Features: --disable-rpath do not hardcode runtime library paths --enable-maintainer-mode enable rules only needed by maintainers --enable-host-shared build host code as shared libraries + --enable-host-pie build host code as PIE Optional Packages: --with-PACKAGE[=ARG] use PACKAGE [ARG=yes] @@ -6852,15 +6856,31 @@ fi +# Enable --enable-host-shared. # Check whether --enable-host-shared was given. if test "${enable_host_shared+set}" = set; then : - enableval=$enable_host_shared; PICFLAG=-fPIC + enableval=$enable_host_shared; +fi + + + +# Enable --enable-host-pie. +# Check whether --enable-host-pie was given. +if test "${enable_host_pie+set}" = set; then : + enableval=$enable_host_pie; +fi + + + +if test x$enable_host_shared = xyes; then + PICFLAG=-fPIC +elif test x$enable_host_pie = xyes; then + PICFLAG=-fPIE else PICFLAG= fi - ac_config_files="$ac_config_files Makefile config.intl" cat >confcache <<\_ACEOF diff --git a/intl/configure.ac b/intl/configure.ac index 16a740a..81aa831 100644 --- a/intl/configure.ac +++ b/intl/configure.ac 
@@ -83,10 +83,25 @@ fi AC_SUBST(BISON3_YES) AC_SUBST(BISON3_NO) +# Enable --enable-host-shared. AC_ARG_ENABLE(host-shared, [AS_HELP_STRING([--enable-host-shared], - [build host code as shared libraries])], -[PICFLAG=-fPIC], [PICFLAG=]) + [build host code as shared libraries])]) +AC_SUBST(enable_host_shared) + +# Enable --enable-host-pie. +AC_ARG_ENABLE(host-pie, +[AS_HELP_STRING([--enable-host-pie], + [build host code as PIE])]) +AC_SUBST(enable_host_pie) + +if test x$enable_host_shared = xyes; then + PICFLAG=-fPIC +elif test x$enable_host_pie = xyes; then + PICFLAG=-fPIE +else + PICFLAG= +fi AC_SUBST(PICFLAG) AC_CONFIG_FILES(Makefile config.intl) -- cgit v1.1
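Review bot: The new `if`/`elif` that picks `PICFLAG` accepts only the literal value `yes` and expands `$enable_host_shared` and `$enable_host_pie` unquoted, so a mistyped value such as `--enable-host-pie=on` (constructed example) falls through to `PICFLAG=` with no diagnostic. For a hardening switch that means the intl objects are compiled without `-fPIE` while the builder believes PIE is in effect; whether the later `-pie` link then fails presumably depends on target and linker. I would quote both expansions and reject unexpected values with `AC_MSG_ERROR`, as sketched below, and add a one-line comment saying that `-fPIC` deliberately wins when both options are given. The regenerated `intl/configure` hunk carries the same logic and only needs regenerating. According to the ChangeLog the same check is added to other `configure.ac` files, which are not shown on this page.

```m4
dnl … unchanged: AC_ARG_ENABLE(host-shared), AC_ARG_ENABLE(host-pie) and their AC_SUBST lines …

case "$enable_host_pie" in
  yes | no | "") ;;
  *) AC_MSG_ERROR([invalid value '$enable_host_pie' for --enable-host-pie; use yes or no]) ;;
esac

# --enable-host-shared takes precedence: -fPIC objects can also be linked into a PIE.
if test "x$enable_host_shared" = xyes; then
  PICFLAG=-fPIC
elif test "x$enable_host_pie" = xyes; then
dnl … unchanged: PICFLAG=-fPIE, the empty-PICFLAG else branch, AC_SUBST(PICFLAG) …
```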