Package: gcc-5 Version: 5.3.1-7 Severity: wishlist Tags: patch User: bal...@balintreczey.hu Usertags: hardened1-linux-amd64
Dear GCC Maintainers, I have successfully bootstrapped the hardened1-linux-amd64 [1] port using a set of patches [2]. I'm working towards making the port ready for being accepted to Debian and the attached patches add support for the port to GCC. The first patch allows cross building GCC to a port enabling PIE by default from a host without PIE by default. It may be useful on its own. Dpkg support for the port is being discussed in #812782. Accepting this patch would make (re-)bootstrapping the new port easier. Thank you in advance, Balint [1] http://balintreczey.hu/blog/proposing-amd64-hardened-architecture-for-debian/ [2] https://anonscm.debian.org/cgit/users/rbalint/rebootstrap.git/
>From f1d664b0ae440163d85f85ab6f014ad6d7daab4c Mon Sep 17 00:00:00 2001 From: Balint Reczey <bal...@balintreczey.hu> Date: Mon, 25 Jan 2016 17:56:30 +0100 Subject: [PATCH 1/3] Re-enable -fPIC when -fno-PIE is used in bootstrapping --- debian/patches/gcc-configure-pie.diff | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/debian/patches/gcc-configure-pie.diff b/debian/patches/gcc-configure-pie.diff index 7abe92a..f58ccf3 100644 --- a/debian/patches/gcc-configure-pie.diff +++ b/debian/patches/gcc-configure-pie.diff @@ -381,7 +381,7 @@ Index: b/src/gcc/Makefile.in echo INHIBIT_LIBC_CFLAGS = '$(INHIBIT_LIBC_CFLAGS)' >> tmp-libgcc.mvars echo TARGET_SYSTEM_ROOT = '$(TARGET_SYSTEM_ROOT)' >> tmp-libgcc.mvars + if test @enable_default_pie@ = yes; then \ -+ NO_PIE_CFLAGS="-fno-PIE"; \ ++ NO_PIE_CFLAGS="-fno-PIE -fPIC"; \ + else \ + NO_PIE_CFLAGS=; \ + fi; \ -- 2.1.4
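Review bot: The changed line `NO_PIE_CFLAGS="-fno-PIE -fPIC"` makes a variable named NO_PIE_CFLAGS switch PIC on, and nothing in the patch records why or that the flag order matters. As far as I know GCC resolves the -fpic/-fpie family by position, so `-fno-PIE` cancels an earlier `-fPIC` and the result here depends on `-fPIC` staying last. I would add a sentence to the description of gcc-configure-pie.diff, for example `-fno-PIE also cancels an earlier -fPIC, so -fPIC is re-added after it`. It is also worth checking that every other consumer of NO_PIE_CFLAGS in that patch really wants PIC objects, since those uses are outside this hunk.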
>From 568bc9d19bdf9dbe505e7904fdc2ddd22ba9e767 Mon Sep 17 00:00:00 2001 From: Balint Reczey <bal...@balintreczey.hu> Date: Mon, 25 Jan 2016 19:23:23 +0100 Subject: [PATCH 2/3] Add support for hardened1-linux-amd64 architecture --- debian/libasan2.symbols | 4 ++-- debian/rules.defs | 37 ++++++++++++++++++++++--------------- debian/rules2 | 2 +- 3 files changed, 25 insertions(+), 18 deletions(-) diff --git a/debian/libasan2.symbols b/debian/libasan2.symbols index fa170da..23a06a7 100644 --- a/debian/libasan2.symbols +++ b/debian/libasan2.symbols @@ -1,7 +1,7 @@ libasan.so.2 libasan2 #MINVER# #include "libasan.symbols.common" -(arch=!arm64 !alpha !amd64 !ia64 !ppc64 !ppc64el !s390x !sparc64 !kfreebsd-amd64)#include "libasan.symbols.32" -(arch=arm64 alpha amd64 ia64 ppc64 ppc64el s390x sparc64 kfreebsd-amd64)#include "libasan.symbols.64" +(arch=!arm64 !alpha !amd64 !ia64 !ppc64 !ppc64el !s390x !sparc64 !kfreebsd-amd64 !hardened1-linux-amd64)#include "libasan.symbols.32" +(arch=arm64 alpha amd64 ia64 ppc64 ppc64el s390x sparc64 kfreebsd-amd64 hardened1-linux-amd64)#include "libasan.symbols.64" (arch=armel armhf sparc64 x32)#include "libasan.symbols.16" # these are missing on some archs ... (arch=!arm64 !armel !armhf !powerpc !ppc64 !ppc64el !sparc !sparc64)__interceptor_ptrace@Base 4.9 diff --git a/debian/rules.defs b/debian/rules.defs index a108f12..6d775f1 100644 --- a/debian/rules.defs +++ b/debian/rules.defs @@ -418,7 +418,7 @@ multiarch_xarch_map = \ amd64=i386-linux-gnu,x86_64-linux-gnux32 \ armel=arm-linux-gnueabi \ armhf=arm-linux-gnueabihf \ - i386=x86_64-linux-gnu,x86_64-linux-gnux32 \ + i386=x86_64-linux-gnu,x86_64-linux-gnux32,x86_64-linux-gnuhardened1 \ powerpc=powerpc64-linux-gnu \ ppc64=powerpc-linux-gnu \ sparc=sparc64-linux-gnu \ 
@@ -431,8 +431,9 @@ multiarch_xarch_map = \ mipsn32el=mipsel-linux-gnu,mips64el-linux-gnuabi64 \ mips64=mips-linux-gnu,mips64-linux-gnuabin32 \ mips64el=mipsel-linux-gnu,mips64el-linux-gnuabin32 \ - x32=x86_64-linux-gnu,i386-linux-gnu \ - kfreebsd-amd64=i386-kfreebsd-gnu + x32=x86_64-linux-gnu,i386-linux-gnu, x86_64-linux-gnuhardened1 \ + kfreebsd-amd64=i386-kfreebsd-gnu \ + hardened1-linux-amd64=i386-linux-gnu,x86_64-linux-gnux32 xarch_multiarch_names = $(subst $(COMMA),$(SPACE),$(patsubst $(DEB_TARGET_ARCH)=%,%, \ $(filter $(DEB_TARGET_ARCH)=%,$(multiarch_xarch_map)))) @@ -464,7 +465,8 @@ multilib_multiarch_map = \ mips64el/n32=mips64el-linux-gnuabin32 \ x32/32=i386-linux-gnu \ x32/64=x86_64-linux-gnu \ - kfreebsd-amd64/32=i386-kfreebsd-gnu + kfreebsd-amd64/32=i386-kfreebsd-gnu \ + hardened1-linux-amd64/32=i386-linux-gnu # $(call mlib_to_march,<empty>|32|64|n32|x32|hf|sf) mlib_to_march = $(patsubst $(DEB_TARGET_ARCH)/$(1)=%,%, \ $(filter $(DEB_TARGET_ARCH)/$(1)=%,$(multilib_multiarch_map))) @@ -927,7 +929,7 @@ ifeq ($(with_d)-$(with_separate_gdc),yes-yes) endif ifeq ($(with_d),yes) - libphobos_archs = amd64 armel armhf i386 x32 kfreebsd-amd64 kfreebsd-i386 + libphobos_archs = amd64 hardened1-linux-amd64 armel armhf i386 x32 kfreebsd-amd64 kfreebsd-i386 ifneq (,$(filter $(DEB_TARGET_ARCH), $(libphobos_archs))) with_libphobos := yes endif @@ -1106,7 +1108,7 @@ ifneq (,$(filter $(DEB_TARGET_ARCH),$(gomp_no_archs))) endif # itm -------------------- -itm_archs = amd64 arm64 i386 x32 ppc64 ppc64el +itm_archs = amd64 hardened1-linux-amd64 arm64 i386 x32 ppc64 ppc64el ifneq (,$(filter $(DEB_TARGET_ARCH),$(itm_archs))) with_itm := yes endif 
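Review bot: The new x32 entry `x32=x86_64-linux-gnu,i386-linux-gnu, x86_64-linux-gnuhardened1` has a space after the second comma, which splits it into two words of multiarch_xarch_map. xarch_multiarch_names picks words with `$(filter $(DEB_TARGET_ARCH)=%,...)`, so on x32 the stray `x86_64-linux-gnuhardened1` word never matches and the hardened1 triplet is silently dropped. Write it as `x32=x86_64-linux-gnu,i386-linux-gnu,x86_64-linux-gnuhardened1 \`, matching the i386 entry in the previous hunk. If the space is only an artefact of how this mail was rendered, ignore this.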
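Review bot: `hardened1-linux-amd64` is appended by hand to every list that contains amd64, starting with `libphobos_archs` and `itm_archs` here and continuing through asan_archs, lsan_archs, tsan_archs, ubsan_archs, vtv_archs, cilkrts_archs, mpx_archs and gold_archs in the later hunks. Any list that is missed, or added later with only amd64, leaves the hardened port without that runtime, and for the sanitizer and vtv lists that is a loss of checking on the very port meant to be stricter. One variable such as `amd64_archs = amd64 hardened1-linux-amd64`, used in each of these lists, would keep the two names in step.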
@@ -1129,7 +1131,7 @@ endif # asan / sanitizer -------------------- with_asan := with_asan := $(call envfilt, asan, , , $(with_asan)) -asan_archs = amd64 armel armhf arm64 i386 powerpc ppc64 ppc64el x32 sparc sparc64 +asan_archs = amd64 hardened1-linux-amd64 armel armhf arm64 i386 powerpc ppc64 ppc64el x32 sparc sparc64 ifneq (,$(filter $(DEB_TARGET_ARCH),$(asan_archs))) with_asan := yes endif @@ -1137,7 +1139,7 @@ endif # lsan / sanitizer -------------------- with_lsan := with_lsan := $(call envfilt, lsan, , , $(with_lsan)) -lsan_archs = amd64 +lsan_archs = amd64 hardened1-linux-amd64 ifneq (,$(filter $(DEB_TARGET_ARCH),$(lsan_archs))) with_lsan := yes endif @@ -1145,7 +1147,7 @@ endif # tsan / sanitizer -------------------- with_tsan := with_tsan := $(call envfilt, tsan, , , $(with_tsan)) -tsan_archs = amd64 +tsan_archs = amd64 hardened1-linux-amd64 ifneq (,$(filter $(DEB_TARGET_ARCH),$(tsan_archs))) with_tsan := yes endif @@ -1155,7 +1157,7 @@ endif # with_cdev # ubsan / sanitizer -------------------- with_ubsan := with_ubsan := $(call envfilt, ubsan, , , $(with_ubsan)) -ubsan_archs = amd64 armel armhf arm64 i386 powerpc ppc64 ppc64el x32 sparc sparc64 +ubsan_archs = amd64 hardened1-linux-amd64 armel armhf arm64 i386 powerpc ppc64 ppc64el x32 sparc sparc64 ifneq (,$(filter $(DEB_TARGET_ARCH),$(ubsan_archs))) with_ubsan := yes endif @@ -1163,7 +1165,7 @@ endif # libvtv -------------------- with_vtv := with_vtv := $(call envfilt, vtv, , , $(with_vtv)) -vtv_archs = amd64 i386 x32 +vtv_archs = amd64 hardened1-linux-amd64 i386 x32 ifneq (,$(filter $(DEB_TARGET_ARCH),$(vtv_archs))) with_vtv := yes with_libvtv := yes @@ -1175,7 +1177,7 @@ with_libvtv := # libcilkrts -------------------- with_cilkrts := with_cilkrts := $(call envfilt, cilkrts, , , $(with_cilkrts)) -cilkrts_archs = amd64 i386 x32 +cilkrts_archs = amd64 hardened1-linux-amd64 i386 x32 ifneq (,$(filter $(DEB_TARGET_ARCH),$(cilkrts_archs))) with_cilkrts := yes endif 
@@ -1183,7 +1185,7 @@ endif # libmpx -------------------- with_mpx := with_mpx := $(call envfilt, mpx, , , $(with_mpx)) -mpx_archs = amd64 i386 +mpx_archs = amd64 hardened1-linux-amd64 i386 ifneq (,$(filter $(DEB_TARGET_ARCH),$(mpx_archs))) # requires newer binutils, or else libmpxwrappers isn't built ifeq (,$(filter $(distrelease),squeeze lucid precise)) @@ -1207,7 +1209,7 @@ endif # gold -------------------- # armel with binutils 2.20.51 only -gold_archs = amd64 armel armhf i386 powerpc powerpcspe ppc64 ppc64el sparc sparc64 x32 hurd-i386 +gold_archs = amd64 hardened1-linux-amd64 armel armhf i386 powerpc powerpcspe ppc64 ppc64el sparc sparc64 x32 hurd-i386 ifneq (,$(filter $(DEB_TARGET_ARCH),$(gold_archs))) with_gold := yes endif @@ -1346,6 +1348,11 @@ else #with_lib32gmath := yes #with_libgmathdev := yes endif + ifeq ($(DEB_TARGET_ARCH),hardened1-linux-amd64) + #with_libgccmath := yes + #with_lib32gmath := yes + #with_libgmathdev := yes + endif # hppa64 build ---------------- hppa64_no_snap := no @@ -1593,7 +1600,7 @@ define gen_biarch export TARGET64_MACHINE endif endef -biarch32archs := /amd64/ppc64/kfreebsd-amd64/s390x/sparc64/x32/mipsn32/mipsn32el/mips64/mips64el/ +biarch32archs := /amd64/hardened1-linux-amd64/ppc64/kfreebsd-amd64/s390x/sparc64/x32/mipsn32/mipsn32el/mips64/mips64el/ biarch64archs := /i386/powerpc/sparc/s390/mips/mipsel/mipsn32/mipsn32el/x32/ biarchn32archs := /mips/mipsel/mips64/mips64el/ ifeq ($(derivative),Ubuntu) diff --git a/debian/rules2 b/debian/rules2 index 52c6b31..c8bf542 100644 --- a/debian/rules2 +++ b/debian/rules2 
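Review bot: The added `ifeq ($(DEB_TARGET_ARCH),hardened1-linux-amd64)` block in the hunk at -1346 contains only commented-out assignments, so it has no effect yet reads as if libgccmath were configured for the port. It copies the commented lines of the block just above it in the context. Either drop the new block, or replace its three lines with one comment stating the intent, for example `# libgccmath: same (disabled) settings as amd64`, if that is what is meant. The enclosing conditional starts outside the hunk.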
@@ -397,7 +397,7 @@ ifneq (,$(filter $(DEB_TARGET_GNU_TYPE), i486-linux-gnu i586-linux-gnu i686-linu endif endif -ifneq (,$(filter $(DEB_TARGET_GNU_TYPE), x86_64-linux-gnu x86_64-linux-gnux32 x86_64-kfreebsd-gnu s390x-linux-gnu sparc64-linux-gnu)) +ifneq (,$(filter $(DEB_TARGET_GNU_TYPE), x86_64-linux-gnu x86_64-linux-gnuhardened1 x86_64-linux-gnux32 x86_64-kfreebsd-gnu s390x-linux-gnu sparc64-linux-gnu)) ifneq ($(biarch32),yes) CONFARGS += --disable-multilib endif -- 2.1.4
>From edbe56950ee7c8830ca22dcd8bd122a839d27c52 Mon Sep 17 00:00:00 2001 From: Balint Reczey <bal...@balintreczey.hu> Date: Mon, 25 Jan 2016 19:38:30 +0100 Subject: [PATCH 3/3] Set multiarch and multilib dirs for hardened1-linux-amd64 --- .../patches/gcc-multilib-multiarch-hardened1.diff | 22 ++++++++++++++++++++++ debian/rules.patch | 3 +++ 2 files changed, 25 insertions(+) create mode 100644 debian/patches/gcc-multilib-multiarch-hardened1.diff diff --git a/debian/patches/gcc-multilib-multiarch-hardened1.diff b/debian/patches/gcc-multilib-multiarch-hardened1.diff new file mode 100644 index 0000000..2db549f --- /dev/null +++ b/debian/patches/gcc-multilib-multiarch-hardened1.diff @@ -0,0 +1,22 @@ +diff --git a/src/gcc/config/i386/t-linux64 b/src/gcc/config/i386/t-linux64 +index 04d001c..7d34500 100644 +--- a/src/gcc/config/i386/t-linux64 ++++ b/src/gcc/config/i386/t-linux64 +@@ -38,7 +38,7 @@ MULTILIB_OSDIRNAMES = m64=../lib64$(call if_multiarch,:x86_64-linux-gnu) + MULTILIB_OSDIRNAMES+= m32=../lib32$(call if_multiarch,:i386-linux-gnu) + MULTILIB_OSDIRNAMES+= mx32=../lib$(call if_multiarch,:x86_64-linux-gnux32) + else ifneq (,$(findstring x86_64,$(target))) +-MULTILIB_OSDIRNAMES = m64=../lib$(call if_multiarch,:x86_64-linux-gnu) ++MULTILIB_OSDIRNAMES = m64=../lib$(call if_multiarch,:x86_64-linux-gnuhardened1) + MULTILIB_OSDIRNAMES+= m32=../lib32$(call if_multiarch,:i386-linux-gnu) + MULTILIB_OSDIRNAMES+= mx32=../libx32$(call if_multiarch,:x86_64-linux-gnux32) + else +@@ -51,7 +51,7 @@ ifneq (,$(findstring x86_64,$(target))) + ifneq (,$(findstring biarchx32.h,$(tm_include_list))) + MULTIARCH_DIRNAME = $(call if_multiarch,x86_64-linux-gnux32) + else +- MULTIARCH_DIRNAME = $(call if_multiarch,x86_64-linux-gnu) ++ MULTIARCH_DIRNAME = $(call if_multiarch,x86_64-linux-gnuhardened1) + endif + else + MULTIARCH_DIRNAME = $(call if_multiarch,i386-linux-gnu) diff --git a/debian/rules.patch b/debian/rules.patch index 005a964..7294940 100644 --- a/debian/rules.patch 
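Review bot: The new gcc-multilib-multiarch-hardened1.diff starts straight at `diff --git` with no description header, and it rewrites the `m64` MULTILIB_OSDIRNAMES entry and MULTIARCH_DIRNAME to `x86_64-linux-gnuhardened1` for every x86_64 target instead of testing for the port. That is only correct because debian/rules.patch applies it under `ifeq ($(DEB_TARGET_ARCH),hardened1-linux-amd64)`, so the dependency should be written down in the patch itself. I would add a header line such as `# DP: Use the x86_64-linux-gnuhardened1 multiarch directory; apply only when DEB_TARGET_ARCH is hardened1-linux-amd64.` The first branch of t-linux64, the one with `m64=../lib64`, is left on `x86_64-linux-gnu`; if that is intended, the header is the place to say so.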
+++ b/debian/rules.patch @@ -312,6 +312,9 @@ ifneq (,$(filter $(build_type), build-cross cross-build-cross)) endif endif debian_patches += gcc-multilib-multiarch +ifeq ($(DEB_TARGET_ARCH),hardened1-linux-amd64) + debian_patches += gcc-multilib-multiarch-hardened1 +endif ifneq (,$(filter $(derivative),Ubuntu)) ifeq (,$(filter $(distrelease),dapper hardy intrepid jaunty karmic lucid maverick)) -- 2.1.4