On Tue, Jun 27, 2023 at 01:39:16PM +0200, Martin Jambor wrote:
> Hello,
>
> On Tue, May 16 2023, Marek Polacek via Gcc-patches wrote:
> > As promised in the --enable-host-pie patch, this patch adds another
> > configure option, --enable-host-bind-now, which adds -z now when linking
> > the compiler executables in order to extend hardening. BIND_NOW with RELRO
> > allows the GOT to be marked RO; this prevents GOT modification attacks.
> >
> > This option does not affect linking of target libraries; you can use
> > LDFLAGS_FOR_TARGET=-Wl,-z,relro,-z,now to enable RELRO/BIND_NOW.
> >
> > With this patch:
> > $ readelf -Wd cc1{,plus} | grep FLAGS
> > 0x000000000000001e (FLAGS) BIND_NOW
> > 0x000000006ffffffb (FLAGS_1) Flags: NOW PIE
> > 0x000000000000001e (FLAGS) BIND_NOW
> > 0x000000006ffffffb (FLAGS_1) Flags: NOW PIE
> >
> > Bootstrapped/regtested on x86_64-pc-linux-gnu, ok for trunk?
> >
> > c++tools/ChangeLog:
> >
> > * configure.ac (--enable-host-bind-now): New check.
> > * configure: Regenerate.
> >
> > gcc/ChangeLog:
> >
> > * configure.ac (--enable-host-bind-now): New check. Add
> > -Wl,-z,now to LD_PICFLAG if --enable-host-bind-now.
> > * configure: Regenerate.
> > * doc/install.texi: Document --enable-host-bind-now.
> >
> > lto-plugin/ChangeLog:
> >
> > * configure.ac (--enable-host-bind-now): New check. Link with
> > -z,now.
> > * configure: Regenerate.
>
> Our reconfiguration checking script complains about a missing hunk in
> lto-plugin/Makefile.in:
>
> diff --git a/lto-plugin/Makefile.in b/lto-plugin/Makefile.in
> index cb568e1e09f..f6f5b020ff5 100644
> --- a/lto-plugin/Makefile.in
> +++ b/lto-plugin/Makefile.in
> @@ -298,6 +298,7 @@ datadir = @datadir@
> datarootdir = @datarootdir@
> docdir = @docdir@
> dvidir = @dvidir@
> +enable_host_bind_now = @enable_host_bind_now@
> exec_prefix = @exec_prefix@
> gcc_build_dir = @gcc_build_dir@
> get_gcc_base_ver = @get_gcc_base_ver@
>
>
> I am somewhat puzzled why the line is not missing in any of the other
> Makefile.in files. Can you please check whether that is the only thing
> that is missing (assuming it is actually missing)?
Arg, once again, I'm sorry. I don't know how this happened. It would
be trivial to fix it but since
commit 4a48a38fa99f067b8f3a3d1a5dc7a1e602db351f
Author: Eric Botcazou <ebotca...@adacore.com>
Date: Wed Jun 21 18:19:36 2023 +0200
ada: Fix build of GNAT tools
the build with Ada included fails with --enable-host-pie. So that needs
to be fixed first.
Eric, I'm not asking you to fix that, but I'm curious, what did the
commit above fix? The patch looks correct; I'm just puzzled why I
hadn't seen any build failures.
The --enable-host-pie patch has been a nightmare :(.
Marek
