On Sat, Sep 15, 2018 at 10:15 AM Hongxu Jia <hongxu....@windriver.com> wrote: > > On 2018年09月15日 02:02, Andrea Adami wrote: > > ld fails if distro's security-flags are enabled: > > Inject the SECURITY_XFLAGS if security_flags.inc was included. > > > > Fix on i386: ld: discarded output section: `.got.plt' > > > > Signed-off-by: Andrea Adami <andrea.ad...@gmail.com> > > --- > > meta-initramfs/recipes-devtools/klibc/klibc.inc | 6 +++--- > > 1 file changed, 3 insertions(+), 3 deletions(-) > > > > diff --git a/meta-initramfs/recipes-devtools/klibc/klibc.inc > > b/meta-initramfs/recipes-devtools/klibc/klibc.inc > > index 3d25e96..837b026 100644 > > --- a/meta-initramfs/recipes-devtools/klibc/klibc.inc > > +++ b/meta-initramfs/recipes-devtools/klibc/klibc.inc > > @@ -47,7 +47,8 @@ EXTRA_OEMAKE = "'KLIBCARCH=${KLIBC_ARCH}' \ > > 'KLIBCOPTFLAGS=${TUNE_CCARGS}' \ > > V=1 \ > > " > > -EXTRA_OEMAKE += 'EXTRA_KLIBCAFLAGS="-Wa,--noexecstack" > > EXTRA_KLIBCLDFLAGS="-z noexecstack"' > > +EXTRA_OEMAKE += "'EXTRA_KLIBCAFLAGS=${SECURITY_CFLAGS} -Wa,--noexecstack' \ > > + 'EXTRA_KLIBCLDFLAGS=${SECURITY_LDFLAGS} -z noexecstack'" > > > Is it necessary to pass SECURITY_XFLAGS directly? While including > security_flags.inc, > CC will contain SECURITY_CFLAGS and LDFLAGS will contain SECURITY_LDFLAGS. > Maybe you should make sure to pass LDFLAGS to EXTRA_KLIBCLDFLAGS to avoid > ldflags qa warning. > > [security_flags.inc] > 58 TARGET_CC_ARCH_append_class-target = " ${SECURITY_CFLAGS}" > 59 TARGET_LDFLAGS_append_class-target = " ${SECURITY_LDFLAGS}" > [security_flags.inc] > > > export FIX_ARMV4_EABI_BX = "${FIX_V4BX}" > > KLIBCTHUMB = "${@['CONFIG_KLIBC_THUMB=n', > > 'CONFIG_KLIBC_THUMB=y'][(d.getVar('ARM_INSTRUCTION_SET') == 'thumb')]}" > > @@ -74,5 +75,4 @@ KLIBC_ARCH_powerpc = "ppc" > > KLIBC_ARCH_powerpc64 = "ppc64" > > THIS_LIBKLIBC = "libklibc (= ${PV}-${PR})" > > > > -SECURITY_CFLAGS = "-fno-PIE -no-pie" > > -SECURITY_LDFLAGS = "-no-pie" > > +SECURITY_LDFLAGS = "${@'-z relro -z now -pie' if '${GCCPIE}' else ''}" > > The same reason, it is not necessary to test GCCPIE, > > and it missed "-Wl,"?, how about directly set SECURITY_STACK_PROTECTOR = "" > Hi, thanks for reviewing.
It is true the SECURITY_CFLAGS are passed to the compiler. The problem is, klibc has its own arch makefiles (MCONFIG) and the linker is called directly, so if you just append the LDFLAGS like this: EXTRA_OEMAKE += "'EXTRA_KLIBCAFLAGS=-Wa,--noexecstack' \ 'EXTRA_KLIBCLDFLAGS=${LDFLAGS} -z noexecstack'" you get: i586-oe-linux-musl-ld.bfd -m elf_i386 -o usr/kinit/ipconfig/static/ipconfig -W l,-O1 -Wl,--hash-style=gnu -Wl,--as-needed -z relro -z now -pie -z noexecstack u sr/klibc/arch/i386/crt0.o --start-group usr/kinit/ipconfig/main.o usr/kinit/ipc onfig/netdev.o usr/kinit/ipconfig/packet.o usr/kinit/ipconfig/dhcp_proto.o usr/k init/ipconfig/bootp_proto.o usr/klibc/libc.a /tmp/build/tmp-musl/work/i586-oe-l inux-musl/klibc/2.0.4-r0/recipe-sysroot/usr/lib/i586-oe-linux-musl/*/libgcc.a -- end-group ; cp -f usr/kinit/ipconfig/static/ipconfig usr/kinit/ipconfig/static/i pconfig.g ; i586-oe-linux-musl-strip --strip-all -R .comment -R .note --strip-al l -R .comment -R .note --strip-all -R .comment -R .note usr/kinit/ipconfig/stati c/ipconfig i586-oe-linux-musl-ld.bfd: unrecognized option '-Wl,-O1' Thus I am expliciting the SECURITY_LDFLAGS. Note that this patch, injecting the -pie, does now break build for mips, because the MCONFIG foir mips disables pic. The immediate fix is to remove -pie for mips (standard behavior). Cheers Andrea > > //Hongxu > -- _______________________________________________ Openembedded-devel mailing list Openembedded-devel@lists.openembedded.org http://lists.openembedded.org/mailman/listinfo/openembedded-devel