Re: [oe] [meta-initramfs][PATCH] klibc: fix build on i386 with GCC and security flags enabled

[Andrea Adami]

please hold on, v2 is coming.

I think -z relro and -z now (data relocation) should be only added if
the distro is using security flags.
BTW I do this check looking at GCCPIE variable, normally evaluated if
security flags are switched on.

Note: all this because the standard SECURITY_LDFLAGS cannot be used:
these start with -Wl but we are talking with the linker directly.

Cheers
Andrea
On Fri, Sep 14, 2018 at 6:46 PM Andrea Adami  wrote:
>
> Disable pie for powerpc as in security_flags.inc.
> Fix on i386: ld: discarded output section: `.got.plt'
>
> Signed-off-by: Andrea Adami 
> ---
>  meta-initramfs/recipes-devtools/klibc/klibc.inc | 10 +++---
>  1 file changed, 7 insertions(+), 3 deletions(-)
>
> diff --git a/meta-initramfs/recipes-devtools/klibc/klibc.inc 
> b/meta-initramfs/recipes-devtools/klibc/klibc.inc
> index 3d25e96..b3d1568 100644
> --- a/meta-initramfs/recipes-devtools/klibc/klibc.inc
> +++ b/meta-initramfs/recipes-devtools/klibc/klibc.inc
> @@ -47,7 +47,8 @@ EXTRA_OEMAKE = "'KLIBCARCH=${KLIBC_ARCH}' \
>  'KLIBCOPTFLAGS=${TUNE_CCARGS}' \
>   V=1 \
>  "
> -EXTRA_OEMAKE += 'EXTRA_KLIBCAFLAGS="-Wa,--noexecstack" 
> EXTRA_KLIBCLDFLAGS="-z noexecstack"'
> +EXTRA_OEMAKE += "'EXTRA_KLIBCAFLAGS=${SECURITY_CFLAGS} -Wa,--noexecstack' \
> + 'EXTRA_KLIBCLDFLAGS=${SECURITY_LDFLAGS}'"
>
>  export FIX_ARMV4_EABI_BX = "${FIX_V4BX}"
>  KLIBCTHUMB = "${@['CONFIG_KLIBC_THUMB=n', 
> 'CONFIG_KLIBC_THUMB=y'][(d.getVar('ARM_INSTRUCTION_SET') == 'thumb')]}"
> @@ -74,5 +75,8 @@ KLIBC_ARCH_powerpc = "ppc"
>  KLIBC_ARCH_powerpc64 = "ppc64"
>  THIS_LIBKLIBC = "libklibc (= ${PV}-${PR})"
>
> -SECURITY_CFLAGS = "-fno-PIE -no-pie"
> -SECURITY_LDFLAGS = "-no-pie"
> +SECURITY_LDFLAGS = "${@ '-z relro -z now -z noexecstack -pie' if '${GCCPIE}' 
> \
> +   else '-z relro -z now -z noexecstack' }"
> +
> +# SECURITY_CFLAGS for powerpc are disabled in security_flags.inc
> +SECURITY_LDFLAGS_powerpc = "-z relro -z now -z noexecstack"
> --
> 2.7.4
>
-- 
___
Openembedded-devel mailing list
Openembedded-devel@lists.openembedded.org
http://lists.openembedded.org/mailman/listinfo/openembedded-devel

[oe] [meta-initramfs][PATCH] klibc: fix build on i386 with GCC and security flags enabled

[Andrea Adami]

Disable pie for powerpc as in security_flags.inc.
Fix on i386: ld: discarded output section: `.got.plt'

Signed-off-by: Andrea Adami 
---
 meta-initramfs/recipes-devtools/klibc/klibc.inc | 10 +++---
 1 file changed, 7 insertions(+), 3 deletions(-)

diff --git a/meta-initramfs/recipes-devtools/klibc/klibc.inc 
b/meta-initramfs/recipes-devtools/klibc/klibc.inc
index 3d25e96..b3d1568 100644
--- a/meta-initramfs/recipes-devtools/klibc/klibc.inc
+++ b/meta-initramfs/recipes-devtools/klibc/klibc.inc
@@ -47,7 +47,8 @@ EXTRA_OEMAKE = "'KLIBCARCH=${KLIBC_ARCH}' \
 'KLIBCOPTFLAGS=${TUNE_CCARGS}' \
  V=1 \
 "
-EXTRA_OEMAKE += 'EXTRA_KLIBCAFLAGS="-Wa,--noexecstack" EXTRA_KLIBCLDFLAGS="-z 
noexecstack"'
+EXTRA_OEMAKE += "'EXTRA_KLIBCAFLAGS=${SECURITY_CFLAGS} -Wa,--noexecstack' \
+ 'EXTRA_KLIBCLDFLAGS=${SECURITY_LDFLAGS}'"
 
 export FIX_ARMV4_EABI_BX = "${FIX_V4BX}"
 KLIBCTHUMB = "${@['CONFIG_KLIBC_THUMB=n', 
'CONFIG_KLIBC_THUMB=y'][(d.getVar('ARM_INSTRUCTION_SET') == 'thumb')]}"
@@ -74,5 +75,8 @@ KLIBC_ARCH_powerpc = "ppc"
 KLIBC_ARCH_powerpc64 = "ppc64"
 THIS_LIBKLIBC = "libklibc (= ${PV}-${PR})"
 
-SECURITY_CFLAGS = "-fno-PIE -no-pie"
-SECURITY_LDFLAGS = "-no-pie"
+SECURITY_LDFLAGS = "${@ '-z relro -z now -z noexecstack -pie' if '${GCCPIE}' \
+   else '-z relro -z now -z noexecstack' }"
+
+# SECURITY_CFLAGS for powerpc are disabled in security_flags.inc
+SECURITY_LDFLAGS_powerpc = "-z relro -z now -z noexecstack"
-- 
2.7.4

-- 
___
Openembedded-devel mailing list
Openembedded-devel@lists.openembedded.org
http://lists.openembedded.org/mailman/listinfo/openembedded-devel