Re: [oe] [meta-initramfs][PATCH v2] klibc: fix build on i386 with GCC and security flags enabled

2018-09-17 Thread Andrea Adami
On Sat, Sep 15, 2018 at 1:30 PM Hongxu Jia  wrote:
>
> On 2018-09-15 18:58, Andrea Adami wrote:
> > On Sat, Sep 15, 2018 at 10:15 AM Hongxu Jia  
> > wrote:
> >> On 2018-09-15 02:02, Andrea Adami wrote:
> >>> ld fails if distro's security-flags are enabled:
> >>> Inject the SECURITY_XFLAGS if security_flags.inc was included.
> >>>
> >>> Fix on i386: ld: discarded output section: `.got.plt'
> >>>
> >>> Signed-off-by: Andrea Adami 
> >>> ---
> >>>meta-initramfs/recipes-devtools/klibc/klibc.inc | 6 +++---
> >>>1 file changed, 3 insertions(+), 3 deletions(-)
> >>>
> >>> diff --git a/meta-initramfs/recipes-devtools/klibc/klibc.inc 
> >>> b/meta-initramfs/recipes-devtools/klibc/klibc.inc
> >>> index 3d25e96..837b026 100644
> >>> --- a/meta-initramfs/recipes-devtools/klibc/klibc.inc
> >>> +++ b/meta-initramfs/recipes-devtools/klibc/klibc.inc
> >>> @@ -47,7 +47,8 @@ EXTRA_OEMAKE = "'KLIBCARCH=${KLIBC_ARCH}' \
> >>>'KLIBCOPTFLAGS=${TUNE_CCARGS}' \
> >>> V=1 \
> >>>"
> >>> -EXTRA_OEMAKE += 'EXTRA_KLIBCAFLAGS="-Wa,--noexecstack" 
> >>> EXTRA_KLIBCLDFLAGS="-z noexecstack"'
> >>> +EXTRA_OEMAKE += "'EXTRA_KLIBCAFLAGS=${SECURITY_CFLAGS} 
> >>> -Wa,--noexecstack' \
> >>> + 'EXTRA_KLIBCLDFLAGS=${SECURITY_LDFLAGS} -z noexecstack'"
> >>>
> >> Is it necessary to pass SECURITY_XFLAGS directly? While including
> >> security_flags.inc,
> >> CC will contain SECURITY_CFLAGS and LDFLAGS will contain SECURITY_LDFLAGS.
> >> Maybe you should make sure  to pass LDFLAGS to EXTRA_KLIBCLDFLAGS to avoid
> >> ldflags qa warning.
> >>
> >> [security_flags.inc]
> >>58 TARGET_CC_ARCH_append_class-target = " ${SECURITY_CFLAGS}"
> >>59 TARGET_LDFLAGS_append_class-target = " ${SECURITY_LDFLAGS}"
> >> [security_flags.inc]
> >>
> >>>export FIX_ARMV4_EABI_BX = "${FIX_V4BX}"
> >>>KLIBCTHUMB = "${@['CONFIG_KLIBC_THUMB=n', 
> >>> 'CONFIG_KLIBC_THUMB=y'][(d.getVar('ARM_INSTRUCTION_SET') == 'thumb')]}"
> >>> @@ -74,5 +75,4 @@ KLIBC_ARCH_powerpc = "ppc"
> >>>KLIBC_ARCH_powerpc64 = "ppc64"
> >>>THIS_LIBKLIBC = "libklibc (= ${PV}-${PR})"
> >>>
> >>> -SECURITY_CFLAGS = "-fno-PIE -no-pie"
> >>> -SECURITY_LDFLAGS = "-no-pie"
> >>> +SECURITY_LDFLAGS = "${@'-z relro -z now -pie' if '${GCCPIE}' else ''}"
> >> The same reason, it is not necessary to test GCCPIE,
> >>
> >> and it missed "-Wl,"?, how about directly set SECURITY_STACK_PROTECTOR = ""
> >>
> > Hi,
> > thanks for reviewing.
> >
> > It is true the SECURITY_CFLAGS are passed to the compiler.
> > The problem is, klibc has its own arch makefiles (MCONFIG) and the
> > linker is called directly, so if you just append the LDFLAGS like
> > this:
> >
> > EXTRA_OEMAKE += "'EXTRA_KLIBCAFLAGS=-Wa,--noexecstack' \
> >   'EXTRA_KLIBCLDFLAGS=${LDFLAGS} -z noexecstack'"
> >
> > you get:
> >
> >   i586-oe-linux-musl-ld.bfd -m elf_i386 -o usr/kinit/ipconfig/static/ipconfig -W
> > l,-O1 -Wl,--hash-style=gnu -Wl,--as-needed -z relro -z now -pie -z noexecstack u
> > sr/klibc/arch/i386/crt0.o --start-group  usr/kinit/ipconfig/main.o usr/kinit/ipc
> > onfig/netdev.o usr/kinit/ipconfig/packet.o usr/kinit/ipconfig/dhcp_proto.o usr/k
> > init/ipconfig/bootp_proto.o  usr/klibc/libc.a /tmp/build/tmp-musl/work/i586-oe-l
> > inux-musl/klibc/2.0.4-r0/recipe-sysroot/usr/lib/i586-oe-linux-musl/*/libgcc.a --
> > end-group ; cp -f usr/kinit/ipconfig/static/ipconfig usr/kinit/ipconfig/static/i
> > pconfig.g ; i586-oe-linux-musl-strip --strip-all -R .comment -R .note --strip-al
> > l -R .comment -R .note --strip-all -R .comment -R .note usr/kinit/ipconfig/stati
> > c/ipconfig
> > i586-oe-linux-musl-ld.bfd: unrecognized option '-Wl,-O1'
> >
> > Thus I am making the SECURITY_LDFLAGS explicit.
> >
> > Note that this patch, injecting the -pie, does now break build for mips,
> > because the MCONFIG for mips disables pic.
> > The immediate fix is to remove -pie for mips (standard behavior).
>
> OK, thanks for the explanation
>
> //Hongxu

Hi,

with a following patch more archs were fixed when building with security flags.
I ended up appending both SECURITY_CFLAGS and SECURITY_LDFLAGS and I
only have to special-case the mips/mips64 which at the time of klibc
(10yrs ago) if you read the kernel was expecting pic code in userspace
but here in klibc I see pic disabled in the makefiles...
Maybe Khem can test runtime...my only mips is a DTB decoder (well,
with a bit of motivation I could do that, it's OpenPli).

Cheers
Andrea


>
> > Cheers
> > Andrea
> >
> >
> >> //Hongxu
> >>
>
-- 
___
Openembedded-devel mailing list
Openembedded-devel@lists.openembedded.org
http://lists.openembedded.org/mailman/listinfo/openembedded-devel
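
A way to confirm that the flags discussed in this thread (`-z relro -z now -pie -z noexecstack`) actually reached a linked binary, as an added example that is not part of the original messages or of the klibc recipe. It parses the text output of `readelf -h -l -d -W`; the function names are hypothetical and the two sample excerpts are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): audit hardening from readelf text.
# Input on stdin: output of `readelf -h -l -d -W <binary>`.
# Output: one line per missing property; empty output means all present.
check_hardening() {
    awk '
        /^ *Type:/ && $2 == "DYN"  { pie = 1 }      # -pie (shared libs are DYN too)
        $1 == "GNU_RELRO"          { relro = 1 }    # -z relro
        /\(FLAGS\)/ && /BIND_NOW/  { now = 1 }      # -z now
        /\(FLAGS_1\)/ && /NOW/     { now = 1 }
        /\(BIND_NOW\)/             { now = 1 }
        $1 == "GNU_STACK"          { stack = 1; if ($7 ~ /E/) execstack = 1 }
        END {
            if (!pie)   print "no-pie"
            if (!relro) print "no-relro"
            if (!now)   print "no-bind-now"
            # A missing GNU_STACK header is reported like an executable stack.
            if (!stack || execstack) print "execstack"
        }'
}

# Constructed sample: excerpt for a binary linked with all four flags.
sample_hardened() { cat <<'EOF'
  Type:                              DYN (Shared object file)
  GNU_STACK      0x000000 0x00000000 0x00000000 0x00000 0x00000 RW  0x10
  GNU_RELRO      0x002ef4 0x00003ef4 0x00003ef4 0x0010c 0x0010c R   0x1
 0x0000001e (FLAGS)                      BIND_NOW
 0x6ffffffb (FLAGS_1)                    Flags: NOW PIE
EOF
}

# Constructed sample: excerpt for a binary linked without any of them.
sample_legacy() { cat <<'EOF'
  Type:                              EXEC (Executable file)
  GNU_STACK      0x000000 0x00000000 0x00000000 0x00000 0x00000 RWE 0x10
EOF
}

# Usage on a real file: sh check_hardening.sh path/to/binary
if [ "$#" -gt 0 ]; then
    readelf -h -l -d -W "$1" | check_hardening
fi
```
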


Re: [oe] [meta-initramfs][PATCH v2] klibc: fix build on i386 with GCC and security flags enabled

2018-09-15 Thread Hongxu Jia

On 2018-09-15 18:58, Andrea Adami wrote:

On Sat, Sep 15, 2018 at 10:15 AM Hongxu Jia  wrote:

On 2018-09-15 02:02, Andrea Adami wrote:

ld fails if distro's security-flags are enabled:
Inject the SECURITY_XFLAGS if security_flags.inc was included.

Fix on i386: ld: discarded output section: `.got.plt'

Signed-off-by: Andrea Adami 
---
   meta-initramfs/recipes-devtools/klibc/klibc.inc | 6 +++---
   1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/meta-initramfs/recipes-devtools/klibc/klibc.inc 
b/meta-initramfs/recipes-devtools/klibc/klibc.inc
index 3d25e96..837b026 100644
--- a/meta-initramfs/recipes-devtools/klibc/klibc.inc
+++ b/meta-initramfs/recipes-devtools/klibc/klibc.inc
@@ -47,7 +47,8 @@ EXTRA_OEMAKE = "'KLIBCARCH=${KLIBC_ARCH}' \
   'KLIBCOPTFLAGS=${TUNE_CCARGS}' \
V=1 \
   "
-EXTRA_OEMAKE += 'EXTRA_KLIBCAFLAGS="-Wa,--noexecstack" EXTRA_KLIBCLDFLAGS="-z 
noexecstack"'
+EXTRA_OEMAKE += "'EXTRA_KLIBCAFLAGS=${SECURITY_CFLAGS} -Wa,--noexecstack' \
+ 'EXTRA_KLIBCLDFLAGS=${SECURITY_LDFLAGS} -z noexecstack'"


Is it necessary to pass SECURITY_XFLAGS directly? While including
security_flags.inc,
CC will contain SECURITY_CFLAGS and LDFLAGS will contain SECURITY_LDFLAGS.
Maybe you should make sure  to pass LDFLAGS to EXTRA_KLIBCLDFLAGS to avoid
ldflags qa warning.

[security_flags.inc]
   58 TARGET_CC_ARCH_append_class-target = " ${SECURITY_CFLAGS}"
   59 TARGET_LDFLAGS_append_class-target = " ${SECURITY_LDFLAGS}"
[security_flags.inc]


   export FIX_ARMV4_EABI_BX = "${FIX_V4BX}"
   KLIBCTHUMB = "${@['CONFIG_KLIBC_THUMB=n', 
'CONFIG_KLIBC_THUMB=y'][(d.getVar('ARM_INSTRUCTION_SET') == 'thumb')]}"
@@ -74,5 +75,4 @@ KLIBC_ARCH_powerpc = "ppc"
   KLIBC_ARCH_powerpc64 = "ppc64"
   THIS_LIBKLIBC = "libklibc (= ${PV}-${PR})"

-SECURITY_CFLAGS = "-fno-PIE -no-pie"
-SECURITY_LDFLAGS = "-no-pie"
+SECURITY_LDFLAGS = "${@'-z relro -z now -pie' if '${GCCPIE}' else ''}"

The same reason, it is not necessary to test GCCPIE,

and it missed "-Wl,"?, how about directly set SECURITY_STACK_PROTECTOR = ""


Hi,
thanks for reviewing.

It is true the SECURITY_CFLAGS are passed to the compiler.
The problem is, klibc has its own arch makefiles (MCONFIG) and the
linker is called directly, so if you just append the LDFLAGS like
this:

EXTRA_OEMAKE += "'EXTRA_KLIBCAFLAGS=-Wa,--noexecstack' \
  'EXTRA_KLIBCLDFLAGS=${LDFLAGS} -z noexecstack'"

you get:

   i586-oe-linux-musl-ld.bfd -m elf_i386 -o usr/kinit/ipconfig/static/ipconfig -W
l,-O1 -Wl,--hash-style=gnu -Wl,--as-needed -z relro -z now -pie -z noexecstack u
sr/klibc/arch/i386/crt0.o --start-group  usr/kinit/ipconfig/main.o usr/kinit/ipc
onfig/netdev.o usr/kinit/ipconfig/packet.o usr/kinit/ipconfig/dhcp_proto.o usr/k
init/ipconfig/bootp_proto.o  usr/klibc/libc.a /tmp/build/tmp-musl/work/i586-oe-l
inux-musl/klibc/2.0.4-r0/recipe-sysroot/usr/lib/i586-oe-linux-musl/*/libgcc.a --
end-group ; cp -f usr/kinit/ipconfig/static/ipconfig usr/kinit/ipconfig/static/i
pconfig.g ; i586-oe-linux-musl-strip --strip-all -R .comment -R .note --strip-al
l -R .comment -R .note --strip-all -R .comment -R .note usr/kinit/ipconfig/stati
c/ipconfig
i586-oe-linux-musl-ld.bfd: unrecognized option '-Wl,-O1'

Thus I am making the SECURITY_LDFLAGS explicit.

Note that this patch, injecting the -pie, does now break build for mips,
because the MCONFIG for mips disables pic.
The immediate fix is to remove -pie for mips (standard behavior).


OK, thanks for the explanation

//Hongxu


Cheers
Andrea



//Hongxu





Re: [oe] [meta-initramfs][PATCH v2] klibc: fix build on i386 with GCC and security flags enabled

2018-09-15 Thread Andrea Adami
On Sat, Sep 15, 2018 at 10:15 AM Hongxu Jia  wrote:
>
> On 2018-09-15 02:02, Andrea Adami wrote:
> > ld fails if distro's security-flags are enabled:
> > Inject the SECURITY_XFLAGS if security_flags.inc was included.
> >
> > Fix on i386: ld: discarded output section: `.got.plt'
> >
> > Signed-off-by: Andrea Adami 
> > ---
> >   meta-initramfs/recipes-devtools/klibc/klibc.inc | 6 +++---
> >   1 file changed, 3 insertions(+), 3 deletions(-)
> >
> > diff --git a/meta-initramfs/recipes-devtools/klibc/klibc.inc 
> > b/meta-initramfs/recipes-devtools/klibc/klibc.inc
> > index 3d25e96..837b026 100644
> > --- a/meta-initramfs/recipes-devtools/klibc/klibc.inc
> > +++ b/meta-initramfs/recipes-devtools/klibc/klibc.inc
> > @@ -47,7 +47,8 @@ EXTRA_OEMAKE = "'KLIBCARCH=${KLIBC_ARCH}' \
> >   'KLIBCOPTFLAGS=${TUNE_CCARGS}' \
> >V=1 \
> >   "
> > -EXTRA_OEMAKE += 'EXTRA_KLIBCAFLAGS="-Wa,--noexecstack" 
> > EXTRA_KLIBCLDFLAGS="-z noexecstack"'
> > +EXTRA_OEMAKE += "'EXTRA_KLIBCAFLAGS=${SECURITY_CFLAGS} -Wa,--noexecstack' \
> > + 'EXTRA_KLIBCLDFLAGS=${SECURITY_LDFLAGS} -z noexecstack'"
> >
> Is it necessary to pass SECURITY_XFLAGS directly? While including
> security_flags.inc,
> CC will contain SECURITY_CFLAGS and LDFLAGS will contain SECURITY_LDFLAGS.
> Maybe you should make sure  to pass LDFLAGS to EXTRA_KLIBCLDFLAGS to avoid
> ldflags qa warning.
>
> [security_flags.inc]
>   58 TARGET_CC_ARCH_append_class-target = " ${SECURITY_CFLAGS}"
>   59 TARGET_LDFLAGS_append_class-target = " ${SECURITY_LDFLAGS}"
> [security_flags.inc]
>
> >   export FIX_ARMV4_EABI_BX = "${FIX_V4BX}"
> >   KLIBCTHUMB = "${@['CONFIG_KLIBC_THUMB=n', 
> > 'CONFIG_KLIBC_THUMB=y'][(d.getVar('ARM_INSTRUCTION_SET') == 'thumb')]}"
> > @@ -74,5 +75,4 @@ KLIBC_ARCH_powerpc = "ppc"
> >   KLIBC_ARCH_powerpc64 = "ppc64"
> >   THIS_LIBKLIBC = "libklibc (= ${PV}-${PR})"
> >
> > -SECURITY_CFLAGS = "-fno-PIE -no-pie"
> > -SECURITY_LDFLAGS = "-no-pie"
> > +SECURITY_LDFLAGS = "${@'-z relro -z now -pie' if '${GCCPIE}' else ''}"
>
> The same reason, it is not necessary to test GCCPIE,
>
> and it missed "-Wl,"?, how about directly set SECURITY_STACK_PROTECTOR = ""
>
Hi,
thanks for reviewing.

It is true the SECURITY_CFLAGS are passed to the compiler.
The problem is, klibc has its own arch makefiles (MCONFIG) and the
linker is called directly, so if you just append the LDFLAGS like
this:

EXTRA_OEMAKE += "'EXTRA_KLIBCAFLAGS=-Wa,--noexecstack' \
 'EXTRA_KLIBCLDFLAGS=${LDFLAGS} -z noexecstack'"

you get:

  i586-oe-linux-musl-ld.bfd -m elf_i386 -o usr/kinit/ipconfig/static/ipconfig -W
l,-O1 -Wl,--hash-style=gnu -Wl,--as-needed -z relro -z now -pie -z noexecstack u
sr/klibc/arch/i386/crt0.o --start-group  usr/kinit/ipconfig/main.o usr/kinit/ipc
onfig/netdev.o usr/kinit/ipconfig/packet.o usr/kinit/ipconfig/dhcp_proto.o usr/k
init/ipconfig/bootp_proto.o  usr/klibc/libc.a /tmp/build/tmp-musl/work/i586-oe-l
inux-musl/klibc/2.0.4-r0/recipe-sysroot/usr/lib/i586-oe-linux-musl/*/libgcc.a --
end-group ; cp -f usr/kinit/ipconfig/static/ipconfig usr/kinit/ipconfig/static/i
pconfig.g ; i586-oe-linux-musl-strip --strip-all -R .comment -R .note --strip-al
l -R .comment -R .note --strip-all -R .comment -R .note usr/kinit/ipconfig/stati
c/ipconfig
i586-oe-linux-musl-ld.bfd: unrecognized option '-Wl,-O1'

Thus I am making the SECURITY_LDFLAGS explicit.

Note that this patch, injecting the -pie, does now break build for mips,
because the MCONFIG for mips disables pic.
The immediate fix is to remove -pie for mips (standard behavior).

Cheers
Andrea


>
> //Hongxu
>


Re: [oe] [meta-initramfs][PATCH v2] klibc: fix build on i386 with GCC and security flags enabled

2018-09-15 Thread Hongxu Jia

On 2018-09-15 02:02, Andrea Adami wrote:

ld fails if distro's security-flags are enabled:
Inject the SECURITY_XFLAGS if security_flags.inc was included.

Fix on i386: ld: discarded output section: `.got.plt'

Signed-off-by: Andrea Adami 
---
  meta-initramfs/recipes-devtools/klibc/klibc.inc | 6 +++---
  1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/meta-initramfs/recipes-devtools/klibc/klibc.inc 
b/meta-initramfs/recipes-devtools/klibc/klibc.inc
index 3d25e96..837b026 100644
--- a/meta-initramfs/recipes-devtools/klibc/klibc.inc
+++ b/meta-initramfs/recipes-devtools/klibc/klibc.inc
@@ -47,7 +47,8 @@ EXTRA_OEMAKE = "'KLIBCARCH=${KLIBC_ARCH}' \
  'KLIBCOPTFLAGS=${TUNE_CCARGS}' \
   V=1 \
  "
-EXTRA_OEMAKE += 'EXTRA_KLIBCAFLAGS="-Wa,--noexecstack" EXTRA_KLIBCLDFLAGS="-z 
noexecstack"'
+EXTRA_OEMAKE += "'EXTRA_KLIBCAFLAGS=${SECURITY_CFLAGS} -Wa,--noexecstack' \
+ 'EXTRA_KLIBCLDFLAGS=${SECURITY_LDFLAGS} -z noexecstack'"
  
Is it necessary to pass SECURITY_XFLAGS directly? While including 
security_flags.inc,

CC will contain SECURITY_CFLAGS and LDFLAGS will contain SECURITY_LDFLAGS.
Maybe you should make sure  to pass LDFLAGS to EXTRA_KLIBCLDFLAGS to avoid
ldflags qa warning.

[security_flags.inc]
 58 TARGET_CC_ARCH_append_class-target = " ${SECURITY_CFLAGS}"
 59 TARGET_LDFLAGS_append_class-target = " ${SECURITY_LDFLAGS}"
[security_flags.inc]


  export FIX_ARMV4_EABI_BX = "${FIX_V4BX}"
  KLIBCTHUMB = "${@['CONFIG_KLIBC_THUMB=n', 
'CONFIG_KLIBC_THUMB=y'][(d.getVar('ARM_INSTRUCTION_SET') == 'thumb')]}"
@@ -74,5 +75,4 @@ KLIBC_ARCH_powerpc = "ppc"
  KLIBC_ARCH_powerpc64 = "ppc64"
  THIS_LIBKLIBC = "libklibc (= ${PV}-${PR})"
  
-SECURITY_CFLAGS = "-fno-PIE -no-pie"

-SECURITY_LDFLAGS = "-no-pie"
+SECURITY_LDFLAGS = "${@'-z relro -z now -pie' if '${GCCPIE}' else ''}"


The same reason, it is not necessary to test GCCPIE,

and it missed "-Wl,"?, how about directly set SECURITY_STACK_PROTECTOR = ""


//Hongxu



[oe] [meta-initramfs][PATCH v2] klibc: fix build on i386 with GCC and security flags enabled

2018-09-14 Thread Andrea Adami
ld fails if distro's security-flags are enabled:
Inject the SECURITY_XFLAGS if security_flags.inc was included.

Fix on i386: ld: discarded output section: `.got.plt'

Signed-off-by: Andrea Adami 
---
 meta-initramfs/recipes-devtools/klibc/klibc.inc | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/meta-initramfs/recipes-devtools/klibc/klibc.inc 
b/meta-initramfs/recipes-devtools/klibc/klibc.inc
index 3d25e96..837b026 100644
--- a/meta-initramfs/recipes-devtools/klibc/klibc.inc
+++ b/meta-initramfs/recipes-devtools/klibc/klibc.inc
@@ -47,7 +47,8 @@ EXTRA_OEMAKE = "'KLIBCARCH=${KLIBC_ARCH}' \
 'KLIBCOPTFLAGS=${TUNE_CCARGS}' \
  V=1 \
 "
-EXTRA_OEMAKE += 'EXTRA_KLIBCAFLAGS="-Wa,--noexecstack" EXTRA_KLIBCLDFLAGS="-z 
noexecstack"'
+EXTRA_OEMAKE += "'EXTRA_KLIBCAFLAGS=${SECURITY_CFLAGS} -Wa,--noexecstack' \
+ 'EXTRA_KLIBCLDFLAGS=${SECURITY_LDFLAGS} -z noexecstack'"
 
 export FIX_ARMV4_EABI_BX = "${FIX_V4BX}"
 KLIBCTHUMB = "${@['CONFIG_KLIBC_THUMB=n', 
'CONFIG_KLIBC_THUMB=y'][(d.getVar('ARM_INSTRUCTION_SET') == 'thumb')]}"
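
Review bot: The new `EXTRA_OEMAKE +=` line expands `${SECURITY_CFLAGS}` and `${SECURITY_LDFLAGS}` unconditionally, while the second hunk deletes the only `SECURITY_CFLAGS` assignment in this file, so a build that does not include security_flags.inc has nothing in klibc.inc that defines `SECURITY_CFLAGS`. The commit message says the flags are injected "if security_flags.inc was included"; a weak default such as `SECURITY_CFLAGS ?= ""` next to the `SECURITY_LDFLAGS` assignment would make that condition hold. A comment above the line would also help: as the replies in this thread show, `EXTRA_KLIBCLDFLAGS` is handed to ld directly, so whatever ends up in it has to be in linker syntax (`-z relro`), not compiler-driver syntax (`-Wl,...`).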
@@ -74,5 +75,4 @@ KLIBC_ARCH_powerpc = "ppc"
 KLIBC_ARCH_powerpc64 = "ppc64"
 THIS_LIBKLIBC = "libklibc (= ${PV}-${PR})"
 
-SECURITY_CFLAGS = "-fno-PIE -no-pie"
-SECURITY_LDFLAGS = "-no-pie"
+SECURITY_LDFLAGS = "${@'-z relro -z now -pie' if '${GCCPIE}' else ''}"
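
Review bot: The added `SECURITY_LDFLAGS` line ties `-z relro -z now` to the `GCCPIE` test, although only `-pie` is PIE-related; when the condition is false the link gets neither RELRO nor immediate binding. Consider emitting `-z relro -z now` always and appending `-pie` conditionally. The test itself, `if '${GCCPIE}'`, is true for any non-empty expanded string; `d.getVar('GCCPIE')`, in the style the `KLIBCTHUMB` line already uses for `ARM_INSTRUCTION_SET`, states the intent more directly. Since the hunk also removes `-fno-PIE -no-pie` for every architecture at once, an architecture whose klibc makefile disables pic (mips, per the follow-up in this thread) needs an override that leaves `-pie` out.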
-- 
2.7.4
