On Wed, Dec 07, 2022 at 03:49:43PM -0500, Tom Rini wrote: > We borrow from the Linux Kernel 0d362be5b142 ("Makefile: link with -z > noexecstack --no-warn-rwx-segments") here to disable the RWX segment
Reviewed-by: Nick Desaulniers <ndesaulni...@google.com> > linking warnings. We do not also bring in -z noexecstack as that > requires auditing and using ".note.GNU-stack" on assembly functions > which do need this feature. Further, we now introduce KBUILD_EFILDFLAGS It took me a second to realize this is kbuild flags for the linker for EFI. Looked like a type of KBUILD_FIELD_FLAGS initially to me. > so that we can also pass --no-warn-rwx-segments when linking EFI > applications, and those do explicitly pass -z execstack. > > Cc: Heinrich Schuchardt <xypron.g...@gmx.de> > Cc: Ilias Apalodimas <ilias.apalodi...@linaro.org> > Signed-off-by: Tom Rini <tr...@konsulko.com> > --- > Makefile | 2 ++ > scripts/Makefile.lib | 6 ++++-- > 2 files changed, 6 insertions(+), 2 deletions(-) > > diff --git a/Makefile b/Makefile > index 11efc4180414..839733836d9b 100644 > --- a/Makefile > +++ b/Makefile > @@ -806,6 +806,8 @@ KBUILD_CPPFLAGS += $(KCPPFLAGS) > KBUILD_AFLAGS += $(KAFLAGS) > KBUILD_CFLAGS += $(KCFLAGS) > > +KBUILD_LDFLAGS += $(call ld-option,--no-warn-rwx-segments) > + > KBUILD_HOSTCFLAGS += $(if $(CONFIG_TOOLS_DEBUG),-g) > > # Use UBOOTINCLUDE when you must reference the include/ directory. > diff --git a/scripts/Makefile.lib b/scripts/Makefile.lib > index 8e13bf2b986d..ac45a8847859 100644 > --- a/scripts/Makefile.lib > +++ b/scripts/Makefile.lib > @@ -425,9 +425,11 @@ cmd_efi_objcopy = $(OBJCOPY) -j .header -j .text -j > .sdata -j .data -j \ > $(obj)/%.efi: $(obj)/%_efi.so > $(call cmd,efi_objcopy) > > +KBUILD_EFILDFLAGS = -nostdlib -zexecstack -znocombreloc -znorelro > +KBUILD_EFILDFLAGS += $(call ld-option,--no-warn-rwx-segments) > quiet_cmd_efi_ld = LD $@ > -cmd_efi_ld = $(LD) -nostdlib -zexecstack -znocombreloc -T $(EFI_LDS_PATH) \ > - -shared -Bsymbolic -znorelro -s $^ -o $@ > +cmd_efi_ld = $(LD) $(KBUILD_EFILDFLAGS) -T $(EFI_LDS_PATH) \ > + -shared -Bsymbolic -s $^ -o $@ > > EFI_LDS_PATH = $(srctree)/arch/$(ARCH)/lib/$(EFI_LDS) > > -- > 2.25.1 > >