On 11/10/22 19:53, Marek Polacek via Gcc-patches wrote:
This is a rebased version of the patch I posted in February:
<https://gcc.gnu.org/pipermail/gcc-patches/2022-February/590201.html>.

Fortunately it is much simpler than the patch implementing --enable-host-pie.
I've converted the install.texi part into configuration.rst, otherwise
there are no changes to the original version.

With --enable-host-bind-now --enable-host-pie:
$ readelf -Wd ./gcc/cc1 ./gcc/cc1plus | grep FLAGS
  0x000000000000001e (FLAGS)              BIND_NOW
  0x000000006ffffffb (FLAGS_1)            Flags: NOW PIE
  0x000000000000001e (FLAGS)              BIND_NOW
  0x000000006ffffffb (FLAGS_1)            Flags: NOW PIE

Bootstrapped/regtested on x86_64-pc-linux-gnu, ok for trunk?

-- >8 --

As promised in the --enable-host-pie patch, this patch adds another
configure option, --enable-host-bind-now, which adds -z now when linking
the compiler executables in order to extend hardening.  BIND_NOW with RELRO
allows the GOT to be marked RO; this prevents GOT modification attacks.

This option does not affect linking of target libraries; you can use
LDFLAGS_FOR_TARGET=-Wl,-z,relro,-z,now to enable RELRO/BIND_NOW.

c++tools/ChangeLog:

        * configure.ac (--enable-host-bind-now): New check.
        * configure: Regenerate.

gcc/ChangeLog:

        * configure.ac (--enable-host-bind-now): New check.  Add
        -Wl,-z,now to LD_PICFLAG if --enable-host-bind-now.
        * configure: Regenerate.
        * doc/install/configuration.rst: Document --enable-host-bind-now.

lto-plugin/ChangeLog:

        * configure.ac (--enable-host-bind-now): New check.  Link with
        -z,now.
        * configure: Regenerate.
---

OK.  Glad to see this finally get to resolution.  While I'm largely in agreement with Jakub that PIE doesn't provide a major security benefit for the compiler, it seems better to not have the compiler be special WRT security options.


Jeff
