On Sat, Sep 15, 2018 at 1:30 PM Hongxu Jia <[email protected]> wrote: > > On 2018年09月15日 18:58, Andrea Adami wrote: > > On Sat, Sep 15, 2018 at 10:15 AM Hongxu Jia <[email protected]> > > wrote: > >> On 2018年09月15日 02:02, Andrea Adami wrote: > >>> ld fails if distro's security-flags are enabled: > >>> Inject the SECURITY_XFLAGS if security_flags.inc was included. > >>> > >>> Fix on i386: ld: discarded output section: `.got.plt' > >>> > >>> Signed-off-by: Andrea Adami <[email protected]> > >>> --- > >>> meta-initramfs/recipes-devtools/klibc/klibc.inc | 6 +++--- > >>> 1 file changed, 3 insertions(+), 3 deletions(-) > >>> > >>> diff --git a/meta-initramfs/recipes-devtools/klibc/klibc.inc > >>> b/meta-initramfs/recipes-devtools/klibc/klibc.inc > >>> index 3d25e96..837b026 100644 > >>> --- a/meta-initramfs/recipes-devtools/klibc/klibc.inc > >>> +++ b/meta-initramfs/recipes-devtools/klibc/klibc.inc > >>> @@ -47,7 +47,8 @@ EXTRA_OEMAKE = "'KLIBCARCH=${KLIBC_ARCH}' \ > >>> 'KLIBCOPTFLAGS=${TUNE_CCARGS}' \ > >>> V=1 \ > >>> " > >>> -EXTRA_OEMAKE += 'EXTRA_KLIBCAFLAGS="-Wa,--noexecstack" > >>> EXTRA_KLIBCLDFLAGS="-z noexecstack"' > >>> +EXTRA_OEMAKE += "'EXTRA_KLIBCAFLAGS=${SECURITY_CFLAGS} > >>> -Wa,--noexecstack' \ > >>> + 'EXTRA_KLIBCLDFLAGS=${SECURITY_LDFLAGS} -z noexecstack'" > >>> > >> Is it necessary to pass SECURITY_XFLAGS directly? While including > >> security_flags.inc, > >> CC will contain SECURITY_CFLAGS and LDFLAGS will contain SECURITY_LDFLAGS. > >> Maybe you should make sure to pass LDFLAGS to EXTRA_KLIBCLDFLAGS to avoid > >> ldflags qa warning. > >> > >> [security_flags.inc] > >> 58 TARGET_CC_ARCH_append_class-target = " ${SECURITY_CFLAGS}" > >> 59 TARGET_LDFLAGS_append_class-target = " ${SECURITY_LDFLAGS}" > >> [security_flags.inc] > >> > >>> export FIX_ARMV4_EABI_BX = "${FIX_V4BX}" > >>> KLIBCTHUMB = "${@['CONFIG_KLIBC_THUMB=n', > >>> 'CONFIG_KLIBC_THUMB=y'][(d.getVar('ARM_INSTRUCTION_SET') == 'thumb')]}" 
> >>> @@ -74,5 +75,4 @@ KLIBC_ARCH_powerpc = "ppc" > >>> KLIBC_ARCH_powerpc64 = "ppc64" > >>> THIS_LIBKLIBC = "libklibc (= ${PV}-${PR})" > >>> > >>> -SECURITY_CFLAGS = "-fno-PIE -no-pie" > >>> -SECURITY_LDFLAGS = "-no-pie" > >>> +SECURITY_LDFLAGS = "${@'-z relro -z now -pie' if '${GCCPIE}' else ''}" > >> The same reason, it is not necessary to test GCCPIE, > >> > >> and it missed "-Wl,"?, how about directly set SECURITY_STACK_PROTECTOR = "" > >> > > Hi, > > thanks for reviewing. > > > > It is true the SECURITY_CFLAGS are passed to the compiler. > > The problem is, klibc has its own arch makefiles (MCONFIG) and the > > linker is called directly, so if you just append the LDFLAGS like > > this: > > > > EXTRA_OEMAKE += "'EXTRA_KLIBCAFLAGS=-Wa,--noexecstack' \ > > 'EXTRA_KLIBCLDFLAGS=${LDFLAGS} -z noexecstack'" > > > > you get: > > > > i586-oe-linux-musl-ld.bfd -m elf_i386 -o > > usr/kinit/ipconfig/static/ipconfig -W > > l,-O1 -Wl,--hash-style=gnu -Wl,--as-needed -z relro -z now -pie -z > > noexecstack u > > sr/klibc/arch/i386/crt0.o --start-group usr/kinit/ipconfig/main.o > > usr/kinit/ipc > > onfig/netdev.o usr/kinit/ipconfig/packet.o usr/kinit/ipconfig/dhcp_proto.o > > usr/k > > init/ipconfig/bootp_proto.o usr/klibc/libc.a > > /tmp/build/tmp-musl/work/i586-oe-l > > inux-musl/klibc/2.0.4-r0/recipe-sysroot/usr/lib/i586-oe-linux-musl/*/libgcc.a > > -- > > end-group ; cp -f usr/kinit/ipconfig/static/ipconfig > > usr/kinit/ipconfig/static/i > > pconfig.g ; i586-oe-linux-musl-strip --strip-all -R .comment -R .note > > --strip-al > > l -R .comment -R .note --strip-all -R .comment -R .note > > usr/kinit/ipconfig/stati > > c/ipconfig > > i586-oe-linux-musl-ld.bfd: unrecognized option '-Wl,-O1' > > > > Thus I am expliciting the SECURITY_LDFLAGS. > > > > Note that this patch, injecting the -pie, does now break build for mips, > > because the MCONFIG foir mips disables pic. > > The immediate fix is to remove -pie for mips (standard behavior). 
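Review bot: in the first hunk (the `EXTRA_OEMAKE +=` line of klibc.inc), `${SECURITY_CFLAGS}` and `${SECURITY_LDFLAGS}` are expanded unconditionally, although the commit message says they are injected only if security_flags.inc was included. The second hunk also drops the recipe's own `SECURITY_CFLAGS` assignment, so nothing in this file gives that variable a value when the include is absent; a weak default such as `SECURITY_CFLAGS ??= ""` next to the `SECURITY_LDFLAGS` line would make the no-hardening case explicit. A recipe comment would also help to explain why compiler hardening flags are routed through `EXTRA_KLIBCAFLAGS`, the variable that so far carried only the assembler option `-Wa,--noexecstack`.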
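Review bot: in the second hunk, the new `SECURITY_LDFLAGS` ties `-z relro -z now` to the `GCCPIE` test, so a build with `GCCPIE` empty loses RELRO and immediate binding together with `-pie`, even though only `-pie` depends on PIE being enabled. Consider keeping `-z relro -z now` unconditional and gating only `-pie`, which also gives a single place to drop `-pie` for mips, where the thread reports that the build breaks. The value is in bare `ld` syntax without `-Wl,` because klibc calls the linker directly (see the `unrecognized option '-Wl,-O1'` error quoted in the thread); a one-line comment above the assignment saying so would answer the question raised in review.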
>
> OK, thanks for the explanation
>
> //Hongxu
Hi,

with a following patch more archs were fixed when building with security flags.

I ended up appending both SECURITY_CFLAGS and SECURITY_LDFLAGS and I only have to special-case the mips/mips64 which at the time of klibc (10yrs ago) if you read the kernel was expecting pic code in userspace but here in klibc I see pic disabled in the makefiles...

Maybe Khem can test runtime...my only mips is a DTB decoder (well, with a bit of motivation I could do that, it's OpenPli).

Cheers
Andrea

>
> > Cheers
> > Andrea
> >
> >
> >> //Hongxu
> >>
>
--
_______________________________________________
Openembedded-devel mailing list
[email protected]
http://lists.openembedded.org/mailman/listinfo/openembedded-devel
