I'm attempting to compile libyara.a into an Intel SGX application wherein I 
can run yara rules in an enclave.  It's compiled in Eclipse 2018-2019.  I 
used the default procedure to create the libyara baseline:

./configure
make
make install

The problem is that the compile/linking produces the following errors:

11:34:02 **** Build of configuration Intel(R) SGX Simulation Debug for 
project non_sgx_empty_proj ****
make SGX_DEBUG=1 SGX_MODE=SIM -f sgx/Makefile all 
make -C ./sgx/enclave_yara_enclave  -f sgx_u.mk all;
make[1]: Entering directory 
`/home/developer/eclipse-workspace/non_sgx_empty_proj/sgx/enclave_yara_enclave'
GEN  =>  untrusted/yara_enclave_u.c
CC   <=  untrusted/yara_enclave_u.c
CXX  <=  untrusted/sample.c
LINK =>  sample
make[1]: Leaving directory 
`/home/developer/eclipse-workspace/non_sgx_empty_proj/sgx/enclave_yara_enclave'
make -C ./sgx/enclave_yara_enclave    -f sgx_t.mk all;
make[1]: Entering directory 
`/home/developer/eclipse-workspace/non_sgx_empty_proj/sgx/enclave_yara_enclave'
GEN  =>  trusted/yara_enclave_t.c
CC   <=  trusted/yara_enclave_t.c
CC  <=  trusted/yara_enclave.c
/usr/bin/ld: /usr/local/lib/libyara.a(tests.o): relocation R_X86_64_32 
against `.rodata.str1.1' can not be used when making a shared object; 
recompile with -fPIC
/usr/bin/ld: /usr/local/lib/libyara.a(pe.o): relocation R_X86_64_32 against 
`.rodata.str1.1' can not be used when making a shared object; recompile 
with -fPIC
/usr/bin/ld: /usr/local/lib/libyara.a(elf.o): relocation R_X86_64_32 
against `.rodata.str1.1' can not be used when making a shared object; 
recompile with -fPIC
/usr/bin/ld: /usr/local/lib/libyara.a(math.o): relocation R_X86_64_32 
against `.rodata.str1.1' can not be used when making a shared object; 
recompile with -fPIC
/usr/bin/ld: /usr/local/lib/libyara.a(time.o): relocation R_X86_64_32 
against `.rodata.str1.1' can not be used when making a shared object; 
recompile with -fPIC
/usr/bin/ld: /usr/local/lib/libyara.a(pe_utils.o): relocation R_X86_64_32 
against `.rodata.str1.1' can not be used when making a shared object; 
recompile with -fPIC
/usr/bin/ld: /usr/local/lib/libyara.a(cuckoo.o): relocation R_X86_64_32 
against `.rodata.str1.1' can not be used when making a shared object; 
recompile with -fPIC
/usr/bin/ld: /usr/local/lib/libyara.a(magic.o): relocation R_X86_64_32S 
against undefined hidden symbol `cached_mime_types' can not be used when 
making a shared object
make[1]: Leaving directory 
`/home/developer/eclipse-workspace/non_sgx_empty_proj/sgx/enclave_yara_enclave'
/usr/bin/ld: /usr/local/lib/libyara.a(hash.o): relocation R_X86_64_32 
against `.rodata.str1.1' can not be used when making a shared object; 
recompile with -fPIC
/usr/bin/ld: /usr/local/lib/libyara.a(dotnet.o): relocation R_X86_64_32 
against `.rodata' can not be used when making a shared object; recompile 
with -fPIC
/usr/bin/ld: /usr/local/lib/libyara.a(grammar.o): relocation R_X86_64_32S 
against `.rodata' can not be used when making a shared object; recompile 
with -fPIC
/usr/bin/ld: /usr/local/lib/libyara.a(ahocorasick.o): relocation 
R_X86_64_32 against `.rodata.str1.8' can not be used when making a shared 
object; recompile with -fPIC
/usr/bin/ld: /usr/local/lib/libyara.a(arena.o): relocation R_X86_64_32 
against `.rodata' can not be used when making a shared object; recompile 
with -fPIC
/usr/bin/ld: /usr/local/lib/libyara.a(atoms.o): relocation R_X86_64_32S 
against `.rodata' can not be used when making a shared object; recompile 
with -fPIC
/usr/bin/ld: /usr/local/lib/libyara.a(bitmask.o): relocation R_X86_64_32 
against `.rodata' can not be used when making a shared object; recompile 
with -fPIC
/usr/bin/ld: /usr/local/lib/libyara.a(compiler.o): relocation R_X86_64_32 
against hidden symbol `yr_object_destroy' can not be used when making a 
shared object
/usr/bin/ld: /usr/local/lib/libyara.a(exec.o): relocation R_X86_64_32S 
against `.rodata' can not be used when making a shared object; recompile 
with -fPIC
/usr/bin/ld: /usr/local/lib/libyara.a(lt1-hash.o): relocation R_X86_64_32S 
against hidden symbol `byte_to_int32' can not be used when making a shared 
object
/usr/bin/ld: /usr/local/lib/libyara.a(hex_grammar.o): relocation 
R_X86_64_32S against `.rodata' can not be used when making a shared object; 
recompile with -fPIC
/usr/bin/ld: /usr/local/lib/libyara.a(hex_lexer.o): relocation R_X86_64_32 
against undefined hidden symbol `yr_recovery_state_key' can not be used 
when making a shared object
/usr/bin/ld: /usr/local/lib/libyara.a(lexer.o): relocation R_X86_64_32 
against `.rodata.str1.8' can not be used when making a shared object; 
recompile with -fPIC
/usr/bin/ld: /usr/local/lib/libyara.a(libyara.o): relocation R_X86_64_32S 
against undefined hidden symbol `yr_altercase' can not be used when making 
a shared object
/usr/bin/ld: /usr/local/lib/libyara.a(modules.o): relocation R_X86_64_32 
against hidden symbol `yr_modules_table' can not be used when making a 
shared object
/usr/bin/ld: /usr/local/lib/libyara.a(object.o): relocation R_X86_64_32S 
against `.rodata' can not be used when making a shared object; recompile 
with -fPIC
/usr/bin/ld: /usr/local/lib/libyara.a(parser.o): relocation R_X86_64_32 
against `.rodata' can not be used when making a shared object; recompile 
with -fPIC
/usr/bin/ld: /usr/local/lib/libyara.a(proc.o): relocation R_X86_64_32S 
against symbol `yr_process_get_first_memory_block' can not be used when 
making a shared object; recompile with -fPIC
/usr/bin/ld: /usr/local/lib/libyara.a(re.o): relocation R_X86_64_32S 
against `.rodata' can not be used when making a shared object; recompile 
with -fPIC
/usr/bin/ld: /usr/local/lib/libyara.a(re_grammar.o): relocation 
R_X86_64_32S against `.rodata' can not be used when making a shared object; 
recompile with -fPIC
/usr/bin/ld: /usr/local/lib/libyara.a(re_lexer.o): relocation R_X86_64_32 
against `.rodata.str1.8' can not be used when making a shared object; 
recompile with -fPIC
/usr/bin/ld: /usr/local/lib/libyara.a(rules.o): relocation R_X86_64_32S 
against `.text' can not be used when making a shared object; recompile with 
-fPIC
/usr/bin/ld: /usr/local/lib/libyara.a(scan.o): relocation R_X86_64_32 
against `.rodata' can not be used when making a shared object; recompile 
with -fPIC
/usr/bin/ld: /usr/local/lib/libyara.a(scanner.o): relocation R_X86_64_32S 
against undefined hidden symbol `exc_jmp_buf' can not be used when making a 
shared object
/usr/bin/ld: /usr/local/lib/libyara.a(linux.o): relocation R_X86_64_32 
against `.rodata.str1.1' can not be used when making a shared object; 
recompile with -fPIC
/usr/bin/ld: final link failed: Nonrepresentable section on output
collect2: error: ld returned 1 exit status
make[1]: *** [yara_enclave.so] Error 1
make: *** [all] Error 2

11:34:02 Build Failed. 36 errors, 0 warnings. (took 369ms)

I started reading more about Position Independent Code and looked at the 
yara Makefile to insert -fPIC in the flags area, but I probably did that 
incorrectly.  Do these errors mean I need to recompile yara to generate 
position independent code?  If so, what should I modify in the 
makefile/build process to produce a position independent version?

The auto-generated SGX makefile which produced the errors is below.  Note 
that all I've done is attach yara references at the end of 
"Yara_enclave_Link_Flags" with:    

-L/usr/local/lib \
-Wl,--whole-archive -lyara

***********************************************************************************************************************************************************************************
######## Intel(R) SGX SDK Settings ########
# SDK location, build mode and target architecture. `?=` assigns only when the
# variable is not already set, so the environment or the make command line can
# supply different values.
SGX_SDK ?= /opt/intel/sgxsdk
# Any value other than HW selects the *_sim runtime libraries further down.
SGX_MODE ?= SIM
SGX_ARCH ?= x64

# Switch to a 32-bit build when `getconf LONG_BIT` prints 32 or when -m32 is
# already present in CXXFLAGS.
ifeq ($(shell getconf LONG_BIT), 32)
    SGX_ARCH := x86
else ifeq ($(findstring -m32, $(CXXFLAGS)), -m32)
    SGX_ARCH := x86
endif

# Choose the word-size flag, the SDK library directory and the SDK tools
# (sgx_sign, sgx_edger8r) that match SGX_ARCH.
ifeq ($(SGX_ARCH), x86)
    SGX_COMMON_CFLAGS := -m32
    SGX_LIBRARY_PATH := $(SGX_SDK)/lib
    SGX_ENCLAVE_SIGNER := $(SGX_SDK)/bin/x86/sgx_sign
    SGX_EDGER8R := $(SGX_SDK)/bin/x86/sgx_edger8r
else
    SGX_COMMON_CFLAGS := -m64
    SGX_LIBRARY_PATH := $(SGX_SDK)/lib64
    SGX_ENCLAVE_SIGNER := $(SGX_SDK)/bin/x64/sgx_sign
    SGX_EDGER8R := $(SGX_SDK)/bin/x64/sgx_edger8r
endif

# SGX_DEBUG and SGX_PRERELEASE are mutually exclusive: abort while parsing the
# makefile if both are set to 1.
ifeq ($(SGX_DEBUG), 1)
ifeq ($(SGX_PRERELEASE), 1)
$(error Cannot set SGX_DEBUG and SGX_PRERELEASE at the same time!!)
endif
endif

# Debug builds are unoptimised and carry debug info; all other builds use -O2.
ifeq ($(SGX_DEBUG), 1)
        SGX_COMMON_CFLAGS += -O0 -g
else
        SGX_COMMON_CFLAGS += -O2
endif

# Link the simulation runtime unless SGX_MODE is exactly HW.
# NOTE(review): a build linked against the *_sim libraries is presumably a
# development aid only and should not be relied on for enclave isolation;
# confirm against the SDK documentation before using SIM output elsewhere.
ifneq ($(SGX_MODE), HW)
    Trts_Library_Name := sgx_trts_sim
    Service_Library_Name := sgx_tservice_sim
else
    Trts_Library_Name := sgx_trts
    Service_Library_Name := sgx_tservice
endif

Crypto_Library_Name := sgx_tcrypto

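# Trusted (in-enclave) C sources.
Yara_enclave_C_Files := trusted/yara_enclave.c
# Header search path for enclave code. -nostdinc (below) removes the host's
# system header directories, so the SDK's tlibc/libcxx headers are used instead.
# NOTE(review): /usr/local/include is a host directory. It makes the yara
# headers resolve, but every other header installed there also becomes visible
# to enclave code; a project-local copy of the yara headers would be narrower.
# The continuation backslashes are required: without them the second line is
# not part of the assignment and make stops with "missing separator".
Yara_enclave_Include_Paths := -IInclude -Itrusted -I$(SGX_SDK)/include \
    -I$(SGX_SDK)/include/tlibc -I$(SGX_SDK)/include/libcxx -I/usr/local/include

# NOTE(review): -Wno-implicit-function-declaration silences the warning for
# calls to functions that have no visible prototype. In a -nostdinc build that
# warning is the first sign that trusted code calls something the enclave
# headers do not declare, so consider leaving it enabled while porting.
Flags_Just_For_C := -Wno-implicit-function-declaration -std=c11
# Flags shared by every trusted compilation unit: hidden default visibility,
# position-independent (-fpie) code and stack protector.
Common_C_Cpp_Flags := $(SGX_COMMON_CFLAGS) -nostdinc -fvisibility=hidden \
    -fpie -fstack-protector $(Yara_enclave_Include_Paths) -fno-builtin-printf \
    -I.
Yara_enclave_C_Flags := $(Flags_Just_For_C) $(Common_C_Cpp_Flags)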

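# Link line for the enclave image.
#  - -nostdlib / -nodefaultlibs / -nostartfiles: nothing from the host C
#    runtime is linked; only the libraries named here are available.
#  - -Wl,--no-undefined: a symbol none of those libraries provides is a hard
#    link error instead of a late-bound reference.
#  - -Wl,--version-script: trusted/yara_enclave.lds controls what is exported.
# Every wrapped line needs its trailing backslash, otherwise the assignment
# ends early and the remaining flags are parsed as a separate (invalid) line.
#
# NOTE(review): libyara.a comes from /usr/local/lib, i.e. the host build made
# by a plain ./configure && make. The reported ld errors (relocation
# R_X86_64_32 ... recompile with -fPIC) say its objects are not
# position-independent, which this -pie link requires. Separately, a host
# build presumably still expects host libc and optional dependencies that are
# not on this link line; check which symbols stay undefined after a rebuild.
# NOTE(review): --whole-archive links every member of libyara.a into the
# enclave, including members the trusted code may never call (the error log
# lists tests.o, cuckoo.o, magic.o, proc.o and linux.o). Linking only what is
# referenced would keep the trusted code base smaller.
# NOTE(review): -lyara comes after the --start-group/--end-group set, so
# references from yara objects into sgx_tstdc and friends may not be resolved
# by that earlier group; confirm the ordering once the relocation errors are
# fixed.
# --whole-archive is closed again so it cannot affect anything appended later.
Yara_enclave_Link_Flags := $(SGX_COMMON_CFLAGS) -Wl,--no-undefined \
    -nostdlib -nodefaultlibs -nostartfiles -L$(SGX_LIBRARY_PATH) \
    -Wl,--whole-archive -l$(Trts_Library_Name) -Wl,--no-whole-archive \
    -Wl,--start-group -lsgx_tstdc -lsgx_tcxx -l$(Crypto_Library_Name) \
    -l$(Service_Library_Name) -Wl,--end-group \
    -Wl,-Bstatic -Wl,-Bsymbolic -Wl,--no-undefined \
    -Wl,-pie,-eenclave_entry -Wl,--export-dynamic  \
    -Wl,--defsym,__ImageBase=0 \
    -Wl,--version-script=trusted/yara_enclave.lds \
    -L/usr/local/lib \
    -Wl,--whole-archive -lyara -Wl,--no-whole-archive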

# One object file per trusted C source (.c replaced by .o).
Yara_enclave_C_Objects := $(Yara_enclave_C_Files:.c=.o)

# Build_Mode becomes HW_RELEASE only when SGX_MODE is HW and neither SGX_DEBUG
# nor SGX_PRERELEASE equals 1; in every other combination it stays unset.
ifeq ($(SGX_MODE), HW)
ifneq ($(SGX_DEBUG), 1)
ifneq ($(SGX_PRERELEASE), 1)
Build_Mode = HW_RELEASE
endif
endif
endif


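# all, run and clean name actions, not files. Listing clean here keeps
# `make clean` working even if a file called "clean" appears in the directory.
.PHONY: all run clean

# HW_RELEASE stops at the unsigned yara_enclave.so and prints a reminder that
# it must be signed with the two-step sign mechanism before use. Every other
# mode goes on to produce yara_enclave.signed.so in this build.
# Recipe lines must start with a hard TAB, and each echo string must stay on
# one line.
ifeq ($(Build_Mode), HW_RELEASE)
all: yara_enclave.so
	@echo "Build enclave yara_enclave.so [$(Build_Mode)|$(SGX_ARCH)] success!"
	@echo
	@echo "*********************************************************************************************************************************************************"
	@echo "PLEASE NOTE: In this mode, please sign the yara_enclave.so first using Two Step Sign mechanism before you run the app to launch and access the enclave."
	@echo "*********************************************************************************************************************************************************"
	@echo
else
all: yara_enclave.signed.so
endif

# Start the untrusted application from the current directory; skipped in
# HW_RELEASE, where the enclave has not been signed by this build.
run: all
ifneq ($(Build_Mode), HW_RELEASE)
	@$(CURDIR)/app
	@echo "RUN  =>  app [$(SGX_MODE)|$(SGX_ARCH), OK]"
endif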


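######## yara_enclave Objects ########
# Recipe lines below start with a hard TAB; wrapped commands are joined with a
# trailing backslash so each one reaches the shell as a single command.

# Generate the trusted bridge source from the EDL interface description.
trusted/yara_enclave_t.c: $(SGX_EDGER8R) ./trusted/yara_enclave.edl
	@cd ./trusted && $(SGX_EDGER8R) --trusted ../trusted/yara_enclave.edl \
		--search-path ../trusted --search-path $(SGX_SDK)/include
	@echo "GEN  =>  $@"

# Compile the generated bridge code with the enclave C flags.
trusted/yara_enclave_t.o: ./trusted/yara_enclave_t.c
	@$(CC) $(Yara_enclave_C_Flags) -c $< -o $@
	@echo "CC   <=  $<"

# Compile any other trusted C source with the same flags.
trusted/%.o: trusted/%.c
	@$(CC) $(Yara_enclave_C_Flags) -c $< -o $@
	@echo "CC  <=  $<"

# Link the enclave image. Everything named in Yara_enclave_Link_Flags ends up
# inside the enclave, so each archive on that line is part of the trusted code.
yara_enclave.so: trusted/yara_enclave_t.o $(Yara_enclave_C_Objects)
	@$(CXX) $^ -o $@ $(Yara_enclave_Link_Flags)
	@echo "LINK =>  $@"

# Sign the enclave with the key and configuration kept under trusted/.
# NOTE(review): the private key is read from the source tree. Presumably this
# is the development key created with the project; it should not double as a
# production signing key, and is better kept out of version control.
yara_enclave.signed.so: yara_enclave.so
	@$(SGX_ENCLAVE_SIGNER) sign -key trusted/yara_enclave_private.pem \
		-enclave yara_enclave.so -out $@ -config trusted/yara_enclave.config.xml
	@echo "SIGN =>  $@"

# Remove the enclave images, the generated bridge files and the trusted objects.
clean:
	@rm -f yara_enclave.* trusted/yara_enclave_t.* $(Yara_enclave_C_Objects)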

******************************
*****************************************************************************************************************************************************
