diff options
| author | Marek Polacek <polacek@redhat.com> | 2023-06-22 11:30:01 -0400 |
|---|---|---|
| committer | Marek Polacek <polacek@redhat.com> | 2023-06-22 13:43:32 -0400 |
| commit | 33ebb0dff9bb022f1e0709e0e73faabfc3df7931 (patch) | |
| tree | 857cc8336fcbe426044fe759571d437032fb6b2a /lto-plugin | |
| parent | 4ced8363622b31910cda61796a28fe2cbf70faa7 (diff) | |
configure: Implement --enable-host-bind-now
As promised in the --enable-host-pie patch, this patch adds another
configure option, --enable-host-bind-now, which adds -z now when linking
the compiler executables in order to extend hardening. BIND_NOW with RELRO
allows the GOT to be marked RO; this prevents GOT modification attacks.
This option does not affect linking of target libraries; you can use
LDFLAGS_FOR_TARGET=-Wl,-z,relro,-z,now to enable RELRO/BIND_NOW.
With this patch:
$ readelf -Wd cc1{,plus,obj,gm2} f951 lto1 cpp rust1 gnat1 | grep FLAGS
0x000000000000001e (FLAGS) BIND_NOW
0x000000006ffffffb (FLAGS_1) Flags: NOW PIE
0x000000000000001e (FLAGS) BIND_NOW
0x000000006ffffffb (FLAGS_1) Flags: NOW PIE
0x000000000000001e (FLAGS) BIND_NOW
0x000000006ffffffb (FLAGS_1) Flags: NOW PIE
0x000000000000001e (FLAGS) BIND_NOW
0x000000006ffffffb (FLAGS_1) Flags: NOW PIE
0x000000000000001e (FLAGS) BIND_NOW
0x000000006ffffffb (FLAGS_1) Flags: NOW PIE
0x000000000000001e (FLAGS) BIND_NOW
0x000000006ffffffb (FLAGS_1) Flags: NOW PIE
0x000000000000001e (FLAGS) BIND_NOW
0x000000006ffffffb (FLAGS_1) Flags: NOW PIE
0x000000000000001e (FLAGS) BIND_NOW
0x000000006ffffffb (FLAGS_1) Flags: NOW PIE
0x000000000000001e (FLAGS) BIND_NOW
0x000000006ffffffb (FLAGS_1) Flags: NOW PIE
c++tools/ChangeLog:
* configure.ac (--enable-host-bind-now): New check.
* configure: Regenerate.
gcc/ChangeLog:
* configure.ac (--enable-host-bind-now): New check. Add
-Wl,-z,now to LD_PICFLAG if --enable-host-bind-now.
* configure: Regenerate.
* doc/install.texi: Document --enable-host-bind-now.
lto-plugin/ChangeLog:
* configure.ac (--enable-host-bind-now): New check. Link with
-z,now.
* configure: Regenerate.
Diffstat (limited to 'lto-plugin')
| -rwxr-xr-x | lto-plugin/configure | 20 | ||||
| -rw-r--r-- | lto-plugin/configure.ac | 11 |
2 files changed, 29 insertions, 2 deletions
diff --git a/lto-plugin/configure b/lto-plugin/configure index d522bd24c95..675b9cfa522 100755 --- a/lto-plugin/configure +++ b/lto-plugin/configure @@ -663,6 +663,7 @@ accel_dir_suffix gcc_build_dir CET_HOST_FLAGS ac_lto_plugin_ldflags +enable_host_bind_now ac_lto_plugin_warn_cflags EGREP GREP @@ -778,6 +779,7 @@ enable_maintainer_mode with_libiberty enable_dependency_tracking enable_largefile +enable_host_bind_now enable_cet with_gcc_major_version_only enable_shared @@ -1425,6 +1427,7 @@ Optional Features: --disable-dependency-tracking speeds up one-time build --disable-largefile omit support for large files + --enable-host-bind-now link host code as BIND_NOW --enable-cet enable Intel CET in host libraries [default=auto] --enable-shared[=PKGS] build shared libraries [default=yes] --enable-static[=PKGS] build static libraries [default=yes] @@ -5669,6 +5672,19 @@ if test "x$have_static_libgcc" = xyes; then ac_lto_plugin_ldflags="-Wc,-static-libgcc" fi +# Enable --enable-host-bind-now +# Check whether --enable-host-bind-now was given. +if test "${enable_host_bind_now+set}" = set; then : + enableval=$enable_host_bind_now; +fi + + + +if test x$enable_host_bind_now = xyes; then + ac_lto_plugin_ldflags="$ac_lto_plugin_ldflags -Wl,-z,now" +fi + + # Check whether --enable-cet was given. if test "${enable_cet+set}" = set; then : @@ -12134,7 +12150,7 @@ else lt_dlunknown=0; lt_dlno_uscore=1; lt_dlneed_uscore=2 lt_status=$lt_dlunknown cat > conftest.$ac_ext <<_LT_EOF -#line 12137 "configure" +#line 12153 "configure" #include "confdefs.h" #if HAVE_DLFCN_H @@ -12240,7 +12256,7 @@ else lt_dlunknown=0; lt_dlno_uscore=1; lt_dlneed_uscore=2 lt_status=$lt_dlunknown cat > conftest.$ac_ext <<_LT_EOF -#line 12243 "configure" +#line 12259 "configure" #include "confdefs.h" #if HAVE_DLFCN_H diff --git a/lto-plugin/configure.ac b/lto-plugin/configure.ac index 0a7202782ae..84f2a60b480 100644 --- a/lto-plugin/configure.ac +++ b/lto-plugin/configure.ac @@ -25,6 +25,17 @@ LDFLAGS="$saved_LDFLAGS" if test "x$have_static_libgcc" = xyes; then ac_lto_plugin_ldflags="-Wc,-static-libgcc" fi + +# Enable --enable-host-bind-now +AC_ARG_ENABLE(host-bind-now, +[AS_HELP_STRING([--enable-host-bind-now], + [link host code as BIND_NOW])]) +AC_SUBST(enable_host_bind_now) + +if test x$enable_host_bind_now = xyes; then + ac_lto_plugin_ldflags="$ac_lto_plugin_ldflags -Wl,-z,now" +fi + AC_SUBST(ac_lto_plugin_ldflags) GCC_CET_HOST_FLAGS(CET_HOST_FLAGS) |