[Buildroot] [RFC 3/3] toolchain/toolchain-wrapper: add BR2_RELRO_FULL support

Matthew Weber matthew.weber at rockwellcollins.com
Tue Aug 21 12:40:00 UTC 2018


Jan,
On Tue, Aug 21, 2018 at 2:53 AM Jan Kundrát <jan.kundrat at cesnet.cz> wrote:
>
> On Tuesday, 14 August 2018 6:26:43 CEST, Matt Weber wrote:
> > Signed-off-by: Matthew Weber <matthew.weber at rockwellcollins.com>
> > ---
> >  toolchain/toolchain-wrapper.c | 19 ++++++++++++++++++-
> >  1 file changed, 18 insertions(+), 1 deletion(-)
> >
> > diff --git a/toolchain/toolchain-wrapper.c b/toolchain/toolchain-wrapper.c
> > index c5eb813..d36771c 100644
> > --- a/toolchain/toolchain-wrapper.c
> > +++ b/toolchain/toolchain-wrapper.c
> > @@ -49,8 +49,9 @@ static char _date_[sizeof("-D__DATE__=\"MMM DD YYYY\"")];
> >   *   -D__TIME__=
> >   *   -D__DATE__=
> >   *   -Wno-builtin-macro-redefined
> > + *      -fPIE
>
> nit: this looks like a whitespace error (one too many spaces)
>
> >   */
> > -#define EXCLUSIVE_ARGS       6
> > +#define EXCLUSIVE_ARGS       7
> >
> >  static char *predef_args[] = {
> >  #ifdef BR_CCACHE
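
Review bot: EXCLUSIVE_ARGS is bumped from 6 to 7 unconditionally, but the new -fPIE entry in the comment list gives no hint that the flag is only appended when BR2_RELRO_FULL is defined (see the #ifdef in the second hunk). Suggest annotating the entry, for example "-fPIE (BR2_RELRO_FULL only)", so that whoever next adjusts the count can tell which slots are conditional. The spare slot in builds without BR2_RELRO_FULL is harmless, so the define itself can stay as is.
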
> > @@ -363,6 +364,22 @@ int main(int argc, char **argv)
> >               *cur++ = "-Wno-builtin-macro-redefined";
> >       }
> >
> > +#ifdef BR2_RELRO_FULL
> > +     /* Combinations of PIE and pic */
> > +     for (i = 1; i < argc; i++) {
> > +             if (!strcmp(argv[i], "-r") ||
> > +                 !strcmp(argv[i], "-fpie") ||
> > +                 !strcmp(argv[i], "-fPIE") ||
> > +                 !strcmp(argv[i], "-fpic") ||
> > +                 !strcmp(argv[i], "-fPIC") ||
> > +                 !strcmp(argv[i], "-fno-pic"))
> > +                     break;
> > +     }
> > +
> > +     if (i == argc)
> > +             *cur++ = "-fPIE";
> > +#endif
> > +
> >       paranoid_wrapper = getenv("BR_COMPILER_PARANOID_UNSAFE_PATH");
> >       if (paranoid_wrapper && strlen(paranoid_wrapper) > 0)
> >               paranoid = 1;
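
Review bot: The argv scan in front of `*cur++ = "-fPIE";` does not look for -fno-pie, -fno-PIE, -fno-PIC or -shared, so a command line that explicitly turns PIE off, or that builds a shared object, falls through to `i == argc` and still gets -fPIE injected. Suggest adding those options to the strcmp() chain, or stating in the comment why they are deliberately left out. The comment "/* Combinations of PIE and pic */" would also be more useful if it said that the presence of any of these options suppresses the injection, and why -r is in the list. Separately, only the compile-side flag is added in this hunk; if the linker options for full RELRO are handled elsewhere in the series, a one-line pointer in the comment would help reviewers.
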
>
> I needed some more patches to build with the following hardening settings:
>
> BR2_SSP_STRONG=y
> BR2_RELRO_FULL=y
> BR2_FORTIFY_SOURCE_2=y
>
> - https://patchwork.ozlabs.org/patch/865166/
> - https://patchwork.ozlabs.org/patch/865168/ (this one needs changes so that
> it touches packages/libzlib/ now)
>
> Then my build failed when building util-linux, see the attached log.

Thanks for the feedback.  Sorry this topic has some loose ends at this
point with a couple un-applied patches and this RFC.

I'll send out a full patchset this week once I get past some
external/internal toolchain symlink issues with *.br_real.

If you wouldn't mind sharing your defconfig, I'll give it a test
before I send out the next series.

Matt