[Buildroot] [PATCH 4/4] toolchain: allow PIC/PIE without RELRO
Arnout Vandecappelle
arnout at mind.be
Tue Mar 12 00:36:12 UTC 2019
On 11/03/2019 07:48, yann.morin at orange.com wrote:
> From: "Yann E. MORIN" <yann.morin at orange.com>
>
> In commit 7484c1c3b806 (toolchain/toolchain-wrapper: add BR2_RELRO_),
> we added the PIC/PIE flags, but based on the RELRO_FULL condition.
>
> It is however totally possible to do a PIC/PIE executable without
> RELRO_FULL, as it is also valid to do a PIC/PIE build with RELRO_PARTIAL.
>
> Add a new option that now governs the PIC/PIE flags.
>
> Note: it is unknown if RELRO_FULL really needs PIC/PIE or not, so we
> keep the current situation, where RELRO-FULL forces PIC/PIE compilation.
I just checked on my host, and a simple test program compiled with -no-pie
-Wl,-z,relro -Wl,-z,now does work, so indeed the two seem to be independent.
I guess it's historical accident that the global full relro and PIE are
typically introduced together. From what I understand, they are pretty much
independent.
Regards,
Arnout
>
> Signed-off-by: "Yann E. MORIN" <yann.morin at orange.com>
> Cc: Matt Weber <matthew.weber at rockwellcollins.com>
> Cc: Thomas Petazzoni <thomas.petazzoni at bootlin.com>
> Cc: Thomas De Schampheleire <thomas.de_schampheleire at nokia.com>
> ---
> Config.in | 8 ++++++++
> toolchain/toolchain-wrapper.c | 2 +-
> toolchain/toolchain-wrapper.mk | 4 ++++
> 3 files changed, 13 insertions(+), 1 deletion(-)
>
> diff --git a/Config.in b/Config.in
> index d5a0460f98..31fea3ab34 100644
> --- a/Config.in
> +++ b/Config.in
> @@ -712,6 +712,13 @@ endmenu
>
> comment "Security Hardening Options"
>
> +config BR2_PIC_PIE
> + bool "Build code with PIC/PIE"
> + depends on BR2_SHARED_LIBS
> + help
> + Generate Position-Independent Code (PIC) and link
> + Position-Independent Executables (PIE).
> +
> choice
> bool "Stack Smashing Protection"
> default BR2_SSP_ALL if BR2_ENABLE_SSP # legacy
> @@ -794,6 +801,7 @@ config BR2_RELRO_PARTIAL
>
> config BR2_RELRO_FULL
> bool "Full"
> + select BR2_PIC_PIE
> help
> This option includes the partial configuration, but also marks
> the GOT as read-only at the cost of initialization time during
> diff --git a/toolchain/toolchain-wrapper.c b/toolchain/toolchain-wrapper.c
> index d605a7d648..a38f827786 100644
> --- a/toolchain/toolchain-wrapper.c
> +++ b/toolchain/toolchain-wrapper.c
> @@ -370,7 +370,7 @@ int main(int argc, char **argv)
> *cur++ = "-Wno-builtin-macro-redefined";
> }
>
> -#ifdef BR2_RELRO_FULL
> +#ifdef BR2_PIC_PIE
> /* Patterned after Fedora/Gentoo hardening approaches.
> * https://fedoraproject.org/wiki/Changes/Harden_All_Packages
> * https://wiki.gentoo.org/wiki/Hardened/Toolchain#Position_Independent_Executables_.28PIEs.29
> diff --git a/toolchain/toolchain-wrapper.mk b/toolchain/toolchain-wrapper.mk
> index e48e765a8e..67cec5c1cf 100644
> --- a/toolchain/toolchain-wrapper.mk
> +++ b/toolchain/toolchain-wrapper.mk
> @@ -45,6 +45,10 @@ ifeq ($(BR2_CCACHE_USE_BASEDIR),y)
> TOOLCHAIN_WRAPPER_ARGS += -DBR_CCACHE_BASEDIR='"$(BASE_DIR)"'
> endif
>
> +ifeq ($(BR2_PIC_PIE),y)
> +TOOLCHAIN_WRAPPER_ARGS += -DBR2_PIC_PIE
> +endif
> +
> ifeq ($(BR2_RELRO_PARTIAL),y)
> TOOLCHAIN_WRAPPER_ARGS += -DBR2_RELRO_PARTIAL
> else ifeq ($(BR2_RELRO_FULL),y)
>
More information about the buildroot
mailing list