On Sun, Nov 20, 2022 at 08:06:55AM -0700, Jeff Law wrote:
>
> On 11/10/22 19:52, Marek Polacek via Gcc-patches wrote:
> > This is a rebased version of the patch I posted in March:
> > <https://gcc.gnu.org/pipermail/gcc-patches/2022-March/591239.html>
> > which Alex sort of approved here:
> > <https://gcc.gnu.org/pipermail/gcc-patches/2022-March/592360.html>
> > but it was too late to commit the patch in GCC 12.
> >
> > There are no changes except that I've converted the documentation
> > part into the ReST format, and of course regenerated configure.
> >
> > With --enable-host-pie enabled:
> > $ file ./gcc/cc1 ./gcc/cc1plus
> > ./gcc/cc1: ELF 64-bit LSB pie executable, x86-64, version 1
> > (GNU/Linux), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2,
> > for GNU/Linux 3.2.0, with debug_info, not stripped
> > ./gcc/cc1plus: ELF 64-bit LSB pie executable, x86-64, version 1
> > (GNU/Linux), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2,
> > for GNU/Linux 3.2.0, with debug_info, not stripped
> >
> > Bootstrapped/regtested on x86_64-pc-linux-gnu w/ and w/o --enable-host-pie,
> > ok for trunk?
> >
> > -- >8 --
> >
> > This patch implements the --enable-host-pie configure option which
> > makes the compiler executables PIE.  This can be used to enhance
> > protection against ROP attacks, and can be viewed as part of a wider
> > trend to harden binaries.
> >
> > It is similar to the option --enable-host-shared, except that --e-h-s
> > won't add -shared to the linker flags whereas --e-h-p will add -pie.
> > It is different from --enable-default-pie because that option just
> > adds an implicit -fPIE/-pie when the compiler is invoked, but the
> > compiler itself isn't PIE.
> >
> > Since r12-5768-gfe7c3ecf, PCH works well with PIE, so there are no PCH
> > regressions.
> >
> > When building the compiler, the build process may use various in-tree
> > libraries; these need to be built with -fPIE so that it's possible to
> > use them when building a PIE.  For instance, when --with-included-gettext
> > is in effect, intl object files must be compiled with -fPIE.  Similarly,
> > when building in-tree gmp, isl, mpfr and mpc, they must be compiled with
> > -fPIE.
> >
> > I plan to add an option to link with -Wl,-z,now.
> >
> > ChangeLog:
> >
> > 	* Makefile.def: Pass $(PICFLAG) to AM_CFLAGS for gmp, mpfr, mpc, and
> > 	isl.
> > 	* Makefile.in: Regenerate.
> > 	* Makefile.tpl: Set PICFLAG.
> > 	* configure.ac (--enable-host-pie): New check.  Set PICFLAG after this
> > 	check.
> > 	* configure: Regenerate.
> >
> > c++tools/ChangeLog:
> >
> > 	* Makefile.in: Rename PIEFLAG to PICFLAG.  Set LD_PICFLAG.  Use it.
> > 	Use pic/libiberty.a if PICFLAG is set.
> > 	* configure.ac (--enable-default-pie): Set PICFLAG instead of PIEFLAG.
> > 	(--enable-host-pie): New check.
> > 	* configure: Regenerate.
> >
> > fixincludes/ChangeLog:
> >
> > 	* Makefile.in: Set and use PICFLAG and LD_PICFLAG.  Use the "pic"
> > 	build of libiberty if PICFLAG is set.
> > 	* configure.ac:
> > 	* configure: Regenerate.
> >
> > gcc/ChangeLog:
> >
> > 	* Makefile.in: Set LD_PICFLAG.  Use it.  Set enable_host_pie.
> > 	Remove NO_PIE_CFLAGS and NO_PIE_FLAG.  Pass LD_PICFLAG to
> > 	ALL_LINKERFLAGS.  Use the "pic" build of libiberty if --enable-host-pie.
> > 	* configure.ac (--enable-host-shared): Don't set PICFLAG here.
> > 	(--enable-host-pie): New check.  Set PICFLAG and LD_PICFLAG after this
> > 	check.
> > 	* configure: Regenerate.
> > 	* doc/install/configuration.rst: Document --enable-host-pie.
> >
> > gcc/d/ChangeLog:
> >
> > 	* Make-lang.in: Remove NO_PIE_CFLAGS.
> >
> > intl/ChangeLog:
> >
> > 	* Makefile.in: Use @PICFLAG@ in COMPILE as well.
> > 	* configure.ac (--enable-host-shared): Don't set PICFLAG here.
> > 	(--enable-host-pie): New check.  Set PICFLAG after this check.
> > 	* configure: Regenerate.
> >
> > libcody/ChangeLog:
> >
> > 	* Makefile.in: Pass LD_PICFLAG to LDFLAGS.
> > 	* configure.ac (--enable-host-shared): Don't set PICFLAG here.
> > 	(--enable-host-pie): New check.  Set PICFLAG and LD_PICFLAG after this
> > 	check.
> > 	* configure: Regenerate.
> >
> > libcpp/ChangeLog:
> >
> > 	* configure.ac (--enable-host-shared): Don't set PICFLAG here.
> > 	(--enable-host-pie): New check.  Set PICFLAG after this check.
> > 	* configure: Regenerate.
> >
> > libdecnumber/ChangeLog:
> >
> > 	* configure.ac (--enable-host-shared): Don't set PICFLAG here.
> > 	(--enable-host-pie): New check.  Set PICFLAG after this check.
> > 	* configure: Regenerate.
> >
> > libiberty/ChangeLog:
> >
> > 	* configure.ac: Also set shared when enable_host_pie.
> > 	* configure: Regenerate.
> >
> > zlib/ChangeLog:
> >
> > 	* configure.ac (--enable-host-shared): Don't set PICFLAG here.
> > 	(--enable-host-pie): New check.  Set PICFLAG after this check.
> > 	* configure: Regenerate.
>
> OK.

Thanks!  Unfortunately, even though I'd retested the patch before pushing,
it seemed to break the build on gcc-debian-amd64:
https://builder.sourceware.org/buildbot/#/builders/154/builds/2160/steps/4/logs/stdio
so I've reverted both patches.  Sigh.

Marek