On Thu, Apr 27, 2017 at 10:57 PM, <timo.te...@gmail.com> wrote:
>
> We in Alpine Linux would like to ship Go so that it defaults to PIE
> buildmode. We acknowledge that Go generally produces safer code, but we
> still consider it to be viable protection when linking in C (or other) code
> to Go applications. If the external code has security issues, it is an
> additional security measure to have main binary PIE built as without that
> the ASLR is not fully effective. It is also long standing Alpine Linux
> policy to ship PIE builds if possible.
>
> For Go 1.7 we just used the following patch:
> https://git.alpinelinux.org/cgit/aports/plain/community/go/default-buildmode-pie.patch
> and it seems to work.
>
> We are in progress to upgrade to Go 1.8.1, but the same patch no longer
> works. During the bootstrap build it fails with:
>>
>> ##### Building go_bootstrap for host, linux/amd64.
>> ...
>> go/parser
>> go/doc
>> go/build
>> cmd/go
>> 2017/04/28 05:52:33 cannot handle R_TLS_IE (sym
>> sync/atomic.(*Value).Store) when linking internally
>> go tool dist: FAILED:
>> /home/tteras/aports/community/go/src/go/pkg/tool/linux_amd64/link -o
>> /home/tteras/aports/community/go/src/go/pkg/tool/linux_amd64/go_bootstrap
>> /tmp/go-tool-dist-538310359/cmd/go/_go_.a: exit status 1
>
>
> This seems to be related to using the internal linker. Apparently it is
> tried regardless of PIE mode. Any suggestions how to fix this (other than
> the obvious use regular exe build mode)?

It sounds like you are running into some version of
https://golang.org/issue/18968.

But to be honest I don't understand what is forcing internal link mode.
The linker defaults to using external link mode with PIE. Using
-linkmode=internal will override that, but I don't see where any
explicit -linkmode=internal would come from.

And come to think of it the error seems to be happening at the wrong
time. The go_bootstrap build is built with the existing toolchain, not
the new one. I'm not sure what is happening.

> I also tried the following patch, but it did not help:
>
> --- go.orig/src/cmd/link/internal/ld/config.go 2017-04-07 > 16:54:08.000000000 +0000 > +++ go/src/cmd/link/internal/ld/config.go 2017-04-27 13:44:30.878077639 > +0000 > @@ -195,12 +195,8 @@ > case BuildmodeCShared: > return true, "buildmode=c-shared" > case BuildmodePIE: > - switch obj.GOOS + "/" + obj.GOARCH { > - case "linux/amd64": > - default: > - // Internal linking does not support TLS_IE. > - return true, "buildmode=pie" > - } > + // Internal linking does not support TLS_IE. > + return true, "buildmode=pie" > case BuildmodePlugin: > return true, "buildmode=plugin" > case BuildmodeShared:

No, I wouldn't expect that to help, because the code that calls
mustLinkExternal already has an override to force external linking
mode for PIE. Something is passing -linkmode=internal but I'm not
sure what. I assume you are not setting GO_EXTLINK_ENABLED in the
environment.

> I am wondering how the default buildmode could be changed to PIE natively.
> Perhaps a build time configuration (environment) option for the default
> build mode could be added?

Yes, perhaps.

Ian
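
Review bot: In the BuildmodePIE case of the quoted config.go hunk, deleting the `case "linux/amd64":` arm removes the only platform that was exempt, so the function now returns true for every GOOS/GOARCH, yet the retained comment still reads only "Internal linking does not support TLS_IE". The comment should say that linux/amd64 is no longer exempt and why, and the change should come with a test that a PIE link on linux/amd64 ends up in external link mode, since nothing in the hunk shows that.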
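
As an added example, not part of the original thread and not Go or Alpine project code: a distribution that ships PIE by policy can check each built binary by reading its ELF header. `classify` and `sampleELF` are hypothetical names, the sample images are constructed header-only stubs, and treating ET_DYN plus PT_INTERP as PIE is this example's heuristic.

```go
package main

import (
	"bytes"
	"debug/elf"
	"encoding/binary"
	"fmt"
	"io"
)

// classify: ET_EXEC loads at a fixed address ("non-PIE"); ET_DYN with PT_INTERP is a
// dynamically linked PIE. Assumption: ET_DYN without PT_INTERP (static-PIE too) is "shared-object".
func classify(r io.ReaderAt) (string, error) {
	f, err := elf.NewFile(r)
	if err != nil {
		return "", err
	}
	switch f.Type {
	case elf.ET_EXEC:
		return "non-PIE", nil
	case elf.ET_DYN:
		for _, p := range f.Progs {
			if p.Type == elf.PT_INTERP {
				return "PIE", nil
			}
		}
		return "shared-object", nil
	}
	return "other", nil
}

// sampleELF builds a constructed, header-only ELF64 image (not a real binary).
func sampleELF(typ elf.Type, interp bool) []byte {
	h := elf.Header64{Type: uint16(typ), Machine: uint16(elf.EM_X86_64), Version: 1, Ehsize: 64, Phentsize: 56}
	copy(h.Ident[:], []byte{0x7f, 'E', 'L', 'F', byte(elf.ELFCLASS64), byte(elf.ELFDATA2LSB), byte(elf.EV_CURRENT)})
	if interp {
		h.Phoff, h.Phnum = 64, 1 // point at the PT_INTERP entry appended below
	}
	var buf bytes.Buffer
	binary.Write(&buf, binary.LittleEndian, h)
	binary.Write(&buf, binary.LittleEndian, elf.Prog64{Type: uint32(elf.PT_INTERP)})
	return buf.Bytes()
}

func main() {
	kind, err := classify(bytes.NewReader(sampleELF(elf.ET_DYN, true)))
	fmt.Println(kind, err)
}
```

On a real system, pass an opened binary (an `*os.File` satisfies `io.ReaderAt`) instead of the constructed stub.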