[meta-initramfs][PATCH v2] klibc: fix build on i386 with GCC and security flags enabled

[meta-initramfs][PATCH v2] klibc: fix build on i386 with GCC and security flags enabled

[Andrea Adami]

ld fails if distro's security-flags are enabled:
Inject the SECURITY_XFLAGS if security_flags.inc was included.

Fix on i386: ld: discarded output section: `.got.plt'

Signed-off-by: Andrea Adami <andrea.adami@gmail.com>
---
 meta-initramfs/recipes-devtools/klibc/klibc.inc | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/meta-initramfs/recipes-devtools/klibc/klibc.inc b/meta-initramfs/recipes-devtools/klibc/klibc.inc
index 3d25e96..837b026 100644
--- a/meta-initramfs/recipes-devtools/klibc/klibc.inc
+++ b/meta-initramfs/recipes-devtools/klibc/klibc.inc
@@ -47,7 +47,8 @@ EXTRA_OEMAKE = "'KLIBCARCH=${KLIBC_ARCH}' \
                 'KLIBCOPTFLAGS=${TUNE_CCARGS}' \
                  V=1 \
                 "
-EXTRA_OEMAKE += 'EXTRA_KLIBCAFLAGS="-Wa,--noexecstack" EXTRA_KLIBCLDFLAGS="-z noexecstack"'
+EXTRA_OEMAKE += "'EXTRA_KLIBCAFLAGS=${SECURITY_CFLAGS} -Wa,--noexecstack' \
+                 'EXTRA_KLIBCLDFLAGS=${SECURITY_LDFLAGS} -z noexecstack'"
 
 export FIX_ARMV4_EABI_BX = "${FIX_V4BX}"
 KLIBCTHUMB = "${@['CONFIG_KLIBC_THUMB=n', 'CONFIG_KLIBC_THUMB=y'][(d.getVar('ARM_INSTRUCTION_SET') == 'thumb')]}"
@@ -74,5 +75,4 @@ KLIBC_ARCH_powerpc = "ppc"
 KLIBC_ARCH_powerpc64 = "ppc64"
 THIS_LIBKLIBC = "libklibc (= ${PV}-${PR})"
 
-SECURITY_CFLAGS = "-fno-PIE -no-pie"
-SECURITY_LDFLAGS = "-no-pie"
+SECURITY_LDFLAGS = "${@'-z relro -z now -pie' if '${GCCPIE}' else ''}"
-- 
2.7.4

Re: [meta-initramfs][PATCH v2] klibc: fix build on i386 with GCC and security flags enabled

[Hongxu Jia]

On 2018年09月15日 02:02, Andrea Adami wrote:
> ld fails if distro's security-flags are enabled:
> Inject the SECURITY_XFLAGS if security_flags.inc was included.
>
> Fix on i386: ld: discarded output section: `.got.plt'
>
> Signed-off-by: Andrea Adami <andrea.adami@gmail.com>
> ---
>   meta-initramfs/recipes-devtools/klibc/klibc.inc | 6 +++---
>   1 file changed, 3 insertions(+), 3 deletions(-)
>
> diff --git a/meta-initramfs/recipes-devtools/klibc/klibc.inc b/meta-initramfs/recipes-devtools/klibc/klibc.inc
> index 3d25e96..837b026 100644
> --- a/meta-initramfs/recipes-devtools/klibc/klibc.inc
> +++ b/meta-initramfs/recipes-devtools/klibc/klibc.inc
> @@ -47,7 +47,8 @@ EXTRA_OEMAKE = "'KLIBCARCH=${KLIBC_ARCH}' \
>                   'KLIBCOPTFLAGS=${TUNE_CCARGS}' \
>                    V=1 \
>                   "
> -EXTRA_OEMAKE += 'EXTRA_KLIBCAFLAGS="-Wa,--noexecstack" EXTRA_KLIBCLDFLAGS="-z noexecstack"'
> +EXTRA_OEMAKE += "'EXTRA_KLIBCAFLAGS=${SECURITY_CFLAGS} -Wa,--noexecstack' \
> +                 'EXTRA_KLIBCLDFLAGS=${SECURITY_LDFLAGS} -z noexecstack'"
>   
Is it necessary to pass SECURITY_XFLAGS directly? While including 
security_flags.inc,
CC will contain SECURITY_CFLAGS and LDFLAGS will contain SECURITY_LDFLAGS.
Maybe you should make sure  to pass LDFLAGS to EXTRA_KLIBCLDFLAGS to avoid
ldflags qa warning.

[security_flags.inc]
  58 TARGET_CC_ARCH_append_class-target = " ${SECURITY_CFLAGS}"
  59 TARGET_LDFLAGS_append_class-target = " ${SECURITY_LDFLAGS}"
[security_flags.inc]

>   export FIX_ARMV4_EABI_BX = "${FIX_V4BX}"
>   KLIBCTHUMB = "${@['CONFIG_KLIBC_THUMB=n', 'CONFIG_KLIBC_THUMB=y'][(d.getVar('ARM_INSTRUCTION_SET') == 'thumb')]}"
> @@ -74,5 +75,4 @@ KLIBC_ARCH_powerpc = "ppc"
>   KLIBC_ARCH_powerpc64 = "ppc64"
>   THIS_LIBKLIBC = "libklibc (= ${PV}-${PR})"
>   
> -SECURITY_CFLAGS = "-fno-PIE -no-pie"
> -SECURITY_LDFLAGS = "-no-pie"
> +SECURITY_LDFLAGS = "${@'-z relro -z now -pie' if '${GCCPIE}' else ''}"

The same reason, it is not necessary to test GCCPIE,

and it missed "-Wl,"?, how about directly set SECURITY_STACK_PROTECTOR = ""


//Hongxu

Re: [meta-initramfs][PATCH v2] klibc: fix build on i386 with GCC and security flags enabled

[Andrea Adami]

On Sat, Sep 15, 2018 at 10:15 AM Hongxu Jia <hongxu.jia@windriver.com> wrote:
>
> On 2018年09月15日 02:02, Andrea Adami wrote:
> > ld fails if distro's security-flags are enabled:
> > Inject the SECURITY_XFLAGS if security_flags.inc was included.
> >
> > Fix on i386: ld: discarded output section: `.got.plt'
> >
> > Signed-off-by: Andrea Adami <andrea.adami@gmail.com>
> > ---
> >   meta-initramfs/recipes-devtools/klibc/klibc.inc | 6 +++---
> >   1 file changed, 3 insertions(+), 3 deletions(-)
> >
> > diff --git a/meta-initramfs/recipes-devtools/klibc/klibc.inc b/meta-initramfs/recipes-devtools/klibc/klibc.inc
> > index 3d25e96..837b026 100644
> > --- a/meta-initramfs/recipes-devtools/klibc/klibc.inc
> > +++ b/meta-initramfs/recipes-devtools/klibc/klibc.inc
> > @@ -47,7 +47,8 @@ EXTRA_OEMAKE = "'KLIBCARCH=${KLIBC_ARCH}' \
> >                   'KLIBCOPTFLAGS=${TUNE_CCARGS}' \
> >                    V=1 \
> >                   "
> > -EXTRA_OEMAKE += 'EXTRA_KLIBCAFLAGS="-Wa,--noexecstack" EXTRA_KLIBCLDFLAGS="-z noexecstack"'
> > +EXTRA_OEMAKE += "'EXTRA_KLIBCAFLAGS=${SECURITY_CFLAGS} -Wa,--noexecstack' \
> > +                 'EXTRA_KLIBCLDFLAGS=${SECURITY_LDFLAGS} -z noexecstack'"
> >
> Is it necessary to pass SECURITY_XFLAGS directly? While including
> security_flags.inc,
> CC will contain SECURITY_CFLAGS and LDFLAGS will contain SECURITY_LDFLAGS.
> Maybe you should make sure  to pass LDFLAGS to EXTRA_KLIBCLDFLAGS to avoid
> ldflags qa warning.
>
> [security_flags.inc]
>   58 TARGET_CC_ARCH_append_class-target = " ${SECURITY_CFLAGS}"
>   59 TARGET_LDFLAGS_append_class-target = " ${SECURITY_LDFLAGS}"
> [security_flags.inc]
>
> >   export FIX_ARMV4_EABI_BX = "${FIX_V4BX}"
> >   KLIBCTHUMB = "${@['CONFIG_KLIBC_THUMB=n', 'CONFIG_KLIBC_THUMB=y'][(d.getVar('ARM_INSTRUCTION_SET') == 'thumb')]}"
> > @@ -74,5 +75,4 @@ KLIBC_ARCH_powerpc = "ppc"
> >   KLIBC_ARCH_powerpc64 = "ppc64"
> >   THIS_LIBKLIBC = "libklibc (= ${PV}-${PR})"
> >
> > -SECURITY_CFLAGS = "-fno-PIE -no-pie"
> > -SECURITY_LDFLAGS = "-no-pie"
> > +SECURITY_LDFLAGS = "${@'-z relro -z now -pie' if '${GCCPIE}' else ''}"
>
> The same reason, it is not necessary to test GCCPIE,
>
> and it missed "-Wl,"?, how about directly set SECURITY_STACK_PROTECTOR = ""
>
Hi,
thanks for reviewing.

It is true the SECURITY_CFLAGS are passed to the compiler.
The problem is, klibc has its own arch makefiles (MCONFIG) and the
linker is called directly, so if you just append the LDFLAGS like
this:

EXTRA_OEMAKE += "'EXTRA_KLIBCAFLAGS=-Wa,--noexecstack' \
                 'EXTRA_KLIBCLDFLAGS=${LDFLAGS} -z noexecstack'"

you get:

  i586-oe-linux-musl-ld.bfd -m elf_i386 -o usr/kinit/ipconfig/static/ipconfig -W
l,-O1 -Wl,--hash-style=gnu -Wl,--as-needed -z relro -z now -pie -z noexecstack u
sr/klibc/arch/i386/crt0.o --start-group  usr/kinit/ipconfig/main.o usr/kinit/ipc
onfig/netdev.o usr/kinit/ipconfig/packet.o usr/kinit/ipconfig/dhcp_proto.o usr/k
init/ipconfig/bootp_proto.o  usr/klibc/libc.a /tmp/build/tmp-musl/work/i586-oe-l
inux-musl/klibc/2.0.4-r0/recipe-sysroot/usr/lib/i586-oe-linux-musl/*/libgcc.a --
end-group ; cp -f usr/kinit/ipconfig/static/ipconfig usr/kinit/ipconfig/static/i
pconfig.g ; i586-oe-linux-musl-strip --strip-all -R .comment -R .note --strip-al
l -R .comment -R .note --strip-all -R .comment -R .note usr/kinit/ipconfig/stati
c/ipconfig
i586-oe-linux-musl-ld.bfd: unrecognized option '-Wl,-O1'

Thus I am expliciting the SECURITY_LDFLAGS.

Note that this patch, injecting the -pie, does now break build for mips,
because the MCONFIG foir mips disables pic.
The immediate fix is to remove -pie for mips (standard behavior).

Cheers
Andrea


>
> //Hongxu
>

Re: [meta-initramfs][PATCH v2] klibc: fix build on i386 with GCC and security flags enabled

[Hongxu Jia]

On 2018年09月15日 18:58, Andrea Adami wrote:
> On Sat, Sep 15, 2018 at 10:15 AM Hongxu Jia <hongxu.jia@windriver.com> wrote:
>> On 2018年09月15日 02:02, Andrea Adami wrote:
>>> ld fails if distro's security-flags are enabled:
>>> Inject the SECURITY_XFLAGS if security_flags.inc was included.
>>>
>>> Fix on i386: ld: discarded output section: `.got.plt'
>>>
>>> Signed-off-by: Andrea Adami <andrea.adami@gmail.com>
>>> ---
>>>    meta-initramfs/recipes-devtools/klibc/klibc.inc | 6 +++---
>>>    1 file changed, 3 insertions(+), 3 deletions(-)
>>>
>>> diff --git a/meta-initramfs/recipes-devtools/klibc/klibc.inc b/meta-initramfs/recipes-devtools/klibc/klibc.inc
>>> index 3d25e96..837b026 100644
>>> --- a/meta-initramfs/recipes-devtools/klibc/klibc.inc
>>> +++ b/meta-initramfs/recipes-devtools/klibc/klibc.inc
>>> @@ -47,7 +47,8 @@ EXTRA_OEMAKE = "'KLIBCARCH=${KLIBC_ARCH}' \
>>>                    'KLIBCOPTFLAGS=${TUNE_CCARGS}' \
>>>                     V=1 \
>>>                    "
>>> -EXTRA_OEMAKE += 'EXTRA_KLIBCAFLAGS="-Wa,--noexecstack" EXTRA_KLIBCLDFLAGS="-z noexecstack"'
>>> +EXTRA_OEMAKE += "'EXTRA_KLIBCAFLAGS=${SECURITY_CFLAGS} -Wa,--noexecstack' \
>>> +                 'EXTRA_KLIBCLDFLAGS=${SECURITY_LDFLAGS} -z noexecstack'"
>>>
>> Is it necessary to pass SECURITY_XFLAGS directly? While including
>> security_flags.inc,
>> CC will contain SECURITY_CFLAGS and LDFLAGS will contain SECURITY_LDFLAGS.
>> Maybe you should make sure  to pass LDFLAGS to EXTRA_KLIBCLDFLAGS to avoid
>> ldflags qa warning.
>>
>> [security_flags.inc]
>>    58 TARGET_CC_ARCH_append_class-target = " ${SECURITY_CFLAGS}"
>>    59 TARGET_LDFLAGS_append_class-target = " ${SECURITY_LDFLAGS}"
>> [security_flags.inc]
>>
>>>    export FIX_ARMV4_EABI_BX = "${FIX_V4BX}"
>>>    KLIBCTHUMB = "${@['CONFIG_KLIBC_THUMB=n', 'CONFIG_KLIBC_THUMB=y'][(d.getVar('ARM_INSTRUCTION_SET') == 'thumb')]}"
>>> @@ -74,5 +75,4 @@ KLIBC_ARCH_powerpc = "ppc"
>>>    KLIBC_ARCH_powerpc64 = "ppc64"
>>>    THIS_LIBKLIBC = "libklibc (= ${PV}-${PR})"
>>>
>>> -SECURITY_CFLAGS = "-fno-PIE -no-pie"
>>> -SECURITY_LDFLAGS = "-no-pie"
>>> +SECURITY_LDFLAGS = "${@'-z relro -z now -pie' if '${GCCPIE}' else ''}"
>> The same reason, it is not necessary to test GCCPIE,
>>
>> and it missed "-Wl,"?, how about directly set SECURITY_STACK_PROTECTOR = ""
>>
> Hi,
> thanks for reviewing.
>
> It is true the SECURITY_CFLAGS are passed to the compiler.
> The problem is, klibc has its own arch makefiles (MCONFIG) and the
> linker is called directly, so if you just append the LDFLAGS like
> this:
>
> EXTRA_OEMAKE += "'EXTRA_KLIBCAFLAGS=-Wa,--noexecstack' \
>                   'EXTRA_KLIBCLDFLAGS=${LDFLAGS} -z noexecstack'"
>
> you get:
>
>    i586-oe-linux-musl-ld.bfd -m elf_i386 -o usr/kinit/ipconfig/static/ipconfig -W
> l,-O1 -Wl,--hash-style=gnu -Wl,--as-needed -z relro -z now -pie -z noexecstack u
> sr/klibc/arch/i386/crt0.o --start-group  usr/kinit/ipconfig/main.o usr/kinit/ipc
> onfig/netdev.o usr/kinit/ipconfig/packet.o usr/kinit/ipconfig/dhcp_proto.o usr/k
> init/ipconfig/bootp_proto.o  usr/klibc/libc.a /tmp/build/tmp-musl/work/i586-oe-l
> inux-musl/klibc/2.0.4-r0/recipe-sysroot/usr/lib/i586-oe-linux-musl/*/libgcc.a --
> end-group ; cp -f usr/kinit/ipconfig/static/ipconfig usr/kinit/ipconfig/static/i
> pconfig.g ; i586-oe-linux-musl-strip --strip-all -R .comment -R .note --strip-al
> l -R .comment -R .note --strip-all -R .comment -R .note usr/kinit/ipconfig/stati
> c/ipconfig
> i586-oe-linux-musl-ld.bfd: unrecognized option '-Wl,-O1'
>
> Thus I am expliciting the SECURITY_LDFLAGS.
>
> Note that this patch, injecting the -pie, does now break build for mips,
> because the MCONFIG foir mips disables pic.
> The immediate fix is to remove -pie for mips (standard behavior).

OK, thanks for the explain

//Hongxu

> Cheers
> Andrea
>
>
>> //Hongxu
>>

Re: [meta-initramfs][PATCH v2] klibc: fix build on i386 with GCC and security flags enabled

[Andrea Adami]

On Sat, Sep 15, 2018 at 1:30 PM Hongxu Jia <hongxu.jia@windriver.com> wrote:
>
> On 2018年09月15日 18:58, Andrea Adami wrote:
> > On Sat, Sep 15, 2018 at 10:15 AM Hongxu Jia <hongxu.jia@windriver.com> wrote:
> >> On 2018年09月15日 02:02, Andrea Adami wrote:
> >>> ld fails if distro's security-flags are enabled:
> >>> Inject the SECURITY_XFLAGS if security_flags.inc was included.
> >>>
> >>> Fix on i386: ld: discarded output section: `.got.plt'
> >>>
> >>> Signed-off-by: Andrea Adami <andrea.adami@gmail.com>
> >>> ---
> >>>    meta-initramfs/recipes-devtools/klibc/klibc.inc | 6 +++---
> >>>    1 file changed, 3 insertions(+), 3 deletions(-)
> >>>
> >>> diff --git a/meta-initramfs/recipes-devtools/klibc/klibc.inc b/meta-initramfs/recipes-devtools/klibc/klibc.inc
> >>> index 3d25e96..837b026 100644
> >>> --- a/meta-initramfs/recipes-devtools/klibc/klibc.inc
> >>> +++ b/meta-initramfs/recipes-devtools/klibc/klibc.inc
> >>> @@ -47,7 +47,8 @@ EXTRA_OEMAKE = "'KLIBCARCH=${KLIBC_ARCH}' \
> >>>                    'KLIBCOPTFLAGS=${TUNE_CCARGS}' \
> >>>                     V=1 \
> >>>                    "
> >>> -EXTRA_OEMAKE += 'EXTRA_KLIBCAFLAGS="-Wa,--noexecstack" EXTRA_KLIBCLDFLAGS="-z noexecstack"'
> >>> +EXTRA_OEMAKE += "'EXTRA_KLIBCAFLAGS=${SECURITY_CFLAGS} -Wa,--noexecstack' \
> >>> +                 'EXTRA_KLIBCLDFLAGS=${SECURITY_LDFLAGS} -z noexecstack'"
> >>>
> >> Is it necessary to pass SECURITY_XFLAGS directly? While including
> >> security_flags.inc,
> >> CC will contain SECURITY_CFLAGS and LDFLAGS will contain SECURITY_LDFLAGS.
> >> Maybe you should make sure  to pass LDFLAGS to EXTRA_KLIBCLDFLAGS to avoid
> >> ldflags qa warning.
> >>
> >> [security_flags.inc]
> >>    58 TARGET_CC_ARCH_append_class-target = " ${SECURITY_CFLAGS}"
> >>    59 TARGET_LDFLAGS_append_class-target = " ${SECURITY_LDFLAGS}"
> >> [security_flags.inc]
> >>
> >>>    export FIX_ARMV4_EABI_BX = "${FIX_V4BX}"
> >>>    KLIBCTHUMB = "${@['CONFIG_KLIBC_THUMB=n', 'CONFIG_KLIBC_THUMB=y'][(d.getVar('ARM_INSTRUCTION_SET') == 'thumb')]}"
> >>> @@ -74,5 +75,4 @@ KLIBC_ARCH_powerpc = "ppc"
> >>>    KLIBC_ARCH_powerpc64 = "ppc64"
> >>>    THIS_LIBKLIBC = "libklibc (= ${PV}-${PR})"
> >>>
> >>> -SECURITY_CFLAGS = "-fno-PIE -no-pie"
> >>> -SECURITY_LDFLAGS = "-no-pie"
> >>> +SECURITY_LDFLAGS = "${@'-z relro -z now -pie' if '${GCCPIE}' else ''}"
> >> The same reason, it is not necessary to test GCCPIE,
> >>
> >> and it missed "-Wl,"?, how about directly set SECURITY_STACK_PROTECTOR = ""
> >>
> > Hi,
> > thanks for reviewing.
> >
> > It is true the SECURITY_CFLAGS are passed to the compiler.
> > The problem is, klibc has its own arch makefiles (MCONFIG) and the
> > linker is called directly, so if you just append the LDFLAGS like
> > this:
> >
> > EXTRA_OEMAKE += "'EXTRA_KLIBCAFLAGS=-Wa,--noexecstack' \
> >                   'EXTRA_KLIBCLDFLAGS=${LDFLAGS} -z noexecstack'"
> >
> > you get:
> >
> >    i586-oe-linux-musl-ld.bfd -m elf_i386 -o usr/kinit/ipconfig/static/ipconfig -W
> > l,-O1 -Wl,--hash-style=gnu -Wl,--as-needed -z relro -z now -pie -z noexecstack u
> > sr/klibc/arch/i386/crt0.o --start-group  usr/kinit/ipconfig/main.o usr/kinit/ipc
> > onfig/netdev.o usr/kinit/ipconfig/packet.o usr/kinit/ipconfig/dhcp_proto.o usr/k
> > init/ipconfig/bootp_proto.o  usr/klibc/libc.a /tmp/build/tmp-musl/work/i586-oe-l
> > inux-musl/klibc/2.0.4-r0/recipe-sysroot/usr/lib/i586-oe-linux-musl/*/libgcc.a --
> > end-group ; cp -f usr/kinit/ipconfig/static/ipconfig usr/kinit/ipconfig/static/i
> > pconfig.g ; i586-oe-linux-musl-strip --strip-all -R .comment -R .note --strip-al
> > l -R .comment -R .note --strip-all -R .comment -R .note usr/kinit/ipconfig/stati
> > c/ipconfig
> > i586-oe-linux-musl-ld.bfd: unrecognized option '-Wl,-O1'
> >
> > Thus I am expliciting the SECURITY_LDFLAGS.
> >
> > Note that this patch, injecting the -pie, does now break build for mips,
> > because the MCONFIG foir mips disables pic.
> > The immediate fix is to remove -pie for mips (standard behavior).
>
> OK, thanks for the explain
>
> //Hongxu

Hi,

with a following patch more archs were fixed when building with security flags.
I ended up appending both SECURITY_CFLAGS and SECURITY_LDFLAGS and I
only have to special-case the mips/mips64 which at the time of klibc
(10yrs ago) if you read the kernel was expecting pic code in userspace
but here in klibc I see pic disabled in the makefiles...
Maybe Khem can test runtime...my only mips is a DTB decoder (well,
with a bit of motivation I could do that, it's OpenPli).

Cheers
Andrea


>
> > Cheers
> > Andrea
> >
> >
> >> //Hongxu
> >>
>