* [Buildroot] [RFC for-next] package/gcc: enable secureplt for powerpc64
From: Romain Naour @ 2021-05-17 20:13 UTC
  To: buildroot

GCC supports enabling secureplt for powerpc64.

From [1]
"PowerPC has two PLT models: BSS-PLT and Secure-PLT. BSS-PLT uses
runtime code generation to generate the PLT stubs. Secure-PLT was
introduced with GCC 4.1 and Binutils 2.17 (base has GCC 4.2.1 and
Binutils 2.17), and is a more secure PLT format, using a read-only
linkage table, with the dynamic linker populating a non-executable
index table."

This option is always enabled by the glibc testing script
called build-many-glibcs.py [1]. This script has existed since
glibc 2.25.

Runtime tested with qemu_ppc64_e5500_defconfig.

[1] https://reviews.freebsd.org/D20598
[2] https://sourceware.org/git/?p=glibc.git;a=blob;f=scripts/build-many-glibcs.py;h=9c08ab7b326e6385abb835eb32dd143952a71942;hb=9826b03b747b841f5fc6de2054bf1ef3f5c4bdf3#l345

Signed-off-by: Romain Naour <romain.naour@gmail.com>
Cc: Matt Weber <matthew.weber@collins.com>
---

While looking at a ppc secureplt issue with BR2_PIC_PIE, I noticed
that the gcc --enable-secureplt option was only used for BR2_powerpc
although it's also available for powerpc64.

I don't have powerpc64 hardware for real testing.
Tests welcome.
---
 package/gcc/gcc.mk | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/package/gcc/gcc.mk b/package/gcc/gcc.mk
index 5e419f7ede..ed9b93e50f 100644
--- a/package/gcc/gcc.mk
+++ b/package/gcc/gcc.mk
@@ -231,7 +231,7 @@ endif
 # Set default to Secure-PLT to prevent run-time
 # generation of PLT stubs (supports RELRO and
 # SELinux non-exemem capabilities)
-ifeq ($(BR2_powerpc),y)
+ifeq ($(BR2_powerpc)$(BR2_powerpc64),y)
 HOST_GCC_COMMON_CONF_OPTS += --enable-secureplt
 endif
 
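Review bot: the new condition on the +ifeq line tests BR2_powerpc and BR2_powerpc64 but not BR2_powerpc64le, so little-endian 64-bit builds still configure gcc without --enable-secureplt. If that is deliberate, say so in the commit message; if not, append $(BR2_powerpc64le) to the concatenation. The concatenated form matches only when exactly one of the symbols is y, so it relies on the architecture symbols staying mutually exclusive.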
-- 
2.31.1
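
The BSS-PLT / Secure-PLT distinction quoted in the commit message can be checked on built binaries. The following is an added example, not part of the patch or of Buildroot: it classifies a 32-bit big-endian PowerPC ELF image by the flags of its .plt section. It assumes the linker marks a BSS-PLT .plt executable (WAX in readelf -S output) and a Secure-PLT .plt as non-executable data (WA); plt_model and make_sample are hypothetical names, and the sample image is constructed.

```python
import struct

SHF_WRITE, SHF_ALLOC, SHF_EXECINSTR = 0x1, 0x2, 0x4
EM_PPC = 20  # e_machine for 32-bit PowerPC

def plt_model(elf: bytes) -> str:
    """Classify an ELF32 big-endian PowerPC image by the flags of its .plt section.

    Assumption of this example: the linker marks a BSS-PLT .plt executable
    (readelf shows WAX) and a Secure-PLT .plt as plain writable data (WA).
    """
    if elf[:4] != b"\x7fELF" or elf[4] != 1 or elf[5] != 2:
        raise ValueError("not an ELF32 big-endian image")
    if struct.unpack_from(">H", elf, 18)[0] != EM_PPC:
        raise ValueError("not a 32-bit PowerPC image")
    e_shoff = struct.unpack_from(">I", elf, 32)[0]
    e_shentsize, e_shnum, e_shstrndx = struct.unpack_from(">HHH", elf, 46)

    def shdr(i):
        # sh_name, sh_type, sh_flags, sh_addr, sh_offset, ... (10 words)
        return struct.unpack_from(">10I", elf, e_shoff + i * e_shentsize)

    names_off = shdr(e_shstrndx)[4]  # sh_offset of the section-name table
    for i in range(e_shnum):
        sh_name, _sh_type, sh_flags = shdr(i)[:3]
        start = names_off + sh_name
        if elf[start:elf.index(b"\0", start)] == b".plt":
            return "bss-plt" if sh_flags & SHF_EXECINSTR else "secure-plt"
    return "no-plt"

def make_sample(plt_flags: int) -> bytes:
    """Constructed input: ELF header, name table and three section headers only."""
    names = b"\0.shstrtab\0.plt\0"  # .shstrtab at offset 1, .plt at offset 11
    shoff = 52 + len(names)
    ehdr = b"\x7fELF\x01\x02\x01" + bytes(9) + struct.pack(
        ">HHIIIIIHHHHHH", 2, EM_PPC, 1, 0, 0, shoff, 0, 52, 0, 0, 40, 3, 1)
    shstrtab = struct.pack(">10I", 1, 3, 0, 0, 52, len(names), 0, 0, 1, 0)
    plt = struct.pack(">10I", 11, 8, plt_flags, 0, 0, 0, 0, 0, 4, 0)
    return ehdr + names + bytes(40) + shstrtab + plt

if __name__ == "__main__":
    for label, flags in (("WAX", SHF_WRITE | SHF_ALLOC | SHF_EXECINSTR),
                         ("WA", SHF_WRITE | SHF_ALLOC)):
        print(label, "->", plt_model(make_sample(flags)))
```

The check rejects anything that is not EM_PPC, so 64-bit images need a separate look at their own ABI.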


* [Buildroot] [RFC for-next] package/gcc: enable secureplt for powerpc64
From: Yann E. MORIN @ 2021-05-18 12:05 UTC
  To: buildroot

Romain, All,

On 2021-05-17 22:13 +0200, Romain Naour spake thusly:
> GCC supports enabling secureplt for powerpc64.
> 
> From [1]
> "PowerPC has two PLT models: BSS-PLT and Secure-PLT. BSS-PLT uses
> runtime code generation to generate the PLT stubs. Secure-PLT was
> introduced with GCC 4.1 and Binutils 2.17 (base has GCC 4.2.1 and
> Binutils 2.17), and is a more secure PLT format, using a read-only

gcc 4.1 and binutils 2.17 are really old, now; everything and everyone
has better than that nowadays.

> linkage table, with the dynamic linker populating a non-executable
> index table."
> 
> This option is always enabled by the glibc testing script
> called build-many-glibcs.py [1]. This script has existed since
> glibc 2.25.
> 
> Runtime tested with qemu_ppc64_e5500_defconfig.

Good enough for me.

> [1] https://reviews.freebsd.org/D20598
> [2] https://sourceware.org/git/?p=glibc.git;a=blob;f=scripts/build-many-glibcs.py;h=9c08ab7b326e6385abb835eb32dd143952a71942;hb=9826b03b747b841f5fc6de2054bf1ef3f5c4bdf3#l345
> 
> Signed-off-by: Romain Naour <romain.naour@gmail.com>
> Cc: Matt Weber <matthew.weber@collins.com>

Applied to next, thanks.

Regards,
Yann E. MORIN.

> ---
> 
> While looking at a ppc secureplt issue with BR2_PIC_PIE, I noticed
> that the gcc --enable-secureplt option was only used for BR2_powerpc
> although it's also available for powerpc64.
> 
> I don't have powerpc64 hardware for real testing.
> Tests welcome.
> ---
>  package/gcc/gcc.mk | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/package/gcc/gcc.mk b/package/gcc/gcc.mk
> index 5e419f7ede..ed9b93e50f 100644
> --- a/package/gcc/gcc.mk
> +++ b/package/gcc/gcc.mk
> @@ -231,7 +231,7 @@ endif
>  # Set default to Secure-PLT to prevent run-time
>  # generation of PLT stubs (supports RELRO and
>  # SELinux non-exemem capabilities)
> -ifeq ($(BR2_powerpc),y)
> +ifeq ($(BR2_powerpc)$(BR2_powerpc64),y)
>  HOST_GCC_COMMON_CONF_OPTS += --enable-secureplt
>  endif
>  
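Review bot: the comment block above the ifeq is left as it was written for the 32-bit case and spells the SELinux capability "non-exemem" (presumably "execmem"). Now that the condition also covers BR2_powerpc64, update the comment to name both targets and fix the spelling in the same change.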
> -- 
> 2.31.1
> 

-- 
.-----------------.--------------------.------------------.--------------------.
|  Yann E. MORIN  | Real-Time Embedded | /"\ ASCII RIBBON | Erics' conspiracy: |
| +33 662 376 056 | Software  Designer | \ / CAMPAIGN     |  ___               |
| +33 561 099 427 `------------.-------:  X  AGAINST      |  \e/  There is no  |
| http://ymorin.is-a-geek.org/ | _/*\_ | / \ HTML MAIL    |   v   conspiracy.  |
'------------------------------^-------^------------------^--------------------'


* [Buildroot] [External] Re: [RFC for-next] package/gcc: enable secureplt for powerpc64
From: Weber, Matthew L Collins @ 2021-05-18 13:20 UTC
  To: buildroot

All,


> -----Original Message-----
> From: Yann E. MORIN <yann.morin.1998@free.fr>
> Sent: Tuesday, May 18, 2021 7:06 AM
> To: Romain Naour <romain.naour@gmail.com>
> Cc: buildroot at buildroot.org; Weber, Matthew L Collins
> <Matthew.Weber@collins.com>
> Subject: [External] Re: [Buildroot] [RFC for-next] package/gcc: enable
> secureplt for powerpc64
> 
> Romain, All,
> 
> On 2021-05-17 22:13 +0200, Romain Naour spake thusly:
> > GCC supports enabling secureplt for powerpc64.
> >
> > From [1]
> > "PowerPC has two PLT models: BSS-PLT and Secure-PLT. BSS-PLT uses
> > runtime code generation to generate the PLT stubs. Secure-PLT was
> > introduced with GCC 4.1 and Binutils 2.17 (base has GCC 4.2.1 and
> > Binutils 2.17), and is a more secure PLT format, using a read-only
[snip]
> > linkage table, with the dynamic linker populating a non-executable
> > index table."

Interestingly, when doing SELinux policy, we didn't observe similar behavior with memory execute requests on PowerPC64 vs PowerPC.  Without this option, we observed regular memory execute (access request) audits on PowerPC, and we couldn't cleanly write policy without really opening things up.

> >
> > This option is always enabled by the glibc testing script called
> > build-many-glibcs.py [1]. This script has existed since glibc 2.25.
> >
> > Runtime tested with qemu_ppc64_e5500_defconfig.
> 
> Good enough for me.

Agree, the runtime test in QEMU should cover any lack of hardware testing.  I've successfully moved kernels between emulation and devkits for this arch.

Reviewed-by: Matt Weber <matthew.weber@collins.com>


* [Buildroot] [External] Re: [RFC for-next] package/gcc: enable secureplt for powerpc64
From: Yann E. MORIN @ 2021-05-18 13:39 UTC
  To: buildroot

Matthew, All,

On 2021-05-18 13:20 +0000, Weber, Matthew L Collins via buildroot spake thusly:
> > -----Original Message-----
> > From: Yann E. MORIN <yann.morin.1998@free.fr>
> > Sent: Tuesday, May 18, 2021 7:06 AM
> > To: Romain Naour <romain.naour@gmail.com>
> > Cc: buildroot at buildroot.org; Weber, Matthew L Collins
> > <Matthew.Weber@collins.com>
> > Subject: [External] Re: [Buildroot] [RFC for-next] package/gcc: enable
> > secureplt for powerpc64
> > 
> > Romain, All,
> > 
> > On 2021-05-17 22:13 +0200, Romain Naour spake thusly:
> > > GCC supports enabling secureplt for powerpc64.
> > >
> > > From [1]
> > > "PowerPC has two PLT models: BSS-PLT and Secure-PLT. BSS-PLT uses
> > > runtime code generation to generate the PLT stubs. Secure-PLT was
> > > introduced with GCC 4.1 and Binutils 2.17 (base has GCC 4.2.1 and
> > > Binutils 2.17), and is a more secure PLT format, using a read-only
> [snip]
> > > linkage table, with the dynamic linker populating a non-executable
> > > index table."
> Interestingly, when doing SELinux policy, we didn't observe similar
> behavior with memory execute requests on PowerPC64 vs PowerPC. Without
> this option, we observed regular memory execute (access request)
> audits on PowerPC, and we couldn't cleanly write policy without really
> opening things up.
> > > This option is always enabled by the glibc testing script called
> > > build-many-glibcs.py [1]. This script has existed since glibc 2.25.
> > >
> > > Runtime tested with qemu_ppc64_e5500_defconfig.
> > 
> > Good enough for me.
> Agree, the runtime test in QEMU should cover any lack of hardware
> testing.  I've successfully moved kernels between emulation and
> devkits for this arch.
> 
> Reviewed-by: Matt Weber <matthew.weber@collins.com>

Already applied, so your rev-tag will not be recorded, sorry... But
still, it is good to read positive feedback nonetheless. Thanks!

Regards,
Yann E. MORIN.
