* [Buildroot] [PATCH 1/4] toolchain: set the ssp gcc option in kconfig
       [not found] <cover.1552286891.git.yann.morin@orange.com>
@ 2019-03-11  6:48 ` yann.morin at orange.com
  2019-03-12  0:02   ` Arnout Vandecappelle
  2019-03-11  6:48 ` [Buildroot] [PATCH 2/4] toolchain: check the SSP option is known yann.morin at orange.com
                   ` (2 subsequent siblings)
  3 siblings, 1 reply; 18+ messages in thread
From: yann.morin at orange.com @ 2019-03-11  6:48 UTC (permalink / raw)
  To: buildroot

From: "Yann E. MORIN" <yann.morin@orange.com>

Currently, we repeat all the SSP level selection deep down to the
toolchain wrapper itself, where we eventually translate it to the
actual SSP option to use. This is a bit redundant.

Additionally, we will want to check that the toolchain actually
supports that option (for those toolchains where it was backported).

So, move the translation into kconfig.

Since that new option has neither a prompt nor a default
value for SSP_NONE, it will not be set unless it actually contains
a non-empty string, so it will never be "" and we can skip the usual
qstrip-then-quote-anyway dance.

Signed-off-by: "Yann E. MORIN" <yann.morin@orange.com>
Cc: Matt Weber <matthew.weber@rockwellcollins.com>
Cc: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Cc: Thomas De Schampheleire <thomas.de_schampheleire@nokia.com>
---
 Config.in                      |  6 ++++++
 toolchain/toolchain-wrapper.c  | 10 ++--------
 toolchain/toolchain-wrapper.mk |  8 ++------
 3 files changed, 10 insertions(+), 14 deletions(-)

diff --git a/Config.in b/Config.in
index d58d8dc04a..757ad1ca40 100644
--- a/Config.in
+++ b/Config.in
@@ -764,6 +764,12 @@ config BR2_SSP_ALL
 
 endchoice
 
+config BR2_SSP_OPTION
+	string
+	default "-fstack-protector"        if BR2_SSP_REGULAR
+	default "-fstack-protector-strong" if BR2_SSP_STRONG
+	default "-fstack-protector-all"    if BR2_SSP_ALL
+
 comment "Stack Smashing Protection needs a toolchain w/ SSP"
 	depends on !BR2_TOOLCHAIN_HAS_SSP
 
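Review bot: `config BR2_SSP_OPTION` carries no comment saying that it is a derived, prompt-less symbol that is deliberately left without a default when no SSP level is selected. The `ifneq ($(BR2_SSP_OPTION),)` test in toolchain-wrapper.mk depends on the symbol being unset in that case, so a one-line comment above the entry would stop someone from later adding `default ""` and passing an empty-string argument to every compiler invocation.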
diff --git a/toolchain/toolchain-wrapper.c b/toolchain/toolchain-wrapper.c
index e9c5cd9d32..d605a7d648 100644
--- a/toolchain/toolchain-wrapper.c
+++ b/toolchain/toolchain-wrapper.c
@@ -98,14 +98,8 @@ static char *predef_args[] = {
 #if defined(BR_MIPS_TARGET_BIG_ENDIAN) || defined(BR_ARC_TARGET_BIG_ENDIAN)
 	"-EB",
 #endif
-#ifdef BR_SSP_REGULAR
-	"-fstack-protector",
-#endif
-#ifdef BR_SSP_STRONG
-	"-fstack-protector-strong",
-#endif
-#ifdef BR_SSP_ALL
-	"-fstack-protector-all",
+#ifdef BR_SSP_OPTION
+	BR_SSP_OPTION,
 #endif
 #ifdef BR_ADDITIONAL_CFLAGS
 	BR_ADDITIONAL_CFLAGS
diff --git a/toolchain/toolchain-wrapper.mk b/toolchain/toolchain-wrapper.mk
index 613f5f6c56..e48e765a8e 100644
--- a/toolchain/toolchain-wrapper.mk
+++ b/toolchain/toolchain-wrapper.mk
@@ -51,12 +51,8 @@ else ifeq ($(BR2_RELRO_FULL),y)
 TOOLCHAIN_WRAPPER_ARGS += -DBR2_RELRO_FULL
 endif
 
-ifeq ($(BR2_SSP_REGULAR),y)
-TOOLCHAIN_WRAPPER_ARGS += -DBR_SSP_REGULAR
-else ifeq ($(BR2_SSP_STRONG),y)
-TOOLCHAIN_WRAPPER_ARGS += -DBR_SSP_STRONG
-else ifeq ($(BR2_SSP_ALL),y)
-TOOLCHAIN_WRAPPER_ARGS += -DBR_SSP_ALL
+ifneq ($(BR2_SSP_OPTION),)
+TOOLCHAIN_WRAPPER_ARGS += -DBR_SSP_OPTION='$(BR2_SSP_OPTION)'
 endif
 
 define TOOLCHAIN_WRAPPER_BUILD
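Review bot: in `-DBR_SSP_OPTION='$(BR2_SSP_OPTION)'` the single quotes only protect the value from the shell; the double quotes that turn it into a C string literal for `predef_args[]` have to come from the kconfig string itself. That holds only while nobody strips the variable upstream, so either add a comment stating the assumption or strip and re-quote explicitly, e.g. `'"$(call qstrip,$(BR2_SSP_OPTION))"'`.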
-- 
2.17.1


_________________________________________________________________________________________________________________________

Ce message et ses pieces jointes peuvent contenir des informations confidentielles ou privilegiees et ne doivent donc
pas etre diffuses, exploites ou copies sans autorisation. Si vous avez recu ce message par erreur, veuillez le signaler
a l'expediteur et le detruire ainsi que les pieces jointes. Les messages electroniques etant susceptibles d'alteration,
Orange decline toute responsabilite si ce message a ete altere, deforme ou falsifie. Merci.

This message and its attachments may contain confidential or privileged information that may be protected by law;
they should not be distributed, used or copied without authorisation.
If you have received this email in error, please notify the sender and delete this message and its attachments.
As emails may be altered, Orange is not liable for messages that have been modified, changed or falsified.
Thank you.


* [Buildroot] [PATCH 2/4] toolchain: check the SSP option is known
       [not found] <cover.1552286891.git.yann.morin@orange.com>
  2019-03-11  6:48 ` [Buildroot] [PATCH 1/4] toolchain: set the ssp gcc option in kconfig yann.morin at orange.com
@ 2019-03-11  6:48 ` yann.morin at orange.com
  2019-03-12  0:25   ` Arnout Vandecappelle
  2019-03-11  6:48 ` [Buildroot] [PATCH 3/4] toolchain: -fstack-protector-strong can be back-ported yann.morin at orange.com
  2019-03-11  6:48 ` [Buildroot] [PATCH 4/4] toolchain: allow PIC/PIE without RELRO yann.morin at orange.com
  3 siblings, 1 reply; 18+ messages in thread
From: yann.morin at orange.com @ 2019-03-11  6:48 UTC (permalink / raw)
  To: buildroot

From: "Yann E. MORIN" <yann.morin@orange.com>

Some toolchain vendors may have backported those options to older gcc
versions, and we have no way to know, so we have to check that the
user's selection is acceptable.

Extend the macro that currently checks for SSP in the toolchain, with
a new test that the actual SSP option is recognised and accepted.

Note that the SSP option is either totally empty, or an already-quoted
string, so we can safely and easily assign it to a shell variable to
test and use it.

Signed-off-by: "Yann E. MORIN" <yann.morin@orange.com>
Cc: Matt Weber <matthew.weber@rockwellcollins.com>
Cc: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Cc: Thomas De Schampheleire <thomas.de_schampheleire@nokia.com>
---
 toolchain/helpers.mk                                   | 8 ++++++++
 toolchain/toolchain-external/pkg-toolchain-external.mk | 2 +-
 2 files changed, 9 insertions(+), 1 deletion(-)

diff --git a/toolchain/helpers.mk b/toolchain/helpers.mk
index e5520c00c3..ba097e83cf 100644
--- a/toolchain/helpers.mk
+++ b/toolchain/helpers.mk
@@ -415,6 +415,7 @@ check_unusable_toolchain = \
 # Check if the toolchain has SSP (stack smashing protector) support
 #
 # $1: cross-gcc path
+# $2: gcc ssp option
 #
 check_toolchain_ssp = \
 	__CROSS_CC=$(strip $1) ; \
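Review bot: the new `# $2: gcc ssp option` line should state that the argument may be empty (no SSP level selected) and that it is expected to arrive already double-quoted, because the `__SSP_OPTION=$(2)` assignment added further down in this macro relies on both.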
@@ -427,6 +428,13 @@ check_toolchain_ssp = \
 		echo "SSP support not available in this toolchain, please disable BR2_TOOLCHAIN_EXTERNAL_HAS_SSP" ; \
 		exit 1 ; \
 	fi ; \
+	__SSP_OPTION=$(2); \
+	if [ -n "$${__SSP_OPTION}" ] ; then \
+		if ! echo 'void main(){}' | $${__CROSS_CC} -Werror $${__SSP_OPTION} -x c - -o $(BUILD_DIR)/.br-toolchain-test.tmp >/dev/null 2>&1 ; then \
+			echo "SSP option $${__SSP_OPTION} not available in this toolchain, please select another SSP level" ; \
+			exit 1 ; \
+		fi; \
+	fi; \
 	rm -f $(BUILD_DIR)/.br-toolchain-test.tmp*
 
 #
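Review bot: the probe program `void main(){}` is compiled with `-Werror`, so a toolchain that warns about a non-int `main` fails the test and is wrongly reported as lacking the SSP option. Use `int main(void){return 0;}` so that only the option under test can cause the failure. In the same block, compiler output is sent to `/dev/null` and `exit 1` runs before the final `rm -f`, so a failure gives the user no diagnostic and skips the cleanup; consider showing the compiler's stderr on the error path.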
diff --git a/toolchain/toolchain-external/pkg-toolchain-external.mk b/toolchain/toolchain-external/pkg-toolchain-external.mk
index db3570d96f..00cbd7b17a 100644
--- a/toolchain/toolchain-external/pkg-toolchain-external.mk
+++ b/toolchain/toolchain-external/pkg-toolchain-external.mk
@@ -549,7 +549,7 @@ define $(2)_CONFIGURE_CMDS
 	else \
 		$$(call check_glibc,$$$${SYSROOT_DIR}) ; \
 	fi
-	$$(Q)$$(call check_toolchain_ssp,$$(TOOLCHAIN_EXTERNAL_CC))
+	$$(Q)$$(call check_toolchain_ssp,$$(TOOLCHAIN_EXTERNAL_CC),$(BR2_SSP_OPTION))
 endef
 
 $(2)_TOOLCHAIN_WRAPPER_ARGS += $$(TOOLCHAIN_EXTERNAL_TOOLCHAIN_WRAPPER_ARGS)
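Review bot: `$(BR2_SSP_OPTION)` is written with a single `$` while the rest of the changed line and the surrounding `define` use `$$(...)`, so it is expanded when the infrastructure macro is evaluated rather than when the recipe runs. The value is the same either way for a kconfig symbol, but `$$(BR2_SSP_OPTION)` would match `$$(TOOLCHAIN_EXTERNAL_CC)` on the same line and avoid a surprise if the argument ever becomes a per-package variable.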
-- 
2.17.1



* [Buildroot] [PATCH 3/4] toolchain: -fstack-protector-strong can be back-ported
       [not found] <cover.1552286891.git.yann.morin@orange.com>
  2019-03-11  6:48 ` [Buildroot] [PATCH 1/4] toolchain: set the ssp gcc option in kconfig yann.morin at orange.com
  2019-03-11  6:48 ` [Buildroot] [PATCH 2/4] toolchain: check the SSP option is known yann.morin at orange.com
@ 2019-03-11  6:48 ` yann.morin at orange.com
  2019-03-11  6:48 ` [Buildroot] [PATCH 4/4] toolchain: allow PIC/PIE without RELRO yann.morin at orange.com
  3 siblings, 0 replies; 18+ messages in thread
From: yann.morin at orange.com @ 2019-03-11  6:48 UTC (permalink / raw)
  To: buildroot

From: "Yann E. MORIN" <yann.morin@orange.com>

Currently, use of -fstack-protector-strong is only available for gcc
starting with 4.9, on the assumption that it appeared with that version.

Although this is true, it happens that quite a few vendors will have
back-ported -fstack-protector-strong to older gcc versions (at least 4.8
seen in the wild).

Remove the guard against gcc>=4.9, and expand the help text.

Signed-off-by: "Yann E. MORIN" <yann.morin@orange.com>
Cc: Matt Weber <matthew.weber@rockwellcollins.com>
Cc: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Cc: Thomas De Schampheleire <thomas.de_schampheleire@nokia.com>

---
Notes:

We could have changed the guard to something like:
    depends on BR2_TOOLCHAIN_GCC_AT_LEAST_4_9 || BR2_TOOLCHAIN_EXTERNAL

However, the latest gcc we support in the internal toolchain *is*
gcc-4.9, so the condition would have always been true. Hence, we just
drop the condition.
---
 Config.in | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/Config.in b/Config.in
index 757ad1ca40..d5a0460f98 100644
--- a/Config.in
+++ b/Config.in
@@ -746,14 +746,14 @@ config BR2_SSP_REGULAR
 
 config BR2_SSP_STRONG
 	bool "-fstack-protector-strong"
-	depends on BR2_TOOLCHAIN_GCC_AT_LEAST_4_9
 	help
 	  Like -fstack-protector but includes additional functions to be
 	  protected - those that have local array definitions, or have
 	  references to local frame addresses.
 
-comment "Stack Smashing Protection strong needs a toolchain w/ gcc >= 4.9"
-	depends on !BR2_TOOLCHAIN_GCC_AT_LEAST_4_9
+	  -fstack-protector-strong officially appeared in gcc 4.9, but
+	  some vendors have backported -fstack-protector-strong to older
+	  versions of gcc.
 
 config BR2_SSP_ALL
 	bool "-fstack-protector-all"
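Review bot: with the `depends on BR2_TOOLCHAIN_GCC_AT_LEAST_4_9` guard removed, the new help paragraph says the option may exist in older compilers but not what happens when it does not. Add a sentence telling the user that an external toolchain which rejects `-fstack-protector-strong` will fail the toolchain check introduced earlier in this series, so they know to pick another SSP level. The paragraph also names the flag twice; "but some vendors have backported it to older versions of gcc" reads better.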
-- 
2.17.1



* [Buildroot] [PATCH 4/4] toolchain: allow PIC/PIE without RELRO
       [not found] <cover.1552286891.git.yann.morin@orange.com>
                   ` (2 preceding siblings ...)
  2019-03-11  6:48 ` [Buildroot] [PATCH 3/4] toolchain: -fstack-protector-strong can be back-ported yann.morin at orange.com
@ 2019-03-11  6:48 ` yann.morin at orange.com
  2019-03-12  0:36   ` Arnout Vandecappelle
  3 siblings, 1 reply; 18+ messages in thread
From: yann.morin at orange.com @ 2019-03-11  6:48 UTC (permalink / raw)
  To: buildroot

From: "Yann E. MORIN" <yann.morin@orange.com>

In commit 7484c1c3b806 (toolchain/toolchain-wrapper: add BR2_RELRO_),
we added the PIC/PIE flags, but based on the RELRO_FULL condition.

It is however totally possible to do a PIC/PIE executable without
RELRO_FULL, as it is also valid to do a PIC/PIE build with RELRO_PARTIAL.

Add a new option that now governs the PIC/PIE flags.

Note: it is unknown if RELRO_FULL really needs PIC/PIE or not, so we
keep the current situation, where RELRO-FULL forces PIC/PIE compilation.

Signed-off-by: "Yann E. MORIN" <yann.morin@orange.com>
Cc: Matt Weber <matthew.weber@rockwellcollins.com>
Cc: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Cc: Thomas De Schampheleire <thomas.de_schampheleire@nokia.com>
---
 Config.in                      | 8 ++++++++
 toolchain/toolchain-wrapper.c  | 2 +-
 toolchain/toolchain-wrapper.mk | 4 ++++
 3 files changed, 13 insertions(+), 1 deletion(-)

diff --git a/Config.in b/Config.in
index d5a0460f98..31fea3ab34 100644
--- a/Config.in
+++ b/Config.in
@@ -712,6 +712,13 @@ endmenu
 
 comment "Security Hardening Options"
 
+config BR2_PIC_PIE
+	bool "Build code with PIC/PIE"
+	depends on BR2_SHARED_LIBS
+	help
+	  Generate Position-Independent Code (PIC) and link
+	  Position-Independent Executables (PIE).
+
 choice
 	bool "Stack Smashing Protection"
 	default BR2_SSP_ALL if BR2_ENABLE_SSP # legacy
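Review bot: `BR2_PIC_PIE` gets `depends on BR2_SHARED_LIBS` but nothing tells a user doing a static build why the option has disappeared from the menu. Add a `comment` entry for the unmet dependency, in the style of the existing "Stack Smashing Protection needs a toolchain w/ SSP" comment, and have the help text mention the restriction.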
@@ -794,6 +801,7 @@ config BR2_RELRO_PARTIAL
 
 config BR2_RELRO_FULL
 	bool "Full"
+	select BR2_PIC_PIE
 	help
 	  This option includes the partial configuration, but also marks
 	  the GOT as read-only at the cost of initialization time during
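Review bot: `select BR2_PIC_PIE` under `BR2_RELRO_FULL` bypasses the `depends on BR2_SHARED_LIBS` that this same patch puts on `BR2_PIC_PIE`, because kconfig's `select` ignores the dependencies of the selected symbol. No matching `depends on` is visible on `BR2_RELRO_FULL` in this hunk; confirm that the enclosing choice already requires shared libraries, or add the dependency here.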
diff --git a/toolchain/toolchain-wrapper.c b/toolchain/toolchain-wrapper.c
index d605a7d648..a38f827786 100644
--- a/toolchain/toolchain-wrapper.c
+++ b/toolchain/toolchain-wrapper.c
@@ -370,7 +370,7 @@ int main(int argc, char **argv)
 		*cur++ = "-Wno-builtin-macro-redefined";
 	}
 
-#ifdef BR2_RELRO_FULL
+#ifdef BR2_PIC_PIE
 	/* Patterned after Fedora/Gentoo hardening approaches.
 	 * https://fedoraproject.org/wiki/Changes/Harden_All_Packages
 	 * https://wiki.gentoo.org/wiki/Hardened/Toolchain#Position_Independent_Executables_.28PIEs.29
diff --git a/toolchain/toolchain-wrapper.mk b/toolchain/toolchain-wrapper.mk
index e48e765a8e..67cec5c1cf 100644
--- a/toolchain/toolchain-wrapper.mk
+++ b/toolchain/toolchain-wrapper.mk
@@ -45,6 +45,10 @@ ifeq ($(BR2_CCACHE_USE_BASEDIR),y)
 TOOLCHAIN_WRAPPER_ARGS += -DBR_CCACHE_BASEDIR='"$(BASE_DIR)"'
 endif
 
+ifeq ($(BR2_PIC_PIE),y)
+TOOLCHAIN_WRAPPER_ARGS += -DBR2_PIC_PIE
+endif
+
 ifeq ($(BR2_RELRO_PARTIAL),y)
 TOOLCHAIN_WRAPPER_ARGS += -DBR2_RELRO_PARTIAL
 else ifeq ($(BR2_RELRO_FULL),y)
-- 
2.17.1



* [Buildroot] [PATCH 1/4] toolchain: set the ssp gcc option in kconfig
  2019-03-11  6:48 ` [Buildroot] [PATCH 1/4] toolchain: set the ssp gcc option in kconfig yann.morin at orange.com
@ 2019-03-12  0:02   ` Arnout Vandecappelle
  2019-03-12  6:06     ` yann.morin at orange.com
  0 siblings, 1 reply; 18+ messages in thread
From: Arnout Vandecappelle @ 2019-03-12  0:02 UTC (permalink / raw)
  To: buildroot



On 11/03/2019 07:48, yann.morin at orange.com wrote:
[snip]
> diff --git a/toolchain/toolchain-wrapper.mk b/toolchain/toolchain-wrapper.mk
> index 613f5f6c56..e48e765a8e 100644
> --- a/toolchain/toolchain-wrapper.mk
> +++ b/toolchain/toolchain-wrapper.mk
> @@ -51,12 +51,8 @@ else ifeq ($(BR2_RELRO_FULL),y)
>  TOOLCHAIN_WRAPPER_ARGS += -DBR2_RELRO_FULL
>  endif
>  
> -ifeq ($(BR2_SSP_REGULAR),y)
> -TOOLCHAIN_WRAPPER_ARGS += -DBR_SSP_REGULAR
> -else ifeq ($(BR2_SSP_STRONG),y)
> -TOOLCHAIN_WRAPPER_ARGS += -DBR_SSP_STRONG
> -else ifeq ($(BR2_SSP_ALL),y)
> -TOOLCHAIN_WRAPPER_ARGS += -DBR_SSP_ALL
> +ifneq ($(BR2_SSP_OPTION),)
> +TOOLCHAIN_WRAPPER_ARGS += -DBR_SSP_OPTION='$(BR2_SSP_OPTION)'
>  endif

 I try to mention this every time someone touches the toolchain wrapper:

 I'd really like to use the BR_ADDITIONAL_CFLAGS instead, by changing the
definition in the .mk file to something like:

TOOLCHAIN_WRAPPER_OPTS = \
        $(call qstrip,$(BR2_TARGET_OPTIMIZATION)) \
	$(call qstrip,$(BR2_SSP_OPTION))

TOOLCHAIN_WRAPPER_ARGS += \
 	-DBR_ADDITIONAL_CFLAGS='$(foreach f,$(TOOLCHAIN_WRAPPER_OPTS),"$(f)"$(comma))'

(note that I preferred the qstrip instead of the ifdef here, and adding quotes
explicitly in the foreach, but you may want to implement it differently).

 Regards,
 Arnout


* [Buildroot] [PATCH 2/4] toolchain: check the SSP option is known
  2019-03-11  6:48 ` [Buildroot] [PATCH 2/4] toolchain: check the SSP option is known yann.morin at orange.com
@ 2019-03-12  0:25   ` Arnout Vandecappelle
  2019-03-12  6:18     ` yann.morin at orange.com
       [not found]     ` <20190312061810.GB4924@r-lnx-nyma7486-2>
  0 siblings, 2 replies; 18+ messages in thread
From: Arnout Vandecappelle @ 2019-03-12  0:25 UTC (permalink / raw)
  To: buildroot



On 11/03/2019 07:48, yann.morin at orange.com wrote:
> From: "Yann E. MORIN" <yann.morin@orange.com>
> 
> Some toolchain vendors may have backported those options to older gcc
> versions, and we have no way to know, so we have to check that the
> user's selection is acceptable.
> 
> Extend the macro that currently checks for SSP in the toolchain, with
> a new test that the actual SSP option is recognised and accepted.
> 
> Note that the SSP option is either totally empty, or an already-quoted
> string, so we can safely and easily assign it to a shell variable to
> test and use it.

 I notice that in vlc.mk, we have

ax_cv_check_cflags___fstack_protector_strong=$(if $(BR2_TOOLCHAIN_HAS_SSP),yes,no)

without an actual check that stack-protector=strong really is available... Maybe
we need BR2_TOOLCHAIN_HAS_SSP_STRONG after all?

 Regards,
 Arnout

> 
> Signed-off-by: "Yann E. MORIN" <yann.morin@orange.com>
> Cc: Matt Weber <matthew.weber@rockwellcollins.com>
> Cc: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
> Cc: Thomas De Schampheleire <thomas.de_schampheleire@nokia.com>
> ---
>  toolchain/helpers.mk                                   | 8 ++++++++
>  toolchain/toolchain-external/pkg-toolchain-external.mk | 2 +-
>  2 files changed, 9 insertions(+), 1 deletion(-)
> 
> diff --git a/toolchain/helpers.mk b/toolchain/helpers.mk
> index e5520c00c3..ba097e83cf 100644
> --- a/toolchain/helpers.mk
> +++ b/toolchain/helpers.mk
> @@ -415,6 +415,7 @@ check_unusable_toolchain = \
>  # Check if the toolchain has SSP (stack smashing protector) support
>  #
>  # $1: cross-gcc path
> +# $2: gcc ssp option
>  #
>  check_toolchain_ssp = \
>  	__CROSS_CC=$(strip $1) ; \
> @@ -427,6 +428,13 @@ check_toolchain_ssp = \
>  		echo "SSP support not available in this toolchain, please disable BR2_TOOLCHAIN_EXTERNAL_HAS_SSP" ; \
>  		exit 1 ; \
>  	fi ; \
> +	__SSP_OPTION=$(2); \
> +	if [ -n "$${__SSP_OPTION}" ] ; then \
> +		if ! echo 'void main(){}' | $${__CROSS_CC} -Werror $${__SSP_OPTION} -x c - -o $(BUILD_DIR)/.br-toolchain-test.tmp >/dev/null 2>&1 ; then \
> +			echo "SSP option $${__SSP_OPTION} not available in this toolchain, please select another SSP level" ; \
> +			exit 1 ; \
> +		fi; \
> +	fi; \
>  	rm -f $(BUILD_DIR)/.br-toolchain-test.tmp*
>  
>  #
> diff --git a/toolchain/toolchain-external/pkg-toolchain-external.mk b/toolchain/toolchain-external/pkg-toolchain-external.mk
> index db3570d96f..00cbd7b17a 100644
> --- a/toolchain/toolchain-external/pkg-toolchain-external.mk
> +++ b/toolchain/toolchain-external/pkg-toolchain-external.mk
> @@ -549,7 +549,7 @@ define $(2)_CONFIGURE_CMDS
>  	else \
>  		$$(call check_glibc,$$$${SYSROOT_DIR}) ; \
>  	fi
> -	$$(Q)$$(call check_toolchain_ssp,$$(TOOLCHAIN_EXTERNAL_CC))
> +	$$(Q)$$(call check_toolchain_ssp,$$(TOOLCHAIN_EXTERNAL_CC),$(BR2_SSP_OPTION))
>  endef
>  
>  $(2)_TOOLCHAIN_WRAPPER_ARGS += $$(TOOLCHAIN_EXTERNAL_TOOLCHAIN_WRAPPER_ARGS)
> 


* [Buildroot] [PATCH 4/4] toolchain: allow PIC/PIE without RELRO
  2019-03-11  6:48 ` [Buildroot] [PATCH 4/4] toolchain: allow PIC/PIE without RELRO yann.morin at orange.com
@ 2019-03-12  0:36   ` Arnout Vandecappelle
  2019-03-12  6:22     ` yann.morin at orange.com
  0 siblings, 1 reply; 18+ messages in thread
From: Arnout Vandecappelle @ 2019-03-12  0:36 UTC (permalink / raw)
  To: buildroot



On 11/03/2019 07:48, yann.morin at orange.com wrote:
> From: "Yann E. MORIN" <yann.morin@orange.com>
> 
> In commit 7484c1c3b806 (toolchain/toolchain-wrapper: add BR2_RELRO_),
> we added the PIC/PIE flags, but based on the RELRO_FULL condition.
> 
> It is however totally possible to do a PIC/PIE executable without
> RELRO_FULL, as it is also valid to do a PIC/PIE build with RELRO_PARTIAL.
> 
> Add a new option that now governs the PIC/PIE flags.
> 
> Note: it is unknown if RELRO_FULL really needs PIC/PIE or not, so we
> keep the current situation, where RELRO-FULL forces PIC/PIE compilation.

 I just checked on my host, and a simple test program compiled with -no-pie
-Wl,-z,relro -Wl,-z,now does work, so indeed the two seem to be independent.

 I guess it's a historical accident that the global full relro and PIE are
typically introduced together. From what I understand, they are pretty much
independent.

 Regards,
 Arnout

> 
> Signed-off-by: "Yann E. MORIN" <yann.morin@orange.com>
> Cc: Matt Weber <matthew.weber@rockwellcollins.com>
> Cc: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
> Cc: Thomas De Schampheleire <thomas.de_schampheleire@nokia.com>
> ---
>  Config.in                      | 8 ++++++++
>  toolchain/toolchain-wrapper.c  | 2 +-
>  toolchain/toolchain-wrapper.mk | 4 ++++
>  3 files changed, 13 insertions(+), 1 deletion(-)
> 
> diff --git a/Config.in b/Config.in
> index d5a0460f98..31fea3ab34 100644
> --- a/Config.in
> +++ b/Config.in
> @@ -712,6 +712,13 @@ endmenu
>  
>  comment "Security Hardening Options"
>  
> +config BR2_PIC_PIE
> +	bool "Build code with PIC/PIE"
> +	depends on BR2_SHARED_LIBS
> +	help
> +	  Generate Position-Independent Code (PIC) and link
> +	  Position-Independent Executables (PIE).
> +
>  choice
>  	bool "Stack Smashing Protection"
>  	default BR2_SSP_ALL if BR2_ENABLE_SSP # legacy
> @@ -794,6 +801,7 @@ config BR2_RELRO_PARTIAL
>  
>  config BR2_RELRO_FULL
>  	bool "Full"
> +	select BR2_PIC_PIE
>  	help
>  	  This option includes the partial configuration, but also marks
>  	  the GOT as read-only at the cost of initialization time during
> diff --git a/toolchain/toolchain-wrapper.c b/toolchain/toolchain-wrapper.c
> index d605a7d648..a38f827786 100644
> --- a/toolchain/toolchain-wrapper.c
> +++ b/toolchain/toolchain-wrapper.c
> @@ -370,7 +370,7 @@ int main(int argc, char **argv)
>  		*cur++ = "-Wno-builtin-macro-redefined";
>  	}
>  
> -#ifdef BR2_RELRO_FULL
> +#ifdef BR2_PIC_PIE
>  	/* Patterned after Fedora/Gentoo hardening approaches.
>  	 * https://fedoraproject.org/wiki/Changes/Harden_All_Packages
>  	 * https://wiki.gentoo.org/wiki/Hardened/Toolchain#Position_Independent_Executables_.28PIEs.29
> diff --git a/toolchain/toolchain-wrapper.mk b/toolchain/toolchain-wrapper.mk
> index e48e765a8e..67cec5c1cf 100644
> --- a/toolchain/toolchain-wrapper.mk
> +++ b/toolchain/toolchain-wrapper.mk
> @@ -45,6 +45,10 @@ ifeq ($(BR2_CCACHE_USE_BASEDIR),y)
>  TOOLCHAIN_WRAPPER_ARGS += -DBR_CCACHE_BASEDIR='"$(BASE_DIR)"'
>  endif
>  
> +ifeq ($(BR2_PIC_PIE),y)
> +TOOLCHAIN_WRAPPER_ARGS += -DBR2_PIC_PIE
> +endif
> +
>  ifeq ($(BR2_RELRO_PARTIAL),y)
>  TOOLCHAIN_WRAPPER_ARGS += -DBR2_RELRO_PARTIAL
>  else ifeq ($(BR2_RELRO_FULL),y)
> 
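
The reply above observes that PIE and full RELRO are independent link-time properties. The following is an added example, not part of the thread and not Buildroot code: a shell function that reports both properties separately from `readelf -h -l -d -W` output, which is a convenient way to audit what a given combination of the two options actually produced in a target binary. The function names and the readelf excerpts are constructed for illustration, and the PIE test is a heuristic.

```shell
#!/bin/sh
# Added example (not from the thread or from Buildroot).
# classify_hardening reads `readelf -h -l -d -W FILE` text on stdin and prints
#   pie=<yes|no> relro=<none|partial|full>
# PIE   : ELF type DYN plus an INTERP segment or the PIE bit in FLAGS_1
#         (heuristic: most shared libraries are DYN without either).
# RELRO : a GNU_RELRO segment alone is partial; with BIND_NOW (-z now) it is full.
classify_hardening() {
    awk '
        $1 == "Type:" && $2 == "DYN"   { dyn = 1 }
        $1 == "INTERP"                 { interp = 1 }
        $1 == "GNU_RELRO"              { relro = 1 }
        /\(BIND_NOW\)/                 { now = 1 }
        /\(FLAGS\)/   && /BIND_NOW/    { now = 1 }
        /\(FLAGS_1\)/ && / NOW/        { now = 1 }
        /\(FLAGS_1\)/ && / PIE/        { pieflag = 1 }
        END {
            pie = (dyn && (interp || pieflag)) ? "yes" : "no"
            r = relro ? (now ? "full" : "partial") : "none"
            printf "pie=%s relro=%s\n", pie, r
        }'
}

# check_elf FILE: classify a real binary (needs readelf from binutils).
check_elf() {
    readelf -h -l -d -W "$1" | classify_hardening
}

# Constructed excerpt: the case tested in the reply,
# -no-pie -Wl,-z,relro -Wl,-z,now.
sample_nopie_fullrelro() {
cat <<'EOF'
  Type:                              EXEC (Executable file)
  INTERP         0x000318 0x0000000000400318 0x0000000000400318 0x00001c 0x00001c R   0x1
  GNU_RELRO      0x002df8 0x0000000000403df8 0x0000000000403df8 0x000208 0x000208 R   0x1
 0x000000000000001e (FLAGS)              BIND_NOW
 0x000000006ffffffb (FLAGS_1)            Flags: NOW
EOF
}

# Constructed excerpt: PIE with partial RELRO (the combination patch 4/4 allows).
sample_pie_partialrelro() {
cat <<'EOF'
  Type:                              DYN (Position-Independent Executable file)
  INTERP         0x000318 0x0000000000000318 0x0000000000000318 0x00001c 0x00001c R   0x1
  GNU_RELRO      0x002db8 0x0000000000003db8 0x0000000000003db8 0x000248 0x000248 R   0x1
 0x000000006ffffffb (FLAGS_1)            Flags: PIE
EOF
}

# Constructed excerpt: PIE with full RELRO.
sample_pie_fullrelro() {
cat <<'EOF'
  Type:                              DYN (Position-Independent Executable file)
  INTERP         0x000318 0x0000000000000318 0x0000000000000318 0x00001c 0x00001c R   0x1
  GNU_RELRO      0x002da8 0x0000000000003da8 0x0000000000003da8 0x000258 0x000258 R   0x1
 0x000000000000001e (FLAGS)              BIND_NOW
 0x000000006ffffffb (FLAGS_1)            Flags: NOW PIE
EOF
}

# Show the three combinations side by side.
for s in sample_nopie_fullrelro sample_pie_partialrelro sample_pie_fullrelro; do
    printf '%-26s %s\n' "$s" "$("$s" | classify_hardening)"
done
```

On a build host, `check_elf output/target/bin/busybox` (path is an assumption) gives the same one-line summary for a real target binary.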


* [Buildroot] [PATCH 1/4] toolchain: set the ssp gcc option in kconfig
  2019-03-12  0:02   ` Arnout Vandecappelle
@ 2019-03-12  6:06     ` yann.morin at orange.com
  2019-03-12  8:52       ` Arnout Vandecappelle
  0 siblings, 1 reply; 18+ messages in thread
From: yann.morin at orange.com @ 2019-03-12  6:06 UTC (permalink / raw)
  To: buildroot

Arnout, All,

On 2019-03-12 01:02 +0100, Arnout Vandecappelle spake thusly:
> On 11/03/2019 07:48, yann.morin at orange.com wrote:
> [snip]
[--SNIP--]
> > +ifneq ($(BR2_SSP_OPTION),)
> > +TOOLCHAIN_WRAPPER_ARGS += -DBR_SSP_OPTION='$(BR2_SSP_OPTION)'
> >  endif
>  I'd really like to use the BR_ADDITIONAL_CFLAGS instead, by changing the
> definition in the .mk file to something like:
> 
> TOOLCHAIN_WRAPPER_OPTS = \
>         $(call qstrip,$(BR2_TARGET_OPTIMIZATION)) \
> 	$(call qstrip,$(BR2_SSP_OPTION))
> 
> TOOLCHAIN_WRAPPER_ARGS += \
>  	-DBR_ADDITIONAL_CFLAGS='$(foreach f,$(TOOLCHAIN_WRAPPER_OPTS),"$(f)"$(comma))'

OK, will do.

> (note that I preferred the qstrip instead of the ifdef here, and adding quotes
> explicitly in the foreach, but you may want to implement it differently).

Yeah, I tried to avoid the qstrip-then-strip-anyway dance, but it is
indeed nicer the way you wrote it.

Thanks!

Regards,
Yann E. MORIN.

-- 
                                        ____________
.-----------------.--------------------:       _    :------------------.
|  Yann E. MORIN  | Real-Time Embedded |    __/ )   | /"\ ASCII RIBBON |
| +33 534.541.179 | Software  Designer |  _/ - /'   | \ / CAMPAIGN     |
| +33 638.411.245 '--------------------: (_    `--, |  X  AGAINST      |
|      yann.morin (at) orange.com      |_="    ,--' | / \ HTML MAIL    |
'--------------------------------------:______/_____:------------------'



* [Buildroot] [PATCH 2/4] toolchain: check the SSP option is known
  2019-03-12  0:25   ` Arnout Vandecappelle
@ 2019-03-12  6:18     ` yann.morin at orange.com
  2019-03-12  8:53       ` Arnout Vandecappelle
       [not found]     ` <20190312061810.GB4924@r-lnx-nyma7486-2>
  1 sibling, 1 reply; 18+ messages in thread
From: yann.morin at orange.com @ 2019-03-12  6:18 UTC (permalink / raw)
  To: buildroot

Arnout, All,

On 2019-03-12 01:25 +0100, Arnout Vandecappelle spake thusly:
> On 11/03/2019 07:48, yann.morin at orange.com wrote:
> > From: "Yann E. MORIN" <yann.morin@orange.com>
> > Extend the macro that currently checks for SSP in the toolchain, with
> > a new test that the actual SSP option is recognised and accepted.
[--SNIP--]
>  I notice that in vlc.mk, we have
> 
> ax_cv_check_cflags___fstack_protector_strong=$(if $(BR2_TOOLCHAIN_HAS_SSP),yes,no)

It should probably be changed to:   $(if $(BR2_SSP_STRONG),yes,no)

I'll check what vlc really wants it for (e.g. strong, all, regular?),
fix and send a patch.

> without an actual check that stack-protector=strong really is available... Maybe
> we need BR2_TOOLCHAIN_HAS_SSP_STRONG after all?

I really pondered doing it that way, but I decided against, because:

  - our internal toolchain infra only supports gcc >= 4.9, so it has SSP
    strong

  - of the external pre-built toolchains, only the codesourcery-arm one
    has a gcc-4.8 which lacks SSP strong (and I use that in the cover
    letter to explain how to test my changes), all the others have a
    gcc >= 4.9

So, we'd have to add this _HAS_SSP_STRONG for a single case.

Now, the vlc case, fixed as I suggest above, would be covered by this
configure-test.

Regards,
Yann E. MORIN.

> > Signed-off-by: "Yann E. MORIN" <yann.morin@orange.com>
> > Cc: Matt Weber <matthew.weber@rockwellcollins.com>
> > Cc: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
> > Cc: Thomas De Schampheleire <thomas.de_schampheleire@nokia.com>
> > ---
> >  toolchain/helpers.mk                                   | 8 ++++++++
> >  toolchain/toolchain-external/pkg-toolchain-external.mk | 2 +-
> >  2 files changed, 9 insertions(+), 1 deletion(-)
> > 
> > diff --git a/toolchain/helpers.mk b/toolchain/helpers.mk
> > index e5520c00c3..ba097e83cf 100644
> > --- a/toolchain/helpers.mk
> > +++ b/toolchain/helpers.mk
> > @@ -415,6 +415,7 @@ check_unusable_toolchain = \
> >  # Check if the toolchain has SSP (stack smashing protector) support
> >  #
> >  # $1: cross-gcc path
> > +# $2: gcc ssp option
> >  #
> >  check_toolchain_ssp = \
> >  	__CROSS_CC=$(strip $1) ; \
> > @@ -427,6 +428,13 @@ check_toolchain_ssp = \
> >  		echo "SSP support not available in this toolchain, please disable BR2_TOOLCHAIN_EXTERNAL_HAS_SSP" ; \
> >  		exit 1 ; \
> >  	fi ; \
> > +	__SSP_OPTION=$(2); \
> > +	if [ -n "$${__SSP_OPTION}" ] ; then \
> > +		if ! echo 'void main(){}' | $${__CROSS_CC} -Werror $${__SSP_OPTION} -x c - -o $(BUILD_DIR)/.br-toolchain-test.tmp >/dev/null 2>&1 ; then \
> > +			echo "SSP option $${__SSP_OPTION} not available in this toolchain, please select another SSP level" ; \
> > +			exit 1 ; \
> > +		fi; \
> > +	fi; \
> >  	rm -f $(BUILD_DIR)/.br-toolchain-test.tmp*
> >  
> >  #
> > diff --git a/toolchain/toolchain-external/pkg-toolchain-external.mk b/toolchain/toolchain-external/pkg-toolchain-external.mk
> > index db3570d96f..00cbd7b17a 100644
> > --- a/toolchain/toolchain-external/pkg-toolchain-external.mk
> > +++ b/toolchain/toolchain-external/pkg-toolchain-external.mk
> > @@ -549,7 +549,7 @@ define $(2)_CONFIGURE_CMDS
> >  	else \
> >  		$$(call check_glibc,$$$${SYSROOT_DIR}) ; \
> >  	fi
> > -	$$(Q)$$(call check_toolchain_ssp,$$(TOOLCHAIN_EXTERNAL_CC))
> > +	$$(Q)$$(call check_toolchain_ssp,$$(TOOLCHAIN_EXTERNAL_CC),$(BR2_SSP_OPTION))
> >  endef
> >  
> >  $(2)_TOOLCHAIN_WRAPPER_ARGS += $$(TOOLCHAIN_EXTERNAL_TOOLCHAIN_WRAPPER_ARGS)
> > 

-- 
                                        ____________
.-----------------.--------------------:       _    :------------------.
|  Yann E. MORIN  | Real-Time Embedded |    __/ )   | /"\ ASCII RIBBON |
| +33 534.541.179 | Software  Designer |  _/ - /'   | \ / CAMPAIGN     |
| +33 638.411.245 '--------------------: (_    `--, |  X  AGAINST      |
|      yann.morin (at) orange.com      |_="    ,--' | / \ HTML MAIL    |
'--------------------------------------:______/_____:------------------'


_________________________________________________________________________________________________________________________

This message and its attachments may contain confidential or privileged information that may be protected by law;
they should not be distributed, used or copied without authorisation.
If you have received this email in error, please notify the sender and delete this message and its attachments.
As emails may be altered, Orange is not liable for messages that have been modified, changed or falsified.
Thank you.


* [Buildroot] [PATCH 4/4] toolchain: allow PIC/PIE without RELRO
  2019-03-12  0:36   ` Arnout Vandecappelle
@ 2019-03-12  6:22     ` yann.morin at orange.com
  2019-03-12  8:57       ` Arnout Vandecappelle
  0 siblings, 1 reply; 18+ messages in thread
From: yann.morin at orange.com @ 2019-03-12  6:22 UTC (permalink / raw)
  To: buildroot

Arnout, All,

On 2019-03-12 01:36 +0100, Arnout Vandecappelle spake thusly:
> On 11/03/2019 07:48, yann.morin at orange.com wrote:
> > From: "Yann E. MORIN" <yann.morin@orange.com>
> > 
> > Note: it is unknown if RELRO_FULL really needs PIC/PIE or not, so we
> > keep the current situation, where RELRO-FULL forces PIC/PIE compilation.
> 
>  I just checked on my host, and a simple test program compiled with -no-pie
> -Wl,-z,relro -Wl,-z,now does work, so indeed the two seem to be independent.

Still, I'd prefer to keep the select to keep the current behaviour. We
can drop it later on if someone has a need for it.

>  I guess it's historical accident that the global full relro and PIE are
> typically introduced together. From what I understand, they are pretty much
> independent.

I talked with Matt on IRC about this the other day, and his reasoning
for doing so as it is was to mimic the way done on distros (Debian,
FC?), so it is not a complete accident either. ;-)

Regards,
Yann E. MORIN.

>  Regards,
>  Arnout
> 
> > 
> > Signed-off-by: "Yann E. MORIN" <yann.morin@orange.com>
> > Cc: Matt Weber <matthew.weber@rockwellcollins.com>
> > Cc: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
> > Cc: Thomas De Schampheleire <thomas.de_schampheleire@nokia.com>
> > ---
> >  Config.in                      | 8 ++++++++
> >  toolchain/toolchain-wrapper.c  | 2 +-
> >  toolchain/toolchain-wrapper.mk | 4 ++++
> >  3 files changed, 13 insertions(+), 1 deletion(-)
> > 
> > diff --git a/Config.in b/Config.in
> > index d5a0460f98..31fea3ab34 100644
> > --- a/Config.in
> > +++ b/Config.in
> > @@ -712,6 +712,13 @@ endmenu
> >  
> >  comment "Security Hardening Options"
> >  
> > +config BR2_PIC_PIE
> > +	bool "Build code with PIC/PIE"
> > +	depends on BR2_SHARED_LIBS
> > +	help
> > +	  Generate Position-Independent Code (PIC) and link
> > +	  Position-Independent Executables (PIE).
> > +
> >  choice
> >  	bool "Stack Smashing Protection"
> >  	default BR2_SSP_ALL if BR2_ENABLE_SSP # legacy
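Review bot: The help text of the new BR2_PIC_PIE says what is generated but not why a user would enable it. Since the option sits under "Security Hardening Options", one sentence saying that a PIE can be loaded at a randomised address (ASLR) would help users choose, and the 'depends on BR2_SHARED_LIBS' deserves a matching comment entry for static-only configurations, in the same way the SSP choice has its "needs a toolchain w/ SSP" comment.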
> > @@ -794,6 +801,7 @@ config BR2_RELRO_PARTIAL
> >  
> >  config BR2_RELRO_FULL
> >  	bool "Full"
> > +	select BR2_PIC_PIE
> >  	help
> >  	  This option includes the partial configuration, but also marks
> >  	  the GOT as read-only at the cost of initialization time during
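Review bot: 'select BR2_PIC_PIE' in BR2_RELRO_FULL bypasses the 'depends on BR2_SHARED_LIBS' that the first hunk puts on BR2_PIC_PIE, because a kconfig select does not honour the dependencies of the selected symbol. Unless the RELRO choice already depends on BR2_SHARED_LIBS (not visible in this hunk), a static-only configuration can end up with BR2_PIC_PIE=y. Either repeat the dependency on BR2_RELRO_FULL or drop the select, which the test reported in this thread (-no-pie with -Wl,-z,relro -Wl,-z,now builds and works) suggests is possible.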
> > diff --git a/toolchain/toolchain-wrapper.c b/toolchain/toolchain-wrapper.c
> > index d605a7d648..a38f827786 100644
> > --- a/toolchain/toolchain-wrapper.c
> > +++ b/toolchain/toolchain-wrapper.c
> > @@ -370,7 +370,7 @@ int main(int argc, char **argv)
> >  		*cur++ = "-Wno-builtin-macro-redefined";
> >  	}
> >  
> > -#ifdef BR2_RELRO_FULL
> > +#ifdef BR2_PIC_PIE
> >  	/* Patterned after Fedora/Gentoo hardening approaches.
> >  	 * https://fedoraproject.org/wiki/Changes/Harden_All_Packages
> >  	 * https://wiki.gentoo.org/wiki/Hardened/Toolchain#Position_Independent_Executables_.28PIEs.29
> > diff --git a/toolchain/toolchain-wrapper.mk b/toolchain/toolchain-wrapper.mk
> > index e48e765a8e..67cec5c1cf 100644
> > --- a/toolchain/toolchain-wrapper.mk
> > +++ b/toolchain/toolchain-wrapper.mk
> > @@ -45,6 +45,10 @@ ifeq ($(BR2_CCACHE_USE_BASEDIR),y)
> >  TOOLCHAIN_WRAPPER_ARGS += -DBR_CCACHE_BASEDIR='"$(BASE_DIR)"'
> >  endif
> >  
> > +ifeq ($(BR2_PIC_PIE),y)
> > +TOOLCHAIN_WRAPPER_ARGS += -DBR2_PIC_PIE
> > +endif
> > +
> >  ifeq ($(BR2_RELRO_PARTIAL),y)
> >  TOOLCHAIN_WRAPPER_ARGS += -DBR2_RELRO_PARTIAL
> >  else ifeq ($(BR2_RELRO_FULL),y)
> > 


* [Buildroot] [PATCH 2/4] toolchain: check the SSP option is known
       [not found]     ` <20190312061810.GB4924@r-lnx-nyma7486-2>
@ 2019-03-12  6:41       ` yann.morin at orange.com
  2019-03-12  8:49         ` Arnout Vandecappelle
  0 siblings, 1 reply; 18+ messages in thread
From: yann.morin at orange.com @ 2019-03-12  6:41 UTC (permalink / raw)
  To: buildroot

Arnout, All,

On 2019-03-12 07:18 +0100, MORIN Yann TGI/OLS spake thusly:
> On 2019-03-12 01:25 +0100, Arnout Vandecappelle spake thusly:
[--SNIP--]
> >  I notice that in vlc.mk, we have
> > ax_cv_check_cflags___fstack_protector_strong=$(if $(BR2_TOOLCHAIN_HAS_SSP),yes,no)
> I'll check what vlc really wants it for (e.g. strong, all, regular?),
> fix and send a patch.

So, vlc already depends on gcc >= 4.9 anyway, so there will always be
support for fstack-protector-strong, and this legacy wart can be removed
now, I guess.

I'll send the patch.

Regards,
Yann E. MORIN.


* [Buildroot] [PATCH 2/4] toolchain: check the SSP option is known
  2019-03-12  6:41       ` yann.morin at orange.com
@ 2019-03-12  8:49         ` Arnout Vandecappelle
  2019-03-12  9:11           ` yann.morin at orange.com
  0 siblings, 1 reply; 18+ messages in thread
From: Arnout Vandecappelle @ 2019-03-12  8:49 UTC (permalink / raw)
  To: buildroot



On 12/03/2019 07:41, yann.morin at orange.com wrote:
> Arnout, All,
> 
> On 2019-03-12 07:18 +0100, MORIN Yann TGI/OLS spake thusly:
>> On 2019-03-12 01:25 +0100, Arnout Vandecappelle spake thusly:
> [--SNIP--]
>>>  I notice that in vlc.mk, we have
>>> ax_cv_check_cflags___fstack_protector_strong=$(if $(BR2_TOOLCHAIN_HAS_SSP),yes,no)
>> I'll check what vlc really wants it for (e.g. strong, all, regular?),
>> fix and send a patch.
> 
> So, vlc already depends on gcc >= 4.9 anyway, so there will always be
> support for fstack-protector-strong, and this legacy wart can be removed
> now, I guess.

 Not at all! gcc >= 4.9 doesn't guarantee SSP availability, only that if SSP is
available, then -fstack-protector=strong will work. So the check is correct
because vlc depends on gcc >= 4.9.

 Regards,
 Arnout
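
The distinction made in the message above (a compiler that knows the flag versus a toolchain in which SSP is actually available) can be probed in two stages. This is an added example, not Buildroot code and not part of any message in the thread; probe_ssp, make_stubs and the stand-in compilers are hypothetical and constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not Buildroot code. An SSP flag has to be known to the
# compiler, and the protected code then needs __stack_chk_fail and the guard
# value from the C library (or libssp) at link time. Probe the two separately.

# probe_ssp CC OPTION prints one of:
#   ok          the flag is accepted and a protected program links
#   rejected    the compiler refuses the flag (gcc 4.8 with -fstack-protector-strong)
#   no-runtime  the flag is accepted, but the link step fails
probe_ssp() {
    cc=$1; opt=$2
    tmp=$(mktemp -d) || return 2
    # A char array in main() so that plain -fstack-protector instruments it too.
    printf '%s\n' 'int main(int argc, char **argv)' \
        '{ char buf[64]; (void)argv; buf[0] = (char)argc; return buf[0] == 0; }' \
        >"$tmp/t.c"
    # $cc is left unquoted on purpose so that CC may carry arguments.
    if ! $cc -Werror "$opt" -c "$tmp/t.c" -o "$tmp/t.o" >/dev/null 2>&1; then
        result=rejected
    elif ! $cc "$opt" "$tmp/t.o" -o "$tmp/t" >/dev/null 2>&1; then
        result=no-runtime
    else
        result=ok
    fi
    rm -rf "$tmp"
    echo "$result"
}

# make_stubs DIR: write three constructed stand-ins for a cross-gcc.
#   cc-full    accepts everything
#   cc-gcc48   does not know -fstack-protector-strong
#   cc-nolibc  compiles, but every link fails (no SSP runtime in libc)
make_stubs() {
    cat >"$1/cc-full" <<'EOF'
#!/bin/sh
# Constructed stand-in for a cross-gcc; behaviour is selected by file name.
kind=${0##*/}; out=; link=yes
while [ $# -gt 0 ]; do
    case $1 in
        -o) out=$2; shift ;;
        -c) link=no ;;
        -fstack-protector-strong) [ "$kind" = cc-gcc48 ] && exit 1 ;;
    esac
    shift
done
[ "$kind" = cc-nolibc ] && [ "$link" = yes ] && exit 1
: >"$out"
EOF
    cp "$1/cc-full" "$1/cc-gcc48"
    cp "$1/cc-full" "$1/cc-nolibc"
}

# Run the probe against the three stand-ins and print one line per toolchain.
demo() {
    d=$(mktemp -d) || return 2
    make_stubs "$d"
    for k in full gcc48 nolibc; do
        printf '%-7s %s\n' "$k" "$(probe_ssp "sh $d/cc-$k" -fstack-protector-strong)"
    done
    rm -rf "$d"
}

# With two arguments, probe a real compiler; otherwise run the demonstration.
if [ $# -ge 2 ]; then probe_ssp "$1" "$2"; else demo; fi
```

Called with a real cross-compiler and an SSP flag as its two arguments, the script prints the classification for that toolchain instead of running the stand-ins.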


* [Buildroot] [PATCH 1/4] toolchain: set the ssp gcc option in kconfig
  2019-03-12  6:06     ` yann.morin at orange.com
@ 2019-03-12  8:52       ` Arnout Vandecappelle
  0 siblings, 0 replies; 18+ messages in thread
From: Arnout Vandecappelle @ 2019-03-12  8:52 UTC (permalink / raw)
  To: buildroot



On 12/03/2019 07:06, yann.morin at orange.com wrote:
> Arnout, All,
> 
> On 2019-03-12 01:02 +0100, Arnout Vandecappelle spake thusly:
>> On 11/03/2019 07:48, yann.morin at orange.com wrote:
>> [snip]
> [--SNIP--]
>>> +ifneq ($(BR2_SSP_OPTION),)
>>> +TOOLCHAIN_WRAPPER_ARGS += -DBR_SSP_OPTION='$(BR2_SSP_OPTION)'
>>>  endif
>>  I'd really like to use the BR_ADDITIONAL_CFLAGS instead, by changing the
>> definition in the .mk file to something like:
>>
>> TOOLCHAIN_WRAPPER_OPTS = \
>>         $(call qstrip,$(BR2_TARGET_OPTIMIZATION)) \
>> 	$(call qstrip,$(BR2_SSP_OPTION))
>>
>> TOOLCHAIN_WRAPPER_ARGS += \
>>  	-DBR_ADDITIONAL_CFLAGS='$(foreach f,$(TOOLCHAIN_WRAPPER_OPTS),"$(f)"$(comma))'
> 
> OK, will do.

 Note that we don't have a runtime test for BR2_TARGET_OPTIMIZATION so some
manual testing will be needed.


>> (note that I preferred the qstrip instead of the ifdef here, and adding quotes
>> explicitly in the foreach, but you may want to implement it differently).
> 
> Yeah, I tried to avoid the qstrip-then-strip-anyway dance, but it is
> indeed nicer the way you wrote it.

 I like the qstrip-then-quote dance, because it makes things consistent.

 Note that this is a very special case because we want to quote each
space-separated option here; in general we actually want to make sure the spaces
are quoted when we do a qstrip-then-quote dance.

 Regards,
 Arnout


* [Buildroot] [PATCH 2/4] toolchain: check the SSP option is known
  2019-03-12  6:18     ` yann.morin at orange.com
@ 2019-03-12  8:53       ` Arnout Vandecappelle
  2019-03-12  9:13         ` yann.morin at orange.com
  0 siblings, 1 reply; 18+ messages in thread
From: Arnout Vandecappelle @ 2019-03-12  8:53 UTC (permalink / raw)
  To: buildroot



On 12/03/2019 07:18, yann.morin at orange.com wrote:
> Arnout, All,
> 
> On 2019-03-12 01:25 +0100, Arnout Vandecappelle spake thusly:
>> On 11/03/2019 07:48, yann.morin at orange.com wrote:
>>> From: "Yann E. MORIN" <yann.morin@orange.com>
>>> Extend the macro that currently checks for SSP in the toolchain, with
>>> a new test that the actual SSP option is recognised and accepted.
> [--SNIP--]
>>  I notice that in vlc.mk, we have
>>
>> ax_cv_check_cflags___fstack_protector_strong=$(if $(BR2_TOOLCHAIN_HAS_SSP),yes,no)
> 
> It should probably be changed to:   $(if $(BR2_SSP_STRONG),yes,no)
> 
> I'll check what vlc really wants it for (e.g. strong, all, regular?),
> fix and send a patch.
> 
>> without an actual check that stack-protector=strong really is available... Maybe
>> we need BR2_TOOLCHAIN_HAS_SSP_STRONG after all?
> 
> I really pondered doing it that way, but I decided against, because:
> 
>   - our internal toolchain infra only supports gcc >= 4.9, so it has SSP
>     strong
> 
>   - of the external pre-built toolchains, only the codesourcery-arm one
>     has a gcc-4.8 which lacks SSP strong (and I use that in the cover
>     letter to explain how to test my changes), all the others have a
>     gcc >= 4.9
> 
> So, we'd have to add this _HAS_SSP_STRONG for a single case.

 Hm, somehow I missed that in your commit message :-P

 Regards,
 Arnout

> 
> Now, the vlc case, fixed as I suggest above, would be covered by this
> configure-test.
> 
> Regards,
> Yann E. MORIN.
> 
>>> Signed-off-by: "Yann E. MORIN" <yann.morin@orange.com>
>>> Cc: Matt Weber <matthew.weber@rockwellcollins.com>
>>> Cc: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
>>> Cc: Thomas De Schampheleire <thomas.de_schampheleire@nokia.com>
>>> ---
>>>  toolchain/helpers.mk                                   | 8 ++++++++
>>>  toolchain/toolchain-external/pkg-toolchain-external.mk | 2 +-
>>>  2 files changed, 9 insertions(+), 1 deletion(-)
>>>
>>> diff --git a/toolchain/helpers.mk b/toolchain/helpers.mk
>>> index e5520c00c3..ba097e83cf 100644
>>> --- a/toolchain/helpers.mk
>>> +++ b/toolchain/helpers.mk
>>> @@ -415,6 +415,7 @@ check_unusable_toolchain = \
>>>  # Check if the toolchain has SSP (stack smashing protector) support
>>>  #
>>>  # $1: cross-gcc path
>>> +# $2: gcc ssp option
>>>  #
>>>  check_toolchain_ssp = \
>>>  	__CROSS_CC=$(strip $1) ; \
>>> @@ -427,6 +428,13 @@ check_toolchain_ssp = \
>>>  		echo "SSP support not available in this toolchain, please disable BR2_TOOLCHAIN_EXTERNAL_HAS_SSP" ; \
>>>  		exit 1 ; \
>>>  	fi ; \
>>> +	__SSP_OPTION=$(2); \
>>> +	if [ -n "$${__SSP_OPTION}" ] ; then \
>>> +		if ! echo 'void main(){}' | $${__CROSS_CC} -Werror $${__SSP_OPTION} -x c - -o $(BUILD_DIR)/.br-toolchain-test.tmp >/dev/null 2>&1 ; then \
>>> +			echo "SSP option $${__SSP_OPTION} not available in this toolchain, please select another SSP level" ; \
>>> +			exit 1 ; \
>>> +		fi; \
>>> +	fi; \
>>>  	rm -f $(BUILD_DIR)/.br-toolchain-test.tmp*
>>>  
>>>  #
>>> diff --git a/toolchain/toolchain-external/pkg-toolchain-external.mk b/toolchain/toolchain-external/pkg-toolchain-external.mk
>>> index db3570d96f..00cbd7b17a 100644
>>> --- a/toolchain/toolchain-external/pkg-toolchain-external.mk
>>> +++ b/toolchain/toolchain-external/pkg-toolchain-external.mk
>>> @@ -549,7 +549,7 @@ define $(2)_CONFIGURE_CMDS
>>>  	else \
>>>  		$$(call check_glibc,$$$${SYSROOT_DIR}) ; \
>>>  	fi
>>> -	$$(Q)$$(call check_toolchain_ssp,$$(TOOLCHAIN_EXTERNAL_CC))
>>> +	$$(Q)$$(call check_toolchain_ssp,$$(TOOLCHAIN_EXTERNAL_CC),$(BR2_SSP_OPTION))
>>>  endef
>>>  
>>>  $(2)_TOOLCHAIN_WRAPPER_ARGS += $$(TOOLCHAIN_EXTERNAL_TOOLCHAIN_WRAPPER_ARGS)
>>>
> 


* [Buildroot] [PATCH 4/4] toolchain: allow PIC/PIE without RELRO
  2019-03-12  6:22     ` yann.morin at orange.com
@ 2019-03-12  8:57       ` Arnout Vandecappelle
  2019-03-12 14:37         ` Matthew Weber
  0 siblings, 1 reply; 18+ messages in thread
From: Arnout Vandecappelle @ 2019-03-12  8:57 UTC (permalink / raw)
  To: buildroot



On 12/03/2019 07:22, yann.morin at orange.com wrote:
> Arnout, All,
> 
> On 2019-03-12 01:36 +0100, Arnout Vandecappelle spake thusly:
>> On 11/03/2019 07:48, yann.morin at orange.com wrote:
>>> From: "Yann E. MORIN" <yann.morin@orange.com>
>>>
>>> Note: it is unknown if RELRO_FULL really needs PIC/PIE or not, so we
>>> keep the current situation, where RELRO-FULL forces PIC/PIE compilation.
>>
>>  I just checked on my host, and a simple test program compiled with -no-pie
>> -Wl,-z,relro -Wl,-z,now does work, so indeed the two seem to be independent.
> 
> Still, I'd prefer to keep the select to keep the current behaviour. We
> can drop it later on if someone has a need for it.
> 
>>  I guess it's historical accident that the global full relro and PIE are
>> typically introduced together. From what I understand, they are pretty much
>> independent.
> 
> I talked with Matt on IRC about this the other day, and his reasoning
> for doing so as it is was to mimic the way done on distros (Debian,
> FC?), so it is not a complete accident either. ;-)

 That's what I meant: it's historical accident that Fedora [1] and Debian [2]
started enabling -z,now and -pie at the same time. On their respective wiki
pages that discuss enabling these things, they are in fact treated separately.

 Regards,
 Arnout

[1] https://fedoraproject.org/wiki/Security_Features_Matrix#Userspace_Hardening
[2] https://wiki.debian.org/Hardening#User_Space
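
The independence of full RELRO and PIE discussed above can be checked on a built binary, since each leaves its own mark in the ELF file. This is an added example, not Buildroot code and not part of any message in the thread; classify_elf and sample_readelf are hypothetical names, and the readelf excerpts are constructed samples, one per link variant.

```shell
#!/bin/sh
# Added example, not Buildroot code. Reads the text printed by
#   readelf -W -h -l -d FILE
# on stdin and reports PIE and RELRO as two independent properties.

# _has REGEX: true if the captured readelf text matches the extended regex.
_has() { printf '%s\n' "$_dump" | grep -Eq -- "$1"; }

classify_elf() {
    _dump=$(cat)
    # ET_DYN is also the type of shared libraries; this is meant for executables.
    if _has 'Type:[[:space:]]+DYN'; then pie=yes; else pie=no; fi
    # -z relro adds a GNU_RELRO segment; -z now adds the BIND_NOW / NOW flags.
    if ! _has 'GNU_RELRO'; then
        relro=none
    elif _has '\(BIND_NOW\)|\(FLAGS\).*BIND_NOW|\(FLAGS_1\).*NOW'; then
        relro=full
    else
        relro=partial
    fi
    echo "pie=$pie relro=$relro"
}

# sample_readelf NAME: constructed readelf excerpts (not from a real build).
sample_readelf() {
    case $1 in
    nopie_full)    # -no-pie -Wl,-z,relro -Wl,-z,now, the case tested in the thread
        cat <<'EOF'
  Type:                              EXEC (Executable file)
  GNU_RELRO      0x002e00 0x0000000000403e00 0x0000000000403e00 0x000200 0x000200 R   0x1
 0x000000000000001e (FLAGS)              BIND_NOW
 0x000000006ffffffb (FLAGS_1)            Flags: NOW
EOF
        ;;
    pie_partial)   # -pie -Wl,-z,relro
        cat <<'EOF'
  Type:                              DYN (Position-Independent Executable file)
  GNU_RELRO      0x002df0 0x0000000000003df0 0x0000000000003df0 0x000210 0x000210 R   0x1
 0x000000006ffffffb (FLAGS_1)            Flags: PIE
EOF
        ;;
    pie_none)      # -pie -Wl,-z,norelro
        cat <<'EOF'
  Type:                              DYN (Position-Independent Executable file)
 0x000000006ffffffb (FLAGS_1)            Flags: PIE
EOF
        ;;
    pie_full)      # -pie -Wl,-z,relro -Wl,-z,now
        cat <<'EOF'
  Type:                              DYN (Position-Independent Executable file)
  GNU_RELRO      0x002db0 0x0000000000003db0 0x0000000000003db0 0x000250 0x000250 R   0x1
 0x000000000000001e (FLAGS)              BIND_NOW
 0x000000006ffffffb (FLAGS_1)            Flags: NOW PIE
EOF
        ;;
    *)
        return 1
        ;;
    esac
}

# Print the classification of every constructed sample.
for s in nopie_full pie_partial pie_none pie_full; do
    printf '%-12s %s\n' "$s" "$(sample_readelf "$s" | classify_elf)"
done
```

On a real target binary, pipe the output of readelf -W -h -l -d FILE into classify_elf.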


* [Buildroot] [PATCH 2/4] toolchain: check the SSP option is known
  2019-03-12  8:49         ` Arnout Vandecappelle
@ 2019-03-12  9:11           ` yann.morin at orange.com
  0 siblings, 0 replies; 18+ messages in thread
From: yann.morin at orange.com @ 2019-03-12  9:11 UTC (permalink / raw)
  To: buildroot

Arnout, All,

On 2019-03-12 09:49 +0100, Arnout Vandecappelle spake thusly:
> On 12/03/2019 07:41, yann.morin at orange.com wrote:
> > Arnout, All,
> > 
> > On 2019-03-12 07:18 +0100, MORIN Yann TGI/OLS spake thusly:
> >> On 2019-03-12 01:25 +0100, Arnout Vandecappelle spake thusly:
> > [--SNIP--]
> >>>  I notice that in vlc.mk, we have
> >>> ax_cv_check_cflags___fstack_protector_strong=$(if $(BR2_TOOLCHAIN_HAS_SSP),yes,no)
> >> I'll check what vlc really wants it for (e.g. strong, all, regular?),
> >> fix and send a patch.
> > 
> > So, vlc already depends on gcc >= 4.9 anyway, so there will always be
> > support for fstack-protector-strong, and this legacy wart can be removed
> > now, I guess.
> 
>  Not at all! gcc >= 4.9 doesn't guarantee SSP availability, only that if SSP is
> available, then -fstack-protector=strong will work. So the check is correct
> because vlc depends on gcc >= 4.9.

Ah, yes, I see now. That's because SSP is a shared feature between the
compiler and the C library, right?

So that check does indeed make sense as it is, even though it is not
really obvious...

Thanks!

Regards,
Yann E. MORIN.


* [Buildroot] [PATCH 2/4] toolchain: check the SSP option is known
  2019-03-12  8:53       ` Arnout Vandecappelle
@ 2019-03-12  9:13         ` yann.morin at orange.com
  0 siblings, 0 replies; 18+ messages in thread
From: yann.morin at orange.com @ 2019-03-12  9:13 UTC (permalink / raw)
  To: buildroot

Arnout, All,

On 2019-03-12 09:53 +0100, Arnout Vandecappelle spake thusly:
> On 12/03/2019 07:18, yann.morin at orange.com wrote:
> > Arnout, All,
> > 
> > On 2019-03-12 01:25 +0100, Arnout Vandecappelle spake thusly:
> >> On 11/03/2019 07:48, yann.morin at orange.com wrote:
> >>> From: "Yann E. MORIN" <yann.morin@orange.com>
> >>> Extend the macro that currently checks for SSP in the toolchain, with
> >>> a new test that the actual SSP option is recognised and accepted.
> > [--SNIP--]
> >>  I notice that in vlc.mk, we have
> >>
> >> ax_cv_check_cflags___fstack_protector_strong=$(if $(BR2_TOOLCHAIN_HAS_SSP),yes,no)
> > 
> > It should probably be changed to:   $(if $(BR2_SSP_STRONG),yes,no)
> > 
> > I'll check what vlc really wants it for (e.g. strong, all, regular?),
> > fix and send a patch.
> > 
> >> without an actual check that stack-protector=strong really is available... Maybe
> >> we need BR2_TOOLCHAIN_HAS_SSP_STRONG after all?
> > 
> > I really pondered doing it that way, but I decided against, because:
> > 
> >   - our internal toolchain infra only supports gcc >= 4.9, so it has SSP
> >     strong
> > 
> >   - of the external pre-built toolchains, only the codesourcery-arm one
> >     has a gcc-4.8 which lacks SSP strong (and I use that in the cover
> >     letter to explain how to test my changes), all the others have a
> >     gcc >= 4.9
> > 
> > So, we'd have to add this _HAS_SSP_STRONG for a single case.
> 
>  Hm, somehow I missed that in your commit message :-P

ACK, I'll add it to the commit message before submitting v2.

Regards,
Yann E. MORIN.

>  Regards,
>  Arnout
> 
> > 
> > Now, the vlc case, fixed as I suggest above, would be covered by this
> > configure-test.
> > 
> > Regards,
> > Yann E. MORIN.
> > 
> >>> Signed-off-by: "Yann E. MORIN" <yann.morin@orange.com>
> >>> Cc: Matt Weber <matthew.weber@rockwellcollins.com>
> >>> Cc: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
> >>> Cc: Thomas De Schampheleire <thomas.de_schampheleire@nokia.com>
> >>> ---
> >>>  toolchain/helpers.mk                                   | 8 ++++++++
> >>>  toolchain/toolchain-external/pkg-toolchain-external.mk | 2 +-
> >>>  2 files changed, 9 insertions(+), 1 deletion(-)
> >>>
> >>> diff --git a/toolchain/helpers.mk b/toolchain/helpers.mk
> >>> index e5520c00c3..ba097e83cf 100644
> >>> --- a/toolchain/helpers.mk
> >>> +++ b/toolchain/helpers.mk
> >>> @@ -415,6 +415,7 @@ check_unusable_toolchain = \
> >>>  # Check if the toolchain has SSP (stack smashing protector) support
> >>>  #
> >>>  # $1: cross-gcc path
> >>> +# $2: gcc ssp option
> >>>  #
> >>>  check_toolchain_ssp = \
> >>>  	__CROSS_CC=$(strip $1) ; \
> >>> @@ -427,6 +428,13 @@ check_toolchain_ssp = \
> >>>  		echo "SSP support not available in this toolchain, please disable BR2_TOOLCHAIN_EXTERNAL_HAS_SSP" ; \
> >>>  		exit 1 ; \
> >>>  	fi ; \
> >>> +	__SSP_OPTION=$(2); \
> >>> +	if [ -n "$${__SSP_OPTION}" ] ; then \
> >>> +		if ! echo 'void main(){}' | $${__CROSS_CC} -Werror $${__SSP_OPTION} -x c - -o $(BUILD_DIR)/.br-toolchain-test.tmp >/dev/null 2>&1 ; then \
> >>> +			echo "SSP option $${__SSP_OPTION} not available in this toolchain, please select another SSP level" ; \
> >>> +			exit 1 ; \
> >>> +		fi; \
> >>> +	fi; \
> >>>  	rm -f $(BUILD_DIR)/.br-toolchain-test.tmp*
> >>>  
> >>>  #
> >>> diff --git a/toolchain/toolchain-external/pkg-toolchain-external.mk b/toolchain/toolchain-external/pkg-toolchain-external.mk
> >>> index db3570d96f..00cbd7b17a 100644
> >>> --- a/toolchain/toolchain-external/pkg-toolchain-external.mk
> >>> +++ b/toolchain/toolchain-external/pkg-toolchain-external.mk
> >>> @@ -549,7 +549,7 @@ define $(2)_CONFIGURE_CMDS
> >>>  	else \
> >>>  		$$(call check_glibc,$$$${SYSROOT_DIR}) ; \
> >>>  	fi
> >>> -	$$(Q)$$(call check_toolchain_ssp,$$(TOOLCHAIN_EXTERNAL_CC))
> >>> +	$$(Q)$$(call check_toolchain_ssp,$$(TOOLCHAIN_EXTERNAL_CC),$(BR2_SSP_OPTION))
> >>>  endef
> >>>  
> >>>  $(2)_TOOLCHAIN_WRAPPER_ARGS += $$(TOOLCHAIN_EXTERNAL_TOOLCHAIN_WRAPPER_ARGS)
> >>>
> > 


* [Buildroot] [PATCH 4/4] toolchain: allow PIC/PIE without RELRO
  2019-03-12  8:57       ` Arnout Vandecappelle
@ 2019-03-12 14:37         ` Matthew Weber
  0 siblings, 0 replies; 18+ messages in thread
From: Matthew Weber @ 2019-03-12 14:37 UTC (permalink / raw)
  To: buildroot

All,
On Tue, Mar 12, 2019 at 3:57 AM Arnout Vandecappelle <arnout@mind.be> wrote:
>
>
>
> On 12/03/2019 07:22, yann.morin at orange.com wrote:
> > Arnout, All,
> >
> > On 2019-03-12 01:36 +0100, Arnout Vandecappelle spake thusly:
> >> On 11/03/2019 07:48, yann.morin at orange.com wrote:
> >>> From: "Yann E. MORIN" <yann.morin@orange.com>
> >>>
> >>> Note: it is unknown if RELRO_FULL really needs PIC/PIE or not, so we
> >>> keep the current situation, where RELRO-FULL forces PIC/PIE compilation.
> >>
> >>  I just checked on my host, and a simple test program compiled with -no-pie
> >> -Wl,-z,relro -Wl,-z,now does work, so indeed the two seem to be independent.
> >
> > Still, I'd prefer to keep the select to keep the current behaviour. We
> > can drop it later on if someone has a need for it.
> >
> >>  I guess it's historical accident that the global full relro and PIE are
> >> typically introduced together. From what I understand, they are pretty much
> >> independent.
> >
> > I talked with Matt on IRC about this the other day, and his reasoning
> > for doing so as it is was to mimic the way done on distros (Debian,
> > FC?), so it is not a complete accident either. ;-)
>
>  That's what I meant: it's historical accident that Fedora [1] and Debian [2]
> started enabling -z,now and -pie at the same time. On their respective wiki
> pages that discuss enabling these things, they are in fact treated separately.
>

Yep, sent a note on the v2 patch. I think we should drop the PIC/PIE
select from RELRO FULL....

>  Regards,
>  Arnout
>
> [1] https://fedoraproject.org/wiki/Security_Features_Matrix#Userspace_Hardening
> [2] https://wiki.debian.org/Hardening#User_Space



-- 

Matthew Weber | Pr. Software Engineer | Commercial Avionics

COLLINS AEROSPACE

400 Collins Road NE, Cedar Rapids, Iowa 52498, USA

Tel: +1 319 295 7349 | FAX: +1 319 263 6099

matthew.weber at collins.com | collinsaerospace.com



CONFIDENTIALITY WARNING: This message may contain proprietary and/or
privileged information of Collins Aerospace and its affiliated
companies. If you are not the intended recipient, please 1) Do not
disclose, copy, distribute or use this message or its contents. 2)
Advise the sender by return email. 3) Delete all copies (including all
attachments) from your computer. Your cooperation is greatly
appreciated.


Any export restricted material should be shared using my
matthew.weber at corp.rockwellcollins.com address.
