* [Buildroot] [PATCH] Config.in: disable Fortify Source for microblaze
From: Romain Naour @ 2021-08-20 22:53 UTC (permalink / raw)
To: buildroot; +Cc: Romain Naour, Giulio Benetti, Thomas Petazzoni
As reported by Toolchain-builder project [1], the system doesn't
boot when Fortify Source is enabled for glibc based toolchain
(the init process hangs).
Also, hardening features may not be wanted or possible for such
slow soft-core CPUs [2].
[1] https://gitlab.com/bootlin/toolchains-builder/-/jobs/1467624500
[2] http://lists.busybox.net/pipermail/buildroot/2021-June/312416.html
Signed-off-by: Romain Naour <romain.naour@gmail.com>
Cc: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Cc: Giulio Benetti <giulio.benetti@benettiengineering.com>
---
With BR2_RELRO_PARTIAL enabled, the system boots.
---
Config.in | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/Config.in b/Config.in
index 2ef5d407e4..84f7fa6e8d 100644
--- a/Config.in
+++ b/Config.in
@@ -853,9 +853,16 @@ endchoice
comment "RELocation Read Only (RELRO) needs shared libraries"
depends on !BR2_SHARED_LIBS
+config BR2_FORTIFY_SOURCE_ARCH_SUPPORTS
+ bool
+ default y
+ # Microblaze glibc toolchains don't work with Fortify Source enabled
+ depends on !BR2_microblaze
+
choice
bool "Buffer-overflow Detection (FORTIFY_SOURCE)"
default BR2_FORTIFY_SOURCE_1
+ depends on BR2_FORTIFY_SOURCE_ARCH_SUPPORTS
depends on BR2_TOOLCHAIN_USES_GLIBC
depends on !BR2_OPTIMIZE_0
help
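Review bot: the comment above `depends on !BR2_microblaze` in the new `BR2_FORTIFY_SOURCE_ARCH_SUPPORTS` symbol says "Microblaze glibc toolchains", but the dependency excludes every microblaze configuration, and the choice below is already restricted by `depends on BR2_TOOLCHAIN_USES_GLIBC`. If the intent is to turn Fortify Source off for the whole architecture, word the comment that way (for example "Fortify Source doesn't work on Microblaze") so a reader does not expect a libc-specific condition. The choice also now disappears on microblaze with no explanation in the menu; a `comment` entry like the RELRO one in the context lines, shown when `BR2_FORTIFY_SOURCE_ARCH_SUPPORTS` is not set, would tell the user why this hardening option is missing.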
--
2.31.1
_______________________________________________
buildroot mailing list
buildroot@busybox.net
http://lists.busybox.net/mailman/listinfo/buildroot
* Re: [Buildroot] [PATCH] Config.in: disable Fortify Source for microblaze
From: Giulio Benetti @ 2021-08-20 22:59 UTC (permalink / raw)
To: Romain Naour, buildroot; +Cc: Thomas Petazzoni
Hi Romain, All,
On 8/21/21 12:53 AM, Romain Naour wrote:
> As reported by Toolchain-builder project [1], the system doesn't
> boot when Fortify Source is enabled for glibc based toolchain
> (the init process hang).
>
> Also, hardening features may not be wanted or possible for such
> slow soft-core cpus [2].
>
> [1] https://gitlab.com/bootlin/toolchains-builder/-/jobs/1467624500
> [2] http://lists.busybox.net/pipermail/buildroot/2021-June/312416.html
>
> Signed-off-by: Romain Naour <romain.naour@gmail.com>
> Cc: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
> Cc: Giulio Benetti <giulio.benetti@benettiengineering.com>
> ---
> With BR2_RELRO_PARTIAL enabled, the system boot.
> ---
> Config.in | 7 +++++++
> 1 file changed, 7 insertions(+)
>
> diff --git a/Config.in b/Config.in
> index 2ef5d407e4..84f7fa6e8d 100644
> --- a/Config.in
> +++ b/Config.in
> @@ -853,9 +853,16 @@ endchoice
> comment "RELocation Read Only (RELRO) needs shared libraries"
> depends on !BR2_SHARED_LIBS
>
> +config BR2_FORTIFY_SOURCE_ARCH_SUPPORTS
> + bool
> + default y
> + # Microblaze glibc toolchains don't work with Fortify Source enabled > + depends on !BR2_microblaze
here you say it doesn't work with glibc toolchains, so you could add
'&& !BR2_TOOLCHAIN_USES_GLIBC'. I think it's worth it if it works with
uclibc and musl.
What do you think about it?
Best regards
--
Giulio Benetti
Benetti Engineering sas
> +
> choice
> bool "Buffer-overflow Detection (FORTIFY_SOURCE)"
> default BR2_FORTIFY_SOURCE_1
> + depends on BR2_FORTIFY_SOURCE_ARCH_SUPPORTS
> depends on BR2_TOOLCHAIN_USES_GLIBC
> depends on !BR2_OPTIMIZE_0
> help
>
* Re: [Buildroot] [PATCH] Config.in: disable Fortify Source for microblaze
From: Giulio Benetti @ 2021-08-20 23:09 UTC (permalink / raw)
To: Romain Naour, buildroot; +Cc: Thomas Petazzoni
On 8/21/21 12:59 AM, Giulio Benetti wrote:
> Hi Romain, All,
>
> On 8/21/21 12:53 AM, Romain Naour wrote:
>> As reported by Toolchain-builder project [1], the system doesn't
>> boot when Fortify Source is enabled for glibc based toolchain
>> (the init process hang).
>>
>> Also, hardening features may not be wanted or possible for such
>> slow soft-core cpus [2].
>>
>> [1] https://gitlab.com/bootlin/toolchains-builder/-/jobs/1467624500
>> [2] http://lists.busybox.net/pipermail/buildroot/2021-June/312416.html
>>
>> Signed-off-by: Romain Naour <romain.naour@gmail.com>
>> Cc: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
>> Cc: Giulio Benetti <giulio.benetti@benettiengineering.com>
>> ---
>> With BR2_RELRO_PARTIAL enabled, the system boot.
>> ---
>> Config.in | 7 +++++++
>> 1 file changed, 7 insertions(+)
>>
>> diff --git a/Config.in b/Config.in
>> index 2ef5d407e4..84f7fa6e8d 100644
>> --- a/Config.in
>> +++ b/Config.in
>> @@ -853,9 +853,16 @@ endchoice
>> comment "RELocation Read Only (RELRO) needs shared libraries"
>> depends on !BR2_SHARED_LIBS
>>
>> +config BR2_FORTIFY_SOURCE_ARCH_SUPPORTS
>> + bool
>> + default y
>> + # Microblaze glibc toolchains don't work with Fortify Source enabled > + depends on !BR2_microblaze
>
> here you say it doesn't work with glibc toolchains, so you could add
> '&& !BR2_TOOLCHAIN_USES_GLIBC'. I think it's worth if it works with
> uclibc and musl.
Of course between parentheses, like:
```
depends on (!BR2_microblaze && !BR2_TOOLCHAIN_USES_GLIBC)
```
otherwise every toolchain which uses glibc doesn't use Fortify anymore.
> What do you think about it?
>
> Best regards
>
--
Giulio Benetti
Benetti Engineering sas
* Re: [Buildroot] [PATCH] Config.in: disable Fortify Source for microblaze
From: Romain Naour @ 2021-08-21 12:46 UTC (permalink / raw)
To: Giulio Benetti, buildroot; +Cc: Thomas Petazzoni
Hello Giulio,
On 21/08/2021 at 01:09, Giulio Benetti wrote:
> On 8/21/21 12:59 AM, Giulio Benetti wrote:
>> Hi Romain, All,
>>
>> On 8/21/21 12:53 AM, Romain Naour wrote:
>>> As reported by Toolchain-builder project [1], the system doesn't
>>> boot when Fortify Source is enabled for glibc based toolchain
>>> (the init process hang).
>>>
>>> Also, hardening features may not be wanted or possible for such
>>> slow soft-core cpus [2].
>>>
>>> [1] https://gitlab.com/bootlin/toolchains-builder/-/jobs/1467624500
>>> [2] http://lists.busybox.net/pipermail/buildroot/2021-June/312416.html
>>>
>>> Signed-off-by: Romain Naour <romain.naour@gmail.com>
>>> Cc: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
>>> Cc: Giulio Benetti <giulio.benetti@benettiengineering.com>
>>> ---
>>> With BR2_RELRO_PARTIAL enabled, the system boot.
>>> ---
>>> Config.in | 7 +++++++
>>> 1 file changed, 7 insertions(+)
>>>
>>> diff --git a/Config.in b/Config.in
>>> index 2ef5d407e4..84f7fa6e8d 100644
>>> --- a/Config.in
>>> +++ b/Config.in
>>> @@ -853,9 +853,16 @@ endchoice
>>> comment "RELocation Read Only (RELRO) needs shared libraries"
>>> depends on !BR2_SHARED_LIBS
>>> +config BR2_FORTIFY_SOURCE_ARCH_SUPPORTS
>>> + bool
>>> + default y
>>> + # Microblaze glibc toolchains don't work with Fortify Source enabled >
>>> + depends on !BR2_microblaze
>>
>> here you say it doesn't work with glibc toolchains, so you could add
>> '&& !BR2_TOOLCHAIN_USES_GLIBC'. I think it's worth if it works with
>> uclibc and musl.
>
> Of course between parenthesis like:
> ```
> depends on (!BR2_microblaze && !BR2_TOOLCHAIN_USES_GLIBC)
> ```
> otherwise every toolchain which uses glibc doesn't use Fortify anymore.
>
>> What do you think about it?
Fortify Source is disabled for the same reason as for PIC/PIE even for uClibc-ng
or musl:
https://git.buildroot.net/buildroot/commit/?id=d120f844604da2295bb7bd8fc6c1f4efbe8b5792
I want to avoid the maintenance burden on such a platform.
Best regards,
Romain
>>
>> Best regards
>>
>
* Re: [Buildroot] [PATCH] Config.in: disable Fortify Source for microblaze
From: Giulio Benetti @ 2021-08-21 13:42 UTC (permalink / raw)
To: Romain Naour; +Cc: Thomas Petazzoni, buildroot
> On 21 Aug 2021, at 14:47, Romain Naour <romain.naour@gmail.com> wrote:
>
> Hello Giulio,
>
>> On 21/08/2021 at 01:09, Giulio Benetti wrote:
>>> On 8/21/21 12:59 AM, Giulio Benetti wrote:
>>> Hi Romain, All,
>>>
>>> On 8/21/21 12:53 AM, Romain Naour wrote:
>>>> As reported by Toolchain-builder project [1], the system doesn't
>>>> boot when Fortify Source is enabled for glibc based toolchain
>>>> (the init process hang).
>>>>
>>>> Also, hardening features may not be wanted or possible for such
>>>> slow soft-core cpus [2].
>>>>
>>>> [1] https://gitlab.com/bootlin/toolchains-builder/-/jobs/1467624500
>>>> [2] http://lists.busybox.net/pipermail/buildroot/2021-June/312416.html
>>>>
>>>> Signed-off-by: Romain Naour <romain.naour@gmail.com>
>>>> Cc: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
>>>> Cc: Giulio Benetti <giulio.benetti@benettiengineering.com>
>>>> ---
>>>> With BR2_RELRO_PARTIAL enabled, the system boot.
>>>> ---
>>>> Config.in | 7 +++++++
>>>> 1 file changed, 7 insertions(+)
>>>>
>>>> diff --git a/Config.in b/Config.in
>>>> index 2ef5d407e4..84f7fa6e8d 100644
>>>> --- a/Config.in
>>>> +++ b/Config.in
>>>> @@ -853,9 +853,16 @@ endchoice
>>>> comment "RELocation Read Only (RELRO) needs shared libraries"
>>>> depends on !BR2_SHARED_LIBS
>>>> +config BR2_FORTIFY_SOURCE_ARCH_SUPPORTS
>>>> + bool
>>>> + default y
>>>> + # Microblaze glibc toolchains don't work with Fortify Source enabled >
>>>> + depends on !BR2_microblaze
>>>
>>> here you say it doesn't work with glibc toolchains, so you could add
>>> '&& !BR2_TOOLCHAIN_USES_GLIBC'. I think it's worth if it works with
>>> uclibc and musl.
>>
>> Of course between parenthesis like:
>> ```
>> depends on (!BR2_microblaze && !BR2_TOOLCHAIN_USES_GLIBC)
>> ```
>> otherwise every toolchain which uses glibc doesn't use Fortify anymore.
>>
>>> What do you think about it?
>
> Fortify Source is disabled for the same reason as for PIC/PIE even for uClibc-ng
> or musl:
>
> https://git.buildroot.net/buildroot/commit/?id=d120f844604da2295bb7bd8fc6c1f4efbe8b5792
>
> I want to avoid the maintenance burden on such platform.
Ah ok, I misunderstood because of the comment mentioning glibc only.
No problem then.
Best regards
Giulio Benetti
>
> Best regards,
> Romain
>
>>>
>>> Best regards
>>>
>>
>
* Re: [Buildroot] [PATCH] Config.in: disable Fortify Source for microblaze
From: Arnout Vandecappelle @ 2021-08-23 21:09 UTC (permalink / raw)
To: Romain Naour, buildroot; +Cc: Giulio Benetti, Thomas Petazzoni
On 21/08/2021 00:53, Romain Naour wrote:
> As reported by Toolchain-builder project [1], the system doesn't
> boot when Fortify Source is enabled for glibc based toolchain
> (the init process hang).
>
> Also, hardening features may not be wanted or possible for such
> slow soft-core cpus [2].
>
> [1] https://gitlab.com/bootlin/toolchains-builder/-/jobs/1467624500
> [2] http://lists.busybox.net/pipermail/buildroot/2021-June/312416.html
>
> Signed-off-by: Romain Naour <romain.naour@gmail.com>
> Cc: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
> Cc: Giulio Benetti <giulio.benetti@benettiengineering.com>
Applied to master, thanks. I reworded the commit message to avoid Giulio's
confusion.
Also, I added a dependency on BR2_FORTIFY_SOURCE_ARCH_SUPPORTS in the comment
that glibc and optimisation are needed.
Regards,
Arnout
> ---
> With BR2_RELRO_PARTIAL enabled, the system boot.
> ---
> Config.in | 7 +++++++
> 1 file changed, 7 insertions(+)
>
> diff --git a/Config.in b/Config.in
> index 2ef5d407e4..84f7fa6e8d 100644
> --- a/Config.in
> +++ b/Config.in
> @@ -853,9 +853,16 @@ endchoice
> comment "RELocation Read Only (RELRO) needs shared libraries"
> depends on !BR2_SHARED_LIBS
>
> +config BR2_FORTIFY_SOURCE_ARCH_SUPPORTS
> + bool
> + default y
> + # Microblaze glibc toolchains don't work with Fortify Source enabled
> + depends on !BR2_microblaze
> +
> choice
> bool "Buffer-overflow Detection (FORTIFY_SOURCE)"
> default BR2_FORTIFY_SOURCE_1
> + depends on BR2_FORTIFY_SOURCE_ARCH_SUPPORTS
> depends on BR2_TOOLCHAIN_USES_GLIBC
> depends on !BR2_OPTIMIZE_0
> help
>
* Re: [Buildroot] [PATCH] Config.in: disable Fortify Source for microblaze
From: Peter Korsgaard @ 2021-09-06 15:36 UTC (permalink / raw)
To: Romain Naour; +Cc: Giulio Benetti, Thomas Petazzoni, buildroot
>>>>> "Romain" == Romain Naour <romain.naour@gmail.com> writes:
> As reported by Toolchain-builder project [1], the system doesn't
> boot when Fortify Source is enabled for glibc based toolchain
> (the init process hang).
> Also, hardening features may not be wanted or possible for such
> slow soft-core cpus [2].
> [1] https://gitlab.com/bootlin/toolchains-builder/-/jobs/1467624500
> [2] http://lists.busybox.net/pipermail/buildroot/2021-June/312416.html
> Signed-off-by: Romain Naour <romain.naour@gmail.com>
> Cc: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
> Cc: Giulio Benetti <giulio.benetti@benettiengineering.com>
Committed to 2021.02.x and 2021.05.x, thanks.
--
Bye, Peter Korsgaard
_______________________________________________
buildroot mailing list
buildroot@lists.buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot