* [PATCH 01/10] gcc: Introduce a knob to configure gcc to default to PIE
2017-06-28 16:04 [PATCH 00/10] Rework GCC PIE and security flags (take 2) Khem Raj
@ 2017-06-28 16:04 ` Khem Raj
2017-06-28 16:04 ` [PATCH 02/10] security_flags.inc: Delete pinnings for SECURITY_NO_PIE_CFLAGS Khem Raj
` (8 subsequent siblings)
9 siblings, 0 replies; 11+ messages in thread
From: Khem Raj @ 2017-06-28 16:04 UTC (permalink / raw)
To: openembedded-core
GCCPIE flag which is empty by default adds "--enable-default-pie"
configure option for harderned distros
We do not require to add -fpie -pie flag externally anymore
Signed-off-by: Khem Raj <raj.khem@gmail.com>
---
meta/conf/distro/include/security_flags.inc | 4 +++-
meta/recipes-devtools/gcc/gcc-configure-common.inc | 3 +++
2 files changed, 6 insertions(+), 1 deletion(-)
diff --git a/meta/conf/distro/include/security_flags.inc b/meta/conf/distro/include/security_flags.inc
index 38164d08b8..f2eb224a77 100644
--- a/meta/conf/distro/include/security_flags.inc
+++ b/meta/conf/distro/include/security_flags.inc
@@ -5,6 +5,8 @@
# From a Yocto Project perspective, this file is included and tested
# in the DISTRO="poky-lsb" configuration.
+GCCPIE ?= "--enable-default-pie"
+
# _FORTIFY_SOURCE requires -O1 or higher, so disable in debug builds as they use
# -O0 which then results in a compiler warning.
lcl_maybe_fortify = "${@base_conditional('DEBUG_BUILD','1','','-D_FORTIFY_SOURCE=2',d)}"
@@ -12,7 +14,7 @@ lcl_maybe_fortify = "${@base_conditional('DEBUG_BUILD','1','','-D_FORTIFY_SOURCE
# Error on use of format strings that represent possible security problems
SECURITY_STRINGFORMAT ?= "-Wformat -Wformat-security -Werror=format-security"
-SECURITY_CFLAGS ?= "-fstack-protector-strong -pie -fpie ${lcl_maybe_fortify} ${SECURITY_STRINGFORMAT}"
+SECURITY_CFLAGS ?= "-fstack-protector-strong ${lcl_maybe_fortify} ${SECURITY_STRINGFORMAT}"
SECURITY_NO_PIE_CFLAGS ?= "-fstack-protector-strong ${lcl_maybe_fortify} ${SECURITY_STRINGFORMAT}"
SECURITY_LDFLAGS ?= "-fstack-protector-strong -Wl,-z,relro,-z,now"
diff --git a/meta/recipes-devtools/gcc/gcc-configure-common.inc b/meta/recipes-devtools/gcc/gcc-configure-common.inc
index 63fa1d9686..e2ce234aa1 100644
--- a/meta/recipes-devtools/gcc/gcc-configure-common.inc
+++ b/meta/recipes-devtools/gcc/gcc-configure-common.inc
@@ -22,6 +22,8 @@ EXTRA_OECONF_INITIAL ?= ""
GCCMULTILIB ?= "--disable-multilib"
GCCTHREADS ?= "posix"
+GCCPIE ??= ""
+
EXTRA_OECONF = "\
${@['--enable-clocale=generic', ''][d.getVar('USE_NLS') != 'no']} \
--with-gnu-ld \
@@ -29,6 +31,7 @@ EXTRA_OECONF = "\
--enable-languages=${LANGUAGES} \
--enable-threads=${GCCTHREADS} \
${GCCMULTILIB} \
+ ${GCCPIE} \
--enable-c99 \
--enable-long-long \
--enable-symvers=gnu \
--
2.13.2
^ permalink raw reply related [flat|nested] 11+ messages in thread* [PATCH 02/10] security_flags.inc: Delete pinnings for SECURITY_NO_PIE_CFLAGS
2017-06-28 16:04 [PATCH 00/10] Rework GCC PIE and security flags (take 2) Khem Raj
2017-06-28 16:04 ` [PATCH 01/10] gcc: Introduce a knob to configure gcc to default to PIE Khem Raj
@ 2017-06-28 16:04 ` Khem Raj
2017-06-28 16:04 ` [PATCH 03/10] distutils, setuptools: Delete use of SECURITY_NO_PIE_CFLAGS Khem Raj
` (7 subsequent siblings)
9 siblings, 0 replies; 11+ messages in thread
From: Khem Raj @ 2017-06-28 16:04 UTC (permalink / raw)
To: openembedded-core
GCC is configured correctly to pass PIE cflags/ldflags
Signed-off-by: Khem Raj <raj.khem@gmail.com>
---
meta/conf/distro/include/security_flags.inc | 81 +++++++----------------------
1 file changed, 20 insertions(+), 61 deletions(-)
diff --git a/meta/conf/distro/include/security_flags.inc b/meta/conf/distro/include/security_flags.inc
index f2eb224a77..64122d4ebe 100644
--- a/meta/conf/distro/include/security_flags.inc
+++ b/meta/conf/distro/include/security_flags.inc
@@ -1,4 +1,4 @@
-# Setup extra CFLAGS and LDFLAGS which have 'security' benefits. These
+# Setup extra CFLAGS and LDFLAGS which have 'security' benefits. These
# don't work universally, there are recipes which can't use one, the other
# or both so a blacklist is maintained here. The idea would be over
# time to reduce this list to nothing.
@@ -14,87 +14,43 @@ lcl_maybe_fortify = "${@base_conditional('DEBUG_BUILD','1','','-D_FORTIFY_SOURCE
# Error on use of format strings that represent possible security problems
SECURITY_STRINGFORMAT ?= "-Wformat -Wformat-security -Werror=format-security"
-SECURITY_CFLAGS ?= "-fstack-protector-strong ${lcl_maybe_fortify} ${SECURITY_STRINGFORMAT}"
+# Inject pie flags into compiler flags if not configured with gcc itself
+# especially useful with external toolchains
+SECURITY_PIE_CFLAGS ?= "${@'' if '${GCCPIE}' else '-pie -fPIE'}"
+
+SECURITY_NOPIE_CFLAGS ?= "-no-pie -fno-PIE"
+
+SECURITY_CFLAGS ?= "-fstack-protector-strong ${SECURITY_PIE_CFLAGS} ${lcl_maybe_fortify} ${SECURITY_STRINGFORMAT}"
SECURITY_NO_PIE_CFLAGS ?= "-fstack-protector-strong ${lcl_maybe_fortify} ${SECURITY_STRINGFORMAT}"
SECURITY_LDFLAGS ?= "-fstack-protector-strong -Wl,-z,relro,-z,now"
SECURITY_X_LDFLAGS ?= "-fstack-protector-strong -Wl,-z,relro"
# powerpc does not get on with pie for reasons not looked into as yet
-SECURITY_CFLAGS_powerpc = "-fstack-protector-strong ${lcl_maybe_fortify}"
-# Deal with ppc specific linker failures when using the cflags
-SECURITY_CFLAGS_pn-dbus_powerpc = ""
-SECURITY_CFLAGS_pn-dbus-ptest_powerpc = ""
-SECURITY_CFLAGS_pn-libmatchbox_powerpc = ""
+SECURITY_CFLAGS_powerpc = "-fstack-protector-strong ${lcl_maybe_fortify} ${SECURITY_NOPIE_CFLAGS}"
+SECURITY_CFLAGS_pn-libgcc_powerpc = ""
# arm specific security flag issues
-SECURITY_CFLAGS_pn-lttng-tools_arm = "${SECURITY_NO_PIE_CFLAGS}"
-SECURITY_CFLAGS_pn-aspell = "${SECURITY_NO_PIE_CFLAGS}"
-SECURITY_CFLAGS_pn-beecrypt = "${SECURITY_NO_PIE_CFLAGS}"
-SECURITY_CFLAGS_pn-coreutils = "${SECURITY_NO_PIE_CFLAGS}"
-SECURITY_CFLAGS_pn-cups = "${SECURITY_NO_PIE_CFLAGS}"
-SECURITY_CFLAGS_pn-db = "${SECURITY_NO_PIE_CFLAGS}"
-SECURITY_CFLAGS_pn-directfb = "${SECURITY_NO_PIE_CFLAGS}"
SECURITY_CFLAGS_pn-glibc = ""
SECURITY_CFLAGS_pn-glibc-initial = ""
-SECURITY_CFLAGS_pn-elfutils = "${SECURITY_NO_PIE_CFLAGS}"
-SECURITY_CFLAGS_pn-enchant = "${SECURITY_NO_PIE_CFLAGS}"
-SECURITY_CFLAGS_pn-expect = "${SECURITY_NO_PIE_CFLAGS}"
-SECURITY_CFLAGS_pn-flac = "${SECURITY_NO_PIE_CFLAGS}"
-SECURITY_CFLAGS_pn-gcc = "${SECURITY_NO_PIE_CFLAGS}"
SECURITY_CFLAGS_pn-gcc-runtime = ""
-SECURITY_CFLAGS_pn-gcc-sanitizers = "${SECURITY_NO_PIE_CFLAGS}"
-SECURITY_CFLAGS_pn-gdb = "${SECURITY_NO_PIE_CFLAGS}"
-SECURITY_CFLAGS_pn-gmp = "${SECURITY_NO_PIE_CFLAGS}"
-SECURITY_CFLAGS_pn-gnutls = "${SECURITY_NO_PIE_CFLAGS}"
-SECURITY_CFLAGS_pn-gpgme = "${SECURITY_NO_PIE_CFLAGS}"
SECURITY_CFLAGS_pn-grub = ""
SECURITY_CFLAGS_pn-grub-efi = ""
SECURITY_CFLAGS_pn-grub-efi-native = ""
SECURITY_CFLAGS_pn-grub-efi-x86-native = ""
SECURITY_CFLAGS_pn-grub-efi-i586-native = ""
SECURITY_CFLAGS_pn-grub-efi-x86-64-native = ""
-SECURITY_CFLAGS_pn-gstreamer1.0-plugins-bad = "${SECURITY_NO_PIE_CFLAGS}"
-SECURITY_CFLAGS_pn-gstreamer1.0-plugins-good = "${SECURITY_NO_PIE_CFLAGS}"
-SECURITY_CFLAGS_pn-harfbuzz = "${SECURITY_NO_PIE_CFLAGS}"
-SECURITY_CFLAGS_pn-kexec-tools = "${SECURITY_NO_PIE_CFLAGS}"
-SECURITY_CFLAGS_pn-iptables = "${SECURITY_NO_PIE_CFLAGS}"
-SECURITY_CFLAGS_pn-libaio = "${SECURITY_NO_PIE_CFLAGS}"
-SECURITY_CFLAGS_pn-libcap = "${SECURITY_NO_PIE_CFLAGS}"
-SECURITY_CFLAGS_pn-libgcc = "${SECURITY_NO_PIE_CFLAGS}"
-SECURITY_CFLAGS_pn-libid3tag = "${SECURITY_NO_PIE_CFLAGS}"
-SECURITY_CFLAGS_pn-libnewt-python = "${SECURITY_NO_PIE_CFLAGS}"
-SECURITY_CFLAGS_pn-libglu = "${SECURITY_NO_PIE_CFLAGS}"
-SECURITY_CFLAGS_pn-libpcap = "${SECURITY_NO_PIE_CFLAGS}"
-SECURITY_CFLAGS_pn-libpcre = "${SECURITY_NO_PIE_CFLAGS}"
-SECURITY_CFLAGS_pn-libproxy = "${SECURITY_NO_PIE_CFLAGS}"
-SECURITY_CFLAGS_pn-mesa = "${SECURITY_NO_PIE_CFLAGS}"
-SECURITY_CFLAGS_pn-mesa-gl = "${SECURITY_NO_PIE_CFLAGS}"
-SECURITY_CFLAGS_pn-openssl = "${SECURITY_NO_PIE_CFLAGS}"
-SECURITY_CFLAGS_pn-opensp = "${SECURITY_NO_PIE_CFLAGS}"
-SECURITY_CFLAGS_pn-ppp = "${SECURITY_NO_PIE_CFLAGS}"
-SECURITY_CFLAGS_pn-python = "${SECURITY_NO_PIE_CFLAGS}"
-SECURITY_CFLAGS_pn-python-pycurl = "${SECURITY_NO_PIE_CFLAGS}"
-SECURITY_CFLAGS_pn-python-numpy = "${SECURITY_NO_PIE_CFLAGS}"
-SECURITY_CFLAGS_pn-python3-numpy = "${SECURITY_NO_PIE_CFLAGS}"
-SECURITY_CFLAGS_pn-python3-pycairo = "${SECURITY_NO_PIE_CFLAGS}"
-SECURITY_CFLAGS_pn-python3-pycurl = "${SECURITY_NO_PIE_CFLAGS}"
-SECURITY_CFLAGS_pn-python3-pygpgme = "${SECURITY_NO_PIE_CFLAGS}"
-SECURITY_CFLAGS_pn-python3 = "${SECURITY_NO_PIE_CFLAGS}"
-SECURITY_CFLAGS_pn-syslinux = "${SECURITY_NO_PIE_CFLAGS}"
-SECURITY_CFLAGS_pn-slang = "${SECURITY_NO_PIE_CFLAGS}"
-SECURITY_CFLAGS_pn-source-highlight = "${SECURITY_NO_PIE_CFLAGS}"
-SECURITY_CFLAGS_pn-tcl = "${SECURITY_NO_PIE_CFLAGS}"
-SECURITY_CFLAGS_pn-tiff = "${SECURITY_NO_PIE_CFLAGS}"
-SECURITY_CFLAGS_pn-valgrind = ""
-SECURITY_CFLAGS_pn-zlib = "${SECURITY_NO_PIE_CFLAGS}"
+
+SECURITY_CFLAGS_pn-mkelfimage_x86 = ""
+
+SECURITY_CFLAGS_pn-valgrind = "${SECURITY_NOPIE_CFLAGS}"
+SECURITY_LDFLAGS_pn-valgrind = ""
# Recipes which fail to compile when elevating -Wformat-security to an error
SECURITY_STRINGFORMAT_pn-busybox = ""
SECURITY_STRINGFORMAT_pn-gcc = ""
-SECURITY_STRINGFORMAT_pn-oh-puzzles = ""
-TARGET_CFLAGS_append_class-target = " ${SECURITY_CFLAGS}"
+TARGET_CC_ARCH_append_class-target = " ${SECURITY_CFLAGS}"
TARGET_LDFLAGS_append_class-target = " ${SECURITY_LDFLAGS}"
SECURITY_LDFLAGS_remove_pn-gcc-runtime = "-fstack-protector-strong"
@@ -108,4 +64,7 @@ SECURITY_LDFLAGS_pn-xf86-video-vesa = "${SECURITY_X_LDFLAGS}"
SECURITY_LDFLAGS_pn-xf86-video-vmware = "${SECURITY_X_LDFLAGS}"
SECURITY_LDFLAGS_pn-xserver-xorg = "${SECURITY_X_LDFLAGS}"
-TARGET_CC_ARCH_append_pn-binutils = " ${SECURITY_CFLAGS} ${SELECTED_OPTIMIZATION}"
+TARGET_CC_ARCH_append_pn-binutils = " ${SELECTED_OPTIMIZATION}"
+TARGET_CC_ARCH_append_pn-gcc = " ${SELECTED_OPTIMIZATION}"
+TARGET_CC_ARCH_append_pn-gdb = " ${SELECTED_OPTIMIZATION}"
+TARGET_CC_ARCH_append_pn-perf = " ${SELECTED_OPTIMIZATION}"
--
2.13.2
^ permalink raw reply related [flat|nested] 11+ messages in thread* [PATCH 03/10] distutils, setuptools: Delete use of SECURITY_NO_PIE_CFLAGS
2017-06-28 16:04 [PATCH 00/10] Rework GCC PIE and security flags (take 2) Khem Raj
2017-06-28 16:04 ` [PATCH 01/10] gcc: Introduce a knob to configure gcc to default to PIE Khem Raj
2017-06-28 16:04 ` [PATCH 02/10] security_flags.inc: Delete pinnings for SECURITY_NO_PIE_CFLAGS Khem Raj
@ 2017-06-28 16:04 ` Khem Raj
2017-06-28 16:04 ` [PATCH 04/10] gcc7: Enable static PIE Khem Raj
` (6 subsequent siblings)
9 siblings, 0 replies; 11+ messages in thread
From: Khem Raj @ 2017-06-28 16:04 UTC (permalink / raw)
To: openembedded-core
gcc can handle PIE in gcc driver
Signed-off-by: Khem Raj <raj.khem@gmail.com>
---
meta/classes/distutils-common-base.bbclass | 2 --
meta/classes/setuptools.bbclass | 2 --
2 files changed, 4 deletions(-)
diff --git a/meta/classes/distutils-common-base.bbclass b/meta/classes/distutils-common-base.bbclass
index fa733c672c..824a1b68b1 100644
--- a/meta/classes/distutils-common-base.bbclass
+++ b/meta/classes/distutils-common-base.bbclass
@@ -11,5 +11,3 @@ FILES_${PN}-dev += "\
${libdir}/pkgconfig \
${PYTHON_SITEPACKAGES_DIR}/*.la \
"
-
-SECURITY_CFLAGS = "${SECURITY_NO_PIE_CFLAGS}"
diff --git a/meta/classes/setuptools.bbclass b/meta/classes/setuptools.bbclass
index 7d0c5267d7..56343b1c73 100644
--- a/meta/classes/setuptools.bbclass
+++ b/meta/classes/setuptools.bbclass
@@ -6,5 +6,3 @@ DISTUTILS_INSTALL_ARGS = "--root=${D} \
--prefix=${prefix} \
--install-lib=${PYTHON_SITEPACKAGES_DIR} \
--install-data=${datadir}"
-
-SECURITY_CFLAGS = "${SECURITY_NO_PIE_CFLAGS}"
--
2.13.2
^ permalink raw reply related [flat|nested] 11+ messages in thread* [PATCH 04/10] gcc7: Enable static PIE
2017-06-28 16:04 [PATCH 00/10] Rework GCC PIE and security flags (take 2) Khem Raj
` (2 preceding siblings ...)
2017-06-28 16:04 ` [PATCH 03/10] distutils, setuptools: Delete use of SECURITY_NO_PIE_CFLAGS Khem Raj
@ 2017-06-28 16:04 ` Khem Raj
2017-06-28 16:04 ` [PATCH 05/10] gcc: Link libssp_nonshared.a only on musl targets Khem Raj
` (5 subsequent siblings)
9 siblings, 0 replies; 11+ messages in thread
From: Khem Raj @ 2017-06-28 16:04 UTC (permalink / raw)
To: openembedded-core
Signed-off-by: Khem Raj <raj.khem@gmail.com>
---
meta/recipes-devtools/gcc/gcc-7.1.inc | 1 +
.../gcc/gcc-7.1/0048-gcc-Enable-static-PIE.patch | 37 ++++++++++++++++++++++
2 files changed, 38 insertions(+)
create mode 100644 meta/recipes-devtools/gcc/gcc-7.1/0048-gcc-Enable-static-PIE.patch
diff --git a/meta/recipes-devtools/gcc/gcc-7.1.inc b/meta/recipes-devtools/gcc/gcc-7.1.inc
index 4098d6a2c1..b52d51fba6 100644
--- a/meta/recipes-devtools/gcc/gcc-7.1.inc
+++ b/meta/recipes-devtools/gcc/gcc-7.1.inc
@@ -72,6 +72,7 @@ SRC_URI = "\
file://0045-Link-libgcc-using-LDFLAGS-not-just-SHLIB_LDFLAGS.patch \
file://0046-libgcc_s-Use-alias-for-__cpu_indicator_init-instead-.patch \
file://0047-sync-gcc-stddef.h-with-musl.patch \
+ file://0048-gcc-Enable-static-PIE.patch \
${BACKPORTS} \
"
BACKPORTS = "\
diff --git a/meta/recipes-devtools/gcc/gcc-7.1/0048-gcc-Enable-static-PIE.patch b/meta/recipes-devtools/gcc/gcc-7.1/0048-gcc-Enable-static-PIE.patch
new file mode 100644
index 0000000000..879e360cf3
--- /dev/null
+++ b/meta/recipes-devtools/gcc/gcc-7.1/0048-gcc-Enable-static-PIE.patch
@@ -0,0 +1,37 @@
+From 44ef80688b56beea85c0070840dea1e2a4e34aed Mon Sep 17 00:00:00 2001
+From: Khem Raj <raj.khem@gmail.com>
+Date: Tue, 13 Jun 2017 12:12:52 -0700
+Subject: [PATCH 49/49] gcc: Enable static PIE
+
+Static PIE support in GCC
+see
+https://gcc.gnu.org/ml/gcc/2015-06/msg00008.html
+
+Upstream-Status: Pending
+
+Signed-off-by: Khem Raj <raj.khem@gmail.com>
+---
+ gcc/config/gnu-user.h | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/gcc/config/gnu-user.h b/gcc/config/gnu-user.h
+index 2787a3d16be..ee7b781319e 100644
+--- a/gcc/config/gnu-user.h
++++ b/gcc/config/gnu-user.h
+@@ -51,10 +51,10 @@ see the files COPYING3 and COPYING.RUNTIME respectively. If not, see
+ #if defined HAVE_LD_PIE
+ #define GNU_USER_TARGET_STARTFILE_SPEC \
+ "%{!shared: %{pg|p|profile:gcrt1.o%s;: \
+- %{" PIE_SPEC ":Scrt1.o%s} %{" NO_PIE_SPEC ":crt1.o%s}}} \
+- crti.o%s %{static:crtbeginT.o%s;: %{shared:crtbeginS.o%s} \
++ %{" PIE_SPEC ":%{static:rcrt1.o%s;:Scrt1.o%s}} %{" NO_PIE_SPEC ":crt1.o%s}}} \
++ crti.o%s %{shared:crtbeginS.o%s;: \
+ %{" PIE_SPEC ":crtbeginS.o%s} \
+- %{" NO_PIE_SPEC ":crtbegin.o%s}} \
++ %{" NO_PIE_SPEC ":%{static:crtbeginT.o%s;:crtbegin.o%s}}} \
+ %{fvtable-verify=none:%s; \
+ fvtable-verify=preinit:vtv_start_preinit.o%s; \
+ fvtable-verify=std:vtv_start.o%s} \
+--
+2.13.1
+
--
2.13.2
^ permalink raw reply related [flat|nested] 11+ messages in thread* [PATCH 05/10] gcc: Link libssp_nonshared.a only on musl targets
2017-06-28 16:04 [PATCH 00/10] Rework GCC PIE and security flags (take 2) Khem Raj
` (3 preceding siblings ...)
2017-06-28 16:04 ` [PATCH 04/10] gcc7: Enable static PIE Khem Raj
@ 2017-06-28 16:04 ` Khem Raj
2017-06-28 16:04 ` [PATCH 06/10] libunwind: We set -fPIE in security flags now if gcc is not configured for default PIE Khem Raj
` (4 subsequent siblings)
9 siblings, 0 replies; 11+ messages in thread
From: Khem Raj @ 2017-06-28 16:04 UTC (permalink / raw)
To: openembedded-core
glibc already provides the content for libssp_nonshared
in libc_nonshared.a therefore we dont need to make it
universal.
This also fixed build issues on glibc when linking statically
and using -fstack-protector
Fixed errors like
/mnt/a/oe/build/tmp/work/i586-bec-linux/aufs-util/3.14+gitAUTOINC+bdfcc0dcfc-r0/recipe-sysroot/usr/lib/../lib/libc.a(stack_chk_fail.o): In function `__stack_chk_fail': /usr/src/debug/glibc/2.26-r0/git/debug/stack_chk_fail.c:27: multiple definition of `__stack_chk_fail_local' /mnt/a/oe/build/tmp/work/i586-bec-linux/aufs-util/3.14+gitAUTOINC+bdfcc0dcfc-r0/recipe-sysroot/usr/lib/../lib/libssp_nonshared.a(libssp_nonshared_la-ssp-local.o):/usr/src/debug/gcc-runtime/7.1.0-r0/gcc-7.1.0/build.i586-bec-linux.i586-bec-linux/i586-bec-linux/libssp/../../../../../../../../work-shared/gcc-7.1.0-r0/gcc-7.1.0/libssp/ssp-local.c:47: first defined here collect2: error: ld returned 1 exit status
Signed-off-by: Khem Raj <raj.khem@gmail.com>
---
meta/recipes-devtools/gcc/gcc-7.1.inc | 2 +-
...shared-to-link-commandline-for-musl-targe.patch | 42 ++++++++++++++++++++++
.../gcc/gcc-7.1/0040-ssp_nonshared.patch | 28 ---------------
3 files changed, 43 insertions(+), 29 deletions(-)
create mode 100644 meta/recipes-devtools/gcc/gcc-7.1/0040-Add-ssp_nonshared-to-link-commandline-for-musl-targe.patch
delete mode 100644 meta/recipes-devtools/gcc/gcc-7.1/0040-ssp_nonshared.patch
diff --git a/meta/recipes-devtools/gcc/gcc-7.1.inc b/meta/recipes-devtools/gcc/gcc-7.1.inc
index b52d51fba6..96fc11c943 100644
--- a/meta/recipes-devtools/gcc/gcc-7.1.inc
+++ b/meta/recipes-devtools/gcc/gcc-7.1.inc
@@ -64,7 +64,7 @@ SRC_URI = "\
file://0037-Search-target-sysroot-gcc-version-specific-dirs-with.patch \
file://0038-Fix-various-_FOR_BUILD-and-related-variables.patch \
file://0039-nios2-Define-MUSL_DYNAMIC_LINKER.patch \
- file://0040-ssp_nonshared.patch \
+ file://0040-Add-ssp_nonshared-to-link-commandline-for-musl-targe.patch \
file://0041-gcc-libcpp-support-ffile-prefix-map-old-new.patch \
file://0042-Reuse-fdebug-prefix-map-to-replace-ffile-prefix-map.patch \
file://0043-gcc-final.c-fdebug-prefix-map-support-to-remap-sourc.patch \
diff --git a/meta/recipes-devtools/gcc/gcc-7.1/0040-Add-ssp_nonshared-to-link-commandline-for-musl-targe.patch b/meta/recipes-devtools/gcc/gcc-7.1/0040-Add-ssp_nonshared-to-link-commandline-for-musl-targe.patch
new file mode 100644
index 0000000000..310f7aacba
--- /dev/null
+++ b/meta/recipes-devtools/gcc/gcc-7.1/0040-Add-ssp_nonshared-to-link-commandline-for-musl-targe.patch
@@ -0,0 +1,42 @@
+From 75a42d6d0f1f9784327f74882195a5c24843d5a8 Mon Sep 17 00:00:00 2001
+From: Khem Raj <raj.khem@gmail.com>
+Date: Tue, 27 Jun 2017 18:10:54 -0700
+Subject: [PATCH 40/49] Add ssp_nonshared to link commandline for musl targets
+
+when -fstack-protector options are enabled we need to
+link with ssp_shared on musl since it does not provide
+the __stack_chk_fail_local() so essentially it provides
+libssp but not libssp_nonshared something like
+TARGET_LIBC_PROVIDES_SSP_BUT_NOT_SSP_NONSHARED
+ where-as for glibc the needed symbols
+are already present in libc_nonshared library therefore
+we do not need any library helper on glibc based systems
+but musl needs the libssp_noshared from gcc
+
+Upstream-Status: Pending
+
+Signed-off-by: Khem Raj <raj.khem@gmail.com>
+---
+ gcc/config/linux.h | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/gcc/config/linux.h b/gcc/config/linux.h
+index 2e683d0c430..5ff0a2cb2ff 100644
+--- a/gcc/config/linux.h
++++ b/gcc/config/linux.h
+@@ -182,6 +182,12 @@ see the files COPYING3 and COPYING.RUNTIME respectively. If not, see
+ { GCC_INCLUDE_DIR, "GCC", 0, 1, 0, 0 }, \
+ { 0, 0, 0, 0, 0, 0 } \
+ }
++#ifdef TARGET_LIBC_PROVIDES_SSP
++#define LINK_SSP_SPEC "%{fstack-protector|fstack-protector-all" \
++ "|fstack-protector-strong|fstack-protector-explicit" \
++ ":-lssp_nonshared}"
++#endif
++
+ #endif
+
+ #if (DEFAULT_LIBC == LIBC_UCLIBC) && defined (SINGLE_LIBC) /* uClinux */
+--
+2.13.2
+
diff --git a/meta/recipes-devtools/gcc/gcc-7.1/0040-ssp_nonshared.patch b/meta/recipes-devtools/gcc/gcc-7.1/0040-ssp_nonshared.patch
deleted file mode 100644
index e9fb35cb91..0000000000
--- a/meta/recipes-devtools/gcc/gcc-7.1/0040-ssp_nonshared.patch
+++ /dev/null
@@ -1,28 +0,0 @@
-From 6c98538411ac30c2262b2635547974c6cd1699c5 Mon Sep 17 00:00:00 2001
-From: Szabolcs Nagy <nsz@port70.net>
-Date: Sat, 7 Nov 2015 14:58:40 +0000
-Subject: [PATCH 40/47] ssp_nonshared
-
----
-Upstream-Status: Inappropriate [OE-Specific]
-
- gcc/gcc.c | 3 ++-
- 1 file changed, 2 insertions(+), 1 deletion(-)
-
-diff --git a/gcc/gcc.c b/gcc/gcc.c
-index 84af5d5a2e1..2c6471aa565 100644
---- a/gcc/gcc.c
-+++ b/gcc/gcc.c
-@@ -872,7 +872,8 @@ proper position among the other output files. */
- #ifndef LINK_SSP_SPEC
- #ifdef TARGET_LIBC_PROVIDES_SSP
- #define LINK_SSP_SPEC "%{fstack-protector|fstack-protector-all" \
-- "|fstack-protector-strong|fstack-protector-explicit:}"
-+ "|fstack-protector-strong|fstack-protector-explicit" \
-+ ":-lssp_nonshared}"
- #else
- #define LINK_SSP_SPEC "%{fstack-protector|fstack-protector-all" \
- "|fstack-protector-strong|fstack-protector-explicit" \
---
-2.12.2
-
--
2.13.2
^ permalink raw reply related [flat|nested] 11+ messages in thread* [PATCH 06/10] libunwind: We set -fPIE in security flags now if gcc is not configured for default PIE
2017-06-28 16:04 [PATCH 00/10] Rework GCC PIE and security flags (take 2) Khem Raj
` (4 preceding siblings ...)
2017-06-28 16:04 ` [PATCH 05/10] gcc: Link libssp_nonshared.a only on musl targets Khem Raj
@ 2017-06-28 16:04 ` Khem Raj
2017-06-28 16:04 ` [PATCH 07/10] valgrind: Remove -no-pie from cflags Khem Raj
` (3 subsequent siblings)
9 siblings, 0 replies; 11+ messages in thread
From: Khem Raj @ 2017-06-28 16:04 UTC (permalink / raw)
To: openembedded-core
Signed-off-by: Khem Raj <raj.khem@gmail.com>
---
meta/recipes-support/libunwind/libunwind_1.2.bb | 4 ----
1 file changed, 4 deletions(-)
diff --git a/meta/recipes-support/libunwind/libunwind_1.2.bb b/meta/recipes-support/libunwind/libunwind_1.2.bb
index e598e40c6f..c6312f24fd 100644
--- a/meta/recipes-support/libunwind/libunwind_1.2.bb
+++ b/meta/recipes-support/libunwind/libunwind_1.2.bb
@@ -21,8 +21,4 @@ EXTRA_OECONF_append_libc-musl = " --disable-documentation --disable-tests "
ARM_INSTRUCTION_SET_armv4 = "arm"
ARM_INSTRUCTION_SET_armv5 = "arm"
-# see https://sourceware.org/bugzilla/show_bug.cgi?id=19987
-SECURITY_CFLAGS_remove_aarch64 = "-fpie"
-SECURITY_CFLAGS_append_aarch64 = " -fPIE"
-
LDFLAGS += "-Wl,-z,relro,-z,now ${@bb.utils.contains('DISTRO_FEATURES', 'ld-is-gold', ' -fuse-ld=bfd ', '', d)}"
--
2.13.2
^ permalink raw reply related [flat|nested] 11+ messages in thread* [PATCH 07/10] valgrind: Remove -no-pie from cflags
2017-06-28 16:04 [PATCH 00/10] Rework GCC PIE and security flags (take 2) Khem Raj
` (5 preceding siblings ...)
2017-06-28 16:04 ` [PATCH 06/10] libunwind: We set -fPIE in security flags now if gcc is not configured for default PIE Khem Raj
@ 2017-06-28 16:04 ` Khem Raj
2017-06-28 16:04 ` [PATCH 08/10] iptables: Apply 0001-fix-build-with-musl.patch unconditionally Khem Raj
` (2 subsequent siblings)
9 siblings, 0 replies; 11+ messages in thread
From: Khem Raj @ 2017-06-28 16:04 UTC (permalink / raw)
To: openembedded-core
It has been moved to distro security include file
Signed-off-by: Khem Raj <raj.khem@gmail.com>
---
meta/recipes-devtools/valgrind/valgrind_3.12.0.bb | 2 --
1 file changed, 2 deletions(-)
diff --git a/meta/recipes-devtools/valgrind/valgrind_3.12.0.bb b/meta/recipes-devtools/valgrind/valgrind_3.12.0.bb
index a81adc31d6..888b132ec7 100644
--- a/meta/recipes-devtools/valgrind/valgrind_3.12.0.bb
+++ b/meta/recipes-devtools/valgrind/valgrind_3.12.0.bb
@@ -73,8 +73,6 @@ CACHED_CONFIGUREVARS += "ac_cv_path_PERL='/usr/bin/env perl'"
# which fixes build path issue in DWARF.
SELECTED_OPTIMIZATION = "${DEBUG_FLAGS}"
-CFLAGS += "-no-pie"
-
def get_mcpu(d):
for arg in (d.getVar('TUNE_CCARGS') or '').split():
if arg.startswith('-mcpu='):
--
2.13.2
^ permalink raw reply related [flat|nested] 11+ messages in thread* [PATCH 08/10] iptables: Apply 0001-fix-build-with-musl.patch unconditionally
2017-06-28 16:04 [PATCH 00/10] Rework GCC PIE and security flags (take 2) Khem Raj
` (6 preceding siblings ...)
2017-06-28 16:04 ` [PATCH 07/10] valgrind: Remove -no-pie from cflags Khem Raj
@ 2017-06-28 16:04 ` Khem Raj
2017-06-28 16:04 ` [PATCH 09/10] icu: Fix build with glibc 2.26 Khem Raj
2017-06-28 16:04 ` [PATCH 10/10] gstreamer1.0-plugins-bad: Fix missing library with bcm egl Khem Raj
9 siblings, 0 replies; 11+ messages in thread
From: Khem Raj @ 2017-06-28 16:04 UTC (permalink / raw)
To: openembedded-core
This patch is generic enough, That it can be applied universally
and makes maintainence easier
Signed-off-by: Khem Raj <raj.khem@gmail.com>
---
meta/recipes-extended/iptables/iptables_1.6.1.bb | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/meta/recipes-extended/iptables/iptables_1.6.1.bb b/meta/recipes-extended/iptables/iptables_1.6.1.bb
index 4019e2a4a4..b37c55a64e 100644
--- a/meta/recipes-extended/iptables/iptables_1.6.1.bb
+++ b/meta/recipes-extended/iptables/iptables_1.6.1.bb
@@ -22,8 +22,8 @@ SRC_URI = "http://netfilter.org/projects/iptables/files/iptables-${PV}.tar.bz2 \
file://types.h-add-defines-that-are-required-for-if_packet.patch \
file://0001-configure-Add-option-to-enable-disable-libnfnetlink.patch \
file://0002-configure.ac-only-check-conntrack-when-libnfnetlink-enabled.patch \
- "
-SRC_URI_append_libc-musl = " file://0001-fix-build-with-musl.patch"
+ file://0001-fix-build-with-musl.patch \
+"
SRC_URI[md5sum] = "ab38a33806b6182c6f53d6afb4619add"
SRC_URI[sha256sum] = "0fc2d7bd5d7be11311726466789d4c65fb4c8e096c9182b56ce97440864f0cf5"
--
2.13.2
^ permalink raw reply related [flat|nested] 11+ messages in thread* [PATCH 09/10] icu: Fix build with glibc 2.26
2017-06-28 16:04 [PATCH 00/10] Rework GCC PIE and security flags (take 2) Khem Raj
` (7 preceding siblings ...)
2017-06-28 16:04 ` [PATCH 08/10] iptables: Apply 0001-fix-build-with-musl.patch unconditionally Khem Raj
@ 2017-06-28 16:04 ` Khem Raj
2017-06-28 16:04 ` [PATCH 10/10] gstreamer1.0-plugins-bad: Fix missing library with bcm egl Khem Raj
9 siblings, 0 replies; 11+ messages in thread
From: Khem Raj @ 2017-06-28 16:04 UTC (permalink / raw)
To: openembedded-core
Signed-off-by: Khem Raj <raj.khem@gmail.com>
---
.../icu/icu/0001-i18n-Drop-include-xlocale.h.patch | 31 ++++++++++++++++++++++
meta/recipes-support/icu/icu_58.2.bb | 3 ++-
2 files changed, 33 insertions(+), 1 deletion(-)
create mode 100644 meta/recipes-support/icu/icu/0001-i18n-Drop-include-xlocale.h.patch
diff --git a/meta/recipes-support/icu/icu/0001-i18n-Drop-include-xlocale.h.patch b/meta/recipes-support/icu/icu/0001-i18n-Drop-include-xlocale.h.patch
new file mode 100644
index 0000000000..add0d765b7
--- /dev/null
+++ b/meta/recipes-support/icu/icu/0001-i18n-Drop-include-xlocale.h.patch
@@ -0,0 +1,31 @@
+From c4254fd8ff1888ca285e3242b812010357ce2b3e Mon Sep 17 00:00:00 2001
+From: Khem Raj <raj.khem@gmail.com>
+Date: Sat, 24 Jun 2017 22:52:40 -0700
+Subject: [PATCH] i18n: Drop include <xlocale.h>
+
+glibc 2.26 drops this header
+
+Signed-off-by: Khem Raj <raj.khem@gmail.com>
+---
+Upstream-Status: Pending
+
+ i18n/digitlst.cpp | 6 +-----
+ 1 file changed, 1 insertion(+), 5 deletions(-)
+
+Index: source/i18n/digitlst.cpp
+===================================================================
+--- source.orig/i18n/digitlst.cpp
++++ source/i18n/digitlst.cpp
+@@ -61,11 +61,7 @@
+ #endif
+
+ #if U_USE_STRTOD_L
+-# if U_PLATFORM_USES_ONLY_WIN32_API || U_PLATFORM == U_PF_CYGWIN
+-# include <locale.h>
+-# else
+-# include <xlocale.h>
+-# endif
++# include <locale.h>
+ #endif
+
+ // ***************************************************************************
diff --git a/meta/recipes-support/icu/icu_58.2.bb b/meta/recipes-support/icu/icu_58.2.bb
index 4d062ebf94..47684a6c8b 100644
--- a/meta/recipes-support/icu/icu_58.2.bb
+++ b/meta/recipes-support/icu/icu_58.2.bb
@@ -16,7 +16,8 @@ BASE_SRC_URI = "http://download.icu-project.org/files/icu4c/${PV}/icu4c-${ICU_PV
SRC_URI = "${BASE_SRC_URI} \
file://icu-pkgdata-large-cmd.patch \
file://fix-install-manx.patch \
- "
+ file://0001-i18n-Drop-include-xlocale.h.patch \
+ "
SRC_URI_append_class-target = "\
file://0001-Disable-LDFLAGSICUDT-for-Linux.patch \
--
2.13.2
^ permalink raw reply related [flat|nested] 11+ messages in thread* [PATCH 10/10] gstreamer1.0-plugins-bad: Fix missing library with bcm egl
2017-06-28 16:04 [PATCH 00/10] Rework GCC PIE and security flags (take 2) Khem Raj
` (8 preceding siblings ...)
2017-06-28 16:04 ` [PATCH 09/10] icu: Fix build with glibc 2.26 Khem Raj
@ 2017-06-28 16:04 ` Khem Raj
9 siblings, 0 replies; 11+ messages in thread
From: Khem Raj @ 2017-06-28 16:04 UTC (permalink / raw)
To: openembedded-core
userland graphics driver provided libegl for rpi depends upon
symbols from vchostif library, therefore add it to linker cmdline
helps with loadng gst-gl plugins on rpi
Signed-off-by: Khem Raj <raj.khem@gmail.com>
---
.../link-with-libvchostif.patch | 35 ++++++++++++++++++++++
.../gstreamer/gstreamer1.0-plugins-bad_1.10.4.bb | 1 +
2 files changed, 36 insertions(+)
create mode 100644 meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-bad/link-with-libvchostif.patch
diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-bad/link-with-libvchostif.patch b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-bad/link-with-libvchostif.patch
new file mode 100644
index 0000000000..c382b17586
--- /dev/null
+++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-bad/link-with-libvchostif.patch
@@ -0,0 +1,35 @@
+Add -lvchostif to link when using -lEGL on rpi
+
+This is required because libEGL from userland uses sybols
+from this library.
+
+lib/libEGL.so.1.0.0 121: 00000000 0 FUNC GLOBAL DEFAULT UND vc_dispmanx_element_add
+ 1552: 00000000 0 FUNC GLOBAL DEFAULT UND vc_dispmanx_element_add
+
+These symbols are provided by libvchostif as seen below
+
+lib/libvchostif.so
+ 252: 0000b161 192 FUNC GLOBAL DEFAULT 9 vc_dispmanx_element_add
+ 809: 0000b161 192 FUNC GLOBAL DEFAULT 9 vc_dispmanx_element_add
+
+With this explicit link, plugins fail during runtime
+
+(gst-plugin-scanner:571): GStreamer-WARNING **: Failed to load plugin '/usr/lib/gstreamer-1.0/libgstomx.so': Error relocating /usr/lib/libgstgl-1.0.so.0: vc_dispmanx_element_add: symbol not found
+(gst-plugin-scanner:571): GStreamer-WARNING **: Failed to load plugin '/usr/lib/gstreamer-1.0/libgstopengl.so': Error relocating /usr/lib/libgstgl-1.0.so.0: vc_dispmanx_element_add: symbol not found
+
+Signed-off-by: Khem Raj <raj.khem@gmail.com>
+
+Upstream-Status: Pending
+Index: gst-plugins-bad-1.10.4/configure.ac
+===================================================================
+--- gst-plugins-bad-1.10.4.orig/configure.ac
++++ gst-plugins-bad-1.10.4/configure.ac
+@@ -785,7 +785,7 @@ case $host in
+ HAVE_EGL=yes
+ HAVE_GLES2=yes
+ HAVE_EGL_RPI=yes
+- EGL_LIBS="-lbcm_host -lvcos -lvchiq_arm"
++ EGL_LIBS="-lbcm_host -lvchostif -lvcos -lvchiq_arm"
+ EGL_CFLAGS=""
+ AC_DEFINE(USE_EGL_RPI, [1], [Use RPi platform])
+ ])
diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-bad_1.10.4.bb b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-bad_1.10.4.bb
index 0bb4053e43..def03a9b81 100644
--- a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-bad_1.10.4.bb
+++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-bad_1.10.4.bb
@@ -18,6 +18,7 @@ SRC_URI = " \
file://0001-smoothstreaming-implement-adaptivedemux-s-get_live_s.patch \
file://0001-smoothstreaming-use-the-duration-from-the-list-of-fr.patch \
file://0001-mssdemux-improved-live-playback-support.patch \
+ file://link-with-libvchostif.patch \
"
SRC_URI[md5sum] = "2757103e57a096a1a05b3ab85b8381af"
SRC_URI[sha256sum] = "23ddae506b3a223b94869a0d3eea3e9a12e847f94d2d0e0b97102ce13ecd6966"
--
2.13.2
^ permalink raw reply related [flat|nested] 11+ messages in thread