Interesting, I thought the image-prelink class had been removed completely, but apparently it was only the references to it in local.conf.sample that was removed.

Anyway, if you are going to do that change, I believe it is better to use bb.data.inherits_class() to see if the image-prelink class is in use:

GCCPIE ?= "${@'--disable-default-pie' if bb.data.inherits_class('image-prelink', d) else '--enable-default-pie'}"

//Peter

From: openembedded-core@lists.openembedded.org <openembedded-core@lists.openembedded.org> On Behalf Of bkylerussell@gmail.com
Sent: den 20 januari 2022 18:42
To: Alexander Kanavin <alex.kanavin@gmail.com>
Cc: OE-core <openembedded-core@lists.openembedded.org>
Subject: Re: [OE-core] [PATCH] security_flags.inc: don't default to PIE if image-prelink is enabled

Yes, we do use prelink.  I think our use case primarily benefits from CoW memory savings, rather than load times.  Of course, GCCPIE can be overridden in the distro layer, but seeing as image-prelink.bbclass still exists upstream, the default definition should support configurations that choose to enable it.

On Thu, Jan 20, 2022 at 3:30 AM Alexander Kanavin <alex.kanavin@gmail.com<mailto:alex.kanavin@gmail.com>> wrote:
I think we pretty much abandoned prelink at this point, are you using it and do you see the benefits?

Alex

On Thu, 20 Jan 2022 at 04:30, <bkylerussell@gmail.com<mailto:bkylerussell@gmail.com>> wrote:
Since a prelinked rootfs is in conflict with PIE, don't attempt the latter
if the image enables prelink.
---
 meta/conf/distro/include/security_flags.inc | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/meta/conf/distro/include/security_flags.inc b/meta/conf/distro/include/security_flags.inc
index e469eadca1..be6feb9e5f 100644
--- a/meta/conf/distro/include/security_flags.inc
+++ b/meta/conf/distro/include/security_flags.inc
@@ -5,7 +5,7 @@
 # From a Yocto Project perspective, this file is included and tested
 # in the DISTRO="poky" configuration.

-GCCPIE ?= "--enable-default-pie"
+GCCPIE ?= "${@bb.utils.contains('USER_CLASSES', 'image-prelink', '--disable-default-pie', '--enable-default-pie', d)}<mailto:$%7b@bb.utils.contains('USER_CLASSES',%20'image-prelink',%20'--disable-default-pie',%20'--enable-default-pie',%20d)%7d>"
 # If static PIE is known to work well, GLIBCPIE="--enable-static-pie" can be set

 # _FORTIFY_SOURCE requires -O1 or higher, so disable in debug builds as they use
--
2.25.1