[oe] [meta-initramfs][PATCH 2/2] klibc: Fix build with security flags

Andrea Adami andrea.adami at gmail.com
Thu Sep 13 16:58:32 UTC 2018 

Khem,

build with gcc still fails:

# i586-oe-linux-musl-ld.bfd -m elf_i386 -o usr/kinit/ipconfig/shared/ipc
onfig -z noexecstack -e main usr/klibc/interp.o --start-group
usr/kinit/ipconfig/main.o usr/kinit/ipconfig/netdev.o
usr/kinit/ipconfig/packet.o usr/kinit/ipconfig/dhcp_proto.o
usr/kinit/ipconfig/bootp_proto.o  -R usr/klibc/libc.so
/tmp/build/tmp-musl/work/i586-oe-linux-musl/klibc/2.0.4-r0/recipe-sysroot/usr/lib/i586-oe-linux-musl/*/libgcc.a
--end-group
i586-oe-linux-musl-ld.bfd: discarded output section: `.got.plt'

However, adding  -pie to ld invocation seems solving the problem.

root at andrea-ThinkPad-T520:/tmp/build/tmp-musl/work/i586-oe-linux-musl/klibc/2.0.4-r0/git#
i586-oe-linux-musl-ld.bfd -m elf_i386 -o usr/kinit/ipconfig/shared/ipc
onfig -z noexecstack -e main usr/klibc/interp.o --start-group
usr/kinit/ipconfig/main.o usr/kinit/ipconfig/netdev.o
usr/kinit/ipconfig/packet.o usr/kinit/ipconfig/dhcp_proto.o
usr/kinit/ipconfig/bootp_proto.o  -R usr/klibc/libc.so
/tmp/build/tmp-musl/work/i586-oe-linux-musl/klibc/2.0.4-r0/recipe-sysroot/usr/lib/i586-oe-linux-musl/*/libgcc.a
--end-group -pie
root at andrea-ThinkPad-T520:/tmp/build/tmp-musl/work/i586-oe-linux-musl/klibc/2.0.4-r0/git#


Cheers
Andrea


On Wed, Sep 12, 2018 at 2:19 AM Khem Raj <raj.khem at gmail.com> wrote:
>
> Drop -Os which is also causing the relro
> Fixes
> | x86_64-bec-linux-musl-ld.bfd: discarded output section: `.got.plt'
>
> Signed-off-by: Khem Raj <raj.khem at gmail.com>
> Cc: Andrea Adami <andrea.adami at gmail.com>
> ---
>  ...libc-Kbuild-Accept-EXTRA_KLIBCAFLAGS.patch | 28 +++++++++++++++++++
>  .../recipes-devtools/klibc/klibc.inc          |  9 +++---
>  2 files changed, 33 insertions(+), 4 deletions(-)
>  create mode 100644 meta-initramfs/recipes-devtools/klibc/klibc-2.0.4/0001-klibc-Kbuild-Accept-EXTRA_KLIBCAFLAGS.patch
>
> diff --git a/meta-initramfs/recipes-devtools/klibc/klibc-2.0.4/0001-klibc-Kbuild-Accept-EXTRA_KLIBCAFLAGS.patch b/meta-initramfs/recipes-devtools/klibc/klibc-2.0.4/0001-klibc-Kbuild-Accept-EXTRA_KLIBCAFLAGS.patch
> new file mode 100644
> index 0000000000..94818e3669
> --- /dev/null
> +++ b/meta-initramfs/recipes-devtools/klibc/klibc-2.0.4/0001-klibc-Kbuild-Accept-EXTRA_KLIBCAFLAGS.patch
> @@ -0,0 +1,28 @@
> +From cdc6edc2cfcd0ce88d6e66654d605dad303b1a75 Mon Sep 17 00:00:00 2001
> +From: Khem Raj <raj.khem at gmail.com>
> +Date: Tue, 11 Sep 2018 17:03:36 -0700
> +Subject: [PATCH] klibc/Kbuild: Accept EXTRA_KLIBCAFLAGS
> +
> +For passing additional assembler flags
> +
> +Upstream-Status: Pending
> +
> +Signed-off-by: Khem Raj <raj.khem at gmail.com>
> +---
> + usr/klibc/Kbuild | 3 ++-
> + 1 file changed, 2 insertions(+), 1 deletion(-)
> +
> +diff --git a/usr/klibc/Kbuild b/usr/klibc/Kbuild
> +index 98caf2e9..b34521e0 100644
> +--- a/usr/klibc/Kbuild
> ++++ b/usr/klibc/Kbuild
> +@@ -168,7 +168,8 @@ $(SOHASH): $(SOLIB) $(SOLIB).hash
> + targets += interp.o
> +
> + quiet_cmd_interp = BUILD   $@
> +-      cmd_interp = $(KLIBCCC) $(klibccflags) -D__ASSEMBLY__     \
> ++      cmd_interp = $(KLIBCCC) $(klibccflags) $(EXTRA_KLIBCAFLAGS) \
> ++                             -D__ASSEMBLY__     \
> +                              -DLIBDIR=\"$(SHLIBDIR)\"         \
> +                            -DSOHASH=\"$(SOLIBHASH)\" \
> +                            -c -o $@ $<
> diff --git a/meta-initramfs/recipes-devtools/klibc/klibc.inc b/meta-initramfs/recipes-devtools/klibc/klibc.inc
> index f0b20bc7fd..3d25e96cd4 100644
> --- a/meta-initramfs/recipes-devtools/klibc/klibc.inc
> +++ b/meta-initramfs/recipes-devtools/klibc/klibc.inc
> @@ -21,9 +21,10 @@ SRC_URI = "git://git.kernel.org/pub/scm/libs/klibc/klibc.git \
>             file://0001-Kbuild.klibc-Use-print-libgcc-file-name-instead-of-p.patch \
>             file://0001-Kbuild.klibc-Add-path-to-compiler-headers-via-isyste.patch \
>             file://0001-arm-Do-not-set-a-fallback-march-and-mtune.patch \
> -           file://0001-klibc_2.0.4-add-kexec_file_load-syscall.patch  \
> +           file://0001-klibc_2.0.4-add-kexec_file_load-syscall.patch \
>             file://0001-klibc-add-getrandom-syscall.patch \
> -"
> +           file://0001-klibc-Kbuild-Accept-EXTRA_KLIBCAFLAGS.patch \
> +           "
>
>  ARMPATCHES ?= ""
>
> @@ -31,7 +32,6 @@ ARMPATCHES_arm = "file://klibc-config-eabi.patch \
>                    file://armv4-fix-v4bx.patch \
>                   "
>
> -
>  S = "${WORKDIR}/git"
>
>  PARALLEL_MAKE = ""
> @@ -44,9 +44,10 @@ EXTRA_OEMAKE = "'KLIBCARCH=${KLIBC_ARCH}' \
>                  'INSTALLDIR=${libdir}/klibc' \
>                  'SHLIBDIR=${libdir}' \
>                  '${KLIBCTHUMB}' \
> -                'KLIBCOPTFLAGS=${TUNE_CCARGS} -Os' \
> +                'KLIBCOPTFLAGS=${TUNE_CCARGS}' \
>                   V=1 \
>                  "
> +EXTRA_OEMAKE += 'EXTRA_KLIBCAFLAGS="-Wa,--noexecstack" EXTRA_KLIBCLDFLAGS="-z noexecstack"'
>
>  export FIX_ARMV4_EABI_BX = "${FIX_V4BX}"
>  KLIBCTHUMB = "${@['CONFIG_KLIBC_THUMB=n', 'CONFIG_KLIBC_THUMB=y'][(d.getVar('ARM_INSTRUCTION_SET') == 'thumb')]}"
> --
> 2.18.0
>

More information about the Openembedded-devel mailing list