[oe] [meta-initramfs][PATCH 2/2] klibc: Fix build with security flags

Khem Raj raj.khem at gmail.com
Thu Sep 13 17:36:21 UTC 2018 

Thanks! can you cook a patch and send
On Thu, Sep 13, 2018 at 10:19 AM Andrea Adami <andrea.adami at gmail.com> wrote:
>
> Khem,
>
> with this fix it builds (I removed the two bottom lines)
> diff --git a/meta-initramfs/recipes-devtools/klibc/klibc.inc
> b/meta-initramfs/recipes-devtools/klibc/klibc.inc
> index 3d25e96..57f32ac 100644
> --- a/meta-initramfs/recipes-devtools/klibc/klibc.inc
> +++ b/meta-initramfs/recipes-devtools/klibc/klibc.inc
> @@ -47,7 +47,7 @@ EXTRA_OEMAKE = "'KLIBCARCH=${KLIBC_ARCH}' \
>                  'KLIBCOPTFLAGS=${TUNE_CCARGS}' \
>                   V=1 \
>                  "
> -EXTRA_OEMAKE += 'EXTRA_KLIBCAFLAGS="-Wa,--noexecstack"
> EXTRA_KLIBCLDFLAGS="-z noexecstack"'
> +EXTRA_OEMAKE += 'EXTRA_KLIBCAFLAGS="-Wa,--noexecstack"
> EXTRA_KLIBCLDFLAGS="-pie it -z noexecstack"'
>
>  export FIX_ARMV4_EABI_BX = "${FIX_V4BX}"
>  KLIBCTHUMB = "${@['CONFIG_KLIBC_THUMB=n',
> 'CONFIG_KLIBC_THUMB=y'][(d.getVar('ARM_INSTRUCTION_SET') ==
> 'thumb')]}"
> @@ -73,6 +73,3 @@ KLIBC_ARCH_x86-64 = "x86_64"
>  KLIBC_ARCH_powerpc = "ppc"
>  KLIBC_ARCH_powerpc64 = "ppc64"
>  THIS_LIBKLIBC = "libklibc (= ${PV}-${PR})"
> -
> -SECURITY_CFLAGS = "-fno-PIE -no-pie"
> -SECURITY_LDFLAGS = "-no-pie"
> On Thu, Sep 13, 2018 at 6:58 PM Andrea Adami <andrea.adami at gmail.com> wrote:
> >
> > Khem,
> >
> > build with gcc still fails:
> >
> > # i586-oe-linux-musl-ld.bfd -m elf_i386 -o usr/kinit/ipconfig/shared/ipc
> > onfig -z noexecstack -e main usr/klibc/interp.o --start-group
> > usr/kinit/ipconfig/main.o usr/kinit/ipconfig/netdev.o
> > usr/kinit/ipconfig/packet.o usr/kinit/ipconfig/dhcp_proto.o
> > usr/kinit/ipconfig/bootp_proto.o  -R usr/klibc/libc.so
> > /tmp/build/tmp-musl/work/i586-oe-linux-musl/klibc/2.0.4-r0/recipe-sysroot/usr/lib/i586-oe-linux-musl/*/libgcc.a
> > --end-group
> > i586-oe-linux-musl-ld.bfd: discarded output section: `.got.plt'
> >
> > However, adding  -pie to ld invocation seems solving the problem.
> >
> > root at andrea-ThinkPad-T520:/tmp/build/tmp-musl/work/i586-oe-linux-musl/klibc/2.0.4-r0/git#
> > i586-oe-linux-musl-ld.bfd -m elf_i386 -o usr/kinit/ipconfig/shared/ipc
> > onfig -z noexecstack -e main usr/klibc/interp.o --start-group
> > usr/kinit/ipconfig/main.o usr/kinit/ipconfig/netdev.o
> > usr/kinit/ipconfig/packet.o usr/kinit/ipconfig/dhcp_proto.o
> > usr/kinit/ipconfig/bootp_proto.o  -R usr/klibc/libc.so
> > /tmp/build/tmp-musl/work/i586-oe-linux-musl/klibc/2.0.4-r0/recipe-sysroot/usr/lib/i586-oe-linux-musl/*/libgcc.a
> > --end-group -pie
> > root at andrea-ThinkPad-T520:/tmp/build/tmp-musl/work/i586-oe-linux-musl/klibc/2.0.4-r0/git#
> >
> >
> > Cheers
> > Andrea
> >
> >
> > On Wed, Sep 12, 2018 at 2:19 AM Khem Raj <raj.khem at gmail.com> wrote:
> > >
> > > Drop -Os which is also causing the relro
> > > Fixes
> > > | x86_64-bec-linux-musl-ld.bfd: discarded output section: `.got.plt'
> > >
> > > Signed-off-by: Khem Raj <raj.khem at gmail.com>
> > > Cc: Andrea Adami <andrea.adami at gmail.com>
> > > ---
> > >  ...libc-Kbuild-Accept-EXTRA_KLIBCAFLAGS.patch | 28 +++++++++++++++++++
> > >  .../recipes-devtools/klibc/klibc.inc          |  9 +++---
> > >  2 files changed, 33 insertions(+), 4 deletions(-)
> > >  create mode 100644 meta-initramfs/recipes-devtools/klibc/klibc-2.0.4/0001-klibc-Kbuild-Accept-EXTRA_KLIBCAFLAGS.patch
> > >
> > > diff --git a/meta-initramfs/recipes-devtools/klibc/klibc-2.0.4/0001-klibc-Kbuild-Accept-EXTRA_KLIBCAFLAGS.patch b/meta-initramfs/recipes-devtools/klibc/klibc-2.0.4/0001-klibc-Kbuild-Accept-EXTRA_KLIBCAFLAGS.patch
> > > new file mode 100644
> > > index 0000000000..94818e3669
> > > --- /dev/null
> > > +++ b/meta-initramfs/recipes-devtools/klibc/klibc-2.0.4/0001-klibc-Kbuild-Accept-EXTRA_KLIBCAFLAGS.patch
> > > @@ -0,0 +1,28 @@
> > > +From cdc6edc2cfcd0ce88d6e66654d605dad303b1a75 Mon Sep 17 00:00:00 2001
> > > +From: Khem Raj <raj.khem at gmail.com>
> > > +Date: Tue, 11 Sep 2018 17:03:36 -0700
> > > +Subject: [PATCH] klibc/Kbuild: Accept EXTRA_KLIBCAFLAGS
> > > +
> > > +For passing additional assembler flags
> > > +
> > > +Upstream-Status: Pending
> > > +
> > > +Signed-off-by: Khem Raj <raj.khem at gmail.com>
> > > +---
> > > + usr/klibc/Kbuild | 3 ++-
> > > + 1 file changed, 2 insertions(+), 1 deletion(-)
> > > +
> > > +diff --git a/usr/klibc/Kbuild b/usr/klibc/Kbuild
> > > +index 98caf2e9..b34521e0 100644
> > > +--- a/usr/klibc/Kbuild
> > > ++++ b/usr/klibc/Kbuild
> > > +@@ -168,7 +168,8 @@ $(SOHASH): $(SOLIB) $(SOLIB).hash
> > > + targets += interp.o
> > > +
> > > + quiet_cmd_interp = BUILD   $@
> > > +-      cmd_interp = $(KLIBCCC) $(klibccflags) -D__ASSEMBLY__     \
> > > ++      cmd_interp = $(KLIBCCC) $(klibccflags) $(EXTRA_KLIBCAFLAGS) \
> > > ++                             -D__ASSEMBLY__     \
> > > +                              -DLIBDIR=\"$(SHLIBDIR)\"         \
> > > +                            -DSOHASH=\"$(SOLIBHASH)\" \
> > > +                            -c -o $@ $<
> > > diff --git a/meta-initramfs/recipes-devtools/klibc/klibc.inc b/meta-initramfs/recipes-devtools/klibc/klibc.inc
> > > index f0b20bc7fd..3d25e96cd4 100644
> > > --- a/meta-initramfs/recipes-devtools/klibc/klibc.inc
> > > +++ b/meta-initramfs/recipes-devtools/klibc/klibc.inc
> > > @@ -21,9 +21,10 @@ SRC_URI = "git://git.kernel.org/pub/scm/libs/klibc/klibc.git \
> > >             file://0001-Kbuild.klibc-Use-print-libgcc-file-name-instead-of-p.patch \
> > >             file://0001-Kbuild.klibc-Add-path-to-compiler-headers-via-isyste.patch \
> > >             file://0001-arm-Do-not-set-a-fallback-march-and-mtune.patch \
> > > -           file://0001-klibc_2.0.4-add-kexec_file_load-syscall.patch  \
> > > +           file://0001-klibc_2.0.4-add-kexec_file_load-syscall.patch \
> > >             file://0001-klibc-add-getrandom-syscall.patch \
> > > -"
> > > +           file://0001-klibc-Kbuild-Accept-EXTRA_KLIBCAFLAGS.patch \
> > > +           "
> > >
> > >  ARMPATCHES ?= ""
> > >
> > > @@ -31,7 +32,6 @@ ARMPATCHES_arm = "file://klibc-config-eabi.patch \
> > >                    file://armv4-fix-v4bx.patch \
> > >                   "
> > >
> > > -
> > >  S = "${WORKDIR}/git"
> > >
> > >  PARALLEL_MAKE = ""
> > > @@ -44,9 +44,10 @@ EXTRA_OEMAKE = "'KLIBCARCH=${KLIBC_ARCH}' \
> > >                  'INSTALLDIR=${libdir}/klibc' \
> > >                  'SHLIBDIR=${libdir}' \
> > >                  '${KLIBCTHUMB}' \
> > > -                'KLIBCOPTFLAGS=${TUNE_CCARGS} -Os' \
> > > +                'KLIBCOPTFLAGS=${TUNE_CCARGS}' \
> > >                   V=1 \
> > >                  "
> > > +EXTRA_OEMAKE += 'EXTRA_KLIBCAFLAGS="-Wa,--noexecstack" EXTRA_KLIBCLDFLAGS="-z noexecstack"'
> > >
> > >  export FIX_ARMV4_EABI_BX = "${FIX_V4BX}"
> > >  KLIBCTHUMB = "${@['CONFIG_KLIBC_THUMB=n', 'CONFIG_KLIBC_THUMB=y'][(d.getVar('ARM_INSTRUCTION_SET') == 'thumb')]}"
> > > --
> > > 2.18.0
> > >

More information about the Openembedded-devel mailing list