[oe] [meta-initramfs][PATCH v2] klibc: fix build on i386 with GCC and security flags enabled

Andrea Adami andrea.adami at gmail.com
Sat Sep 15 10:58:50 UTC 2018 

On Sat, Sep 15, 2018 at 10:15 AM Hongxu Jia <hongxu.jia at windriver.com> wrote:
>
> On 2018年09月15日 02:02, Andrea Adami wrote:
> > ld fails if distro's security-flags are enabled:
> > Inject the SECURITY_XFLAGS if security_flags.inc was included.
> >
> > Fix on i386: ld: discarded output section: `.got.plt'
> >
> > Signed-off-by: Andrea Adami <andrea.adami at gmail.com>
> > ---
> >   meta-initramfs/recipes-devtools/klibc/klibc.inc | 6 +++---
> >   1 file changed, 3 insertions(+), 3 deletions(-)
> >
> > diff --git a/meta-initramfs/recipes-devtools/klibc/klibc.inc b/meta-initramfs/recipes-devtools/klibc/klibc.inc
> > index 3d25e96..837b026 100644
> > --- a/meta-initramfs/recipes-devtools/klibc/klibc.inc
> > +++ b/meta-initramfs/recipes-devtools/klibc/klibc.inc
> > @@ -47,7 +47,8 @@ EXTRA_OEMAKE = "'KLIBCARCH=${KLIBC_ARCH}' \
> >                   'KLIBCOPTFLAGS=${TUNE_CCARGS}' \
> >                    V=1 \
> >                   "
> > -EXTRA_OEMAKE += 'EXTRA_KLIBCAFLAGS="-Wa,--noexecstack" EXTRA_KLIBCLDFLAGS="-z noexecstack"'
> > +EXTRA_OEMAKE += "'EXTRA_KLIBCAFLAGS=${SECURITY_CFLAGS} -Wa,--noexecstack' \
> > +                 'EXTRA_KLIBCLDFLAGS=${SECURITY_LDFLAGS} -z noexecstack'"
> >
> Is it necessary to pass SECURITY_XFLAGS directly? While including
> security_flags.inc,
> CC will contain SECURITY_CFLAGS and LDFLAGS will contain SECURITY_LDFLAGS.
> Maybe you should make sure  to pass LDFLAGS to EXTRA_KLIBCLDFLAGS to avoid
> ldflags qa warning.
>
> [security_flags.inc]
>   58 TARGET_CC_ARCH_append_class-target = " ${SECURITY_CFLAGS}"
>   59 TARGET_LDFLAGS_append_class-target = " ${SECURITY_LDFLAGS}"
> [security_flags.inc]
>
> >   export FIX_ARMV4_EABI_BX = "${FIX_V4BX}"
> >   KLIBCTHUMB = "${@['CONFIG_KLIBC_THUMB=n', 'CONFIG_KLIBC_THUMB=y'][(d.getVar('ARM_INSTRUCTION_SET') == 'thumb')]}"
> > @@ -74,5 +75,4 @@ KLIBC_ARCH_powerpc = "ppc"
> >   KLIBC_ARCH_powerpc64 = "ppc64"
> >   THIS_LIBKLIBC = "libklibc (= ${PV}-${PR})"
> >
> > -SECURITY_CFLAGS = "-fno-PIE -no-pie"
> > -SECURITY_LDFLAGS = "-no-pie"
> > +SECURITY_LDFLAGS = "${@'-z relro -z now -pie' if '${GCCPIE}' else ''}"
>
> The same reason, it is not necessary to test GCCPIE,
>
> and it missed "-Wl,"?, how about directly set SECURITY_STACK_PROTECTOR = ""
>
Hi,
thanks for reviewing.

It is true the SECURITY_CFLAGS are passed to the compiler.
The problem is, klibc has its own arch makefiles (MCONFIG) and the
linker is called directly, so if you just append the LDFLAGS like
this:

EXTRA_OEMAKE += "'EXTRA_KLIBCAFLAGS=-Wa,--noexecstack' \
                 'EXTRA_KLIBCLDFLAGS=${LDFLAGS} -z noexecstack'"

you get:

  i586-oe-linux-musl-ld.bfd -m elf_i386 -o usr/kinit/ipconfig/static/ipconfig -W
l,-O1 -Wl,--hash-style=gnu -Wl,--as-needed -z relro -z now -pie -z noexecstack u
sr/klibc/arch/i386/crt0.o --start-group  usr/kinit/ipconfig/main.o usr/kinit/ipc
onfig/netdev.o usr/kinit/ipconfig/packet.o usr/kinit/ipconfig/dhcp_proto.o usr/k
init/ipconfig/bootp_proto.o  usr/klibc/libc.a /tmp/build/tmp-musl/work/i586-oe-l
inux-musl/klibc/2.0.4-r0/recipe-sysroot/usr/lib/i586-oe-linux-musl/*/libgcc.a --
end-group ; cp -f usr/kinit/ipconfig/static/ipconfig usr/kinit/ipconfig/static/i
pconfig.g ; i586-oe-linux-musl-strip --strip-all -R .comment -R .note --strip-al
l -R .comment -R .note --strip-all -R .comment -R .note usr/kinit/ipconfig/stati
c/ipconfig
i586-oe-linux-musl-ld.bfd: unrecognized option '-Wl,-O1'

Thus I am expliciting the SECURITY_LDFLAGS.

Note that this patch, injecting the -pie, does now break build for mips,
because the MCONFIG foir mips disables pic.
The immediate fix is to remove -pie for mips (standard behavior).

Cheers
Andrea


>
> //Hongxu
>

More information about the Openembedded-devel mailing list