[oe] [meta-initramfs][PATCH v2] klibc: fix build on i386 with GCC and security flags enabled

Hongxu Jia hongxu.jia at windriver.com
Sat Sep 15 11:30:21 UTC 2018 

On 2018年09月15日 18:58, Andrea Adami wrote:
> On Sat, Sep 15, 2018 at 10:15 AM Hongxu Jia <hongxu.jia at windriver.com> wrote:
>> On 2018年09月15日 02:02, Andrea Adami wrote:
>>> ld fails if distro's security-flags are enabled:
>>> Inject the SECURITY_XFLAGS if security_flags.inc was included.
>>>
>>> Fix on i386: ld: discarded output section: `.got.plt'
>>>
>>> Signed-off-by: Andrea Adami <andrea.adami at gmail.com>
>>> ---
>>>    meta-initramfs/recipes-devtools/klibc/klibc.inc | 6 +++---
>>>    1 file changed, 3 insertions(+), 3 deletions(-)
>>>
>>> diff --git a/meta-initramfs/recipes-devtools/klibc/klibc.inc b/meta-initramfs/recipes-devtools/klibc/klibc.inc
>>> index 3d25e96..837b026 100644
>>> --- a/meta-initramfs/recipes-devtools/klibc/klibc.inc
>>> +++ b/meta-initramfs/recipes-devtools/klibc/klibc.inc
>>> @@ -47,7 +47,8 @@ EXTRA_OEMAKE = "'KLIBCARCH=${KLIBC_ARCH}' \
>>>                    'KLIBCOPTFLAGS=${TUNE_CCARGS}' \
>>>                     V=1 \
>>>                    "
>>> -EXTRA_OEMAKE += 'EXTRA_KLIBCAFLAGS="-Wa,--noexecstack" EXTRA_KLIBCLDFLAGS="-z noexecstack"'
>>> +EXTRA_OEMAKE += "'EXTRA_KLIBCAFLAGS=${SECURITY_CFLAGS} -Wa,--noexecstack' \
>>> +                 'EXTRA_KLIBCLDFLAGS=${SECURITY_LDFLAGS} -z noexecstack'"
>>>
>> Is it necessary to pass SECURITY_XFLAGS directly? While including
>> security_flags.inc,
>> CC will contain SECURITY_CFLAGS and LDFLAGS will contain SECURITY_LDFLAGS.
>> Maybe you should make sure  to pass LDFLAGS to EXTRA_KLIBCLDFLAGS to avoid
>> ldflags qa warning.
>>
>> [security_flags.inc]
>>    58 TARGET_CC_ARCH_append_class-target = " ${SECURITY_CFLAGS}"
>>    59 TARGET_LDFLAGS_append_class-target = " ${SECURITY_LDFLAGS}"
>> [security_flags.inc]
>>
>>>    export FIX_ARMV4_EABI_BX = "${FIX_V4BX}"
>>>    KLIBCTHUMB = "${@['CONFIG_KLIBC_THUMB=n', 'CONFIG_KLIBC_THUMB=y'][(d.getVar('ARM_INSTRUCTION_SET') == 'thumb')]}"
>>> @@ -74,5 +75,4 @@ KLIBC_ARCH_powerpc = "ppc"
>>>    KLIBC_ARCH_powerpc64 = "ppc64"
>>>    THIS_LIBKLIBC = "libklibc (= ${PV}-${PR})"
>>>
>>> -SECURITY_CFLAGS = "-fno-PIE -no-pie"
>>> -SECURITY_LDFLAGS = "-no-pie"
>>> +SECURITY_LDFLAGS = "${@'-z relro -z now -pie' if '${GCCPIE}' else ''}"
>> The same reason, it is not necessary to test GCCPIE,
>>
>> and it missed "-Wl,"?, how about directly set SECURITY_STACK_PROTECTOR = ""
>>
> Hi,
> thanks for reviewing.
>
> It is true the SECURITY_CFLAGS are passed to the compiler.
> The problem is, klibc has its own arch makefiles (MCONFIG) and the
> linker is called directly, so if you just append the LDFLAGS like
> this:
>
> EXTRA_OEMAKE += "'EXTRA_KLIBCAFLAGS=-Wa,--noexecstack' \
>                   'EXTRA_KLIBCLDFLAGS=${LDFLAGS} -z noexecstack'"
>
> you get:
>
>    i586-oe-linux-musl-ld.bfd -m elf_i386 -o usr/kinit/ipconfig/static/ipconfig -W
> l,-O1 -Wl,--hash-style=gnu -Wl,--as-needed -z relro -z now -pie -z noexecstack u
> sr/klibc/arch/i386/crt0.o --start-group  usr/kinit/ipconfig/main.o usr/kinit/ipc
> onfig/netdev.o usr/kinit/ipconfig/packet.o usr/kinit/ipconfig/dhcp_proto.o usr/k
> init/ipconfig/bootp_proto.o  usr/klibc/libc.a /tmp/build/tmp-musl/work/i586-oe-l
> inux-musl/klibc/2.0.4-r0/recipe-sysroot/usr/lib/i586-oe-linux-musl/*/libgcc.a --
> end-group ; cp -f usr/kinit/ipconfig/static/ipconfig usr/kinit/ipconfig/static/i
> pconfig.g ; i586-oe-linux-musl-strip --strip-all -R .comment -R .note --strip-al
> l -R .comment -R .note --strip-all -R .comment -R .note usr/kinit/ipconfig/stati
> c/ipconfig
> i586-oe-linux-musl-ld.bfd: unrecognized option '-Wl,-O1'
>
> Thus I am expliciting the SECURITY_LDFLAGS.
>
> Note that this patch, injecting the -pie, does now break build for mips,
> because the MCONFIG foir mips disables pic.
> The immediate fix is to remove -pie for mips (standard behavior).

OK, thanks for the explain

//Hongxu

> Cheers
> Andrea
>
>
>> //Hongxu
>>

More information about the Openembedded-devel mailing list