[oe] [meta-initramfs][PATCH v2] klibc: fix build on i386 with GCC and security flags enabled

Andrea Adami andrea.adami at gmail.com
Mon Sep 17 13:09:04 UTC 2018


On Sat, Sep 15, 2018 at 1:30 PM Hongxu Jia <hongxu.jia at windriver.com> wrote:
>
> On 2018-09-15 18:58, Andrea Adami wrote:
> > On Sat, Sep 15, 2018 at 10:15 AM Hongxu Jia <hongxu.jia at windriver.com> wrote:
> >> On 2018-09-15 02:02, Andrea Adami wrote:
> >>> ld fails if distro's security-flags are enabled:
> >>> Inject the SECURITY_XFLAGS if security_flags.inc was included.
> >>>
> >>> Fix on i386: ld: discarded output section: `.got.plt'
> >>>
> >>> Signed-off-by: Andrea Adami <andrea.adami at gmail.com>
> >>> ---
> >>>    meta-initramfs/recipes-devtools/klibc/klibc.inc | 6 +++---
> >>>    1 file changed, 3 insertions(+), 3 deletions(-)
> >>>
> >>> diff --git a/meta-initramfs/recipes-devtools/klibc/klibc.inc b/meta-initramfs/recipes-devtools/klibc/klibc.inc
> >>> index 3d25e96..837b026 100644
> >>> --- a/meta-initramfs/recipes-devtools/klibc/klibc.inc
> >>> +++ b/meta-initramfs/recipes-devtools/klibc/klibc.inc
> >>> @@ -47,7 +47,8 @@ EXTRA_OEMAKE = "'KLIBCARCH=${KLIBC_ARCH}' \
> >>>                    'KLIBCOPTFLAGS=${TUNE_CCARGS}' \
> >>>                     V=1 \
> >>>                    "
> >>> -EXTRA_OEMAKE += 'EXTRA_KLIBCAFLAGS="-Wa,--noexecstack" EXTRA_KLIBCLDFLAGS="-z noexecstack"'
> >>> +EXTRA_OEMAKE += "'EXTRA_KLIBCAFLAGS=${SECURITY_CFLAGS} -Wa,--noexecstack' \
> >>> +                 'EXTRA_KLIBCLDFLAGS=${SECURITY_LDFLAGS} -z noexecstack'"
> >>>
> >> Is it necessary to pass SECURITY_XFLAGS directly? While including
> >> security_flags.inc,
> >> CC will contain SECURITY_CFLAGS and LDFLAGS will contain SECURITY_LDFLAGS.
> >> Maybe you should make sure to pass LDFLAGS to EXTRA_KLIBCLDFLAGS to avoid
> >> ldflags qa warning.
> >>
> >> [security_flags.inc]
> >>    58 TARGET_CC_ARCH_append_class-target = " ${SECURITY_CFLAGS}"
> >>    59 TARGET_LDFLAGS_append_class-target = " ${SECURITY_LDFLAGS}"
> >> [security_flags.inc]
> >>
> >>>    export FIX_ARMV4_EABI_BX = "${FIX_V4BX}"
> >>>    KLIBCTHUMB = "${@['CONFIG_KLIBC_THUMB=n', 'CONFIG_KLIBC_THUMB=y'][(d.getVar('ARM_INSTRUCTION_SET') == 'thumb')]}"
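Review bot: `${SECURITY_CFLAGS}` in the new `EXTRA_KLIBCAFLAGS` line has no definition left in this file, because the last hunk deletes the recipe's own `SECURITY_CFLAGS` assignment, so the expansion depends entirely on security_flags.inc being included, which the commit message treats as optional ("if security_flags.inc was included"). Consider a weak default such as `SECURITY_CFLAGS ?= ""` next to the remaining `SECURITY_LDFLAGS` assignment. A short comment above the two `EXTRA_OEMAKE` lines stating that the linker flags are passed in bare `-z ...` form, without `-Wl,`, because klibc's makefiles call ld directly would also save the next reader the question raised in this thread.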
> >>> @@ -74,5 +75,4 @@ KLIBC_ARCH_powerpc = "ppc"
> >>>    KLIBC_ARCH_powerpc64 = "ppc64"
> >>>    THIS_LIBKLIBC = "libklibc (= ${PV}-${PR})"
> >>>
> >>> -SECURITY_CFLAGS = "-fno-PIE -no-pie"
> >>> -SECURITY_LDFLAGS = "-no-pie"
> >>> +SECURITY_LDFLAGS = "${@'-z relro -z now -pie' if '${GCCPIE}' else ''}"
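Review bot: The `'${GCCPIE}'` test in the new `SECURITY_LDFLAGS` line only checks that the expanded text is a non-empty string, and the plain `=` assignment applies `-pie` to every architecture. `d.getVar('GCCPIE')`, the form this file already uses for `KLIBCTHUMB`, makes the unset case explicit, and a per-architecture override is needed for targets whose klibc makefiles build without PIC, as the mips breakage mentioned later in this thread shows. Since the `-fno-PIE -no-pie` lines are removed without replacement, a one-line comment on why PIE is now wanted for klibc would document the reversal.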
> >> The same reason, it is not necessary to test GCCPIE,
> >>
> >> and it missed "-Wl,"?, how about directly set SECURITY_STACK_PROTECTOR = ""
> >>
> > Hi,
> > thanks for reviewing.
> >
> > It is true the SECURITY_CFLAGS are passed to the compiler.
> > The problem is, klibc has its own arch makefiles (MCONFIG) and the
> > linker is called directly, so if you just append the LDFLAGS like
> > this:
> >
> > EXTRA_OEMAKE += "'EXTRA_KLIBCAFLAGS=-Wa,--noexecstack' \
> >                   'EXTRA_KLIBCLDFLAGS=${LDFLAGS} -z noexecstack'"
> >
> > you get:
> >
> >    i586-oe-linux-musl-ld.bfd -m elf_i386 -o usr/kinit/ipconfig/static/ipconfig -Wl,-O1 -Wl,--hash-style=gnu -Wl,--as-needed -z relro -z now -pie -z noexecstack usr/klibc/arch/i386/crt0.o --start-group  usr/kinit/ipconfig/main.o usr/kinit/ipconfig/netdev.o usr/kinit/ipconfig/packet.o usr/kinit/ipconfig/dhcp_proto.o usr/kinit/ipconfig/bootp_proto.o  usr/klibc/libc.a /tmp/build/tmp-musl/work/i586-oe-linux-musl/klibc/2.0.4-r0/recipe-sysroot/usr/lib/i586-oe-linux-musl/*/libgcc.a --end-group ; cp -f usr/kinit/ipconfig/static/ipconfig usr/kinit/ipconfig/static/ipconfig.g ; i586-oe-linux-musl-strip --strip-all -R .comment -R .note --strip-all -R .comment -R .note --strip-all -R .comment -R .note usr/kinit/ipconfig/static/ipconfig
> > i586-oe-linux-musl-ld.bfd: unrecognized option '-Wl,-O1'
> >
> > Thus I am making the SECURITY_LDFLAGS explicit.
> >
> > Note that this patch, injecting the -pie, does now break build for mips,
> > because the MCONFIG for mips disables pic.
> > The immediate fix is to remove -pie for mips (standard behavior).
>
> OK, thanks for the explanation
>
> //Hongxu

Hi,

with a following patch more archs were fixed when building with security flags.
I ended up appending both SECURITY_CFLAGS and SECURITY_LDFLAGS and I
only have to special-case the mips/mips64 which at the time of klibc
(10yrs ago) if you read the kernel was expecting pic code in userspace
but here in klibc I see pic disabled in the makefiles...
Maybe Khem can test runtime...my only mips is a DTB decoder (well,
with a bit of motivation I could do that, it's OpenPli).

Cheers
Andrea


>
> > Cheers
> > Andrea
> >
> >
> >> //Hongxu
> >>
>
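
The `unrecognized option '-Wl,-O1'` failure discussed in this thread, as an added example that is not part of the original message or of the klibc recipe: a hypothetical helper, `ld_direct_flags`, rewrites compiler-driver style linker flags into the arguments a directly invoked ld accepts. The sample flag string is copied from the failing ld command quoted above.

```shell
#!/bin/sh
# Added example; ld_direct_flags is a hypothetical helper, not part of klibc
# or OpenEmbedded. It rewrites compiler-driver linker flags ("-Wl,a,b") into
# the plain arguments ("a b") that ld expects when it is invoked directly,
# which is how klibc's arch makefiles call the linker.
ld_direct_flags() (
    set -f                      # no pathname expansion while splitting flags
    out=""
    for flag in $1; do
        case "$flag" in
            -Wl,*)
                # Strip the prefix; each remaining comma separates one ld argument.
                args=$(printf '%s' "${flag#-Wl,}" | tr ',' ' ')
                out="$out $args"
                ;;
            *)
                # Flags such as "-z relro" are already in ld's own syntax.
                out="$out $flag"
                ;;
        esac
    done
    printf '%s\n' "${out# }"
)

# Linker flags as they appear in the failing ld command quoted in the thread.
SAMPLE_LDFLAGS="-Wl,-O1 -Wl,--hash-style=gnu -Wl,--as-needed -z relro -z now -pie -z noexecstack"

ld_direct_flags "$SAMPLE_LDFLAGS"
```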