From: Arnout Vandecappelle <arnout@mind.be>
To: buildroot@busybox.net
Subject: [Buildroot] [PATCH 2/6] package/Makefile.in: Add missing options to LDFLAGS for full RELRO build
Date: Wed, 11 Jul 2018 23:26:55 +0200 [thread overview]
Message-ID: <4e64b93d-e5fd-a666-2e08-ae03ecac941e@mind.be> (raw)
In-Reply-To: <20180711143113.11927-3-matthew.weber@rockwellcollins.com>
On 11-07-18 16:31, Matt Weber wrote:
> From: Stefan S?rensen <stefan.sorensen@spectralink.com>
>
> The options for a full RELRO build should also be added to LDFLAGS.
>
> Originally submitted as
> http://patchwork.ozlabs.org/patch/904034/
>
> Signed-off-by: Stefan S?rensen <stefan.sorensen@spectralink.com>
> Signed-off-by: Matt Weber <matthew.weber@rockwellcollins.com>
> ---
> package/Makefile.in | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/package/Makefile.in b/package/Makefile.in
> index 5e0ff8c841..14b3bbd243 100644
> --- a/package/Makefile.in
> +++ b/package/Makefile.in
> @@ -159,7 +159,7 @@ TARGET_HARDENED += $(TARGET_CFLAGS_RELRO)
> TARGET_LDFLAGS += $(TARGET_CFLAGS_RELRO)
> else ifeq ($(BR2_RELRO_FULL),y)
> TARGET_HARDENED += -fPIE $(TARGET_CFLAGS_RELRO_FULL)
> -TARGET_LDFLAGS += -pie
> +TARGET_LDFLAGS += -pie $(TARGET_CFLAGS_RELRO_FULL)
Actually, those flags (-Wl,-z,now,-z,relo) really are link-time flags only. So
really there is no reason why we would have them in TARGET_CFLAGS (i.e. in
TARGET_HARDENED). However, it is likely that there are packages that only apply
TARGET_CFLAGS to linking, not TARGET_LDFLAGS (we currently have no way of
knowing, since all of the LDFLAGS are also in CFLAGS, except for the hardening
ones).
I have also considered to add TARGET_HARDENING to TARGET_LDFLAGS. However, it
is really only this -Wl,-z,... option which is relevant in LDFLAGS; the
-fstack-protector and -D_FORTIFY options can never have any effect. So this
looks good.
Reviewed-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
I have one little gripe, not directly related to this patch: I think the
variables TARGET_CFLAGS_RELRO and TARGET_CFLAGS_RELRO_FULL have little value,
they make IMO the code harder to read.
Regards,
Arnout
> endif
>
> ifeq ($(BR2_FORTIFY_SOURCE_1),y)
>
--
Arnout Vandecappelle arnout at mind be
Senior Embedded Software Architect +32-16-286500
Essensium/Mind http://www.mind.be
G.Geenslaan 9, 3001 Leuven, Belgium BE 872 984 063 RPR Leuven
LinkedIn profile: http://www.linkedin.com/in/arnoutvandecappelle
GPG fingerprint: 7493 020B C7E3 8618 8DEC 222C 82EB F404 F9AC 0DDF
next prev parent reply other threads:[~2018-07-11 21:26 UTC|newest]
Thread overview: 44+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-07-11 14:31 [Buildroot] [PATCH 0/6] Hardening Flag Bugfix/Enhancement Matt Weber
2018-07-11 14:31 ` [Buildroot] [PATCH 1/6] package/Makefile.in: Do not use CPPFLAGS for hardening options Matt Weber
2018-07-11 21:14 ` Arnout Vandecappelle
2018-08-10 20:31 ` Thomas Petazzoni
2018-07-11 14:31 ` [Buildroot] [PATCH 2/6] package/Makefile.in: Add missing options to LDFLAGS for full RELRO build Matt Weber
2018-07-11 21:26 ` Arnout Vandecappelle [this message]
2018-08-10 20:33 ` Thomas Petazzoni
2018-07-11 14:31 ` [Buildroot] [PATCH 3/6] package/Makefile.in: Use gcc spec files for PIE build flags Matt Weber
2018-07-11 21:44 ` Arnout Vandecappelle
2018-07-11 23:17 ` Matthew Weber
2018-07-13 9:39 ` Arnout Vandecappelle
2018-07-13 12:31 ` Matthew Weber
2018-07-19 9:49 ` Sørensen, Stefan
2018-07-19 12:58 ` Matthew Weber
2018-07-19 13:10 ` Sørensen, Stefan
2018-08-07 17:02 ` Matthew Weber
2018-08-07 17:20 ` Matthew Weber
2018-08-08 7:24 ` Jan Kundrát
2018-08-08 8:35 ` Jan Kundrát
2018-08-08 11:38 ` Matthew Weber
2018-08-09 14:32 ` Matthew Weber
2018-08-28 20:07 ` Matthew Weber
2018-08-10 20:50 ` Thomas Petazzoni
2018-08-11 0:42 ` Matthew Weber
2018-08-11 10:29 ` Thomas Petazzoni
2018-08-12 3:55 ` Matthew Weber
2018-08-12 7:41 ` Thomas Petazzoni
2018-08-12 12:49 ` Matthew Weber
2018-08-12 15:07 ` Thomas Petazzoni
2018-08-12 21:20 ` Arnout Vandecappelle
2018-07-11 14:31 ` [Buildroot] [PATCH 4/6] support/testing: runtest proxy support Matt Weber
2018-07-11 21:47 ` Arnout Vandecappelle
2018-08-10 20:51 ` Thomas Petazzoni
2018-08-11 0:30 ` Matthew Weber
2018-08-11 1:03 ` Matthew Weber
2018-07-11 14:31 ` [Buildroot] [PATCH 5/6] package/checksec: new package Matt Weber
2018-08-10 20:58 ` Thomas Petazzoni
2018-08-11 0:57 ` Matthew Weber
2018-08-11 10:30 ` Thomas Petazzoni
2018-07-11 14:31 ` [Buildroot] [PATCH 6/6] support/testing/tests/core: SSP & hardening flags Matt Weber
2018-07-16 1:32 ` Ricardo Martincoski
2018-07-17 2:53 ` Matthew Weber
2018-07-17 3:05 ` Matthew Weber
2018-07-12 11:44 ` [Buildroot] [PATCH 0/6] Hardening Flag Bugfix/Enhancement Matthew Weber
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=4e64b93d-e5fd-a666-2e08-ae03ecac941e@mind.be \
--to=arnout@mind.be \
--cc=buildroot@busybox.net \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.