[Buildroot] [PATCH v2 0/3] Hardening build flags fixes

[Buildroot] [PATCH v2 0/3] Hardening build flags fixes

[Stefan Sørensen]

This series provides a number of fixes and cleanups of the build flags
releated to hardened builds.

Changes v1->v2:
  * Drop patch removing linker flags from TARGET_CFLAGS
  * Use a single spec file for compiler and linker flags

Stefan S?rensen (3):
  package/Makefile.in: Do not use CPPFLAGS for hardening options
  package/Makefile.in: Add missing options to LDFLAGS for full RELRO
    build
  package/Makefile.in: Use gcc spec files for PIE build flags

 package/Makefile.in     | 18 +++++++++---------
 toolchain/gcc-specs-pie |  5 +++++
 2 files changed, 14 insertions(+), 9 deletions(-)
 create mode 100644 toolchain/gcc-specs-pie

-- 
1.8.3.1

[Buildroot] [PATCH v2 1/3] package/Makefile.in: Do not use CPPFLAGS for hardening options

[Stefan Sørensen]

The hardening options are compiler flags, not pure pre-processor flags, so
put them in CFLAGS, not CPPFLAGS.

This fixes build errors where -D_FORTIFY_SOURCE=2 whas put in CPPFLAGS and
then applied to configure tests which could fail since the required -O2 is
only in CFLAGS.

Signed-off-by: Stefan S?rensen <stefan.sorensen@spectralink.com>
---
 package/Makefile.in | 16 ++++++++--------
 1 file changed, 8 insertions(+), 8 deletions(-)

diff --git a/package/Makefile.in b/package/Makefile.in
index f296276..5e0ff8c 100644
--- a/package/Makefile.in
+++ b/package/Makefile.in
@@ -147,29 +147,29 @@ TARGET_CFLAGS_RELRO_FULL = -Wl,-z,now $(TARGET_CFLAGS_RELRO)
 TARGET_LDFLAGS = $(call qstrip,$(BR2_TARGET_LDFLAGS))
 
 ifeq ($(BR2_SSP_REGULAR),y)
-TARGET_CPPFLAGS += -fstack-protector
+TARGET_HARDENED += -fstack-protector
 else ifeq ($(BR2_SSP_STRONG),y)
-TARGET_CPPFLAGS += -fstack-protector-strong
+TARGET_HARDENED += -fstack-protector-strong
 else ifeq ($(BR2_SSP_ALL),y)
-TARGET_CPPFLAGS += -fstack-protector-all
+TARGET_HARDENED += -fstack-protector-all
 endif
 
 ifeq ($(BR2_RELRO_PARTIAL),y)
-TARGET_CPPFLAGS += $(TARGET_CFLAGS_RELRO)
+TARGET_HARDENED += $(TARGET_CFLAGS_RELRO)
 TARGET_LDFLAGS += $(TARGET_CFLAGS_RELRO)
 else ifeq ($(BR2_RELRO_FULL),y)
-TARGET_CPPFLAGS += -fPIE $(TARGET_CFLAGS_RELRO_FULL)
+TARGET_HARDENED += -fPIE $(TARGET_CFLAGS_RELRO_FULL)
 TARGET_LDFLAGS += -pie
 endif
 
 ifeq ($(BR2_FORTIFY_SOURCE_1),y)
-TARGET_CPPFLAGS += -D_FORTIFY_SOURCE=1
+TARGET_HARDENED += -D_FORTIFY_SOURCE=1
 else ifeq ($(BR2_FORTIFY_SOURCE_2),y)
-TARGET_CPPFLAGS += -D_FORTIFY_SOURCE=2
+TARGET_HARDENED += -D_FORTIFY_SOURCE=2
 endif
 
 TARGET_CPPFLAGS += -D_LARGEFILE_SOURCE -D_LARGEFILE64_SOURCE -D_FILE_OFFSET_BITS=64
-TARGET_CFLAGS = $(TARGET_CPPFLAGS) $(TARGET_ABI) $(TARGET_OPTIMIZATION) $(TARGET_DEBUGGING)
+TARGET_CFLAGS = $(TARGET_CPPFLAGS) $(TARGET_ABI) $(TARGET_OPTIMIZATION) $(TARGET_DEBUGGING) $(TARGET_HARDENED)
 TARGET_CXXFLAGS = $(TARGET_CFLAGS)
 TARGET_FCFLAGS = $(TARGET_ABI) $(TARGET_OPTIMIZATION) $(TARGET_DEBUGGING)
 
-- 
1.8.3.1

[Buildroot] [PATCH v2 2/3] package/Makefile.in: Add missing options to LDFLAGS for full RELRO build

[Stefan Sørensen]

The options for a full RELRO build should also be added to LDFLAGS.

Signed-off-by: Stefan S?rensen <stefan.sorensen@spectralink.com>
---
 package/Makefile.in | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/package/Makefile.in b/package/Makefile.in
index 5e0ff8c..14b3bbd 100644
--- a/package/Makefile.in
+++ b/package/Makefile.in
@@ -159,7 +159,7 @@ TARGET_HARDENED += $(TARGET_CFLAGS_RELRO)
 TARGET_LDFLAGS += $(TARGET_CFLAGS_RELRO)
 else ifeq ($(BR2_RELRO_FULL),y)
 TARGET_HARDENED += -fPIE $(TARGET_CFLAGS_RELRO_FULL)
-TARGET_LDFLAGS += -pie
+TARGET_LDFLAGS += -pie $(TARGET_CFLAGS_RELRO_FULL)
 endif
 
 ifeq ($(BR2_FORTIFY_SOURCE_1),y)
-- 
1.8.3.1

[Buildroot] [PATCH v2 3/3] package/Makefile.in: Use gcc spec files for PIE build flags

[Stefan Sørensen]

The PIE build flags are only intended for building executables and can not be
used in relocateable links (-r), static builds and shared library build -
including the flags here causes build errors.

So instead of parsing the PIE flags directly on the command line to gcc,
include them in a gcc spec file where it is possible to only apply the flags
when other incompatible flags are not set.

This method and the spec file are from the Fedora build system.

Signed-off-by: Stefan S?rensen <stefan.sorensen@spectralink.com>
---
 package/Makefile.in     | 4 ++--
 toolchain/gcc-specs-pie | 5 +++++
 2 files changed, 7 insertions(+), 2 deletions(-)
 create mode 100644 toolchain/gcc-specs-pie

diff --git a/package/Makefile.in b/package/Makefile.in
index 14b3bbd..433701c 100644
--- a/package/Makefile.in
+++ b/package/Makefile.in
@@ -158,8 +158,8 @@ ifeq ($(BR2_RELRO_PARTIAL),y)
 TARGET_HARDENED += $(TARGET_CFLAGS_RELRO)
 TARGET_LDFLAGS += $(TARGET_CFLAGS_RELRO)
 else ifeq ($(BR2_RELRO_FULL),y)
-TARGET_HARDENED += -fPIE $(TARGET_CFLAGS_RELRO_FULL)
-TARGET_LDFLAGS += -pie $(TARGET_CFLAGS_RELRO_FULL)
+TARGET_HARDENED += -specs=$(TOPDIR)/toolchain/gcc-specs-pie $(TARGET_CFLAGS_RELRO_FULL)
+TARGET_LDFLAGS += -specs=$(TOPDIR)/toolchain/gcc-specs-pie $(TARGET_CFLAGS_RELRO_FULL)
 endif
 
 ifeq ($(BR2_FORTIFY_SOURCE_1),y)
diff --git a/toolchain/gcc-specs-pie b/toolchain/gcc-specs-pie
new file mode 100644
index 0000000..dc03736
--- /dev/null
+++ b/toolchain/gcc-specs-pie
@@ -0,0 +1,5 @@
+*cc1_options:
++ %{!r:%{!fpie:%{!fPIE:%{!fpic:%{!fPIC:%{!fno-pic:-fPIE}}}}}}
+
+*self_spec:
++ %{!static:%{!shared:%{!r:-pie}}}
-- 
1.8.3.1

[Buildroot] [PATCH v2 0/3] Hardening build flags fixes

[Thomas Petazzoni]

Hello Stefan,

On Thu, 19 Jul 2018 13:02:00 +0200, Stefan S?rensen wrote:
> This series provides a number of fixes and cleanups of the build flags
> releated to hardened builds.
> 
> Changes v1->v2:
>   * Drop patch removing linker flags from TARGET_CFLAGS
>   * Use a single spec file for compiler and linker flags
> 
> Stefan S?rensen (3):
>   package/Makefile.in: Do not use CPPFLAGS for hardening options
>   package/Makefile.in: Add missing options to LDFLAGS for full RELRO
>     build
>   package/Makefile.in: Use gcc spec files for PIE build flags

These patches were also sent by Matt Weber recently, the first two got
Reviewed-by from Arnout, the third one has questions:

  http://patchwork.ozlabs.org/project/buildroot/list/?series=54943

I'm a bit confused as to which patches to apply. Are your patches
unchanged compared to what Matt Weber sent ?

Best regards,

Thomas
-- 
Thomas Petazzoni, CTO, Bootlin (formerly Free Electrons)
Embedded Linux and Kernel engineering
https://bootlin.com

[Buildroot] [PATCH v2 0/3] Hardening build flags fixes

[Sørensen, Stefan]

On Thu, 2018-07-19 at 14:27 +0200, Thomas Petazzoni wrote:
> Hello Stefan,
> 
> On Thu, 19 Jul 2018 13:02:00 +0200, Stefan S?rensen wrote:
> > This series provides a number of fixes and cleanups of the build
> > flags
> > releated to hardened builds.
> > 
> > Changes v1->v2:
> >   * Drop patch removing linker flags from TARGET_CFLAGS
> >   * Use a single spec file for compiler and linker flags
> > 
> > Stefan S?rensen (3):
> >   package/Makefile.in: Do not use CPPFLAGS for hardening options
> >   package/Makefile.in: Add missing options to LDFLAGS for full
> > RELRO
> >     build
> >   package/Makefile.in: Use gcc spec files for PIE build flags
> 
> These patches were also sent by Matt Weber recently, the first two
> got
> Reviewed-by from Arnout, the third one has questions:
> 
>   http://patchwork.ozlabs.org/project/buildroot/list/?series=54943
> 
> I'm a bit confused as to which patches to apply. Are your patches
> unchanged compared to what Matt Weber sent ?

I had also modified the first two patches, so i dropped the Reviewed-by 
from them. But in the end i ditched the changes so that they are now
unchanged from what Matt posted, but forgot to put back the Reviewed-
by.

As far as I can see, all the questions on the third patch was answered
/ addressed.


Stefan

[Buildroot] [PATCH v2 1/3] package/Makefile.in: Do not use CPPFLAGS for hardening options

[Thomas Petazzoni]

Hello,

On Thu, 19 Jul 2018 13:02:01 +0200, Stefan S?rensen wrote:
> The hardening options are compiler flags, not pure pre-processor flags, so
> put them in CFLAGS, not CPPFLAGS.
> 
> This fixes build errors where -D_FORTIFY_SOURCE=2 whas put in CPPFLAGS and
> then applied to configure tests which could fail since the required -O2 is
> only in CFLAGS.
> 
> Signed-off-by: Stefan S?rensen <stefan.sorensen@spectralink.com>

I have applied this patch, from the series resent by Matt Weber.

See:
https://git.buildroot.org/buildroot/commit/?h=next&id=d4f5801027f3329fb6c2cd096f3396d3cd067390

Best regards,

Thomas
-- 
Thomas Petazzoni, CTO, Bootlin (formerly Free Electrons)
Embedded Linux and Kernel engineering
https://bootlin.com

[Buildroot] [PATCH v2 2/3] package/Makefile.in: Add missing options to LDFLAGS for full RELRO build

[Thomas Petazzoni]

Hello,

On Thu, 19 Jul 2018 13:02:02 +0200, Stefan S?rensen wrote:
> The options for a full RELRO build should also be added to LDFLAGS.
> 
> Signed-off-by: Stefan S?rensen <stefan.sorensen@spectralink.com>

Same: I have applied this patch, from the series posted by Matt Weber.

Thanks!

Thomas
-- 
Thomas Petazzoni, CTO, Bootlin (formerly Free Electrons)
Embedded Linux and Kernel engineering
https://bootlin.com