From: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
To: buildroot@busybox.net
Subject: [Buildroot] [PATCH] SSP: disable ssp support on microblaze
Date: Fri, 7 Sep 2018 09:26:07 +0200
Message-ID: <20180907092607.027fc274@windsurf.home>
In-Reply-To: <20180701145522.3f8d670c@windsurf.home>

Romain,

I was wondering if you had the chance to work on this topic?

Thanks,

Thomas

On Sun, 1 Jul 2018 14:55:22 +0200, Thomas Petazzoni wrote:
> Hello,
>
> On Sun, 10 Jun 2018 18:33:00 +0200, Romain Naour wrote:
> > As reported by [1], SSP support is missing in the Buildroot toolchain
> > for microblaze even if it's requested by selecting the
> > BR2_TOOLCHAIN_HAS_SSP config option.
> >
> > In Buildroot, we are using libssp provided by the C library (Glibc,
> > musl, uClibc-ng) when available. We are not using libssp from gcc.
> >
> > So for a microblaze glibc based toolchain, the SSP support is enabled
> > unconditionally by a select BR2_TOOLCHAIN_HAS_SSP.
> >
> > BR2_microblazeel=y
> > BR2_TOOLCHAIN_BUILDROOT_GLIBC=y
> > BR2_KERNEL_HEADERS_4_14=y
> > BR2_BINUTILS_VERSION_2_30_X=y
> > BR2_GCC_VERSION_8_X=y
> > BR2_TOOLCHAIN_BUILDROOT_CXX=y
> >
> > While building the toolchain, we are building host-binutils which
> > provides "as" (assembler) and host-gcc-initial which provides a
> > minimal cross gcc (C only cross-compiler without any C library).
> > When SSP support is requested, gcc_cv_libc_provides_ssp=yes is
> > added to the make command line (see [2] for full details).
> >
> > With this setting, the SSP support is requested but it's not available
> > in the end and the toolchain build succeeds.
> >
> > When the microblaze toolchain is imported to Buildroot (2018.05) as
> > an external toolchain with BR2_TOOLCHAIN_EXTERNAL_HAS_SSP set, the build
> > stops with:
> > "SSP support not available in this toolchain, please disable BR2_TOOLCHAIN_EXTERNAL_HAS_SSP"
> >
> > The test is doing the following command line:
> >
> > echo 'void main(){}' | [...]/host/bin/microblazeel-linux-gcc.br_real -Werror -fstack-protector -x c - -o [...]/build/.br-toolchain-test.tmp
> > cc1: error: -fstack-protector not supported for this target [-Werror]
> >
> > When we look at the gcc-final log file (config.log) we can see this
> > error several times when using the minimal gcc (from host-gcc-initial).
> > So why doesn't the minimal gcc support SSP?
> >
> > When we look at the gcc-initial log file (config.log) we can see an
> > error with 'as':
> >
> > configure:23194: checking assembler for cfi directives
> > configure:23209: [...]microblazeel-buildroot-linux-gnu/bin/as -o conftest.o conftest.s >&5
> > conftest.s: Assembler messages:
> > conftest.s:2: Error: CFI is not supported for this target
> > conftest.s:3: Error: CFI is not supported for this target
> > conftest.s:4: Error: CFI is not supported for this target
> > conftest.s:5: Error: CFI is not supported for this target
> > conftest.s:6: Error: CFI is not supported for this target
> > conftest.s:7: Error: CFI is not supported for this target
> > configure:23212: $? = 1
> > configure: failed program was
> > .text
> > .cfi_startproc
> > .cfi_offset 0, 0
> > .cfi_same_value 1
> > .cfi_def_cfa 1, 2
> > .cfi_escape 1, 2, 3, 4, 5
> > .cfi_endproc
> >
> > This is the only relevant difference compared to a nios2 toolchain where
> > libssp is enabled and available (nios2 is an example).
> >
> > "CFI" stands for "Control Flow Integrity" and it seems that SSP support
> > requires CFI target support (see [3] for some explanation).
> >
> > The SSP support seems to depend on CFI support, but the toolchain
> > infrastructure is not detailed enough to handle the CFI dependency.
> >
> > On the other hand, microblaze is the only architecture where CFI support
> > is missing.
> >
> > Disable SSP support for microblaze entirely.
> >
> > Fixes:
> > https://gitlab.com/free-electrons/toolchains-builder/-/jobs/72006389
> >
> > [1] https://gitlab.com/free-electrons/toolchains-builder/issues/1
> > [2] https://git.buildroot.net/buildroot/tree/package/gcc/gcc.mk?h=2018.05#n275
> > [3] https://grsecurity.net/rap_faq.php
> >
> > Signed-off-by: Romain Naour <romain.naour@gmail.com>
> > Cc: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
>
> Thanks for working on this. Based on this explanation, I think I'd
> prefer to see something like this in package/binutils/Config.in.host
>
> config BR2_PACKAGE_HOST_BINUTILS_SUPPORTS_CFI
> default y
> depends on !BR2_microblaze
>
> > diff --git a/package/glibc/Config.in b/package/glibc/Config.in
> > index 57a2e833d2..7adf76699d 100644
> > --- a/package/glibc/Config.in
> > +++ b/package/glibc/Config.in
> > @@ -4,6 +4,7 @@ config BR2_PACKAGE_GLIBC
> > bool
> > default y
> > select BR2_PACKAGE_LINUX_HEADERS
> > - select BR2_TOOLCHAIN_HAS_SSP
> > + # SSP not supported on microblaze
> > + select BR2_TOOLCHAIN_HAS_SSP if !BR2_microblaze
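Review bot: the comment added above the select says only "SSP not supported on microblaze", with neither the reason nor a reference, while the toolchain/Config.in hunk of the same patch gives both (missing CFI support in "gas" and the issue URL). Put the reason where the condition is, and consider testing one shared symbol instead of the architecture, because the same !BR2_microblaze test is spelled out again in the musl, BR2_TOOLCHAIN_BUILDROOT_USE_SSP and toolchain/Config.in hunks and all four would have to change together once the assembler gains support.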
>
> select BR2_TOOLCHAIN_HAS_SSP if BR2_PACKAGE_HOST_BINUTILS_SUPPORTS_CFI
>
> > diff --git a/package/musl/Config.in b/package/musl/Config.in
> > index bedc50cd45..4e0d6f4ef1 100644
> > --- a/package/musl/Config.in
> > +++ b/package/musl/Config.in
> > @@ -4,6 +4,7 @@ config BR2_PACKAGE_MUSL
> > depends on BR2_TOOLCHAIN_USES_MUSL
> > select BR2_PACKAGE_LINUX_HEADERS
> > # SSP broken on i386/ppc: http://www.openwall.com/lists/musl/2016/12/04/2
> > - select BR2_TOOLCHAIN_HAS_SSP if !(BR2_i386 || BR2_powerpc)
> > + # SSP not supported on microblaze
> > + select BR2_TOOLCHAIN_HAS_SSP if !(BR2_i386 || BR2_microblaze || BR2_powerpc)
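Review bot: the new select condition folds two unrelated exclusions into one expression, "!(BR2_i386 || BR2_microblaze || BR2_powerpc)": i386 and powerpc are excluded for the musl-specific breakage referenced by the URL in the comment above, microblaze for a reason that also applies to the glibc hunk. Keeping them apart, for example "if !BR2_microblaze && !(BR2_i386 || BR2_powerpc)", leaves each comment next to the term it explains and lets the musl-specific part be dropped later without touching the microblaze one.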
>
> select BR2_TOOLCHAIN_HAS_SSP if BR2_PACKAGE_HOST_BINUTILS_SUPPORTS_CFI && !(BR2_i386 || BR2_powerpc)
>
> > config BR2_TOOLCHAIN_BUILDROOT_USE_SSP
> > bool "Enable stack protection support"
> > + depends on !BR2_microblaze # SSP not supported on microblaze
>
> depends on BR2_PACKAGE_HOST_BINUTILS_SUPPORTS_CFI
>
> > select BR2_TOOLCHAIN_HAS_SSP
> > help
> > Enable stack smashing protection support using GCCs
> > diff --git a/toolchain/Config.in b/toolchain/Config.in
> > index 3a53a32a6d..1bf71a6d52 100644
> > --- a/toolchain/Config.in
> > +++ b/toolchain/Config.in
> > @@ -122,6 +122,9 @@ config BR2_TOOLCHAIN_HAS_THREADS_NPTL
> >
> > config BR2_TOOLCHAIN_HAS_SSP
> > bool
> > + # SSP support require CFI architecture support.
> > + # https://gitlab.com/free-electrons/toolchains-builder/issues/1
> > + depends on !BR2_microblaze # missing CFI support in "gas"
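Review bot: the added "depends on !BR2_microblaze" will not keep BR2_TOOLCHAIN_HAS_SSP off. The symbol is a promptless bool that is turned on through "select", and Kconfig's select forces the selected symbol to y regardless of its "depends on" lines, at most printing an unmet-dependency warning. The guard only works on the selecting side, which the glibc and musl hunks already do, so this line can be dropped; if the explanation and issue URL are worth keeping, move them next to those selects.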
>
> And this change is not necessary. Really BR2_TOOLCHAIN_HAS_SSP
> is a blind option that indicates if the toolchain has SSP support or
> not, it's not meant to handle the dependencies of SSP support.
>
> Could you rework your patch accordingly if you agree with the proposal?
>
> Thanks!
>
> Thomas
--
Thomas Petazzoni, CTO, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com
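
Added example, not part of the original thread or of Buildroot: a shell function that repeats the toolchain test quoted in the commit message (-Werror -fstack-protector on a small C input) and goes one step further by checking that the generated assembly references __stack_chk_fail, so a toolchain that accepts the flag without emitting a canary is also caught. The function name check_ssp, its return codes and the C probe are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not Buildroot code): verify that a cross compiler really
# provides SSP instead of trusting a *_HAS_SSP config option.
# Usage: sh check_ssp.sh /path/to/cross-gcc   (path supplied by the caller)

# check_ssp CC
#   0  flag accepted and stack-canary code emitted
#   1  compiler fails on -fstack-protector (the microblaze case in the thread)
#   2  flag accepted, but no __stack_chk_fail reference in the output
check_ssp() {
    cc=$1

    # Compile to assembly on stdout: no C library or linker is involved, so
    # the probe also works on a C-only compiler such as host-gcc-initial.
    # -Werror makes "not supported for this target" fatal, as in the test
    # quoted in the commit message.
    asm=$("$cc" -Werror -fstack-protector -x c - -S -o - 2>/dev/null <<'EOF'
extern void fill(char *);
void probe(void) { char buf[64]; fill(buf); }
EOF
    ) || {
        echo "no SSP: $cc failed on -fstack-protector"
        return 1
    }

    # A protected function ends with a call to __stack_chk_fail (or a
    # *_local variant whose name contains the same string).
    case $asm in
        *__stack_chk_fail*)
            echo "SSP ok: $cc emits the stack canary check"
            return 0
            ;;
    esac

    echo "no SSP: $cc accepted the flag but emitted no canary check"
    return 2
}

# Run the check when a compiler is given on the command line.
if [ "$#" -gt 0 ]; then
    check_ssp "$1"
fi
```

The char buf[64] array in the probe is what makes plain -fstack-protector instrument the function; a body without a local buffer would produce no canary even on a working toolchain.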