From: "Yann E. MORIN" <yann.morin.1998@free.fr>
To: Heiko Thiery <heiko.thiery@gmail.com>
Cc: Romain Naour <romain.naour@smile.fr>,
Dario Binacchi <dario.binacchi@amarulasolutions.com>,
Sergey Matyukevich <geomatsi@gmail.com>,
buildroot@buildroot.org
Subject: Re: [Buildroot] [PATCH v2] boot/arm-trusted-firmware: fix build issue with binutils 2.39+
Date: Mon, 10 Jul 2023 23:41:27 +0200 [thread overview]
Message-ID: <20230710214127.GB188780@scaer> (raw)
In-Reply-To: <20230710094148.308395-1-heiko.thiery@gmail.com>
Heiko, All,
On 2023-07-10 11:41 +0200, Heiko Thiery spake thusly:
> The new version of binutils introduces a new warning when linking. The
> new warninng is enabled by default. To fix the issue this warning is
> disabled by adding the patches to the arm-trusted-firmware package
> v{2.2..2.8}. This is a backport of an upstream commit [1]
>
> Since there are too many defconfigs that use the arm-trusted-firmware
> package, it is not practical to create a global-patch-dir for all of them.
> Therefore the patches are only in the package directory.
>
> [1] https://github.com/ARM-software/arm-trusted-firmware/commit/1f49db5f25cdd4e43825c9bcc0575070b80f628c
>
> Fixes:
> https://gitlab.com/buildroot.org/buildroot/-/jobs/4603996186
> https://gitlab.com/buildroot.org/buildroot/-/jobs/4603996189
>
> Cc: Yann E. MORIN <yann.morin.1998@free.fr>
> Cc: Dario Binacchi <dario.binacchi@amarulasolutions.com>
> Cc: Romain Naour <romain.naour@smile.fr>
> Signed-off-by: Heiko Thiery <heiko.thiery@gmail.com>
>
> ---
> v2: change the commit message to state why we add the patch to the
> package directory
> ---
> ...-add-support-for-new-binutils-versio.patch | 58 +++++++++++++++++
> ...dd-support-for-new-binutils-versions.patch | 62 +++++++++++++++++++
> ...dd-support-for-new-binutils-versions.patch | 62 +++++++++++++++++++
> ...dd-support-for-new-binutils-versions.patch | 62 +++++++++++++++++++
> ...dd-support-for-new-binutils-versions.patch | 62 +++++++++++++++++++
> ...dd-support-for-new-binutils-versions.patch | 62 +++++++++++++++++++
> ...dd-support-for-new-binutils-versions.patch | 62 +++++++++++++++++++
$ make check-package
boot/arm-trusted-firmware/v2.2/0001-PATCH-feat-build-add-support-for-new-binutils-versio.patch:0: missing Upstream in the header (http://nightly.buildroot.org/#_additional_patch_documentation)
boot/arm-trusted-firmware/v2.3/0001-feat-build-add-support-for-new-binutils-versions.patch:0: missing Upstream in the header (http://nightly.buildroot.org/#_additional_patch_documentation)
boot/arm-trusted-firmware/v2.4/0001-feat-build-add-support-for-new-binutils-versions.patch:0: missing Upstream in the header (http://nightly.buildroot.org/#_additional_patch_documentation)
boot/arm-trusted-firmware/v2.5/0001-feat-build-add-support-for-new-binutils-versions.patch:0: missing Upstream in the header (http://nightly.buildroot.org/#_additional_patch_documentation)
boot/arm-trusted-firmware/v2.6/0001-feat-build-add-support-for-new-binutils-versions.patch:0: missing Upstream in the header (http://nightly.buildroot.org/#_additional_patch_documentation)
boot/arm-trusted-firmware/v2.7/0001-feat-build-add-support-for-new-binutils-versions.patch:0: missing Upstream in the header (http://nightly.buildroot.org/#_additional_patch_documentation)
boot/arm-trusted-firmware/v2.8/0001-feat-build-add-support-for-new-binutils-versions.patch:0: missing Upstream in the header (http://nightly.buildroot.org/#_additional_patch_documentation)
I fixed that, and applied to master, thanks.
Regards,
Yann E. MORIN.
> 7 files changed, 430 insertions(+)
> create mode 100644 boot/arm-trusted-firmware/v2.2/0001-PATCH-feat-build-add-support-for-new-binutils-versio.patch
> create mode 100644 boot/arm-trusted-firmware/v2.3/0001-feat-build-add-support-for-new-binutils-versions.patch
> create mode 100644 boot/arm-trusted-firmware/v2.4/0001-feat-build-add-support-for-new-binutils-versions.patch
> create mode 100644 boot/arm-trusted-firmware/v2.5/0001-feat-build-add-support-for-new-binutils-versions.patch
> create mode 100644 boot/arm-trusted-firmware/v2.6/0001-feat-build-add-support-for-new-binutils-versions.patch
> create mode 100644 boot/arm-trusted-firmware/v2.7/0001-feat-build-add-support-for-new-binutils-versions.patch
> create mode 100644 boot/arm-trusted-firmware/v2.8/0001-feat-build-add-support-for-new-binutils-versions.patch
>
> diff --git a/boot/arm-trusted-firmware/v2.2/0001-PATCH-feat-build-add-support-for-new-binutils-versio.patch b/boot/arm-trusted-firmware/v2.2/0001-PATCH-feat-build-add-support-for-new-binutils-versio.patch
> new file mode 100644
> index 0000000000..2375de0eef
> --- /dev/null
> +++ b/boot/arm-trusted-firmware/v2.2/0001-PATCH-feat-build-add-support-for-new-binutils-versio.patch
> @@ -0,0 +1,58 @@
> +From 5e1beb793c06352e87c46eca1144ff1fe8555103 Mon Sep 17 00:00:00 2001
> +From: Heiko Thiery <heiko.thiery@gmail.com>
> +Date: Mon, 10 Jul 2023 10:43:03 +0200
> +Subject: [PATCH] [PATCH] feat(build): add support for new binutils versions
> +
> +Users of GNU ld (BPF) from binutils 2.39+ will observe multiple instaces
> +of a new warning when linking the bl*.elf in the form:
> +
> + ld.bfd: warning: stm32mp1_helper.o: missing .note.GNU-stack section implies executable stack
> + ld.bfd: NOTE: This behaviour is deprecated and will be removed in a future version of the linker
> + ld.bfd: warning: bl2.elf has a LOAD segment with RWX permissions
> + ld.bfd: warning: bl32.elf has a LOAD segment with RWX permissions
> +
> +These new warnings are enbaled by default to secure elf binaries:
> + - https://sourceware.org/git/?p=binutils-gdb.git;a=commit;h=ba951afb99912da01a6e8434126b8fac7aa75107
> + - https://sourceware.org/git/?p=binutils-gdb.git;a=commit;h=0d38576a34ec64a1b4500c9277a8e9d0f07e6774
> +
> +Fix it in a similar way to what the Linux kernel does, see:
> +https://lore.kernel.org/all/20220810222442.2296651-1-ndesaulniers@google.com/
> +
> +Following the reasoning there, we set "-z noexecstack" for all linkers
> +(although LLVM's LLD defaults to it) and optional add
> +--no-warn-rwx-segments since this a ld.bfd related.
> +
> +Signed-off-by: Marco Felsch <m.felsch@pengutronix.de>
> +Signed-off-by: Robert Schwebel <r.schwebel@pengutronix.de>
> +Change-Id: I9430f5fa5036ca88da46cd3b945754d62616b617
> +
> +Signed-off-by: Heiko Thiery <heiko.thiery@gmail.com>
> +---
> + Makefile | 7 ++++++-
> + 1 file changed, 6 insertions(+), 1 deletion(-)
> +
> +diff --git a/Makefile b/Makefile
> +index 721246d51..5893cf422 100644
> +--- a/Makefile
> ++++ b/Makefile
> +@@ -297,11 +297,16 @@ endif
> +
> + GCC_V_OUTPUT := $(shell $(CC) -v 2>&1)
> +
> ++TF_LDFLAGS += -z noexecstack
> ++
> + ifneq ($(findstring armlink,$(notdir $(LD))),)
> + TF_LDFLAGS += --diag_error=warning --lto_level=O1
> + TF_LDFLAGS += --remove --info=unused,unusedsymbols
> + else
> +-TF_LDFLAGS += --fatal-warnings -O1
> ++# With ld.bfd version 2.39 and newer new warnings are added. Skip those since we
> ++# are not loaded by a elf loader.
> ++TF_LDFLAGS += $(call ld_option, --no-warn-rwx-segments)
> ++TF_LDFLAGS += -O1
> + TF_LDFLAGS += --gc-sections
> + endif
> + TF_LDFLAGS += $(TF_LDFLAGS_$(ARCH))
> +--
> +2.30.2
> +
> diff --git a/boot/arm-trusted-firmware/v2.3/0001-feat-build-add-support-for-new-binutils-versions.patch b/boot/arm-trusted-firmware/v2.3/0001-feat-build-add-support-for-new-binutils-versions.patch
> new file mode 100644
> index 0000000000..9b5a9dba97
> --- /dev/null
> +++ b/boot/arm-trusted-firmware/v2.3/0001-feat-build-add-support-for-new-binutils-versions.patch
> @@ -0,0 +1,62 @@
> +From 0f75b03c008eacb9818af3a56dc088e72a623d17 Mon Sep 17 00:00:00 2001
> +From: Marco Felsch <m.felsch@pengutronix.de>
> +Date: Wed, 9 Nov 2022 12:59:09 +0100
> +Subject: [PATCH] feat(build): add support for new binutils versions
> +
> +Users of GNU ld (BPF) from binutils 2.39+ will observe multiple instaces
> +of a new warning when linking the bl*.elf in the form:
> +
> + ld.bfd: warning: stm32mp1_helper.o: missing .note.GNU-stack section implies executable stack
> + ld.bfd: NOTE: This behaviour is deprecated and will be removed in a future version of the linker
> + ld.bfd: warning: bl2.elf has a LOAD segment with RWX permissions
> + ld.bfd: warning: bl32.elf has a LOAD segment with RWX permissions
> +
> +These new warnings are enbaled by default to secure elf binaries:
> + - https://sourceware.org/git/?p=binutils-gdb.git;a=commit;h=ba951afb99912da01a6e8434126b8fac7aa75107
> + - https://sourceware.org/git/?p=binutils-gdb.git;a=commit;h=0d38576a34ec64a1b4500c9277a8e9d0f07e6774
> +
> +Fix it in a similar way to what the Linux kernel does, see:
> +https://lore.kernel.org/all/20220810222442.2296651-1-ndesaulniers@google.com/
> +
> +Following the reasoning there, we set "-z noexecstack" for all linkers
> +(although LLVM's LLD defaults to it) and optional add
> +--no-warn-rwx-segments since this a ld.bfd related.
> +
> +Signed-off-by: Heiko Thiery <heiko.thiery@gmail.com>
> +[Retrieved and rebased from
> +https://github.com/ARM-software/arm-trusted-firmware/commit/1f49db5f25cdd4e43825c9bcc0575070b80f628c]
> +Signed-off-by: Marco Felsch <m.felsch@pengutronix.de>
> +Signed-off-by: Robert Schwebel <r.schwebel@pengutronix.de>
> +Change-Id: I9430f5fa5036ca88da46cd3b945754d62616b617
> +---
> + Makefile | 7 ++++++-
> + 1 file changed, 6 insertions(+), 1 deletion(-)
> +
> +diff --git a/Makefile b/Makefile
> +index 1ddb7b844..470956b19 100644
> +--- a/Makefile
> ++++ b/Makefile
> +@@ -416,6 +416,8 @@ endif
> +
> + GCC_V_OUTPUT := $(shell $(CC) -v 2>&1)
> +
> ++TF_LDFLAGS += -z noexecstack
> ++
> + # LD = armlink
> + ifneq ($(findstring armlink,$(notdir $(LD))),)
> + TF_LDFLAGS += --diag_error=warning --lto_level=O1
> +@@ -442,7 +444,10 @@ TF_LDFLAGS += $(subst --,-Xlinker --,$(TF_LDFLAGS_$(ARCH)))
> +
> + # LD = gcc-ld (ld) or llvm-ld (ld.lld) or other
> + else
> +-TF_LDFLAGS += --fatal-warnings -O1
> ++# With ld.bfd version 2.39 and newer new warnings are added. Skip those since we
> ++# are not loaded by a elf loader.
> ++TF_LDFLAGS += $(call ld_option, --no-warn-rwx-segments)
> ++TF_LDFLAGS += -O1
> + TF_LDFLAGS += --gc-sections
> + # ld.lld doesn't recognize the errata flags,
> + # therefore don't add those in that case
> +--
> +2.30.2
> +
> diff --git a/boot/arm-trusted-firmware/v2.4/0001-feat-build-add-support-for-new-binutils-versions.patch b/boot/arm-trusted-firmware/v2.4/0001-feat-build-add-support-for-new-binutils-versions.patch
> new file mode 100644
> index 0000000000..9b5a9dba97
> --- /dev/null
> +++ b/boot/arm-trusted-firmware/v2.4/0001-feat-build-add-support-for-new-binutils-versions.patch
> @@ -0,0 +1,62 @@
> +From 0f75b03c008eacb9818af3a56dc088e72a623d17 Mon Sep 17 00:00:00 2001
> +From: Marco Felsch <m.felsch@pengutronix.de>
> +Date: Wed, 9 Nov 2022 12:59:09 +0100
> +Subject: [PATCH] feat(build): add support for new binutils versions
> +
> +Users of GNU ld (BPF) from binutils 2.39+ will observe multiple instaces
> +of a new warning when linking the bl*.elf in the form:
> +
> + ld.bfd: warning: stm32mp1_helper.o: missing .note.GNU-stack section implies executable stack
> + ld.bfd: NOTE: This behaviour is deprecated and will be removed in a future version of the linker
> + ld.bfd: warning: bl2.elf has a LOAD segment with RWX permissions
> + ld.bfd: warning: bl32.elf has a LOAD segment with RWX permissions
> +
> +These new warnings are enbaled by default to secure elf binaries:
> + - https://sourceware.org/git/?p=binutils-gdb.git;a=commit;h=ba951afb99912da01a6e8434126b8fac7aa75107
> + - https://sourceware.org/git/?p=binutils-gdb.git;a=commit;h=0d38576a34ec64a1b4500c9277a8e9d0f07e6774
> +
> +Fix it in a similar way to what the Linux kernel does, see:
> +https://lore.kernel.org/all/20220810222442.2296651-1-ndesaulniers@google.com/
> +
> +Following the reasoning there, we set "-z noexecstack" for all linkers
> +(although LLVM's LLD defaults to it) and optional add
> +--no-warn-rwx-segments since this a ld.bfd related.
> +
> +Signed-off-by: Heiko Thiery <heiko.thiery@gmail.com>
> +[Retrieved and rebased from
> +https://github.com/ARM-software/arm-trusted-firmware/commit/1f49db5f25cdd4e43825c9bcc0575070b80f628c]
> +Signed-off-by: Marco Felsch <m.felsch@pengutronix.de>
> +Signed-off-by: Robert Schwebel <r.schwebel@pengutronix.de>
> +Change-Id: I9430f5fa5036ca88da46cd3b945754d62616b617
> +---
> + Makefile | 7 ++++++-
> + 1 file changed, 6 insertions(+), 1 deletion(-)
> +
> +diff --git a/Makefile b/Makefile
> +index 1ddb7b844..470956b19 100644
> +--- a/Makefile
> ++++ b/Makefile
> +@@ -416,6 +416,8 @@ endif
> +
> + GCC_V_OUTPUT := $(shell $(CC) -v 2>&1)
> +
> ++TF_LDFLAGS += -z noexecstack
> ++
> + # LD = armlink
> + ifneq ($(findstring armlink,$(notdir $(LD))),)
> + TF_LDFLAGS += --diag_error=warning --lto_level=O1
> +@@ -442,7 +444,10 @@ TF_LDFLAGS += $(subst --,-Xlinker --,$(TF_LDFLAGS_$(ARCH)))
> +
> + # LD = gcc-ld (ld) or llvm-ld (ld.lld) or other
> + else
> +-TF_LDFLAGS += --fatal-warnings -O1
> ++# With ld.bfd version 2.39 and newer new warnings are added. Skip those since we
> ++# are not loaded by a elf loader.
> ++TF_LDFLAGS += $(call ld_option, --no-warn-rwx-segments)
> ++TF_LDFLAGS += -O1
> + TF_LDFLAGS += --gc-sections
> + # ld.lld doesn't recognize the errata flags,
> + # therefore don't add those in that case
> +--
> +2.30.2
> +
> diff --git a/boot/arm-trusted-firmware/v2.5/0001-feat-build-add-support-for-new-binutils-versions.patch b/boot/arm-trusted-firmware/v2.5/0001-feat-build-add-support-for-new-binutils-versions.patch
> new file mode 100644
> index 0000000000..9b5a9dba97
> --- /dev/null
> +++ b/boot/arm-trusted-firmware/v2.5/0001-feat-build-add-support-for-new-binutils-versions.patch
> @@ -0,0 +1,62 @@
> +From 0f75b03c008eacb9818af3a56dc088e72a623d17 Mon Sep 17 00:00:00 2001
> +From: Marco Felsch <m.felsch@pengutronix.de>
> +Date: Wed, 9 Nov 2022 12:59:09 +0100
> +Subject: [PATCH] feat(build): add support for new binutils versions
> +
> +Users of GNU ld (BPF) from binutils 2.39+ will observe multiple instaces
> +of a new warning when linking the bl*.elf in the form:
> +
> + ld.bfd: warning: stm32mp1_helper.o: missing .note.GNU-stack section implies executable stack
> + ld.bfd: NOTE: This behaviour is deprecated and will be removed in a future version of the linker
> + ld.bfd: warning: bl2.elf has a LOAD segment with RWX permissions
> + ld.bfd: warning: bl32.elf has a LOAD segment with RWX permissions
> +
> +These new warnings are enbaled by default to secure elf binaries:
> + - https://sourceware.org/git/?p=binutils-gdb.git;a=commit;h=ba951afb99912da01a6e8434126b8fac7aa75107
> + - https://sourceware.org/git/?p=binutils-gdb.git;a=commit;h=0d38576a34ec64a1b4500c9277a8e9d0f07e6774
> +
> +Fix it in a similar way to what the Linux kernel does, see:
> +https://lore.kernel.org/all/20220810222442.2296651-1-ndesaulniers@google.com/
> +
> +Following the reasoning there, we set "-z noexecstack" for all linkers
> +(although LLVM's LLD defaults to it) and optional add
> +--no-warn-rwx-segments since this a ld.bfd related.
> +
> +Signed-off-by: Heiko Thiery <heiko.thiery@gmail.com>
> +[Retrieved and rebased from
> +https://github.com/ARM-software/arm-trusted-firmware/commit/1f49db5f25cdd4e43825c9bcc0575070b80f628c]
> +Signed-off-by: Marco Felsch <m.felsch@pengutronix.de>
> +Signed-off-by: Robert Schwebel <r.schwebel@pengutronix.de>
> +Change-Id: I9430f5fa5036ca88da46cd3b945754d62616b617
> +---
> + Makefile | 7 ++++++-
> + 1 file changed, 6 insertions(+), 1 deletion(-)
> +
> +diff --git a/Makefile b/Makefile
> +index 1ddb7b844..470956b19 100644
> +--- a/Makefile
> ++++ b/Makefile
> +@@ -416,6 +416,8 @@ endif
> +
> + GCC_V_OUTPUT := $(shell $(CC) -v 2>&1)
> +
> ++TF_LDFLAGS += -z noexecstack
> ++
> + # LD = armlink
> + ifneq ($(findstring armlink,$(notdir $(LD))),)
> + TF_LDFLAGS += --diag_error=warning --lto_level=O1
> +@@ -442,7 +444,10 @@ TF_LDFLAGS += $(subst --,-Xlinker --,$(TF_LDFLAGS_$(ARCH)))
> +
> + # LD = gcc-ld (ld) or llvm-ld (ld.lld) or other
> + else
> +-TF_LDFLAGS += --fatal-warnings -O1
> ++# With ld.bfd version 2.39 and newer new warnings are added. Skip those since we
> ++# are not loaded by a elf loader.
> ++TF_LDFLAGS += $(call ld_option, --no-warn-rwx-segments)
> ++TF_LDFLAGS += -O1
> + TF_LDFLAGS += --gc-sections
> + # ld.lld doesn't recognize the errata flags,
> + # therefore don't add those in that case
> +--
> +2.30.2
> +
> diff --git a/boot/arm-trusted-firmware/v2.6/0001-feat-build-add-support-for-new-binutils-versions.patch b/boot/arm-trusted-firmware/v2.6/0001-feat-build-add-support-for-new-binutils-versions.patch
> new file mode 100644
> index 0000000000..9b5a9dba97
> --- /dev/null
> +++ b/boot/arm-trusted-firmware/v2.6/0001-feat-build-add-support-for-new-binutils-versions.patch
> @@ -0,0 +1,62 @@
> +From 0f75b03c008eacb9818af3a56dc088e72a623d17 Mon Sep 17 00:00:00 2001
> +From: Marco Felsch <m.felsch@pengutronix.de>
> +Date: Wed, 9 Nov 2022 12:59:09 +0100
> +Subject: [PATCH] feat(build): add support for new binutils versions
> +
> +Users of GNU ld (BPF) from binutils 2.39+ will observe multiple instaces
> +of a new warning when linking the bl*.elf in the form:
> +
> + ld.bfd: warning: stm32mp1_helper.o: missing .note.GNU-stack section implies executable stack
> + ld.bfd: NOTE: This behaviour is deprecated and will be removed in a future version of the linker
> + ld.bfd: warning: bl2.elf has a LOAD segment with RWX permissions
> + ld.bfd: warning: bl32.elf has a LOAD segment with RWX permissions
> +
> +These new warnings are enbaled by default to secure elf binaries:
> + - https://sourceware.org/git/?p=binutils-gdb.git;a=commit;h=ba951afb99912da01a6e8434126b8fac7aa75107
> + - https://sourceware.org/git/?p=binutils-gdb.git;a=commit;h=0d38576a34ec64a1b4500c9277a8e9d0f07e6774
> +
> +Fix it in a similar way to what the Linux kernel does, see:
> +https://lore.kernel.org/all/20220810222442.2296651-1-ndesaulniers@google.com/
> +
> +Following the reasoning there, we set "-z noexecstack" for all linkers
> +(although LLVM's LLD defaults to it) and optional add
> +--no-warn-rwx-segments since this a ld.bfd related.
> +
> +Signed-off-by: Heiko Thiery <heiko.thiery@gmail.com>
> +[Retrieved and rebased from
> +https://github.com/ARM-software/arm-trusted-firmware/commit/1f49db5f25cdd4e43825c9bcc0575070b80f628c]
> +Signed-off-by: Marco Felsch <m.felsch@pengutronix.de>
> +Signed-off-by: Robert Schwebel <r.schwebel@pengutronix.de>
> +Change-Id: I9430f5fa5036ca88da46cd3b945754d62616b617
> +---
> + Makefile | 7 ++++++-
> + 1 file changed, 6 insertions(+), 1 deletion(-)
> +
> +diff --git a/Makefile b/Makefile
> +index 1ddb7b844..470956b19 100644
> +--- a/Makefile
> ++++ b/Makefile
> +@@ -416,6 +416,8 @@ endif
> +
> + GCC_V_OUTPUT := $(shell $(CC) -v 2>&1)
> +
> ++TF_LDFLAGS += -z noexecstack
> ++
> + # LD = armlink
> + ifneq ($(findstring armlink,$(notdir $(LD))),)
> + TF_LDFLAGS += --diag_error=warning --lto_level=O1
> +@@ -442,7 +444,10 @@ TF_LDFLAGS += $(subst --,-Xlinker --,$(TF_LDFLAGS_$(ARCH)))
> +
> + # LD = gcc-ld (ld) or llvm-ld (ld.lld) or other
> + else
> +-TF_LDFLAGS += --fatal-warnings -O1
> ++# With ld.bfd version 2.39 and newer new warnings are added. Skip those since we
> ++# are not loaded by a elf loader.
> ++TF_LDFLAGS += $(call ld_option, --no-warn-rwx-segments)
> ++TF_LDFLAGS += -O1
> + TF_LDFLAGS += --gc-sections
> + # ld.lld doesn't recognize the errata flags,
> + # therefore don't add those in that case
> +--
> +2.30.2
> +
> diff --git a/boot/arm-trusted-firmware/v2.7/0001-feat-build-add-support-for-new-binutils-versions.patch b/boot/arm-trusted-firmware/v2.7/0001-feat-build-add-support-for-new-binutils-versions.patch
> new file mode 100644
> index 0000000000..9b5a9dba97
> --- /dev/null
> +++ b/boot/arm-trusted-firmware/v2.7/0001-feat-build-add-support-for-new-binutils-versions.patch
> @@ -0,0 +1,62 @@
> +From 0f75b03c008eacb9818af3a56dc088e72a623d17 Mon Sep 17 00:00:00 2001
> +From: Marco Felsch <m.felsch@pengutronix.de>
> +Date: Wed, 9 Nov 2022 12:59:09 +0100
> +Subject: [PATCH] feat(build): add support for new binutils versions
> +
> +Users of GNU ld (BPF) from binutils 2.39+ will observe multiple instaces
> +of a new warning when linking the bl*.elf in the form:
> +
> + ld.bfd: warning: stm32mp1_helper.o: missing .note.GNU-stack section implies executable stack
> + ld.bfd: NOTE: This behaviour is deprecated and will be removed in a future version of the linker
> + ld.bfd: warning: bl2.elf has a LOAD segment with RWX permissions
> + ld.bfd: warning: bl32.elf has a LOAD segment with RWX permissions
> +
> +These new warnings are enbaled by default to secure elf binaries:
> + - https://sourceware.org/git/?p=binutils-gdb.git;a=commit;h=ba951afb99912da01a6e8434126b8fac7aa75107
> + - https://sourceware.org/git/?p=binutils-gdb.git;a=commit;h=0d38576a34ec64a1b4500c9277a8e9d0f07e6774
> +
> +Fix it in a similar way to what the Linux kernel does, see:
> +https://lore.kernel.org/all/20220810222442.2296651-1-ndesaulniers@google.com/
> +
> +Following the reasoning there, we set "-z noexecstack" for all linkers
> +(although LLVM's LLD defaults to it) and optional add
> +--no-warn-rwx-segments since this a ld.bfd related.
> +
> +Signed-off-by: Heiko Thiery <heiko.thiery@gmail.com>
> +[Retrieved and rebased from
> +https://github.com/ARM-software/arm-trusted-firmware/commit/1f49db5f25cdd4e43825c9bcc0575070b80f628c]
> +Signed-off-by: Marco Felsch <m.felsch@pengutronix.de>
> +Signed-off-by: Robert Schwebel <r.schwebel@pengutronix.de>
> +Change-Id: I9430f5fa5036ca88da46cd3b945754d62616b617
> +---
> + Makefile | 7 ++++++-
> + 1 file changed, 6 insertions(+), 1 deletion(-)
> +
> +diff --git a/Makefile b/Makefile
> +index 1ddb7b844..470956b19 100644
> +--- a/Makefile
> ++++ b/Makefile
> +@@ -416,6 +416,8 @@ endif
> +
> + GCC_V_OUTPUT := $(shell $(CC) -v 2>&1)
> +
> ++TF_LDFLAGS += -z noexecstack
> ++
> + # LD = armlink
> + ifneq ($(findstring armlink,$(notdir $(LD))),)
> + TF_LDFLAGS += --diag_error=warning --lto_level=O1
> +@@ -442,7 +444,10 @@ TF_LDFLAGS += $(subst --,-Xlinker --,$(TF_LDFLAGS_$(ARCH)))
> +
> + # LD = gcc-ld (ld) or llvm-ld (ld.lld) or other
> + else
> +-TF_LDFLAGS += --fatal-warnings -O1
> ++# With ld.bfd version 2.39 and newer new warnings are added. Skip those since we
> ++# are not loaded by a elf loader.
> ++TF_LDFLAGS += $(call ld_option, --no-warn-rwx-segments)
> ++TF_LDFLAGS += -O1
> + TF_LDFLAGS += --gc-sections
> + # ld.lld doesn't recognize the errata flags,
> + # therefore don't add those in that case
> +--
> +2.30.2
> +
> diff --git a/boot/arm-trusted-firmware/v2.8/0001-feat-build-add-support-for-new-binutils-versions.patch b/boot/arm-trusted-firmware/v2.8/0001-feat-build-add-support-for-new-binutils-versions.patch
> new file mode 100644
> index 0000000000..9b5a9dba97
> --- /dev/null
> +++ b/boot/arm-trusted-firmware/v2.8/0001-feat-build-add-support-for-new-binutils-versions.patch
> @@ -0,0 +1,62 @@
> +From 0f75b03c008eacb9818af3a56dc088e72a623d17 Mon Sep 17 00:00:00 2001
> +From: Marco Felsch <m.felsch@pengutronix.de>
> +Date: Wed, 9 Nov 2022 12:59:09 +0100
> +Subject: [PATCH] feat(build): add support for new binutils versions
> +
> +Users of GNU ld (BPF) from binutils 2.39+ will observe multiple instaces
> +of a new warning when linking the bl*.elf in the form:
> +
> + ld.bfd: warning: stm32mp1_helper.o: missing .note.GNU-stack section implies executable stack
> + ld.bfd: NOTE: This behaviour is deprecated and will be removed in a future version of the linker
> + ld.bfd: warning: bl2.elf has a LOAD segment with RWX permissions
> + ld.bfd: warning: bl32.elf has a LOAD segment with RWX permissions
> +
> +These new warnings are enbaled by default to secure elf binaries:
> + - https://sourceware.org/git/?p=binutils-gdb.git;a=commit;h=ba951afb99912da01a6e8434126b8fac7aa75107
> + - https://sourceware.org/git/?p=binutils-gdb.git;a=commit;h=0d38576a34ec64a1b4500c9277a8e9d0f07e6774
> +
> +Fix it in a similar way to what the Linux kernel does, see:
> +https://lore.kernel.org/all/20220810222442.2296651-1-ndesaulniers@google.com/
> +
> +Following the reasoning there, we set "-z noexecstack" for all linkers
> +(although LLVM's LLD defaults to it) and optional add
> +--no-warn-rwx-segments since this a ld.bfd related.
> +
> +Signed-off-by: Heiko Thiery <heiko.thiery@gmail.com>
> +[Retrieved and rebased from
> +https://github.com/ARM-software/arm-trusted-firmware/commit/1f49db5f25cdd4e43825c9bcc0575070b80f628c]
> +Signed-off-by: Marco Felsch <m.felsch@pengutronix.de>
> +Signed-off-by: Robert Schwebel <r.schwebel@pengutronix.de>
> +Change-Id: I9430f5fa5036ca88da46cd3b945754d62616b617
> +---
> + Makefile | 7 ++++++-
> + 1 file changed, 6 insertions(+), 1 deletion(-)
> +
> +diff --git a/Makefile b/Makefile
> +index 1ddb7b844..470956b19 100644
> +--- a/Makefile
> ++++ b/Makefile
> +@@ -416,6 +416,8 @@ endif
> +
> + GCC_V_OUTPUT := $(shell $(CC) -v 2>&1)
> +
> ++TF_LDFLAGS += -z noexecstack
> ++
> + # LD = armlink
> + ifneq ($(findstring armlink,$(notdir $(LD))),)
> + TF_LDFLAGS += --diag_error=warning --lto_level=O1
> +@@ -442,7 +444,10 @@ TF_LDFLAGS += $(subst --,-Xlinker --,$(TF_LDFLAGS_$(ARCH)))
> +
> + # LD = gcc-ld (ld) or llvm-ld (ld.lld) or other
> + else
> +-TF_LDFLAGS += --fatal-warnings -O1
> ++# With ld.bfd version 2.39 and newer new warnings are added. Skip those since we
> ++# are not loaded by a elf loader.
> ++TF_LDFLAGS += $(call ld_option, --no-warn-rwx-segments)
> ++TF_LDFLAGS += -O1
> + TF_LDFLAGS += --gc-sections
> + # ld.lld doesn't recognize the errata flags,
> + # therefore don't add those in that case
> +--
> +2.30.2
> +
> --
> 2.30.2
>
--
.-----------------.--------------------.------------------.--------------------.
| Yann E. MORIN | Real-Time Embedded | /"\ ASCII RIBBON | Erics' conspiracy: |
| +33 662 376 056 | Software Designer | \ / CAMPAIGN | ___ |
| +33 561 099 427 `------------.-------: X AGAINST | \e/ There is no |
| http://ymorin.is-a-geek.org/ | _/*\_ | / \ HTML MAIL | v conspiracy. |
'------------------------------^-------^------------------^--------------------'
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot
prev parent reply other threads:[~2023-07-10 21:41 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-07-10 9:41 [Buildroot] [PATCH v2] boot/arm-trusted-firmware: fix build issue with binutils 2.39+ Heiko Thiery
2023-07-10 21:33 ` Giulio Benetti
2023-07-10 21:41 ` Yann E. MORIN [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20230710214127.GB188780@scaer \
--to=yann.morin.1998@free.fr \
--cc=buildroot@buildroot.org \
--cc=dario.binacchi@amarulasolutions.com \
--cc=geomatsi@gmail.com \
--cc=heiko.thiery@gmail.com \
--cc=romain.naour@smile.fr \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox