* [PATCH] Fix cc1 options check to ensure we do not use -fPIC when compiling
@ 2009-09-09 0:47 Jory A. Pratt
2009-09-09 1:02 ` H. Peter Anvin
0 siblings, 1 reply; 2+ messages in thread
From: Jory A. Pratt @ 2009-09-09 0:47 UTC (permalink / raw)
To: akpm@linux-foundation.org; +Cc: linux-kernel, torvalds, hardened-dev
[-- Attachment #1: Type: text/plain, Size: 804 bytes --]
I have sent this to the lkml, it seems to have been pushed to the back
burner. This is a major issue affecting users/developers that are
working on a much more security enhanced system. This means any Gentoo
user running a hardened toolchain will have problems building a kernel
that works as expected. This patch does nothing but pass the macro
-D__KERNEL__ to ensure that hardened toolchain drops back to that of a
vanilla toolchain to prevent unexpected compile problems in the kernel.
Jory
[-- Attachment #2: fix-cc-options-test-to-ensure-we-do-not-step-on-compile-flags.patch --]
[-- Type: text/plain, Size: 1321 bytes --]
The arch/*/boot/Makefile use cc-options to check for GCC command options and
cc-options uses the hardened specs when checking for GCC command options.
When -fPIE is passed to cc1 it can't use -ffreestanding or -fno-toplevel-reorder.
Then it fails to build stuff with -ffreestanding and -fno-toplevel-reorder.
Thanks to Fredric Johansson <johansson_fredric@hotmail.com> for finding the main
problem behind a failed build using a hardened toolchain.
Signed-off-by: Magnus Granberg <zorry@ume.nu>
Signed-off-by: Jory A. Pratt <anarchy@gentoo.org>
diff --git a/scripts/Kbuild.include b/scripts/Kbuild.include
index c29be8f..43300b3 100644
--- a/scripts/Kbuild.include
+++ b/scripts/Kbuild.include
@@ -105,12 +105,12 @@ as-instr = $(call try-run,\
# Usage: cflags-y += $(call cc-option,-march=winchip-c6,-march=i586)
cc-option = $(call try-run,\
- $(CC) $(KBUILD_CFLAGS) $(1) -c -xc /dev/null -o "$$TMP",$(1),$(2))
+ $(CC) $(KBUILD_CPPFLAGS) $(KBUILD_CFLAGS) $(1) -c -xc /dev/null -o "$$TMP",$(1),$(2))
# cc-option-yn
# Usage: flag := $(call cc-option-yn,-march=winchip-c6)
cc-option-yn = $(call try-run,\
- $(CC) $(KBUILD_CFLAGS) $(1) -c -xc /dev/null -o "$$TMP",y,n)
+ $(CC) $(KBUILD_CPPFLAGS) $(KBUILD_CFLAGS) $(1) -c -xc /dev/null -o "$$TMP",y,n)
# cc-option-align
# Prefix align with either -falign or -malign
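Review bot: The changelog does not explain why adding $(KBUILD_CPPFLAGS) to the two probe commands in cc-option and cc-option-yn fixes the failure; the -D__KERNEL__ reasoning appears only in the cover mail, which will not end up in the commit history. Please move that explanation into the changelog, and reconcile the subject line (-fPIC) with the body (-fPIE) so it is clear which flag the hardened specs inject. The other try-run based probes around this hunk (as-instr in the hunk header, cc-option-align in the trailing context) are not touched here; if they also invoke $(CC) with only $(KBUILD_CFLAGS), they would see the same hardened defaults, so either convert them in the same patch or state why they are unaffected.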
* Re: [PATCH] Fix cc1 options check to ensure we do not use -fPIC when compiling
2009-09-09 0:47 [PATCH] Fix cc1 options check to ensure we do not use -fPIC when compiling Jory A. Pratt
@ 2009-09-09 1:02 ` H. Peter Anvin
0 siblings, 0 replies; 2+ messages in thread
From: H. Peter Anvin @ 2009-09-09 1:02 UTC (permalink / raw)
To: Jory A. Pratt
Cc: akpm@linux-foundation.org, linux-kernel, torvalds, hardened-dev
On 09/08/2009 05:47 PM, Jory A. Pratt wrote:
>
> I have sent this to the lkml, it seems to have been pushed to the back
> burner. This is a major issue affecting users/developers that are
> working on a much more security enhanced system. This means any Gentoo
> user running a hardened toolchain will have problems building a kernel
> that works as expected. This patch does nothing but pass the macro
> -D__KERNEL__ to ensure that hardened toolchain drops back to that of a
> vanilla toolchain to prevent unexpected compile problems in the kernel.
>
This should also be sent to the Kbuild maintainer, Sam Ravnborg
<sam@ravnborg.org>.
-hpa