* [PATCH 1/6] nss-myhostname: Fix build on musl
2016-02-04 22:54 [PATCH V2 0/6] Fix issues when using security_flags on musl Khem Raj
@ 2016-02-04 22:55 ` Khem Raj
2016-02-04 22:55 ` [PATCH 2/6] gcc: Fix build on musl with -fstack-protector Khem Raj
` (4 subsequent siblings)
5 siblings, 0 replies; 8+ messages in thread
From: Khem Raj @ 2016-02-04 22:55 UTC (permalink / raw)
To: openembedded-core
provide needed data types if nss.h is not available
Signed-off-by: Khem Raj <raj.khem@gmail.com>
---
...tname-Check-for-nss.h-presense-before-use.patch | 53 ++++++++++++++++++++++
.../nss-myhostname/nss-myhostname_0.3.bb | 4 +-
2 files changed, 56 insertions(+), 1 deletion(-)
create mode 100644 meta/recipes-support/nss-myhostname/nss-myhostname/0001-nss-myhostname-Check-for-nss.h-presense-before-use.patch
diff --git a/meta/recipes-support/nss-myhostname/nss-myhostname/0001-nss-myhostname-Check-for-nss.h-presense-before-use.patch b/meta/recipes-support/nss-myhostname/nss-myhostname/0001-nss-myhostname-Check-for-nss.h-presense-before-use.patch
new file mode 100644
index 0000000..82f2574
--- /dev/null
+++ b/meta/recipes-support/nss-myhostname/nss-myhostname/0001-nss-myhostname-Check-for-nss.h-presense-before-use.patch
@@ -0,0 +1,53 @@
+From d1345871b992f9a055c968963967e728da1a7ffb Mon Sep 17 00:00:00 2001
+From: Khem Raj <raj.khem@gmail.com>
+Date: Sat, 30 Jan 2016 20:29:06 +0000
+Subject: [PATCH] nss-myhostname: Check for nss.h presense before use
+
+We do not have nss.h on musl e.g. and configury is already checking for
+nss.h presence, use this to define needed data structures if nss.h is
+missing on a given libc implementation on a platform
+
+include stdint.h for uint32_h definition
+
+Signed-off-by: Khem Raj <raj.khem@gmail.com>
+---
+Upstream-Status: Pending
+
+ nss-myhostname.c | 20 ++++++++++++++++++++
+ 1 file changed, 20 insertions(+)
+
+diff --git a/nss-myhostname.c b/nss-myhostname.c
+index 293166c..6f287f5 100644
+--- a/nss-myhostname.c
++++ b/nss-myhostname.c
+@@ -21,7 +21,27 @@
+ ***/
+
+ #include <limits.h>
++#include <stdint.h>
++#ifdef HAVE_NSS_H
+ #include <nss.h>
++#else
++enum nss_status {
++ NSS_STATUS_TRYAGAIN = -2,
++ NSS_STATUS_UNAVAIL,
++ NSS_STATUS_NOTFOUND,
++ NSS_STATUS_SUCCESS,
++ NSS_STATUS_RETURN
++};
++/* Data structure used for the 'gethostbyname4_r' function. */
++struct gaih_addrtuple
++ {
++ struct gaih_addrtuple *next;
++ char *name;
++ int family;
++ uint32_t addr[4];
++ uint32_t scopeid;
++ };
++#endif
+ #include <sys/types.h>
+ #include <netdb.h>
+ #include <errno.h>
+--
+2.7.0
+
diff --git a/meta/recipes-support/nss-myhostname/nss-myhostname_0.3.bb b/meta/recipes-support/nss-myhostname/nss-myhostname_0.3.bb
index bbce9e9..de5b7cf 100644
--- a/meta/recipes-support/nss-myhostname/nss-myhostname_0.3.bb
+++ b/meta/recipes-support/nss-myhostname/nss-myhostname_0.3.bb
@@ -6,7 +6,9 @@ HOMEPAGE = "http://0pointer.de/lennart/projects/nss-myhostname/"
LICENSE = "LGPLv2.1"
LIC_FILES_CHKSUM = "file://LICENSE;md5=2d5025d4aa3495befef8f17206a5b0a1"
-SRC_URI = "http://0pointer.de/lennart/projects/nss-myhostname/nss-myhostname-${PV}.tar.gz"
+SRC_URI = "http://0pointer.de/lennart/projects/nss-myhostname/nss-myhostname-${PV}.tar.gz \
+ file://0001-nss-myhostname-Check-for-nss.h-presense-before-use.patch \
+ "
SRC_URI[md5sum] = "d4ab9ac36c053ab8fb836db1cbd4a48f"
SRC_URI[sha256sum] = "2ba744ea8d578d1c57c85884e94a3042ee17843a5294434d3a7f6c4d67e7caf2"
--
2.7.0
^ permalink raw reply related [flat|nested] 8+ messages in thread* [PATCH 2/6] gcc: Fix build on musl with -fstack-protector
2016-02-04 22:54 [PATCH V2 0/6] Fix issues when using security_flags on musl Khem Raj
2016-02-04 22:55 ` [PATCH 1/6] nss-myhostname: Fix build " Khem Raj
@ 2016-02-04 22:55 ` Khem Raj
2016-02-04 22:55 ` [PATCH 3/6] security_flags: Disable fstack-protector for gcc runtime libs Khem Raj
` (3 subsequent siblings)
5 siblings, 0 replies; 8+ messages in thread
From: Khem Raj @ 2016-02-04 22:55 UTC (permalink / raw)
To: openembedded-core
When enabling the secutity flags on musl based targets the builds fail
due to libssp(gcc-runtime) build asking to link with libssp and
libssp_nonshared.a when configuring libssp itself. This does not work
with musl since it does provide ssp implementation but not like glibc
where these libraries are separate to libc
Fix the nios2 patch with upstream status while at it and generate the
patch after applying to my tree
Signed-off-by: Khem Raj <raj.khem@gmail.com>
---
meta/recipes-devtools/gcc/gcc-5.3.inc | 3 ++-
.../gcc/gcc-5.3/0047-Fix-nios2-musl-build.patch | 11 --------
.../0047-nios2-Define-MUSL_DYNAMIC_LINKER.patch | 28 +++++++++++++++++++++
.../gcc/gcc-5.3/0048-ssp_nonshared.patch | 29 ++++++++++++++++++++++
4 files changed, 59 insertions(+), 12 deletions(-)
delete mode 100644 meta/recipes-devtools/gcc/gcc-5.3/0047-Fix-nios2-musl-build.patch
create mode 100644 meta/recipes-devtools/gcc/gcc-5.3/0047-nios2-Define-MUSL_DYNAMIC_LINKER.patch
create mode 100644 meta/recipes-devtools/gcc/gcc-5.3/0048-ssp_nonshared.patch
diff --git a/meta/recipes-devtools/gcc/gcc-5.3.inc b/meta/recipes-devtools/gcc/gcc-5.3.inc
index 80999c1..e12bfad 100644
--- a/meta/recipes-devtools/gcc/gcc-5.3.inc
+++ b/meta/recipes-devtools/gcc/gcc-5.3.inc
@@ -76,7 +76,8 @@ SRC_URI = "\
file://0044-Adding-mmusl-as-a-musl-libc-specifier-and-the-necess.patch \
file://0045-Support-for-arm-linux-musl.patch \
file://0046-Get-rid-of-ever-broken-fixincludes-on-musl.patch \
- file://0047-Fix-nios2-musl-build.patch \
+ file://0047-nios2-Define-MUSL_DYNAMIC_LINKER.patch \
+ file://0048-ssp_nonshared.patch \
"
BACKPORTS = ""
diff --git a/meta/recipes-devtools/gcc/gcc-5.3/0047-Fix-nios2-musl-build.patch b/meta/recipes-devtools/gcc/gcc-5.3/0047-Fix-nios2-musl-build.patch
deleted file mode 100644
index 44cea84..0000000
--- a/meta/recipes-devtools/gcc/gcc-5.3/0047-Fix-nios2-musl-build.patch
+++ /dev/null
@@ -1,11 +0,0 @@
-diff -Naru gcc-5.3.0.orig/gcc/config/nios2/linux.h gcc-5.3.0/gcc/config/nios2/linux.h
---- gcc-5.3.0.orig/gcc/config/nios2/linux.h 2015-05-28 16:08:37.000000000 +0200
-+++ gcc-5.3.0/gcc/config/nios2/linux.h 2016-01-04 02:42:46.878844806 +0100
-@@ -30,6 +30,7 @@
- #define CPP_SPEC "%{posix:-D_POSIX_SOURCE} %{pthread:-D_REENTRANT}"
-
- #define GLIBC_DYNAMIC_LINKER "/lib/ld-linux-nios2.so.1"
-+#define MUSL_DYNAMIC_LINKER "/lib/ld-musl-nios2.so.1"
-
- #undef LINK_SPEC
- #define LINK_SPEC LINK_SPEC_ENDIAN \
diff --git a/meta/recipes-devtools/gcc/gcc-5.3/0047-nios2-Define-MUSL_DYNAMIC_LINKER.patch b/meta/recipes-devtools/gcc/gcc-5.3/0047-nios2-Define-MUSL_DYNAMIC_LINKER.patch
new file mode 100644
index 0000000..a1cfb9c
--- /dev/null
+++ b/meta/recipes-devtools/gcc/gcc-5.3/0047-nios2-Define-MUSL_DYNAMIC_LINKER.patch
@@ -0,0 +1,28 @@
+From f5ca07132b9292d2045ca7204e9cbfde2e59d0bf Mon Sep 17 00:00:00 2001
+From: Khem Raj <raj.khem@gmail.com>
+Date: Tue, 2 Feb 2016 10:26:10 -0800
+Subject: [PATCH 47/48] nios2: Define MUSL_DYNAMIC_LINKER
+
+Signed-off-by: Marek Vasut <marex@denx.de>
+Signed-off-by: Khem Raj <raj.khem@gmail.com>
+---
+Upstream-Status: Pending
+
+ gcc/config/nios2/linux.h | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/gcc/config/nios2/linux.h b/gcc/config/nios2/linux.h
+index f43f655..5587ab3 100644
+--- a/gcc/config/nios2/linux.h
++++ b/gcc/config/nios2/linux.h
+@@ -30,6 +30,7 @@
+ #define CPP_SPEC "%{posix:-D_POSIX_SOURCE} %{pthread:-D_REENTRANT}"
+
+ #define GLIBC_DYNAMIC_LINKER "/lib/ld-linux-nios2.so.1"
++#define MUSL_DYNAMIC_LINKER "/lib/ld-musl-nios2.so.1"
+
+ #undef LINK_SPEC
+ #define LINK_SPEC LINK_SPEC_ENDIAN \
+--
+2.7.0
+
diff --git a/meta/recipes-devtools/gcc/gcc-5.3/0048-ssp_nonshared.patch b/meta/recipes-devtools/gcc/gcc-5.3/0048-ssp_nonshared.patch
new file mode 100644
index 0000000..5ddd40a
--- /dev/null
+++ b/meta/recipes-devtools/gcc/gcc-5.3/0048-ssp_nonshared.patch
@@ -0,0 +1,29 @@
+From 3cb6013cf287ed9b1247ea37541e64b9810a121d Mon Sep 17 00:00:00 2001
+From: Szabolcs Nagy <nsz@port70.net>
+Date: Sat, 7 Nov 2015 14:58:40 +0000
+Subject: [PATCH 48/48] ssp_nonshared
+
+---
+Signed-off-by: Khem Raj <raj.khem@gmail.com>
+Upstream-Status: Pending
+
+ gcc/gcc.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/gcc/gcc.c b/gcc/gcc.c
+index 8f53aea..3ddc658 100644
+--- a/gcc/gcc.c
++++ b/gcc/gcc.c
+@@ -732,7 +732,8 @@ proper position among the other output files. */
+ #ifndef LINK_SSP_SPEC
+ #ifdef TARGET_LIBC_PROVIDES_SSP
+ #define LINK_SSP_SPEC "%{fstack-protector|fstack-protector-all" \
+- "|fstack-protector-strong|fstack-protector-explicit:}"
++ "|fstack-protector-strong|fstack-protector-explicit" \
++ ":-lssp_nonshared}"
+ #else
+ #define LINK_SSP_SPEC "%{fstack-protector|fstack-protector-all" \
+ "|fstack-protector-strong|fstack-protector-explicit" \
+--
+2.7.0
+
--
2.7.0
^ permalink raw reply related [flat|nested] 8+ messages in thread* [PATCH 3/6] security_flags: Disable fstack-protector for gcc runtime libs
2016-02-04 22:54 [PATCH V2 0/6] Fix issues when using security_flags on musl Khem Raj
2016-02-04 22:55 ` [PATCH 1/6] nss-myhostname: Fix build " Khem Raj
2016-02-04 22:55 ` [PATCH 2/6] gcc: Fix build on musl with -fstack-protector Khem Raj
@ 2016-02-04 22:55 ` Khem Raj
2016-02-04 23:07 ` Andre McCurdy
2016-02-04 22:55 ` [PATCH 4/6] security_flags: Replace -fstack-protector-all with -fstack-protector-strong Khem Raj
` (2 subsequent siblings)
5 siblings, 1 reply; 8+ messages in thread
From: Khem Raj @ 2016-02-04 22:55 UTC (permalink / raw)
To: openembedded-core
it causes a catch-22 situation where we build libssp in gcc-runtime
but also pass -fstack-protector flags which require libssp, these
libraries are special as well.
also flush out ldflags for gcc libs and glibc
Signed-off-by: Khem Raj <raj.khem@gmail.com>
---
meta/conf/distro/include/security_flags.inc | 11 ++++++++---
1 file changed, 8 insertions(+), 3 deletions(-)
diff --git a/meta/conf/distro/include/security_flags.inc b/meta/conf/distro/include/security_flags.inc
index ac4fc65..7f898ee 100644
--- a/meta/conf/distro/include/security_flags.inc
+++ b/meta/conf/distro/include/security_flags.inc
@@ -39,8 +39,8 @@ SECURITY_CFLAGS_pn-expect = "${SECURITY_NO_PIE_CFLAGS}"
SECURITY_CFLAGS_pn-flac = "${SECURITY_NO_PIE_CFLAGS}"
SECURITY_CFLAGS_pn-flex = "${SECURITY_NO_PIE_CFLAGS}"
SECURITY_CFLAGS_pn-gcc = "${SECURITY_NO_PIE_CFLAGS}"
-SECURITY_CFLAGS_pn-gcc-runtime = "${SECURITY_NO_PIE_CFLAGS}"
-SECURITY_CFLAGS_pn-gcc-sanitizers = "${SECURITY_NO_PIE_CFLAGS}"
+SECURITY_CFLAGS_pn-gcc-runtime = ""
+SECURITY_CFLAGS_pn-gcc-sanitizers = ""
SECURITY_CFLAGS_pn-gdb = "${SECURITY_NO_PIE_CFLAGS}"
SECURITY_CFLAGS_pn-gmp = "${SECURITY_NO_PIE_CFLAGS}"
SECURITY_CFLAGS_pn-gnutls = "${SECURITY_NO_PIE_CFLAGS}"
@@ -59,7 +59,7 @@ SECURITY_CFLAGS_pn-kexec-tools = "${SECURITY_NO_PIE_CFLAGS}"
SECURITY_CFLAGS_pn-iptables = "${SECURITY_NO_PIE_CFLAGS}"
SECURITY_CFLAGS_pn-libaio = "${SECURITY_NO_PIE_CFLAGS}"
SECURITY_CFLAGS_pn-libcap = "${SECURITY_NO_PIE_CFLAGS}"
-SECURITY_CFLAGS_pn-libgcc = "${SECURITY_NO_PIE_CFLAGS}"
+SECURITY_CFLAGS_pn-libgcc = ""
SECURITY_CFLAGS_pn-libid3tag = "${SECURITY_NO_PIE_CFLAGS}"
SECURITY_CFLAGS_pn-libnewt = "${SECURITY_NO_PIE_CFLAGS}"
SECURITY_CFLAGS_pn-libglu = "${SECURITY_NO_PIE_CFLAGS}"
@@ -90,6 +90,11 @@ SECURITY_CFLAGS_pn-pulseaudio = "${SECURITY_NO_PIE_CFLAGS}"
TARGET_CFLAGS_append = " ${SECURITY_CFLAGS}"
TARGET_LDFLAGS_append = " ${SECURITY_LDFLAGS}"
+SECURITY_LDFLAGS_pn-gcc-runtime = ""
+SECURITY_LDFLAGS_pn-gcc-sanitizers = ""
+SECURITY_LDFLAGS_pn-glibc = ""
+SECURITY_LDFLAGS_pn-glibc-initial = ""
+SECURITY_LDFLAGS_pn-libgcc = ""
SECURITY_LDFLAGS_pn-xf86-video-fbdev = "${SECURITY_X_LDFLAGS}"
SECURITY_LDFLAGS_pn-xf86-video-intel = "${SECURITY_X_LDFLAGS}"
SECURITY_LDFLAGS_pn-xf86-video-omapfb = "${SECURITY_X_LDFLAGS}"
--
2.7.0
^ permalink raw reply related [flat|nested] 8+ messages in thread* Re: [PATCH 3/6] security_flags: Disable fstack-protector for gcc runtime libs
2016-02-04 22:55 ` [PATCH 3/6] security_flags: Disable fstack-protector for gcc runtime libs Khem Raj
@ 2016-02-04 23:07 ` Andre McCurdy
0 siblings, 0 replies; 8+ messages in thread
From: Andre McCurdy @ 2016-02-04 23:07 UTC (permalink / raw)
To: Khem Raj; +Cc: OE Core mailing list
On Thu, Feb 4, 2016 at 2:55 PM, Khem Raj <raj.khem@gmail.com> wrote:
> it causes a catch-22 situation where we build libssp in gcc-runtime
> but also pass -fstack-protector flags which require libssp, these
> libraries are special as well.
>
> also flush out ldflags for gcc libs and glibc
>
> Signed-off-by: Khem Raj <raj.khem@gmail.com>
> ---
> meta/conf/distro/include/security_flags.inc | 11 ++++++++---
> 1 file changed, 8 insertions(+), 3 deletions(-)
>
> diff --git a/meta/conf/distro/include/security_flags.inc b/meta/conf/distro/include/security_flags.inc
> index ac4fc65..7f898ee 100644
> --- a/meta/conf/distro/include/security_flags.inc
> +++ b/meta/conf/distro/include/security_flags.inc
> @@ -39,8 +39,8 @@ SECURITY_CFLAGS_pn-expect = "${SECURITY_NO_PIE_CFLAGS}"
> SECURITY_CFLAGS_pn-flac = "${SECURITY_NO_PIE_CFLAGS}"
> SECURITY_CFLAGS_pn-flex = "${SECURITY_NO_PIE_CFLAGS}"
> SECURITY_CFLAGS_pn-gcc = "${SECURITY_NO_PIE_CFLAGS}"
> -SECURITY_CFLAGS_pn-gcc-runtime = "${SECURITY_NO_PIE_CFLAGS}"
> -SECURITY_CFLAGS_pn-gcc-sanitizers = "${SECURITY_NO_PIE_CFLAGS}"
> +SECURITY_CFLAGS_pn-gcc-runtime = ""
> +SECURITY_CFLAGS_pn-gcc-sanitizers = ""
> SECURITY_CFLAGS_pn-gdb = "${SECURITY_NO_PIE_CFLAGS}"
> SECURITY_CFLAGS_pn-gmp = "${SECURITY_NO_PIE_CFLAGS}"
> SECURITY_CFLAGS_pn-gnutls = "${SECURITY_NO_PIE_CFLAGS}"
> @@ -59,7 +59,7 @@ SECURITY_CFLAGS_pn-kexec-tools = "${SECURITY_NO_PIE_CFLAGS}"
> SECURITY_CFLAGS_pn-iptables = "${SECURITY_NO_PIE_CFLAGS}"
> SECURITY_CFLAGS_pn-libaio = "${SECURITY_NO_PIE_CFLAGS}"
> SECURITY_CFLAGS_pn-libcap = "${SECURITY_NO_PIE_CFLAGS}"
> -SECURITY_CFLAGS_pn-libgcc = "${SECURITY_NO_PIE_CFLAGS}"
> +SECURITY_CFLAGS_pn-libgcc = ""
Should libgcc-initial be included here too?
> SECURITY_CFLAGS_pn-libid3tag = "${SECURITY_NO_PIE_CFLAGS}"
> SECURITY_CFLAGS_pn-libnewt = "${SECURITY_NO_PIE_CFLAGS}"
> SECURITY_CFLAGS_pn-libglu = "${SECURITY_NO_PIE_CFLAGS}"
> @@ -90,6 +90,11 @@ SECURITY_CFLAGS_pn-pulseaudio = "${SECURITY_NO_PIE_CFLAGS}"
> TARGET_CFLAGS_append = " ${SECURITY_CFLAGS}"
> TARGET_LDFLAGS_append = " ${SECURITY_LDFLAGS}"
>
> +SECURITY_LDFLAGS_pn-gcc-runtime = ""
> +SECURITY_LDFLAGS_pn-gcc-sanitizers = ""
> +SECURITY_LDFLAGS_pn-glibc = ""
> +SECURITY_LDFLAGS_pn-glibc-initial = ""
> +SECURITY_LDFLAGS_pn-libgcc = ""
> SECURITY_LDFLAGS_pn-xf86-video-fbdev = "${SECURITY_X_LDFLAGS}"
> SECURITY_LDFLAGS_pn-xf86-video-intel = "${SECURITY_X_LDFLAGS}"
> SECURITY_LDFLAGS_pn-xf86-video-omapfb = "${SECURITY_X_LDFLAGS}"
> --
> 2.7.0
>
> --
> _______________________________________________
> Openembedded-core mailing list
> Openembedded-core@lists.openembedded.org
> http://lists.openembedded.org/mailman/listinfo/openembedded-core
^ permalink raw reply [flat|nested] 8+ messages in thread
* [PATCH 4/6] security_flags: Replace -fstack-protector-all with -fstack-protector-strong
2016-02-04 22:54 [PATCH V2 0/6] Fix issues when using security_flags on musl Khem Raj
` (2 preceding siblings ...)
2016-02-04 22:55 ` [PATCH 3/6] security_flags: Disable fstack-protector for gcc runtime libs Khem Raj
@ 2016-02-04 22:55 ` Khem Raj
2016-02-04 22:55 ` [PATCH 5/6] gcc: Assume libssp and dl_iterate_phdr on musl Khem Raj
2016-02-04 22:55 ` [PATCH 6/6] gcc: musl related fixes for unwinding, ppc/secure-plt and gthr Khem Raj
5 siblings, 0 replies; 8+ messages in thread
From: Khem Raj @ 2016-02-04 22:55 UTC (permalink / raw)
To: openembedded-core
since gcc 4.9 this is new option added to gcc which is a better version
of fstack-protector-all with reduced stack usage and better performance
yet giving same amount of coverage.
pass fstack-protector-strong to linker flags as well
so ld is passed flags to link with ssp libraries
https://outflux.net/blog/archives/2014/01/27/fstack-protector-strong/
describes it in usablility terms.
Do not use ssp when compiling glibc and gcc libs
ensure that security flags are only used for target packages
Signed-off-by: Khem Raj <raj.khem@gmail.com>
---
meta/conf/distro/include/security_flags.inc | 22 +++++++++++-----------
1 file changed, 11 insertions(+), 11 deletions(-)
diff --git a/meta/conf/distro/include/security_flags.inc b/meta/conf/distro/include/security_flags.inc
index 7f898ee..ff5d940 100644
--- a/meta/conf/distro/include/security_flags.inc
+++ b/meta/conf/distro/include/security_flags.inc
@@ -9,11 +9,11 @@
# -O0 which then results in a compiler warning.
lcl_maybe_fortify = "${@base_conditional('DEBUG_BUILD','1','','-D_FORTIFY_SOURCE=2',d)}"
-SECURITY_CFLAGS ?= "-fstack-protector-all -pie -fpie ${lcl_maybe_fortify}"
-SECURITY_NO_PIE_CFLAGS ?= "-fstack-protector-all ${lcl_maybe_fortify}"
+SECURITY_CFLAGS ?= "-fstack-protector-strong -pie -fpie ${lcl_maybe_fortify}"
+SECURITY_NO_PIE_CFLAGS ?= "-fstack-protector-strong ${lcl_maybe_fortify}"
-SECURITY_LDFLAGS ?= "-Wl,-z,relro,-z,now"
-SECURITY_X_LDFLAGS ?= "-Wl,-z,relro"
+SECURITY_LDFLAGS ?= "-fstack-protector-strong -Wl,-z,relro,-z,now"
+SECURITY_X_LDFLAGS ?= "-fstack-protector-strong -Wl,-z,relro"
# powerpc does not get on with pie for reasons not looked into as yet
SECURITY_CFLAGS_powerpc = "-fstack-protector-all ${lcl_maybe_fortify}"
@@ -87,14 +87,14 @@ SECURITY_CFLAGS_pn-zlib = "${SECURITY_NO_PIE_CFLAGS}"
SECURITY_CFLAGS_pn-ltp = "${SECURITY_NO_PIE_CFLAGS}"
SECURITY_CFLAGS_pn-pulseaudio = "${SECURITY_NO_PIE_CFLAGS}"
-TARGET_CFLAGS_append = " ${SECURITY_CFLAGS}"
-TARGET_LDFLAGS_append = " ${SECURITY_LDFLAGS}"
+TARGET_CFLAGS_append_class-target = " ${SECURITY_CFLAGS}"
+TARGET_LDFLAGS_append_class-target = " ${SECURITY_LDFLAGS}"
-SECURITY_LDFLAGS_pn-gcc-runtime = ""
-SECURITY_LDFLAGS_pn-gcc-sanitizers = ""
-SECURITY_LDFLAGS_pn-glibc = ""
-SECURITY_LDFLAGS_pn-glibc-initial = ""
-SECURITY_LDFLAGS_pn-libgcc = ""
+SECURITY_LDFLAGS_remove_pn-gcc-runtime = "-fstack-protector-strong"
+SECURITY_LDFLAGS_remove_pn-gcc-sanitizers = "-fstack-protector-strong"
+SECURITY_LDFLAGS_remove_pn-glibc = "-fstack-protector-strong"
+SECURITY_LDFLAGS_remove_pn-glibc-initial = "-fstack-protector-strong"
+SECURITY_LDFLAGS_remove_pn-libgcc = "-fstack-protector-strong"
SECURITY_LDFLAGS_pn-xf86-video-fbdev = "${SECURITY_X_LDFLAGS}"
SECURITY_LDFLAGS_pn-xf86-video-intel = "${SECURITY_X_LDFLAGS}"
SECURITY_LDFLAGS_pn-xf86-video-omapfb = "${SECURITY_X_LDFLAGS}"
--
2.7.0
^ permalink raw reply related [flat|nested] 8+ messages in thread* [PATCH 5/6] gcc: Assume libssp and dl_iterate_phdr on musl
2016-02-04 22:54 [PATCH V2 0/6] Fix issues when using security_flags on musl Khem Raj
` (3 preceding siblings ...)
2016-02-04 22:55 ` [PATCH 4/6] security_flags: Replace -fstack-protector-all with -fstack-protector-strong Khem Raj
@ 2016-02-04 22:55 ` Khem Raj
2016-02-04 22:55 ` [PATCH 6/6] gcc: musl related fixes for unwinding, ppc/secure-plt and gthr Khem Raj
5 siblings, 0 replies; 8+ messages in thread
From: Khem Raj @ 2016-02-04 22:55 UTC (permalink / raw)
To: openembedded-core
gcc configure fails to set these settings correctly
on musl based builds
Signed-off-by: Khem Raj <raj.khem@gmail.com>
---
meta/recipes-devtools/gcc/gcc-5.3.inc | 1 +
1 file changed, 1 insertion(+)
diff --git a/meta/recipes-devtools/gcc/gcc-5.3.inc b/meta/recipes-devtools/gcc/gcc-5.3.inc
index e12bfad..83e061f 100644
--- a/meta/recipes-devtools/gcc/gcc-5.3.inc
+++ b/meta/recipes-devtools/gcc/gcc-5.3.inc
@@ -123,6 +123,7 @@ EXTRA_OECONF_INITIAL = "\
"
EXTRA_OECONF_append_libc-uclibc = " --disable-decimal-float "
+EXTRA_OECONF_append_libc-musl = " gcc_cv_libc_provides_ssp=yes gcc_cv_target_dl_iterate_phdr=yes "
EXTRA_OECONF_PATHS = "\
--with-gxx-include-dir=/not/exist{target_includedir}/c++/${BINV} \
--
2.7.0
^ permalink raw reply related [flat|nested] 8+ messages in thread* [PATCH 6/6] gcc: musl related fixes for unwinding, ppc/secure-plt and gthr
2016-02-04 22:54 [PATCH V2 0/6] Fix issues when using security_flags on musl Khem Raj
` (4 preceding siblings ...)
2016-02-04 22:55 ` [PATCH 5/6] gcc: Assume libssp and dl_iterate_phdr on musl Khem Raj
@ 2016-02-04 22:55 ` Khem Raj
5 siblings, 0 replies; 8+ messages in thread
From: Khem Raj @ 2016-02-04 22:55 UTC (permalink / raw)
To: openembedded-core
These issues are fixing building gcc for target, ppc issue
helps in fixing discrepency between gcc cmdline and linker cmdline
Signed-off-by: Khem Raj <raj.khem@gmail.com>
---
meta/recipes-devtools/gcc/gcc-5.3.inc | 3 +
...-weak-reference-logic-in-gthr.h-for-os-ge.patch | 78 ++++++++++++++++++++++
...050-powerpc-pass-secure-plt-to-the-linker.patch | 66 ++++++++++++++++++
.../gcc-5.3/0051-support-unwinding-on-musl.patch | 34 ++++++++++
4 files changed, 181 insertions(+)
create mode 100644 meta/recipes-devtools/gcc/gcc-5.3/0049-Disable-the-weak-reference-logic-in-gthr.h-for-os-ge.patch
create mode 100644 meta/recipes-devtools/gcc/gcc-5.3/0050-powerpc-pass-secure-plt-to-the-linker.patch
create mode 100644 meta/recipes-devtools/gcc/gcc-5.3/0051-support-unwinding-on-musl.patch
diff --git a/meta/recipes-devtools/gcc/gcc-5.3.inc b/meta/recipes-devtools/gcc/gcc-5.3.inc
index 83e061f..372b844 100644
--- a/meta/recipes-devtools/gcc/gcc-5.3.inc
+++ b/meta/recipes-devtools/gcc/gcc-5.3.inc
@@ -78,6 +78,9 @@ SRC_URI = "\
file://0046-Get-rid-of-ever-broken-fixincludes-on-musl.patch \
file://0047-nios2-Define-MUSL_DYNAMIC_LINKER.patch \
file://0048-ssp_nonshared.patch \
+ file://0049-Disable-the-weak-reference-logic-in-gthr.h-for-os-ge.patch \
+ file://0050-powerpc-pass-secure-plt-to-the-linker.patch \
+ file://0051-support-unwinding-on-musl.patch \
"
BACKPORTS = ""
diff --git a/meta/recipes-devtools/gcc/gcc-5.3/0049-Disable-the-weak-reference-logic-in-gthr.h-for-os-ge.patch b/meta/recipes-devtools/gcc/gcc-5.3/0049-Disable-the-weak-reference-logic-in-gthr.h-for-os-ge.patch
new file mode 100644
index 0000000..0ea5143
--- /dev/null
+++ b/meta/recipes-devtools/gcc/gcc-5.3/0049-Disable-the-weak-reference-logic-in-gthr.h-for-os-ge.patch
@@ -0,0 +1,78 @@
+From 553d8e3b9073ff3e0a9d2fac9b1823fb17ad247c Mon Sep 17 00:00:00 2001
+From: Khem Raj <raj.khem@gmail.com>
+Date: Tue, 2 Feb 2016 21:00:18 -0800
+Subject: [PATCH 49/51] Disable the weak reference logic in gthr.h for
+ os/generic
+
+It does not work unless work arounds are there in gthr-posix.h
+
+origin of patch
+http://port70.net/~nsz/musl/gcc-5.3.0/0004-gthr.patch
+
+Signed-off-by: Khem Raj <raj.khem@gmail.com>
+---
+Upstream-Status: Pending
+
+ libgfortran/acinclude.m4 | 2 +-
+ libgfortran/configure | 2 +-
+ libstdc++-v3/config/os/generic/os_defines.h | 5 +++++
+ libstdc++-v3/configure.host | 3 +++
+ 4 files changed, 10 insertions(+), 2 deletions(-)
+
+diff --git a/libgfortran/acinclude.m4 b/libgfortran/acinclude.m4
+index ba890f9..30b8b1a6 100644
+--- a/libgfortran/acinclude.m4
++++ b/libgfortran/acinclude.m4
+@@ -100,7 +100,7 @@ void foo (void);
+ [Define to 1 if the target supports #pragma weak])
+ fi
+ case "$host" in
+- *-*-darwin* | *-*-hpux* | *-*-cygwin* | *-*-mingw* )
++ *-*-darwin* | *-*-hpux* | *-*-cygwin* | *-*-mingw* | *-*-musl* )
+ AC_DEFINE(GTHREAD_USE_WEAK, 0,
+ [Define to 0 if the target shouldn't use #pragma weak])
+ ;;
+diff --git a/libgfortran/configure b/libgfortran/configure
+index 5d47e65..cdf9695 100755
+--- a/libgfortran/configure
++++ b/libgfortran/configure
+@@ -26456,7 +26456,7 @@ $as_echo "#define SUPPORTS_WEAK 1" >>confdefs.h
+
+ fi
+ case "$host" in
+- *-*-darwin* | *-*-hpux* | *-*-cygwin* | *-*-mingw* )
++ *-*-darwin* | *-*-hpux* | *-*-cygwin* | *-*-mingw* | *-*-musl* )
+
+ $as_echo "#define GTHREAD_USE_WEAK 0" >>confdefs.h
+
+diff --git a/libstdc++-v3/config/os/generic/os_defines.h b/libstdc++-v3/config/os/generic/os_defines.h
+index 45bf52a..103ec0e 100644
+--- a/libstdc++-v3/config/os/generic/os_defines.h
++++ b/libstdc++-v3/config/os/generic/os_defines.h
+@@ -33,4 +33,9 @@
+ // System-specific #define, typedefs, corrections, etc, go here. This
+ // file will come before all others.
+
++// Disable the weak reference logic in gthr.h for os/generic because it
++// is broken on every platform unless there is implementation specific
++// workaround in gthr-posix.h and at link-time for static linking.
++#define _GLIBCXX_GTHREAD_USE_WEAK 0
++
+ #endif
+diff --git a/libstdc++-v3/configure.host b/libstdc++-v3/configure.host
+index 1756444..2a87bb8 100644
+--- a/libstdc++-v3/configure.host
++++ b/libstdc++-v3/configure.host
+@@ -273,6 +273,9 @@ case "${host_os}" in
+ freebsd*)
+ os_include_dir="os/bsd/freebsd"
+ ;;
++ linux-musl*)
++ os_include_dir="os/generic"
++ ;;
+ gnu* | linux* | kfreebsd*-gnu | knetbsd*-gnu)
+ # check for musl by target
+ case "${host_os}" in
+--
+2.7.0
+
diff --git a/meta/recipes-devtools/gcc/gcc-5.3/0050-powerpc-pass-secure-plt-to-the-linker.patch b/meta/recipes-devtools/gcc/gcc-5.3/0050-powerpc-pass-secure-plt-to-the-linker.patch
new file mode 100644
index 0000000..b2f2bbd
--- /dev/null
+++ b/meta/recipes-devtools/gcc/gcc-5.3/0050-powerpc-pass-secure-plt-to-the-linker.patch
@@ -0,0 +1,66 @@
+From 4fa0cf03678f849917dcc3d149989b7fecdbe276 Mon Sep 17 00:00:00 2001
+From: Khem Raj <raj.khem@gmail.com>
+Date: Tue, 2 Feb 2016 21:10:00 -0800
+Subject: [PATCH 50/51] powerpc pass --secure-plt to the linker
+
+Secure-plt when enabled does not pass right options to linker
+
+Signed-off-by: Khem Raj <raj.khem@gmail.com>
+---
+Upstream-Status: Pending
+ gcc/config/rs6000/linux64.h | 4 ++++
+ gcc/config/rs6000/sysv4.h | 2 ++
+ 2 files changed, 6 insertions(+)
+
+diff --git a/gcc/config/rs6000/linux64.h b/gcc/config/rs6000/linux64.h
+index 679da4b..3ca7cd7 100644
+--- a/gcc/config/rs6000/linux64.h
++++ b/gcc/config/rs6000/linux64.h
+@@ -174,20 +174,24 @@ extern int dot_symbols;
+ #undef ASM_DEFAULT_SPEC
+ #undef ASM_SPEC
+ #undef LINK_OS_LINUX_SPEC
++#undef LINK_SECURE_PLT_SPEC
+
+ #ifndef RS6000_BI_ARCH
+ #define ASM_DEFAULT_SPEC "-mppc64"
+ #define ASM_SPEC "%(asm_spec64) %(asm_spec_common)"
+ #define LINK_OS_LINUX_SPEC "%(link_os_linux_spec64)"
++#define LINK_SECURE_PLT_SPEC ""
+ #else
+ #if DEFAULT_ARCH64_P
+ #define ASM_DEFAULT_SPEC "-mppc%{!m32:64}"
+ #define ASM_SPEC "%{m32:%(asm_spec32)}%{!m32:%(asm_spec64)} %(asm_spec_common)"
+ #define LINK_OS_LINUX_SPEC "%{m32:%(link_os_linux_spec32)}%{!m32:%(link_os_linux_spec64)}"
++#define LINK_SECURE_PLT_SPEC "%{m32: " LINK_SECURE_PLT_DEFAULT_SPEC "}"
+ #else
+ #define ASM_DEFAULT_SPEC "-mppc%{m64:64}"
+ #define ASM_SPEC "%{!m64:%(asm_spec32)}%{m64:%(asm_spec64)} %(asm_spec_common)"
+ #define LINK_OS_LINUX_SPEC "%{!m64:%(link_os_linux_spec32)}%{m64:%(link_os_linux_spec64)}"
++#define LINK_SECURE_PLT_SPEC "%{!m64: " LINK_SECURE_PLT_DEFAULT_SPEC "}"
+ #endif
+ #endif
+
+diff --git a/gcc/config/rs6000/sysv4.h b/gcc/config/rs6000/sysv4.h
+index 8794fa5..0835551 100644
+--- a/gcc/config/rs6000/sysv4.h
++++ b/gcc/config/rs6000/sysv4.h
+@@ -571,6 +571,7 @@ ENDIAN_SELECT(" -mbig", " -mlittle", DEFAULT_ASM_ENDIAN)
+ : %(link_start_default) }"
+
+ #define LINK_START_DEFAULT_SPEC ""
++#define LINK_SECURE_PLT_SPEC LINK_SECURE_PLT_DEFAULT_SPEC
+
+ #undef LINK_SPEC
+ #define LINK_SPEC "\
+@@ -578,6 +579,7 @@ ENDIAN_SELECT(" -mbig", " -mlittle", DEFAULT_ASM_ENDIAN)
+ %{R*} \
+ %(link_shlib) \
+ %{!T*: %(link_start) } \
++%{!static: %{!mbss-plt: %(link_secure_plt_default)}} \
+ %(link_os)"
+
+ /* Shared libraries are not default. */
+--
+2.7.0
+
diff --git a/meta/recipes-devtools/gcc/gcc-5.3/0051-support-unwinding-on-musl.patch b/meta/recipes-devtools/gcc/gcc-5.3/0051-support-unwinding-on-musl.patch
new file mode 100644
index 0000000..b0480b3
--- /dev/null
+++ b/meta/recipes-devtools/gcc/gcc-5.3/0051-support-unwinding-on-musl.patch
@@ -0,0 +1,34 @@
+From 2ed1e7da8b4367af28588131ff510a1d238131b2 Mon Sep 17 00:00:00 2001
+From: Szabolcs Nagy <nsz@port70.net>
+Date: Sat, 1 Aug 2015 22:37:27 +0000
+Subject: [PATCH 51/51] support unwinding on musl
+
+musl does not define __GLIBC__ so we need
+to take care of that case
+
+Signed-off-by: Khem Raj <raj.khem@gmail.com>
+---
+Upstream-Status: Pending
+ libgcc/unwind-dw2-fde-dip.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/libgcc/unwind-dw2-fde-dip.c b/libgcc/unwind-dw2-fde-dip.c
+index e1e566b..137dced 100644
+--- a/libgcc/unwind-dw2-fde-dip.c
++++ b/libgcc/unwind-dw2-fde-dip.c
+@@ -59,6 +59,12 @@
+
+ #if !defined(inhibit_libc) && defined(HAVE_LD_EH_FRAME_HDR) \
+ && defined(TARGET_DL_ITERATE_PHDR) \
++ && defined(__linux__)
++# define USE_PT_GNU_EH_FRAME
++#endif
++
++#if !defined(inhibit_libc) && defined(HAVE_LD_EH_FRAME_HDR) \
++ && defined(TARGET_DL_ITERATE_PHDR) \
+ && (defined(__DragonFly__) || defined(__FreeBSD__))
+ # define ElfW __ElfN
+ # define USE_PT_GNU_EH_FRAME
+--
+2.7.0
+
--
2.7.0
^ permalink raw reply related [flat|nested] 8+ messages in thread