From: Avi Kivity <avi@redhat.com>
To: Anthony Liguori <anthony@codemonkey.ws>,
qemu-devel@nongnu.org, Blue Swirl <blauwirbel@gmail.com>
Cc: Paul Moore <pmoore@redhat.com>, Peter Maydell <peter.maydell@linaro.org>
Subject: [Qemu-devel] [PATCH v6 1.0] configure: build position independent executables on x86 hosts
Date: Tue, 15 Nov 2011 10:57:56 +0200 [thread overview]
Message-ID: <1321347476-6546-1-git-send-email-avi@redhat.com> (raw)
Change the default on x86 hosts to building PIE (position independent
executables); instead of restricting the option to user-only targets,
apply it to all targets.
In addition, set the relocation sections to read-only (relro) when available;
this reduces the attack surface by disallowing changes to relocation tables
at runtime.
While PIE reduces performance and relro increases load time, it greatly
improves security, with the potential to reduce a code execution vulnerability
to a self denial of service.
Non-x86 are not changed, as they require TCG changes.
Signed-off-by: Avi Kivity <avi@redhat.com>
---
v6: fix subject line. sigh.
v5: fix typos; only default enable for x86; mutually exclusive with -static
v4: say it's v4 and for 1.0
v3: detect toolchain support for PIE at configure time
v2: improve description to include relro
configure | 55 +++++++++++++++++++++++++++++++++++++------------------
1 files changed, 37 insertions(+), 18 deletions(-)
diff --git a/configure b/configure
index 6c77fbb..024e603 100755
--- a/configure
+++ b/configure
@@ -172,7 +172,7 @@ aix="no"
blobs="yes"
pkgversion=""
check_utests=""
-user_pie="no"
+pie=""
zero_malloc=""
trace_backend="nop"
trace_file="trace"
@@ -701,9 +701,9 @@ for opt do
;;
--disable-guest-base) guest_base="no"
;;
- --enable-user-pie) user_pie="yes"
+ --enable-pie) pie="yes"
;;
- --disable-user-pie) user_pie="no"
+ --disable-pie) pie="no"
;;
--enable-uname-release=*) uname_release="$optarg"
;;
@@ -1031,8 +1031,8 @@ echo " --disable-bsd-user disable all BSD usermode emulation targets"
echo " --enable-guest-base enable GUEST_BASE support for usermode"
echo " emulation targets"
echo " --disable-guest-base disable GUEST_BASE support"
-echo " --enable-user-pie build usermode emulation targets as PIE"
-echo " --disable-user-pie do not build usermode emulation targets as PIE"
+echo " --enable-pie build Position Independent Executables"
+echo " --disable-pie do not build Position Independent Executables"
echo " --fmod-lib path to FMOD library"
echo " --fmod-inc path to FMOD includes"
echo " --oss-lib path to OSS library"
@@ -1099,6 +1099,37 @@ for flag in $gcc_flags; do
fi
done
+if test "$pie" = "yes" -a "$static" = "yes" ; then
+ echo "static and pie are mutually incompatible"
+ exit 1
+fi
+
+if test "$pie" != "no" -a "$static" != "yes" ; then
+ case "$cpu" in
+ i386|x86_64)
+ pie="yes"
+ ;;
+ *)
+ ;;
+ esac
+fi
+
+if test "$pie" = "yes" ; then
+ cat > $TMPC << EOF
+int main(void) { return 0; }
+EOF
+ if compile_prog "-fPIE -DPIE" "-Wl,-pie"; then
+ QEMU_CFLAGS="-fPIE -DPIE $QEMU_CFLAGS"
+ LDFLAGS="-Wl,-pie $LDFLAGS"
+ if compile_prog "-fPIE -DPIE" "-Wl,-pie -Wl,-z,relro -Wl,-z,now"; then
+ LDFLAGS="-Wl,-z,relro -Wl,-z,now $LDFLAGS"
+ fi
+ else
+ echo "Disabling PIE due to missing toolchain support"
+ pie="no"
+ fi
+fi
+
#
# Solaris specific configure tool chain decisions
#
@@ -2765,7 +2796,7 @@ echo "Documentation $docs"
echo "uname -r $uname_release"
echo "NPTL support $nptl"
echo "GUEST_BASE $guest_base"
-echo "PIE user targets $user_pie"
+echo "PIE $pie"
echo "vde support $vde"
echo "Linux AIO support $linux_aio"
echo "ATTR/XATTR support $attr"
@@ -3225,9 +3256,6 @@ for d in libdis libdis-user; do
symlink $source_path/Makefile.dis $d/Makefile
echo > $d/config.mak
done
-if test "$static" = "no" -a "$user_pie" = "yes" ; then
- echo "QEMU_CFLAGS+=-fpie" > libdis-user/config.mak
-fi
for target in $target_list; do
target_dir="$target"
@@ -3646,12 +3674,6 @@ if test "$target_softmmu" = "yes" ; then
esac
fi
-if test "$target_user_only" = "yes" -a "$static" = "no" -a \
- "$user_pie" = "yes" ; then
- cflags="-fpie $cflags"
- ldflags="-pie $ldflags"
-fi
-
if test "$target_softmmu" = "yes" -a \( \
"$TARGET_ARCH" = "microblaze" -o \
"$TARGET_ARCH" = "cris" \) ; then
@@ -3775,9 +3797,6 @@ d=libuser
mkdir -p $d
mkdir -p $d/trace
symlink $source_path/Makefile.user $d/Makefile
-if test "$static" = "no" -a "$user_pie" = "yes" ; then
- echo "QEMU_CFLAGS+=-fpie" > $d/config.mak
-fi
if test "$docs" = "yes" ; then
mkdir -p QMP
--
1.7.7.1
reply other threads:[~2011-11-15 8:58 UTC|newest]
Thread overview: [no followups] expand[flat|nested] mbox.gz Atom feed
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1321347476-6546-1-git-send-email-avi@redhat.com \
--to=avi@redhat.com \
--cc=anthony@codemonkey.ws \
--cc=blauwirbel@gmail.com \
--cc=peter.maydell@linaro.org \
--cc=pmoore@redhat.com \
--cc=qemu-devel@nongnu.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).