From patchwork Wed Jun 28 16:04:14 2017 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Khem Raj X-Patchwork-Id: 106544 Delivered-To: patch@linaro.org Received: by 10.182.135.102 with SMTP id pr6csp3715478obb; Wed, 28 Jun 2017 09:05:31 -0700 (PDT) X-Received: by 10.84.164.193 with SMTP id l1mr12402732plg.243.1498665931243; Wed, 28 Jun 2017 09:05:31 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1498665931; cv=none; d=google.com; s=arc-20160816; b=jDMbdzay2bcB+eiAL5HOtaQuwX/Yxf6Iw6eitOqZsPh8nyrPC5/hWFBHcErGDAjBxj XtCxTek2f4Y6s9076lIg5TrKydsUOHQz01NnpImVA8EJ7JMW0aivFbmkPnA7fXvlvr1x pjcvWN4YcUqB0VwWe/299pN+2JrfXwlu6H3ciMIZgrtXKH9N7edGUIFtVK17bNCseHXY N/+VEvc3VAhtZpP1agkQvyanBDWO3HUqUe3G58GGA1vcyT1+UKszj0D9S/AxTYJ3MKD1 YX9MMJwOwExCW6CkGUrt0fKypc/WEERntSrX9vCAQZrUf1sXan4VaPz4x5i0s/rR9a2R yEWw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=errors-to:sender:content-transfer-encoding:mime-version :list-subscribe:list-help:list-post:list-archive:list-unsubscribe :list-id:precedence:subject:references:in-reply-to:message-id:date :to:from:dkim-signature:delivered-to:arc-authentication-results; bh=f9Y4cvb9DmiGY6uuxwj21pA3ywM37932v1jNHAk5O3o=; b=wk9+N11yjn3ojUIAqjnyX2VnGRyOSA91hG83Nw1ljNf5ru/72/RX2R8AMQLdM1piMR c79bAeoOUZsR8EArkYcM6hGNi8u2eeuJbK0rbE+pwBN8X+R9pz3GFT99tthTX8GtFj/M y+bJDfIf1yy1STsfk9pgkZKE2hn+MZa5F/JE4T1Adp2O1QRJUelaFfUpsBkSMugizVAb +81ChY8aYy0VW9FdEXPrii5UwAtlQo/dLGXqsmkuk1svNgwQM32q8OLUsxYFJMGxlxBX BmYiKZnH+SHJlZA9xQmTYZBRn2wacn+HQDvtNLLSPdURPUVLEuHxtcECOKRT+EK3swmS nPJQ== ARC-Authentication-Results: i=1; mx.google.com; dkim=neutral (body hash did not verify) header.i=@gmail.com header.b=tqhfWCZE; spf=pass (google.com: best guess record for domain of openembedded-core-bounces@lists.openembedded.org designates 140.211.169.62 as permitted sender) smtp.mailfrom=openembedded-core-bounces@lists.openembedded.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=gmail.com Return-Path: Received: from mail.openembedded.org (mail.openembedded.org. [140.211.169.62]) by mx.google.com with ESMTP id o24si1820825pgn.99.2017.06.28.09.05.30; Wed, 28 Jun 2017 09:05:31 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of openembedded-core-bounces@lists.openembedded.org designates 140.211.169.62 as permitted sender) client-ip=140.211.169.62; Authentication-Results: mx.google.com; dkim=neutral (body hash did not verify) header.i=@gmail.com header.b=tqhfWCZE; spf=pass (google.com: best guess record for domain of openembedded-core-bounces@lists.openembedded.org designates 140.211.169.62 as permitted sender) smtp.mailfrom=openembedded-core-bounces@lists.openembedded.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=gmail.com Received: from review.yoctoproject.org (localhost [127.0.0.1]) by mail.openembedded.org (Postfix) with ESMTP id C47D577FF9; Wed, 28 Jun 2017 16:05:28 +0000 (UTC) X-Original-To: openembedded-core@lists.openembedded.org Delivered-To: openembedded-core@lists.openembedded.org Received: from mail-pg0-f67.google.com (mail-pg0-f67.google.com [74.125.83.67]) by mail.openembedded.org (Postfix) with ESMTP id 4F5A277FF6 for ; Wed, 28 Jun 2017 16:04:35 +0000 (UTC) Received: by mail-pg0-f67.google.com with SMTP id j186so8715949pge.1 for ; Wed, 28 Jun 2017 09:04:37 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=from:to:cc:subject:date:message-id:in-reply-to:references; bh=1N+2dhs28SnuvFCty7CEt3Go0xzLoY4ZxXyhiIy573k=; b=tqhfWCZENYk+hbAkyGZuCA01p7sJO0IJEhN2Lkp2QGZzLHeKOti4nRceXeJk2taLTh rN+7uek2PJud2tzA+VjEMXl095zgw9SRajPej9bY5A6KpdpiHNlK6fcutM2bKn1FWvuw x76eVKWkYlFbL7tpshybi/lGoUeEC8kBAO4VfK0UKKgyjgIIgjZixXI9jutr4cC0I6LL NsvLNIStCwcv32rF2z6SWgGn55HBMRVUU3oFPPnNXnOEENNBI3EddFSD3RD5YIQTSirA r+zLSJVe50rSJKLwrK4Vs0+hy92YZOAC6xWmmkJv8aGAUnTQovSSKXDxgii2n5QbIgID wn+A== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references; bh=1N+2dhs28SnuvFCty7CEt3Go0xzLoY4ZxXyhiIy573k=; b=MMey4Kz6+gLpbaWOEoZHVCH6iFbBMZUWbEmchSGaIZtJzN97CmNnnEIrzxYdAF+qei T1fYgvLoyrJ6R14E4KtgxGAtCWs4dP+8TxdPLCDtkIHoiCyzUBa/UK4bvN3oFPzcDIyR O4Zg2WQ0nWOmI9V3HWvbfAYn2HuhP5T4SqnBemJgfWQZDoOL3tviLRaNMTj2Dqjz2CN6 lW02CoYq8I4HU2fFnHl9mICuS9KULOaJ/loVEAmk3YFcUWV1ml8H2QYCISgJSGegZ0Zx A9oOvhhRzM3iZd0trHqbZwFmfq3xCVZfHbSFrzeZRmRBJIhc/CK7zER3x4B3qj1Kz2Dr bIeg== X-Gm-Message-State: AKS2vOw3rHGO87wElV1aqHEDqbVrdM78uQaapZXtB+YEH/k5XrHO0Gu2 mqbfbyhHZL+x/1l3 X-Received: by 10.84.128.69 with SMTP id 63mr12412962pla.54.1498665876924; Wed, 28 Jun 2017 09:04:36 -0700 (PDT) Received: from localhost.localdomain ([2601:646:8882:b8c::3df3]) by smtp.gmail.com with ESMTPSA id v62sm5243608pfb.124.2017.06.28.09.04.35 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Wed, 28 Jun 2017 09:04:35 -0700 (PDT) From: Khem Raj To: openembedded-core@lists.openembedded.org Date: Wed, 28 Jun 2017 09:04:14 -0700 Message-Id: X-Mailer: git-send-email 2.13.2 In-Reply-To: References: Subject: [OE-core] [PATCH 01/10] gcc: Introduce a knob to configure gcc to default to PIE X-BeenThere: openembedded-core@lists.openembedded.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: Patches and discussions about the oe-core layer List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , MIME-Version: 1.0 Sender: openembedded-core-bounces@lists.openembedded.org Errors-To: openembedded-core-bounces@lists.openembedded.org GCCPIE flag which is empty by default adds "--enable-default-pie" configure option for harderned distros We do not require to add -fpie -pie flag externally anymore Signed-off-by: Khem Raj --- meta/conf/distro/include/security_flags.inc | 4 +++- meta/recipes-devtools/gcc/gcc-configure-common.inc | 3 +++ 2 files changed, 6 insertions(+), 1 deletion(-) -- 2.13.2 -- _______________________________________________ Openembedded-core mailing list Openembedded-core@lists.openembedded.org http://lists.openembedded.org/mailman/listinfo/openembedded-core diff --git a/meta/conf/distro/include/security_flags.inc b/meta/conf/distro/include/security_flags.inc index 38164d08b8..f2eb224a77 100644 --- a/meta/conf/distro/include/security_flags.inc +++ b/meta/conf/distro/include/security_flags.inc @@ -5,6 +5,8 @@ # From a Yocto Project perspective, this file is included and tested # in the DISTRO="poky-lsb" configuration. +GCCPIE ?= "--enable-default-pie" + # _FORTIFY_SOURCE requires -O1 or higher, so disable in debug builds as they use # -O0 which then results in a compiler warning. lcl_maybe_fortify = "${@base_conditional('DEBUG_BUILD','1','','-D_FORTIFY_SOURCE=2',d)}" @@ -12,7 +14,7 @@ lcl_maybe_fortify = "${@base_conditional('DEBUG_BUILD','1','','-D_FORTIFY_SOURCE # Error on use of format strings that represent possible security problems SECURITY_STRINGFORMAT ?= "-Wformat -Wformat-security -Werror=format-security" -SECURITY_CFLAGS ?= "-fstack-protector-strong -pie -fpie ${lcl_maybe_fortify} ${SECURITY_STRINGFORMAT}" +SECURITY_CFLAGS ?= "-fstack-protector-strong ${lcl_maybe_fortify} ${SECURITY_STRINGFORMAT}" SECURITY_NO_PIE_CFLAGS ?= "-fstack-protector-strong ${lcl_maybe_fortify} ${SECURITY_STRINGFORMAT}" SECURITY_LDFLAGS ?= "-fstack-protector-strong -Wl,-z,relro,-z,now" diff --git a/meta/recipes-devtools/gcc/gcc-configure-common.inc b/meta/recipes-devtools/gcc/gcc-configure-common.inc index 63fa1d9686..e2ce234aa1 100644 --- a/meta/recipes-devtools/gcc/gcc-configure-common.inc +++ b/meta/recipes-devtools/gcc/gcc-configure-common.inc @@ -22,6 +22,8 @@ EXTRA_OECONF_INITIAL ?= "" GCCMULTILIB ?= "--disable-multilib" GCCTHREADS ?= "posix" +GCCPIE ??= "" + EXTRA_OECONF = "\ ${@['--enable-clocale=generic', ''][d.getVar('USE_NLS') != 'no']} \ --with-gnu-ld \ @@ -29,6 +31,7 @@ EXTRA_OECONF = "\ --enable-languages=${LANGUAGES} \ --enable-threads=${GCCTHREADS} \ ${GCCMULTILIB} \ + ${GCCPIE} \ --enable-c99 \ --enable-long-long \ --enable-symvers=gnu \