From patchwork Thu Jul 6 14:33:02 2017 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Khem Raj X-Patchwork-Id: 107146 Delivered-To: patch@linaro.org Received: by 10.182.135.102 with SMTP id pr6csp2245904obb; Thu, 6 Jul 2017 07:34:07 -0700 (PDT) X-Received: by 10.84.198.129 with SMTP id p1mr28597151pld.120.1499351647595; Thu, 06 Jul 2017 07:34:07 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1499351647; cv=none; d=google.com; s=arc-20160816; b=qdWL3kC4q8v/KT9V0UfxdmWo4wLFy6EpGhtM8V0jT0rBqEG9YsgBhjXzuJUW3+qL5K JYjnOopZ1Ftk3nrYZHDwaCdwTFiud9MV6pYZsisgmc4ya2T/Ri1qwzLWw0EpfgpfGTCp tWtbxwxJ4NVVILWlXwB/0LGWDb/W3pLpUTc5ZrVJ5t2rX9g3ww871S2egM0fafkn3vZy 1azYLl3gO/kN+P1Cc0zT5R4ubB0I2E9unUSXi7KLCsIpbQGRAY4pKhYAtYLBcvQgArN8 colNBxqP/z9Uz2aT9QHWhR73eyopFcc56+75prCnWS+XYVbY4aDpJY2XaF1lAmwpZwB/ 9I2g== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=errors-to:sender:content-transfer-encoding:mime-version :list-subscribe:list-help:list-post:list-archive:list-unsubscribe :list-id:precedence:subject:references:in-reply-to:message-id:date :to:from:dkim-signature:delivered-to:arc-authentication-results; bh=f9Y4cvb9DmiGY6uuxwj21pA3ywM37932v1jNHAk5O3o=; b=s4Yez7i9GiO8gPni+uJ2666j/tY2f7wA8DOnF4R+yFF2Jn0MvU4SF2+xl5AHH2UpfF pWv7RZY1H1blt9+xNmFPvaM4E4OnYP3XOAsW18+Ay0EXqAIsOtQb0p5UBDm/3wecr1YY J+uvYBHnsP02HWMWHwsfotwhR9CWYM5592wydl4Yv3nlYmrnzvMC8d5w3GKWjtZeJO0i PNJp8tBgE0zNBOMx98f39VcmRlLWUlc9MYOOcfI/M2ZIDBhHJDlK4/cFkG+DCwVWRlMK G41YpWDmXLs0GHP1m6cwfmF9NMPAQaq666OIkEgdzmWFb6rspnU8x/sHIFeUG5X9eSqF jDTg== ARC-Authentication-Results: i=1; mx.google.com; dkim=neutral (body hash did not verify) header.i=@gmail.com header.b=CfEuNPyY; spf=pass (google.com: best guess record for domain of openembedded-core-bounces@lists.openembedded.org designates 140.211.169.62 as permitted sender) smtp.mailfrom=openembedded-core-bounces@lists.openembedded.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=gmail.com Return-Path: Received: from mail.openembedded.org (mail.openembedded.org. [140.211.169.62]) by mx.google.com with ESMTP id 1si221317plk.574.2017.07.06.07.34.07; Thu, 06 Jul 2017 07:34:07 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of openembedded-core-bounces@lists.openembedded.org designates 140.211.169.62 as permitted sender) client-ip=140.211.169.62; Authentication-Results: mx.google.com; dkim=neutral (body hash did not verify) header.i=@gmail.com header.b=CfEuNPyY; spf=pass (google.com: best guess record for domain of openembedded-core-bounces@lists.openembedded.org designates 140.211.169.62 as permitted sender) smtp.mailfrom=openembedded-core-bounces@lists.openembedded.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=gmail.com Received: from review.yoctoproject.org (localhost [127.0.0.1]) by mail.openembedded.org (Postfix) with ESMTP id 19F4777A56; Thu, 6 Jul 2017 14:34:05 +0000 (UTC) X-Original-To: openembedded-core@lists.openembedded.org Delivered-To: openembedded-core@lists.openembedded.org Received: from mail-pg0-f68.google.com (mail-pg0-f68.google.com [74.125.83.68]) by mail.openembedded.org (Postfix) with ESMTP id 45AA8774FC for ; Thu, 6 Jul 2017 14:33:34 +0000 (UTC) Received: by mail-pg0-f68.google.com with SMTP id u36so464117pgn.3 for ; Thu, 06 Jul 2017 07:33:36 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=from:to:cc:subject:date:message-id:in-reply-to:references; bh=1N+2dhs28SnuvFCty7CEt3Go0xzLoY4ZxXyhiIy573k=; b=CfEuNPyYRGoY+e5lnUEuNQmRI6p2st6BBST7o3TGtKuE80rwzvtN5LWcLUu97W0wpB 4LbXEe4DrDcydNrt9B/Z+WzVjHKTYyQr7cbCNuYzcT0dpQ6IfJig38xXjAeZDJl2dX9Q 4GH4k47AW9ratFt/x4IRH4J+4wCIAilBZrZleY9rDG85jRIkZBt7OIIsDX/cY6myixg5 7fancMnNBq8sdpTzUL4C//pd8XQFKgam1nwlV+Qgl70hgONYQXTkEAKFaOQPGGKdtJ3u G1HD/8T+Kw8jHVeZLJ7GAiLX/vJreNg92HE/WBQQWUCqSJ/uo2PgKz1TO7H9lTDQFD1o W1hw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references; bh=1N+2dhs28SnuvFCty7CEt3Go0xzLoY4ZxXyhiIy573k=; b=hQTD2WKzOtcZaO587B2z8+T7ZmNiBwyfS7FPFW/xazvpPiqabypx3T0zXADrMtgxCe y1Mkxth/sp8UNrAlexo/17iHvnFJdsjadv2AFmnHEj08FQpnHKNxQBk7apdUpLpqbbeM /eJ4bnegb2d/aiUO6Ox9C4CaSKBQJBkxSkaofELkF8nW9yJwiiI761CMPyVDB6TNL9fr RNziUZnhQT0oVRh40KjIwi5+xtvXCu0gMphdtYCXy++ZaR3wHkbiY1mQAqd6zNEjWzI+ 6unUgsVlncBHFwDXcEYv6awdj1CqBTtneuMILKfw7wwckMS75xlXOzoyfIkkD01VFLxJ gtrA== X-Gm-Message-State: AIVw111vl5x+gec4xnjNCNrg7eSuqagQFoLnvG+J9S7SfstnDjYq44Ug u6BL3IIFKtSw02Dk X-Received: by 10.98.147.142 with SMTP id r14mr9668465pfk.150.1499351615900; Thu, 06 Jul 2017 07:33:35 -0700 (PDT) Received: from localhost.localdomain ([2601:646:8882:b8c::3df3]) by smtp.gmail.com with ESMTPSA id w66sm1132739pfi.63.2017.07.06.07.33.34 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Thu, 06 Jul 2017 07:33:34 -0700 (PDT) From: Khem Raj To: openembedded-core@lists.openembedded.org Date: Thu, 6 Jul 2017 07:33:02 -0700 Message-Id: <5b14394f7884d7aff45122a03fb3e15bbe52d8f3.1499351361.git.raj.khem@gmail.com> X-Mailer: git-send-email 2.13.2 In-Reply-To: References: Subject: [OE-core] [PATCH 01/22] gcc: Introduce a knob to configure gcc to default to PIE X-BeenThere: openembedded-core@lists.openembedded.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: Patches and discussions about the oe-core layer List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , MIME-Version: 1.0 Sender: openembedded-core-bounces@lists.openembedded.org Errors-To: openembedded-core-bounces@lists.openembedded.org GCCPIE flag which is empty by default adds "--enable-default-pie" configure option for harderned distros We do not require to add -fpie -pie flag externally anymore Signed-off-by: Khem Raj --- meta/conf/distro/include/security_flags.inc | 4 +++- meta/recipes-devtools/gcc/gcc-configure-common.inc | 3 +++ 2 files changed, 6 insertions(+), 1 deletion(-) -- 2.13.2 -- _______________________________________________ Openembedded-core mailing list Openembedded-core@lists.openembedded.org http://lists.openembedded.org/mailman/listinfo/openembedded-core diff --git a/meta/conf/distro/include/security_flags.inc b/meta/conf/distro/include/security_flags.inc index 38164d08b8..f2eb224a77 100644 --- a/meta/conf/distro/include/security_flags.inc +++ b/meta/conf/distro/include/security_flags.inc @@ -5,6 +5,8 @@ # From a Yocto Project perspective, this file is included and tested # in the DISTRO="poky-lsb" configuration. +GCCPIE ?= "--enable-default-pie" + # _FORTIFY_SOURCE requires -O1 or higher, so disable in debug builds as they use # -O0 which then results in a compiler warning. lcl_maybe_fortify = "${@base_conditional('DEBUG_BUILD','1','','-D_FORTIFY_SOURCE=2',d)}" @@ -12,7 +14,7 @@ lcl_maybe_fortify = "${@base_conditional('DEBUG_BUILD','1','','-D_FORTIFY_SOURCE # Error on use of format strings that represent possible security problems SECURITY_STRINGFORMAT ?= "-Wformat -Wformat-security -Werror=format-security" -SECURITY_CFLAGS ?= "-fstack-protector-strong -pie -fpie ${lcl_maybe_fortify} ${SECURITY_STRINGFORMAT}" +SECURITY_CFLAGS ?= "-fstack-protector-strong ${lcl_maybe_fortify} ${SECURITY_STRINGFORMAT}" SECURITY_NO_PIE_CFLAGS ?= "-fstack-protector-strong ${lcl_maybe_fortify} ${SECURITY_STRINGFORMAT}" SECURITY_LDFLAGS ?= "-fstack-protector-strong -Wl,-z,relro,-z,now" diff --git a/meta/recipes-devtools/gcc/gcc-configure-common.inc b/meta/recipes-devtools/gcc/gcc-configure-common.inc index 63fa1d9686..e2ce234aa1 100644 --- a/meta/recipes-devtools/gcc/gcc-configure-common.inc +++ b/meta/recipes-devtools/gcc/gcc-configure-common.inc @@ -22,6 +22,8 @@ EXTRA_OECONF_INITIAL ?= "" GCCMULTILIB ?= "--disable-multilib" GCCTHREADS ?= "posix" +GCCPIE ??= "" + EXTRA_OECONF = "\ ${@['--enable-clocale=generic', ''][d.getVar('USE_NLS') != 'no']} \ --with-gnu-ld \ @@ -29,6 +31,7 @@ EXTRA_OECONF = "\ --enable-languages=${LANGUAGES} \ --enable-threads=${GCCTHREADS} \ ${GCCMULTILIB} \ + ${GCCPIE} \ --enable-c99 \ --enable-long-long \ --enable-symvers=gnu \