The RELRO/PIE flags are currently passed via CFLAGS/LDFLAGS and this patch
proposes moving them to the toolchain wrapper.
(1) The flags should _always_ be passed, without leaving the possibility
for any package to ignore them. I.e, when BR2_RELRO_FULL=y is used
in a build, all executables should be built PIE. Passing those
options through the wrapper ensures they are used during the build
of all packages.
(2) Some options are incompatible with -fPIE. For example, when
building object files for a shared library, -fPIC is used, and
-fPIE shouldn't be used in combination with -fPIC. Similarly, -r
or -static are directly incompatible, as they are different link-time
behaviors than the intent of PIE. Passing those options
through the wrapper allows adding some "smart" logic to only pass
-fPIE/-pie when relevant.
(3) Some toolchain, kernel and bootloader packages may want to
explicitly disable PIE in a build where the rest of the userspace
has intentionally enabled it. The wrapper provides an option
to key on the -fno-pie/-no-pie and bypass the appending of RELRO
flags.
The current Kernel and U-boot source trees include this option.
8438ee76b0
6ace36e19a
If using PIE with a older Kernel and/or U-boot version, a backport of these
changes might be required. However this patchset also uses the
__KERNEL__ and __UBOOT__ defines as a way to disable PIE.
NOTE: The current implementation via CFLAGS/LDFLAGS has caused some
build time failures as the conditional logic doesn't yet exist in
Buildroot:
https://bugs.busybox.net/show_bug.cgi?id=11206
https://bugs.busybox.net/show_bug.cgi?id=11321
Good summary of the most common build failures related to
enabling pie: https://wiki.ubuntu.com/SecurityTeam/PIE
[Peter: minor cleanups]
Signed-off-by: Matthew Weber <matthew.weber@rockwellcollins.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
################################################################################
#
# definition of the toolchain wrapper build commands
#
################################################################################

# Linker hash style for the wrapper binary itself. 'both' is the default
# because it keeps the generated binary compatible with older platforms.
# When the host architecture string contains "mips", 'sysv' is the only
# acceptable hash style, so it is selected instead.
ifeq ($(findstring mips,$(HOSTARCH)),)
TOOLCHAIN_WRAPPER_HASH_STYLE = both
else
TOOLCHAIN_WRAPPER_HASH_STYLE = sysv
endif
# Preprocessor defines handed to the host compiler when the wrapper is built.
# The list starts with any per-package arguments ($(PKG)_TOOLCHAIN_WRAPPER_ARGS)
# and then bakes the staging sub-directory in as the C string BR_SYSROOT.
#
# NOTE(review): the value sits inside shell single quotes and a C string
# literal with no escaping applied here; a path containing ' or " would change
# the generated define. Presumably Buildroot paths never contain them -- confirm.
TOOLCHAIN_WRAPPER_ARGS = $($(PKG)_TOOLCHAIN_WRAPPER_ARGS) -DBR_SYSROOT='"$(STAGING_SUBDIR)"'

# Turn BR2_TARGET_OPTIMIZATION into a list like '"-mfoo", "-mbar", "-mbarfoo"',
# so that every flag is its own argument when the toolchain wrapper passes it
# to execv(). The same quoting caveat applies to each flag, since these values
# come straight from the build configuration.
TOOLCHAIN_WRAPPER_OPTS = $(foreach flag,$(call qstrip,$(BR2_TARGET_OPTIMIZATION)),"$(flag)"$(comma))
TOOLCHAIN_WRAPPER_ARGS += -DBR_ADDITIONAL_CFLAGS='$(TOOLCHAIN_WRAPPER_OPTS)'
# Optional wrapper features. Each define is passed only when the matching
# Buildroot symbol is exactly 'y'; what a define changes is decided in
# toolchain/toolchain-wrapper.c, which is not part of this file.

# ccache support
ifeq (y,$(BR2_CCACHE))
TOOLCHAIN_WRAPPER_ARGS += -DBR_CCACHE
endif

# NOTE(review): presumably makes the wrapper avoid the LOCK prefix on x86
# X1000 targets -- confirm in toolchain-wrapper.c
ifeq (y,$(BR2_x86_x1000))
TOOLCHAIN_WRAPPER_ARGS += -DBR_OMIT_LOCK_PREFIX
endif

# Avoid the FPU bug on XBurst CPUs: gcc older than 4.6 needs -mno-fused-madd,
# gcc 4.6 and later needs -ffp-contract instead.
ifeq (y,$(BR2_mips_xburst))
ifneq ($(BR2_TOOLCHAIN_GCC_AT_LEAST_4_6),y)
TOOLCHAIN_WRAPPER_ARGS += -DBR_NO_FUSED_MADD
else
TOOLCHAIN_WRAPPER_ARGS += -DBR_FP_CONTRACT_OFF
endif
endif

# BASE_DIR is compiled into the wrapper as a C string literal; it is quoted
# the same way as the other string defines, with no escaping done here.
ifeq (y,$(BR2_CCACHE_USE_BASEDIR))
TOOLCHAIN_WRAPPER_ARGS += -DBR_CCACHE_BASEDIR='"$(BASE_DIR)"'
endif
# RELRO hardening level, forwarded to the wrapper as a preprocessor define so
# that a package cannot drop it by ignoring CFLAGS/LDFLAGS.
#
# Partial is tested first: if both symbols were 'y', only -DBR2_RELRO_PARTIAL
# would be passed. With neither symbol set, no RELRO define reaches the
# wrapper at all.
#
# The per-invocation decision (for example not adding -fPIE/-pie next to
# -fPIC, -r, -static or an explicit -fno-pie/-no-pie) is made in
# toolchain/toolchain-wrapper.c, not here. To confirm a build is hardened as
# intended, inspect the produced target binaries with readelf (GNU_RELRO
# segment, BIND_NOW, ELF type DYN for PIE) rather than relying on this option.
ifeq ($(BR2_RELRO_PARTIAL),y)
TOOLCHAIN_WRAPPER_ARGS += -DBR2_RELRO_PARTIAL
else
ifeq ($(BR2_RELRO_FULL),y)
TOOLCHAIN_WRAPPER_ARGS += -DBR2_RELRO_FULL
endif
endif
# Recipe fragment that compiles the wrapper with the host compiler.
#   - $(TOOLCHAIN_WRAPPER_ARGS) carries every -D switch collected in this
#     file, so the wrapper's behaviour is fixed at compile time.
#   - -s strips the resulting binary.
#   - the source path is relative, so it is resolved from the directory the
#     recipe runs in.
#   - the output lands next to the target of whichever rule expands this
#     macro ($(@D)).
define TOOLCHAIN_WRAPPER_BUILD
	$(HOSTCC) \
		$(HOST_CFLAGS) \
		$(TOOLCHAIN_WRAPPER_ARGS) \
		-s \
		-Wl,--hash-style=$(TOOLCHAIN_WRAPPER_HASH_STYLE) \
		toolchain/toolchain-wrapper.c \
		-o $(@D)/toolchain-wrapper
endef
# Recipe fragment that copies the freshly built wrapper into the host tree.
# -D creates missing leading directories; mode 0755 leaves the binary
# executable by everyone but writable by its owner only.
define TOOLCHAIN_WRAPPER_INSTALL
	$(INSTALL) -D -m 0755 $(@D)/toolchain-wrapper $(HOST_DIR)/bin/toolchain-wrapper
endef