diff options
| author | Matt Weber <matthew.weber@rockwellcollins.com> | 2018-09-17 16:21:49 -0500 |
|---|---|---|
| committer | Peter Korsgaard <peter@korsgaard.com> | 2018-10-20 12:50:29 +0200 |
| commit | 7484c1c3b8065d6f2f5a67607e9917ecfea022eb (patch) | |
| tree | a1394dde3ab8673adc197327bb2550bdea133a8b /package/php/php.mk | |
| parent | c5a7c287de4a3108d8aaf965731ef7978a903875 (diff) | |
| download | buildroot-7484c1c3b8065d6f2f5a67607e9917ecfea022eb.tar.gz buildroot-7484c1c3b8065d6f2f5a67607e9917ecfea022eb.zip | |
toolchain/toolchain-wrapper: add BR2_RELRO_
The RELRO/PIE flags are currently passed via CFLAGS/LDFLAGS and this patch
proposes moving them to the toolchain wrapper.
(1) The flags should _always_ be passed, without leaving the possibility
for any package to ignore them. I.e, when BR2_RELRO_FULL=y is used
in a build, all executables should be built PIE. Passing those
options through the wrapper ensures they are used during the build
of all packages.
(2) Some options are incompatible with -fPIE. For example, when
building object files for a shared libraries, -fPIC is used, and
-fPIE shouldn't be used in combination with -fPIE. Similarly, -r
or -static are directly incompatible as they are different link
time behaviors then the intent of PIE. Passing those options
through the wrapper allows to add some "smart" logic to only pass
-fPIE/-pie when relevant.
(3) Some toolchain, kernel and bootloader packages may want to
explicitly disable PIE in a build where the rest of the userspace
has intentionally enabled it. The wrapper provides an option
to key on the -fno-pie/-no-pie and bypass the appending of RELRO
flags.
The current Kernel and U-boot source trees include this option.
https://github.com/torvalds/linux/commit/8438ee76b004ef66d125ade64c91fc128047d244
https://github.com/u-boot/u-boot/commit/6ace36e19a8cfdd16ce7c02625edf36864897bf5
If using PIE with a older Kernel and/or U-boot version, a backport of these
changes might be required. However this patchset also uses the
__KERNEL__ and __UBOOT__ defines as a way to disable PIE.
NOTE: The current implementation via CFLAGS/LDFLAGS has caused some
build time failures as the conditional logic doesn't yet exist in
Buildroot:
https://bugs.busybox.net/show_bug.cgi?id=11206
https://bugs.busybox.net/show_bug.cgi?id=11321
Good summary of the most common build failures related to
enabling pie: https://wiki.ubuntu.com/SecurityTeam/PIE
[Peter: minor cleanups]
Signed-off-by: Matthew Weber <matthew.weber@rockwellcollins.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Diffstat (limited to 'package/php/php.mk')
0 files changed, 0 insertions, 0 deletions
