[PATCH 09/45] configure: Implement --enable-host-pie

Arsen Arsenović arsen@aarsen.me
Mon Aug 7 11:07:12 GMT 2023


From: Marek Polacek <polacek@redhat.com>

[ This is my third attempt to add this configure option.  The first
version was approved but it came too late in the development cycle.
The second version was also approved, but I had to revert it:
<https://gcc.gnu.org/pipermail/gcc-patches/2022-November/607082.html>.
I've fixed the problem (by moving $(PICFLAG) from INTERNAL_CFLAGS to
ALL_COMPILERFLAGS).  Another change is that since r13-4536 I no longer
need to touch Makefile.def, so this patch is simplified. ]

This patch implements the --enable-host-pie configure option which
makes the compiler executables PIE.  This can be used to enhance
protection against ROP attacks, and can be viewed as part of a wider
trend to harden binaries.

It is similar to the option --enable-host-shared, except that --e-h-s
won't add -shared to the linker flags whereas --e-h-p will add -pie.
It is different from --enable-default-pie because that option just
adds an implicit -fPIE/-pie when the compiler is invoked, but the
compiler itself isn't PIE.

Since r12-5768-gfe7c3ecf, PCH works well with PIE, so there are no PCH
regressions.

When building the compiler, the build process may use various in-tree
libraries; these need to be built with -fPIE so that it's possible to
use them when building a PIE.  For instance, when --with-included-gettext
is in effect, intl object files must be compiled with -fPIE.  Similarly,
when building in-tree gmp, isl, mpfr and mpc, they must be compiled with
-fPIE.

With this patch and --enable-host-pie used to configure gcc:

$ file gcc/cc1{,plus,obj,gm2} gcc/f951 gcc/lto1 gcc/cpp gcc/go1 gcc/rust1 gcc/gnat1
gcc/cc1:     ELF 64-bit LSB pie executable, x86-64, version 1 (GNU/Linux), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, BuildID[sha1]=98e22cde129d304aa6f33e61b1c39e144aeb135e, for GNU/Linux 3.2.0, with debug_info, not stripped
gcc/cc1plus: ELF 64-bit LSB pie executable, x86-64, version 1 (GNU/Linux), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, BuildID[sha1]=859d1ea37e43dfe50c18fd4e3dd9a34bb1db8f77, for GNU/Linux 3.2.0, with debug_info, not stripped
gcc/cc1obj:  ELF 64-bit LSB pie executable, x86-64, version 1 (GNU/Linux), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, BuildID[sha1]=1964f8ecee6163182bc26134e2ac1f324816e434, for GNU/Linux 3.2.0, with debug_info, not stripped
gcc/cc1gm2:  ELF 64-bit LSB pie executable, x86-64, version 1 (GNU/Linux), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, BuildID[sha1]=a396672c7ff913d21855829202e7b02ecf42ff4c, for GNU/Linux 3.2.0, with debug_info, not stripped
gcc/f951:    ELF 64-bit LSB pie executable, x86-64, version 1 (GNU/Linux), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, BuildID[sha1]=59c523db893186547ac75c7a71f48be0a461c06b, for GNU/Linux 3.2.0, with debug_info, not stripped
gcc/lto1:    ELF 64-bit LSB pie executable, x86-64, version 1 (GNU/Linux), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, BuildID[sha1]=084a7b77df7be2d63c2d4c655b5bbc3fcdb6038d, for GNU/Linux 3.2.0, with debug_info, not stripped
gcc/cpp:     ELF 64-bit LSB pie executable, x86-64, version 1 (GNU/Linux), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, BuildID[sha1]=3503bf8390d219a10d6653b8560aa21158132168, for GNU/Linux 3.2.0, with debug_info, not stripped
gcc/go1:     ELF 64-bit LSB pie executable, x86-64, version 1 (GNU/Linux), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, BuildID[sha1]=988cc673af4fba5dcb482f4b34957b99050a68c5, for GNU/Linux 3.2.0, with debug_info, not stripped
gcc/rust1:   ELF 64-bit LSB pie executable, x86-64, version 1 (GNU/Linux), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, BuildID[sha1]=b6a5d3d514446c4dcdee0707f086ab9b274a8a3c, for GNU/Linux 3.2.0, with debug_info, not stripped
gcc/gnat1:   ELF 64-bit LSB pie executable, x86-64, version 1 (GNU/Linux), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, BuildID[sha1]=bb11ccdc2c366fe3fe0980476bcd8ca19b67f9dc, for GNU/Linux 3.2.0, with debug_info, not stripped

I plan to add an option to link with -Wl,-z,now.

Bootstrapped on x86_64-pc-linux-gnu with --with-included-gettext
--enable-host-pie as well as without --enable-host-pie.  Also tested
on a Debian system where the system gcc was configured with
--enable-default-pie.

Co-Authored by: Iain Sandoe  <iain@sandoe.co.uk>

ChangeLog:

	* configure.ac (--enable-host-pie): New check.  Set PICFLAG after this
	check.
	* configure: Regenerate.

intl/ChangeLog:

	* Makefile.in: Use @PICFLAG@ in COMPILE as well.
	* configure.ac (--enable-host-shared): Don't set PICFLAG here.
	(--enable-host-pie): New check.  Set PICFLAG after this check.
	* configure: Regenerate.

libdecnumber/ChangeLog:

	* configure.ac (--enable-host-shared): Don't set PICFLAG here.
	(--enable-host-pie): New check.  Set PICFLAG after this check.
	* configure: Regenerate.

zlib/ChangeLog:

	* configure.ac (--enable-host-shared): Don't set PICFLAG here.
	(--enable-host-pie): New check.  Set PICFLAG after this check.
	* configure: Regenerate.
---
 configure                 | 49 +++++++++++++++++++++++++++++++++++++--
 configure.ac              | 43 ++++++++++++++++++++++++++++++++--
 intl/Makefile.in          |  6 ++++-
 intl/configure            | 31 +++++++++++++++++++++++++
 intl/configure.ac         | 21 +++++++++++++++++
 libdecnumber/configure    | 22 +++++++++++++++++-
 libdecnumber/configure.ac | 19 +++++++++++++--
 zlib/configure            | 28 ++++++++++++++++++----
 zlib/configure.ac         | 21 ++++++++++++++---
 9 files changed, 225 insertions(+), 15 deletions(-)

diff --git a/configure b/configure
index 4b3d8ed02c5..be32bbff1b2 100755
--- a/configure
+++ b/configure
@@ -689,7 +689,9 @@ extra_host_zlib_configure_flags
 extra_host_libiberty_configure_flags
 stage1_languages
 host_libs_picflag
+PICFLAG
 host_shared
+host_pie
 extra_linker_plugin_flags
 extra_linker_plugin_configure_flags
 islinc
@@ -837,6 +839,7 @@ enable_isl_version_check
 enable_lto
 enable_linker_plugin_configure_flags
 enable_linker_plugin_flags
+enable_host_pie
 enable_host_shared
 enable_stage1_languages
 enable_objc_gc
@@ -1570,6 +1573,7 @@ Optional Features:
   --enable-linker-plugin-flags=FLAGS
                           additional flags for configuring and building linker
                           plugins [none]
+  --enable-host-pie       build position independent host executables
   --enable-host-shared    build host code as shared libraries
   --enable-stage1-languages[=all]
                           choose additional languages to build during stage1.
@@ -8765,6 +8769,30 @@ fi
 
 
 
+# Enable --enable-host-pie.
+# Checked early to determine whether jit is an 'all' language
+# Check whether --enable-host-pie was given.
+if test "${enable_host_pie+set}" = set; then :
+  enableval=$enable_host_pie; host_pie=$enableval
+ case $host in
+   x86_64-*-darwin* | aarch64-*-darwin*)
+     if test x$host_pie != xyes ; then
+       # PIC is the default, and actually cannot be switched off.
+       echo configure.ac: warning: PIC code is required for the configured target, host-shared setting ignored. 1>&2
+       host_pie=yes
+     fi ;;
+  *) ;;
+ esac
+else
+  case $host in
+  *-*-darwin2*) host_pie=yes ;;
+  *) host_pie=no ;;
+ esac
+fi
+
+
+
+
 # Enable --enable-host-shared.
 # Checked early to determine whether jit is an 'all' language
 # Check whether --enable-host-shared was given.
@@ -8777,23 +8805,40 @@ if test "${enable_host_shared+set}" = set; then :
        echo configure.ac: warning: PIC code is required for the configured target, host-shared setting ignored. 1>&2
        host_shared=yes
      fi ;;
+   *-*-darwin*)
+     if test x$host_pie == xyes ; then
+       echo configure.ac: warning: PIC code is required for PIE executables. 1>&2
+       host_shared=yes
+     fi ;;
   *) ;;
  esac
 else
   case $host in
   x86_64-*-darwin* | aarch64-*-darwin*) host_shared=yes ;;
-  *) host_shared=no ;;
+  # Darwin needs PIC objects to link PIE executables.
+  *-*-darwin*) host_shared=host_pie ;;
+  *) host_shared=no;;
  esac
 fi
 
 
 
 
+if test x$host_shared = xyes; then
+  PICFLAG=-fPIC
+elif test x$host_pie = xyes; then
+  PICFLAG=-fPIE
+else
+  PICFLAG=
+fi
+
+
+
 # If we are building PIC/PIE host executables, and we are building dependent
 # libs (e.g. GMP) in-tree those libs need to be configured to generate PIC
 # code.
 host_libs_picflag=
-if test "$host_shared" = "yes";then
+if test "$host_shared" = "yes" -o "$host_pie" = "yes"; then
 host_libs_picflag='--with-pic'
 fi
 
diff --git a/configure.ac b/configure.ac
index 86d10a6af8e..39dcf54b6a8 100644
--- a/configure.ac
+++ b/configure.ac
@@ -1987,6 +1987,28 @@ AC_ARG_ENABLE(linker-plugin-flags,
   extra_linker_plugin_flags=)
 AC_SUBST(extra_linker_plugin_flags)
 
+# Enable --enable-host-pie.
+# Checked early to determine whether jit is an 'all' language
+AC_ARG_ENABLE(host-pie,
+[AS_HELP_STRING([--enable-host-pie],
+		[build position independent host executables])],
+[host_pie=$enableval
+ case $host in
+   x86_64-*-darwin* | aarch64-*-darwin*)
+     if test x$host_pie != xyes ; then
+       # PIC is the default, and actually cannot be switched off.
+       echo configure.ac: warning: PIC code is required for the configured target, host-shared setting ignored. 1>&2
+       host_pie=yes
+     fi ;;
+  *) ;;
+ esac],
+[case $host in
+  *-*-darwin2*) host_pie=yes ;;
+  *) host_pie=no ;;
+ esac])
+
+AC_SUBST(host_pie)
+
 # Enable --enable-host-shared.
 # Checked early to determine whether jit is an 'all' language
 AC_ARG_ENABLE(host-shared,
@@ -2000,20 +2022,37 @@ AC_ARG_ENABLE(host-shared,
        echo configure.ac: warning: PIC code is required for the configured target, host-shared setting ignored. 1>&2
        host_shared=yes
      fi ;;
+   *-*-darwin*)
+     if test x$host_pie == xyes ; then
+       echo configure.ac: warning: PIC code is required for PIE executables. 1>&2
+       host_shared=yes
+     fi ;;
   *) ;;
  esac],
 [case $host in
   x86_64-*-darwin* | aarch64-*-darwin*) host_shared=yes ;;
-  *) host_shared=no ;;
+  # Darwin needs PIC objects to link PIE executables.
+  *-*-darwin*) host_shared=host_pie ;;
+  *) host_shared=no;;
  esac])
 
 AC_SUBST(host_shared)
 
+if test x$host_shared = xyes; then
+  PICFLAG=-fPIC
+elif test x$host_pie = xyes; then
+  PICFLAG=-fPIE
+else
+  PICFLAG=
+fi
+
+AC_SUBST(PICFLAG)
+
 # If we are building PIC/PIE host executables, and we are building dependent
 # libs (e.g. GMP) in-tree those libs need to be configured to generate PIC
 # code.
 host_libs_picflag=
-if test "$host_shared" = "yes";then
+if test "$host_shared" = "yes" -o "$host_pie" = "yes"; then
 host_libs_picflag='--with-pic'
 fi
 AC_SUBST(host_libs_picflag)
diff --git a/intl/Makefile.in b/intl/Makefile.in
index 96df727baea..1ded6f55fe9 100644
--- a/intl/Makefile.in
+++ b/intl/Makefile.in
@@ -51,7 +51,11 @@ LIBS = @LIBS@
 DEFS = -DHAVE_CONFIG_H
 PICFLAG = @PICFLAG@
 
-COMPILE = $(CC) -c $(CPPFLAGS) $(CFLAGS) $(PICFLAG) $(DEFS) $(DEFS-$@) $(INCLUDES)
+CTAGS = @CTAGS@
+ETAGS = @ETAGS@
+MKID = @MKID@
+
+COMPILE = $(CC) -c $(CPPFLAGS) $(CFLAGS) $(PICFLAGS) $(DEFS) $(DEFS-$@) $(INCLUDES)
 
 HEADERS = \
   gmo.h \
diff --git a/intl/configure b/intl/configure
index 9b1f6d0828b..b0aae146908 100755
--- a/intl/configure
+++ b/intl/configure
@@ -622,6 +622,8 @@ ac_unique_file="gettext.c"
 ac_header_list=
 ac_subst_vars='LTLIBOBJS
 LIBOBJS
+enable_host_pie
+enable_host_shared
 BISON3_NO
 BISON3_YES
 PICFLAG
@@ -727,6 +729,8 @@ with_included_gettext
 with_libintl_prefix
 with_libintl_type
 enable_maintainer_mode
+enable_host_shared
+enable_host_pie
 '
       ac_precious_vars='build_alias
 host_alias
@@ -1351,6 +1355,8 @@ Optional Features:
   --disable-nls           do not use Native Language Support
   --disable-rpath         do not hardcode runtime library paths
   --enable-maintainer-mode enable rules only needed by maintainers
+  --enable-host-shared    build host code as shared libraries
+  --enable-host-pie       build host code as PIE
 
 Optional Packages:
   --with-PACKAGE[=ARG]    use PACKAGE [ARG=yes]
@@ -6919,6 +6925,31 @@ fi
 
 
 
+# Enable --enable-host-shared.
+# Check whether --enable-host-shared was given.
+if test "${enable_host_shared+set}" = set; then :
+  enableval=$enable_host_shared;
+fi
+
+
+
+# Enable --enable-host-pie.
+# Check whether --enable-host-pie was given.
+if test "${enable_host_pie+set}" = set; then :
+  enableval=$enable_host_pie;
+fi
+
+
+
+if test x$enable_host_shared = xyes; then
+  PICFLAG=-fPIC
+elif test x$enable_host_pie = xyes; then
+  PICFLAG=-fPIE
+else
+  PICFLAG=
+fi
+
+
 ac_config_files="$ac_config_files Makefile config.intl"
 
 cat >confcache <<\_ACEOF
diff --git a/intl/configure.ac b/intl/configure.ac
index 77e2fd2d8c5..a5fc45b3602 100644
--- a/intl/configure.ac
+++ b/intl/configure.ac
@@ -73,5 +73,26 @@ fi
 AC_SUBST(BISON3_YES)
 AC_SUBST(BISON3_NO)
 
+# Enable --enable-host-shared.
+AC_ARG_ENABLE(host-shared,
+[AS_HELP_STRING([--enable-host-shared],
+       [build host code as shared libraries])])
+AC_SUBST(enable_host_shared)
+
+# Enable --enable-host-pie.
+AC_ARG_ENABLE(host-pie,
+[AS_HELP_STRING([--enable-host-pie],
+       [build host code as PIE])])
+AC_SUBST(enable_host_pie)
+
+if test x$enable_host_shared = xyes; then
+  PICFLAG=-fPIC
+elif test x$enable_host_pie = xyes; then
+  PICFLAG=-fPIE
+else
+  PICFLAG=
+fi
+AC_SUBST(PICFLAG)
+
 AC_CONFIG_FILES(Makefile config.intl)
 AC_OUTPUT
diff --git a/libdecnumber/configure b/libdecnumber/configure
index 87f3bd5e457..e4600c10e55 100755
--- a/libdecnumber/configure
+++ b/libdecnumber/configure
@@ -625,6 +625,8 @@ ac_includes_default="\
 ac_subst_vars='LTLIBOBJS
 LIBOBJS
 PICFLAG
+enable_host_pie
+enable_host_shared
 ADDITIONAL_OBJS
 enable_decimal_float
 target_os
@@ -704,6 +706,7 @@ enable_werror_always
 enable_maintainer_mode
 enable_decimal_float
 enable_host_shared
+enable_host_pie
 '
       ac_precious_vars='build_alias
 host_alias
@@ -1335,6 +1338,7 @@ Optional Features:
 			or 'dpd' choses which decimal floating point format
 			to use
   --enable-host-shared    build host code as shared libraries
+  --enable-host-pie       build host code as PIE
 
 Some influential environment variables:
   CC          C compiler command
@@ -5044,7 +5048,23 @@ $as_echo "#define AC_APPLE_UNIVERSAL_BUILD 1" >>confdefs.h
 # Enable --enable-host-shared.
 # Check whether --enable-host-shared was given.
 if test "${enable_host_shared+set}" = set; then :
-  enableval=$enable_host_shared; PICFLAG=-fPIC
+  enableval=$enable_host_shared;
+fi
+
+
+
+# Enable --enable-host-pie.
+# Check whether --enable-host-pie was given.
+if test "${enable_host_pie+set}" = set; then :
+  enableval=$enable_host_pie;
+fi
+
+
+
+if test x$enable_host_shared = xyes; then
+  PICFLAG=-fPIC
+elif test x$enable_host_pie = xyes; then
+  PICFLAG=-fPIE
 else
   PICFLAG=
 fi
diff --git a/libdecnumber/configure.ac b/libdecnumber/configure.ac
index 16c7465b327..2e95b829dc0 100644
--- a/libdecnumber/configure.ac
+++ b/libdecnumber/configure.ac
@@ -99,8 +99,23 @@ AC_C_BIGENDIAN
 # Enable --enable-host-shared.
 AC_ARG_ENABLE(host-shared,
 [AS_HELP_STRING([--enable-host-shared],
-		[build host code as shared libraries])],
-[PICFLAG=-fPIC], [PICFLAG=])
+		[build host code as shared libraries])])
+AC_SUBST(enable_host_shared)
+
+# Enable --enable-host-pie.
+AC_ARG_ENABLE(host-pie,
+[AS_HELP_STRING([--enable-host-pie],
+		[build host code as PIE])])
+AC_SUBST(enable_host_pie)
+
+if test x$enable_host_shared = xyes; then
+  PICFLAG=-fPIC
+elif test x$enable_host_pie = xyes; then
+  PICFLAG=-fPIE
+else
+  PICFLAG=
+fi
+
 AC_SUBST(PICFLAG)
 
 # Output.
diff --git a/zlib/configure b/zlib/configure
index 09206bb0405..5f2f7d5f250 100755
--- a/zlib/configure
+++ b/zlib/configure
@@ -635,6 +635,8 @@ am__EXEEXT_TRUE
 LTLIBOBJS
 LIBOBJS
 PICFLAG
+enable_host_pie
+enable_host_shared
 TARGET_LIBRARY_FALSE
 TARGET_LIBRARY_TRUE
 toolexeclibdir
@@ -776,6 +778,7 @@ enable_fast_install
 with_gnu_ld
 enable_libtool_lock
 enable_host_shared
+enable_host_pie
 '
       ac_precious_vars='build_alias
 host_alias
@@ -1417,6 +1420,7 @@ Optional Features:
                           optimize for fast installation [default=yes]
   --disable-libtool-lock  avoid locking (might break parallel builds)
   --enable-host-shared    build host code as shared libraries
+  --enable-host-pie       build host code as PIE
 
 Optional Packages:
   --with-PACKAGE[=ARG]    use PACKAGE [ARG=yes]
@@ -10713,7 +10717,7 @@ else
   lt_dlunknown=0; lt_dlno_uscore=1; lt_dlneed_uscore=2
   lt_status=$lt_dlunknown
   cat > conftest.$ac_ext <<_LT_EOF
-#line 10716 "configure"
+#line 10720 "configure"
 #include "confdefs.h"
 
 #if HAVE_DLFCN_H
@@ -10819,7 +10823,7 @@ else
   lt_dlunknown=0; lt_dlno_uscore=1; lt_dlneed_uscore=2
   lt_status=$lt_dlunknown
   cat > conftest.$ac_ext <<_LT_EOF
-#line 10822 "configure"
+#line 10826 "configure"
 #include "confdefs.h"
 
 #if HAVE_DLFCN_H
@@ -11534,15 +11538,31 @@ else
   multilib_arg=
 fi
 
+# Enable --enable-host-shared.
 # Check whether --enable-host-shared was given.
 if test "${enable_host_shared+set}" = set; then :
-  enableval=$enable_host_shared; PICFLAG=-fPIC
+  enableval=$enable_host_shared;
+fi
+
+
+
+# Enable --enable-host-pie.
+# Check whether --enable-host-pie was given.
+if test "${enable_host_pie+set}" = set; then :
+  enableval=$enable_host_pie;
+fi
+
+
+
+if test x$enable_host_shared = xyes; then
+  PICFLAG=-fPIC
+elif test x$enable_host_pie = xyes; then
+  PICFLAG=-fPIE
 else
   PICFLAG=
 fi
 
 
-
 ac_config_files="$ac_config_files Makefile"
 
 cat >confcache <<\_ACEOF
diff --git a/zlib/configure.ac b/zlib/configure.ac
index ec73c219228..b50b9c7b426 100644
--- a/zlib/configure.ac
+++ b/zlib/configure.ac
@@ -121,11 +121,26 @@ else
   multilib_arg=
 fi
 
+# Enable --enable-host-shared.
 AC_ARG_ENABLE(host-shared,
 [AS_HELP_STRING([--enable-host-shared],
-		[build host code as shared libraries])],
-[PICFLAG=-fPIC], [PICFLAG=])
+		[build host code as shared libraries])])
+AC_SUBST(enable_host_shared)
+
+# Enable --enable-host-pie.
+AC_ARG_ENABLE(host-pie,
+[AS_HELP_STRING([--enable-host-pie],
+		[build host code as PIE])])
+AC_SUBST(enable_host_pie)
+
+if test x$enable_host_shared = xyes; then
+  PICFLAG=-fPIC
+elif test x$enable_host_pie = xyes; then
+  PICFLAG=-fPIE
+else
+  PICFLAG=
+fi
+
 AC_SUBST(PICFLAG)
-
 AC_CONFIG_FILES([Makefile])
 AC_OUTPUT
-- 
2.41.0



More information about the Binutils mailing list