7b3702e2dd
Successfully tested both the gcc4 compiler on x86_64 with a simple program (fbdebug) and the gcc4-armhf cross-compiler to build a very old u-boot port for Galaxy Nexus (a MR will follow soon) which failed to boot with either newer version (6 and 8). [skip ci]: already went through
68 lines
3.4 KiB
Diff
68 lines
3.4 KiB
Diff
Apply Alpine Linux specific differences to Gentoo ESP configuration:
|
|
- default PIE and SSP by default without additional CFLAGS (to clean up APKBUILD)
|
|
- do not enable -fstack-check by default (caused failures in programs that setup
|
|
small stack in musl)
|
|
- enable -z relro by default
|
|
- enable -fstack-protector-strong instead of -fstack-protector-all by default
|
|
|
|
--- gcc-4.9.2/gcc/config/esp.h 2014-12-10 15:54:19.925060848 +0000
|
|
+++ gcc-4.9.2/gcc/config/esp.h 2014-12-10 15:59:16.793850060 +0000
|
|
@@ -4,7 +4,7 @@
|
|
#ifndef GCC_ESP_H
|
|
#define GCC_ESP_H
|
|
|
|
-/* This file will add -fstack-protector-all, -fstack-check, -fPIE, -pie and -z now
|
|
+/* This file will add -fstack-protector-strong, -fPIE, -pie, -z relro and -z now
|
|
as default if the defines and the spec allow it.
|
|
Added a hack for gcc-specs-* in toolchain-funcs.eclass and _filter-hardened in flag-o-matic.eclass
|
|
to support older hardened GCC patches and we don't need to change the code on gcc-specs-* and _filter-hardened.
|
|
@@ -16,11 +16,14 @@
|
|
ENABLE_CRTBEGINP add support for crtbeginP.o, build -static with -fPIE or -fpie.
|
|
*/
|
|
#ifdef ENABLE_ESP
|
|
+
|
|
+ /* Enable by default on Alpine */
|
|
+ #define EFAULT_PIE_SSP
|
|
|
|
/* Hack to support gcc-specs-* in toolchain-funcs.eclass and _filter-hardened in flag-o-matic.eclass */
|
|
#define ESP_CC1_SPEC " %(esp_cc1_ssp) %(esp_cc1_pie) %(esp_cc1_strict_overflow)"
|
|
#if defined ( EFAULT_SSP ) || defined ( EFAULT_PIE_SSP )
|
|
- #define ESP_CC1_SSP_SPEC "%{!fno-stack-protector: %{!fno-stack-protector-all: %{!fno-stack-check: }}}"
|
|
+ #define ESP_CC1_SSP_SPEC "%{!fno-stack-protector: %{!fno-stack-protector-all: }}"
|
|
#else
|
|
#define ESP_CC1_SSP_SPEC ""
|
|
#endif
|
|
@@ -34,20 +37,20 @@
|
|
/* ESP_LINK_SPEC is added to LINK_PIE_SPEC if esp is enable
|
|
-z now will be added if we don't have -vanilla spec. We do a -pie incompatible check
|
|
Don't remove the specs in the end */
|
|
- #define ESP_LINK_SPEC "%(esp_link_now) %(esp_link_pie_check) "
|
|
+ #define ESP_LINK_SPEC "%(esp_link_now) %(esp_link_relro) %(esp_link_pie_check) "
|
|
#define ESP_LINK_NOW_SPEC "%{!nonow:-z now}"
|
|
+ #define ESP_LINK_RELRO_SPEC "%{!norelro:-z relro}"
|
|
|
|
/* We use ESP_DRIVER_SELF_SPEC to add pie and ssp command-line options. */
|
|
#define ESP_DRIVER_SELF_SPEC "%{D__KERNEL__:;:%{!nopie:%(esp_options_pie) \
|
|
%(esp_link_pie)} %(esp_options_ssp) }"
|
|
|
|
- /* This will add -fstack-protector-all if we don't have -nostdlib -nodefaultlibs -fno-stack-protector -fstack-protector
|
|
+ /* This will add -fstack-protector-strong if we don't have -nostdlib -nodefaultlibs -fno-stack-protector -fstack-protector
|
|
-fstack-protector-all and we have EFAULT_SSP or EFAULT_PIE_SSP defined. */
|
|
#if defined ( EFAULT_SSP ) || defined ( EFAULT_PIE_SSP )
|
|
#define ESP_OPTIONS_SSP_SPEC \
|
|
"%{nostdlib|ffreestanding|fno-stack-protector|fstack-protector| \
|
|
- fstack-protector-all|fstack-protector-strong:;:-fstack-protector-all} \
|
|
- %{fstack-check|fstack-check=*:;: -fstack-check}"
|
|
+ fstack-protector-all|fstack-protector-strong:;:-fstack-protector-strong}"
|
|
#else
|
|
#define ESP_OPTIONS_SSP_SPEC ""
|
|
#endif
|
|
@@ -115,6 +118,7 @@
|
|
{ "esp_cc1_strict_overflow", ESP_CC1_STRICT_OVERFLOW_SPEC }, \
|
|
{ "esp_link", ESP_LINK_SPEC }, \
|
|
{ "esp_link_now", ESP_LINK_NOW_SPEC }, \
|
|
+ { "esp_link_relro", ESP_LINK_RELRO_SPEC }, \
|
|
{ "esp_link_pie", ESP_LINK_PIE_SPEC }, \
|
|
{ "esp_link_pie_check", ESP_LINK_PIE_CHECK_SPEC }, \
|
|
{ "esp_driver_self", ESP_DRIVER_SELF_SPEC }, \
|