Re: [PING] Re: Add check for -no-pie if the compiler default to -fPIE

[Andrei Borzenkov]

09.11.2016 01:01, Magnus Granberg пишет:
> söndag 6 november 2016 kl. 10:05:53 CET skrev du:
>> 21.10.2016 00:26, Magnus Granberg пишет:
>>> lördag 21 maj 2016 kl. 20:53:48 CEST skrev du:
>>>> On Saturday 21 May 2016 19.26.18 you wrote:
>>>>> 21.05.2016 19:02, Magnus Granberg пишет:
>>>>>> On Saturday 21 May 2016 18.55.11 you wrote:
>>>>>>> 21.05.2016 17:47, Magnus Granberg пишет:
>>>>>>>> When Grub is compile with gcc 6.1 that have --enable-defult-pie set.
>>>>>>>> It fail with.
>>>>>>>> -ffreestanding   -m32 -Wl,-melf_i386 -Wl,--build-id=none  -nostdlib
>>>>>>>> -Wl,-N
>>>>>>>> -Wl,-r,-d   - o trig.module  trig_module-trigtables.o
>>>>>>>> grep 'MARKER' gcry_whirlpool.marker.new > gcry_whirlpool.marker; rm
>>>>>>>> -f
>>>>>>>> gcry_whirlpool.marker.new
>>>>>>>> /usr/lib/gcc/x86_64-pc-linux-gnu/6.1.0/../../../../x86_64-pc-linux-gn
>>>>>>>> u
>>>>>>>> /b
>>>>>>>> in
>>>>>>>> /ld: -r and - shared may not be used together
>>>>>>>> collect2: error: ld returned 1 exit status
>>>>>>>> Makefile:26993: recipe for target 'trig.module' failed
>>>>>>>>
>>>>>>>>
>>>>>>>> 2016-05-21  Magnus Granberg  <address@hidden>
>>>>>>>>
>>>>>>>>        acinclude.m4: Add check for -no-pie.    configure.ac: Add 
>>>>>>>> -no-pie to
>>>>>>>>
>>>>>>>> TARGET_LDFLAGS if needed.
>>>>>>>> ...
>>>>>>>
>>>>>>> Please test with current master:
>>>>>>>
>>>>>>> commit f4d35d49e32c29183b3492da18ea480d91716efe
>>>>>>> Author: Andrei Borzenkov <address@hidden>
>>>>>>> Date:   Tue Mar 22 20:12:22 2016 +0300
>>>>>>>
>>>>>>>     configure: set -fno-pie together with -fno-PIE
>>>>>>
>>>>>> Still fail the same way
>>>>>
>>>>> Please send full config.log and output of make.
>>>>
>>>> Gcc 6.1 pass -pie to the linker if is configure with --enable-default-pie
>>>> When linking with -r it don't mix well with -pie/-shared
>>>> Gentoo bug https://bugs.gentoo.org/show_bug.cgi?id=583042 with logs
>>>> Patch updated
>>>
>>> Any progres on this?
>>
>> My apologies. Do we really need any explicit check for this? As far as I
>> can tell, options -fpie, -fPIE, -pie appeared in the same GCC release
>> (at least they first mentioned in 3.4 documentation together). Manual
>> also says that -fpie/-fPIE and -pie must be used together.
>>
> https://gcc.gnu.org/gcc-6/changes.html (Other significant improvements)
> gcc 6.x is the only compiler that can enable -fPIE -pie as default
> without passing it on the command line. Debian/Ubuntu are testing to use this 

As far as I can tell, it is default on 64 bit in Ubuntu 16.10.

> as we do in Gentoo hardened. we allready disable -fPIE if needed but not -pie
> 
>> We do use $CC for linker - at least, by default. So it appears we should
>> be able to simply set -no-pie, no?
>>
> Is only gcc 6.X and newer linker that support -no-pie.
>  

address@hidden:/tmp$ gcc --version
gcc (Ubuntu 5.4.0-6ubuntu1~16.04.4) 5.4.0 20160609
Copyright (C) 2015 Free Software Foundation, Inc.
This is free software; see the source for copying conditions.  There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

address@hidden:/tmp$ gcc -o foo -no-pie -fno-pie foo.c
foo.c:1:1: warning: return type defaults to ‘int’ [-Wimplicit-int]
 main() {}
 ^

>> Does clang support -fpie/-fPIE/-(no-)pie options? I do not see them in
>> help output, but it does not say much.
>>
> Clang support -fPIE/-fpie but i don't know if it support -no-pie

It does not look so.

OK, so to summarize my understanding.

1. GNU ld itself needs explicit -pie option and defaults to equivalent
of -no-pie

2. GCC spec can be changed to enable -pie by default for linker which is
being done now by distributions

3. clang seems to default to -no-pie and require explicit -pie to linker
to enable it

So we need to care only about GCC case, so far clang default is OK for us.

Is my understanding correct?
Which means, so far we only need to care about GCC case