Re: [PATCH] BaseTools/tools_def IA32: disable PIE code generation explicitly

From: Ard Biesheuvel <ard.biesheuvel@linaro.org>
To: "Gao, Liming" <liming.gao@intel.com>
Cc: "edk2-devel@lists.01.org" <edk2-devel@lists.01.org>,
	"lersek@redhat.com" <lersek@redhat.com>,
	 "zenith432@users.sourceforge.net"
	<zenith432@users.sourceforge.net>
Subject: Re: [PATCH] BaseTools/tools_def IA32: disable PIE code generation explicitly
Date: Mon, 11 Jun 2018 18:25:34 +0200	[thread overview]
Message-ID: <CAKv+Gu-pFeexQyaAwR+7JVodupXYaYudK0ZpZ0bo1+KpV8yPoA@mail.gmail.com> (raw)
In-Reply-To: <4A89E2EF3DFEDB4C8BFDE51014F606A14E295979@SHSMSX104.ccr.corp.intel.com>

On 11 June 2018 at 18:09, Gao, Liming <liming.gao@intel.com> wrote:
> Ard:
>   GCC49 tool chain can be used by GCC4.9 and above compiler. It provides the GCC setting without LTO. GCC5 tool chain provides GCC setting with LTO. So, I suggest to disable it also in GCC49 tool chain.
>

OK that works for me.

>> -----Original Message-----
>> From: Ard Biesheuvel [mailto:ard.biesheuvel@linaro.org]
>> Sent: Tuesday, June 12, 2018 12:04 AM
>> To: Gao, Liming <liming.gao@intel.com>
>> Cc: edk2-devel@lists.01.org; lersek@redhat.com; zenith432@users.sourceforge.net
>> Subject: Re: [edk2] [PATCH] BaseTools/tools_def IA32: disable PIE code generation explicitly
>>
>> On 11 June 2018 at 18:00, Gao, Liming <liming.gao@intel.com> wrote:
>> > Ard:
>> >   Is this option required in GCC49 tool chain? Or, this option is only required when lto is enabled?
>> >
>>
>> It has nothing to do with LTO.
>>
>> In theory, it could be required for any toolchain that supports -fpic
>> and or -fpie. However, not all 4.x toolchains support -fpie and so
>> they don't support -fno-pie either.
>>
>> Given that the distros only changed this default recently (in the 5.x
>> timeframe or later), it makes sense to only disable it for GCC5,
>> although it is safe to disable it for GCC49 as well.
>>
>> >> -----Original Message-----
>> >> From: edk2-devel [mailto:edk2-devel-bounces@lists.01.org] On Behalf Of Ard Biesheuvel
>> >> Sent: Monday, June 11, 2018 4:53 PM
>> >> To: Gao, Liming <liming.gao@intel.com>
>> >> Cc: edk2-devel@lists.01.org; lersek@redhat.com; zenith432@users.sourceforge.net
>> >> Subject: Re: [edk2] [PATCH] BaseTools/tools_def IA32: disable PIE code generation explicitly
>> >>
>> >> On 11 June 2018 at 10:38, Gao, Liming <liming.gao@intel.com> wrote:
>> >> > Ard:
>> >> >   Do you mean the default GCC compiler disables PIC and PIE for IA32 arch? But now, some distribution GCC compiler enables
>> PIC
>> >> and PIE by default. So, we have to obviously disable PIC and PIE in tools_def.txt.
>> >> >
>> >>
>> >> Yes. On my x86 Ubuntu 18.04 LTS system:
>> >>
>> >> $ gcc -v
>> >> Using built-in specs.
>> >> COLLECT_GCC=gcc
>> >> COLLECT_LTO_WRAPPER=/usr/lib/gcc/x86_64-linux-gnu/7/lto-wrapper
>> >> OFFLOAD_TARGET_NAMES=nvptx-none
>> >> OFFLOAD_TARGET_DEFAULT=1
>> >> Target: x86_64-linux-gnu
>> >> Configured with: ../src/configure -v --with-pkgversion='Ubuntu
>> >> 7.3.0-16ubuntu3' --with-bugurl=file:///usr/share/doc/gcc-7/README.Bugs
>> >> --enable-languages=c,ada,c++,go,brig,d,fortran,objc,obj-c++
>> >> --prefix=/usr --with-gcc-major-version-only
>> >> --with-as=/usr/bin/x86_64-linux-gnu-as
>> >> --with-ld=/usr/bin/x86_64-linux-gnu-ld --program-suffix=-7
>> >> --program-prefix=x86_64-linux-gnu- --enable-shared
>> >> --enable-linker-build-id --libexecdir=/usr/lib
>> >> --without-included-gettext --enable-threads=posix --libdir=/usr/lib
>> >> --enable-nls --with-sysroot=/ --enable-clocale=gnu
>> >> --enable-libstdcxx-debug --enable-libstdcxx-time=yes
>> >> --with-default-libstdcxx-abi=new --enable-gnu-unique-object
>> >> --disable-vtable-verify --enable-libmpx --enable-plugin
>> >> --enable-default-pie --with-system-zlib --with-target-system-zlib
>> >> --enable-objc-gc=auto --enable-multiarch --disable-werror
>> >> --with-arch-32=i686 --with-abi=m64 --with-multilib-list=m32,m64,mx32
>> >> --enable-multilib --with-tune=generic
>> >> --enable-offload-targets=nvptx-none --without-cuda-driver
>> >> --enable-checking=release --build=x86_64-linux-gnu
>> >> --host=x86_64-linux-gnu --target=x86_64-linux-gnu
>> >> Thread model: posix
>> >> gcc version 7.3.0 (Ubuntu 7.3.0-16ubuntu3)
>> >>
>> >>
>> >> Notice the '--enable-default-pie' 4 lines from the bottom.
>> >>
>> >>
>> >>
>> >> >>-----Original Message-----
>> >> >>From: Ard Biesheuvel [mailto:ard.biesheuvel@linaro.org]
>> >> >>Sent: Monday, June 11, 2018 3:42 PM
>> >> >>To: edk2-devel@lists.01.org
>> >> >>Cc: Zhu, Yonghong <yonghong.zhu@intel.com>; Gao, Liming
>> >> >><liming.gao@intel.com>; lersek@redhat.com; Shi, Steven
>> >> >><steven.shi@intel.com>; zenith432@users.sourceforge.net; Ard Biesheuvel
>> >> >><ard.biesheuvel@linaro.org>
>> >> >>Subject: [PATCH] BaseTools/tools_def IA32: disable PIE code generation
>> >> >>explicitly
>> >> >>
>> >> >>As a security measure, some distros now build their GCC toolchains with
>> >> >>PIE code generation enabled by default, because it is a prerequisite
>> >> >>for ASLR to be enabled when running the executable.
>> >> >>
>> >> >>This typically results in slightly larger code, but it also generates
>> >> >>ELF relocations that our tooling cannot deal with, so let's disable it
>> >> >>explicitly when using GCC5 for IA32. (Note that this does not apply to
>> >> >>X64: it uses PIE code deliberately in some cases, and our tooling does
>> >> >>deal with the resuling relocations)
>> >> >>
>> >> >>Contributed-under: TianoCore Contribution Agreement 1.1
>> >> >>Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
>> >> >>---
>> >> >> BaseTools/Conf/tools_def.template | 6 +++---
>> >> >> 1 file changed, 3 insertions(+), 3 deletions(-)
>> >> >>
>> >> >>diff --git a/BaseTools/Conf/tools_def.template
>> >> >>b/BaseTools/Conf/tools_def.template
>> >> >>index 7e9c915755ed..ab57f9c706e3 100755
>> >> >>--- a/BaseTools/Conf/tools_def.template
>> >> >>+++ b/BaseTools/Conf/tools_def.template
>> >> >>@@ -4670,7 +4670,7 @@ DEFINE GCC49_AARCH64_DLINK2_FLAGS    =
>> >> >>DEF(GCC48_AARCH64_DLINK2_FLAGS)
>> >> >> DEFINE GCC49_ARM_ASLDLINK_FLAGS      =
>> >> >>DEF(GCC48_ARM_ASLDLINK_FLAGS)
>> >> >> DEFINE GCC49_AARCH64_ASLDLINK_FLAGS  =
>> >> >>DEF(GCC48_AARCH64_ASLDLINK_FLAGS)
>> >> >>
>> >> >>-DEFINE GCC5_IA32_CC_FLAGS            = DEF(GCC49_IA32_CC_FLAGS)
>> >> >>+DEFINE GCC5_IA32_CC_FLAGS            = DEF(GCC49_IA32_CC_FLAGS) -fno-pic
>> >> >>-fno-pie
>> >> >> DEFINE GCC5_X64_CC_FLAGS             = DEF(GCC49_X64_CC_FLAGS)
>> >> >> DEFINE GCC5_IA32_X64_DLINK_COMMON    =
>> >> >>DEF(GCC49_IA32_X64_DLINK_COMMON)
>> >> >> DEFINE GCC5_IA32_X64_ASLDLINK_FLAGS  =
>> >> >>DEF(GCC49_IA32_X64_ASLDLINK_FLAGS)
>> >> >>@@ -5502,9 +5502,9 @@ RELEASE_GCC49_AARCH64_DLINK_FLAGS  =
>> >> >>DEF(GCC49_AARCH64_DLINK_FLAGS)
>> >> >> *_GCC5_IA32_RC_PATH              = DEF(GCC5_IA32_PREFIX)objcopy
>> >> >>
>> >> >> *_GCC5_IA32_ASLCC_FLAGS          = DEF(GCC_ASLCC_FLAGS) -m32 -fno-lto
>> >> >>-*_GCC5_IA32_ASLDLINK_FLAGS       = DEF(GCC5_IA32_X64_ASLDLINK_FLAGS)
>> >> >>-Wl,-m,elf_i386
>> >> >>+*_GCC5_IA32_ASLDLINK_FLAGS       =
>> >> >>DEF(GCC5_IA32_X64_ASLDLINK_FLAGS) -Wl,-m,elf_i386 -no-pie
>> >> >> *_GCC5_IA32_ASM_FLAGS            = DEF(GCC5_ASM_FLAGS) -m32 -
>> >> >>march=i386
>> >> >>-*_GCC5_IA32_DLINK2_FLAGS         = DEF(GCC5_IA32_DLINK2_FLAGS)
>> >> >>+*_GCC5_IA32_DLINK2_FLAGS         = DEF(GCC5_IA32_DLINK2_FLAGS) -no-
>> >> >>pie
>> >> >> *_GCC5_IA32_RC_FLAGS             = DEF(GCC_IA32_RC_FLAGS)
>> >> >> *_GCC5_IA32_OBJCOPY_FLAGS        =
>> >> >> *_GCC5_IA32_NASM_FLAGS           = -f elf32
>> >> >>--
>> >> >>2.17.1
>> >> >
>> >> _______________________________________________
>> >> edk2-devel mailing list
>> >> edk2-devel@lists.01.org
>> >> https://lists.01.org/mailman/listinfo/edk2-devel