From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received-SPF: Pass (sender SPF authorized) identity=mailfrom; client-ip=2607:f8b0:4001:c0b::22c; helo=mail-it0-x22c.google.com; envelope-from=ard.biesheuvel@linaro.org; receiver=edk2-devel@lists.01.org Received: from mail-it0-x22c.google.com (mail-it0-x22c.google.com [IPv6:2607:f8b0:4001:c0b::22c]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ml01.01.org (Postfix) with ESMTPS id C0A28209884B6 for ; Mon, 11 Jun 2018 09:25:35 -0700 (PDT) Received: by mail-it0-x22c.google.com with SMTP id 188-v6so10658161ita.5 for ; Mon, 11 Jun 2018 09:25:35 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linaro.org; s=google; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=KO0lmq5+K9a3JApWPXlnaBCj582O2E1bXxtSlUytdfY=; b=HYkm0edE9EQQ9rF6VlepFoVAlDWjNxHhopO1Onc1rpzUBPjdSCAMnlSEX8tSywtEtM DtB2xSN77l/qGmWv4L7Iv1H5EMes3RVpATzBUc8x/ypIv2ThSnB4fFpgIy/xdCxMuq8v yIE/tp/L+i+ic4XIDUe08gHOgVoIVYaiRR9xc= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=KO0lmq5+K9a3JApWPXlnaBCj582O2E1bXxtSlUytdfY=; b=UrRiq8AcjDEEVUSRAcP2a2YH2qsGxDl6Z4iZMbklTP0ywODXAz/t47QHI0g7Ewm0yN TR9INa2oR1qEKXLPTmbPDZgLIQk8KgQEvgV1xGvTnsFjm05CB3O8LaX2UcXwCCIzYXxM RdlAIOM39iB2C/pp3mREMF75zTmhdCPuf8WI0IAjl++Y95Az5vmYEO840FhoY2shUE7O L5FvrQTdmtUtyfh4rpGJ7a/tU75CYuNxWhX+XQwS66NYy0cF4zjykWPMKIfHPMKal0sQ Ta1rzb98eDqp3DCcMHuvOx+rspKv1E5aUwb3pCJuLv3P3l58wJ+6UVjQbLQK2FuHbSWI IV+Q== X-Gm-Message-State: APt69E3vYbozLYQTPPxMJYZx8xKB40ClVLYctni+lGQf6b1PMCtfEt3p K1GrVW3z2IhVKgHsu/xEH0vRePxQCFPMnMAfOI5AdhuE X-Google-Smtp-Source: ADUXVKKRjPMh37hs/K2UcGjaYPKeg9yioN3irCYJA7QuMhk7qHC3taR0ySfKWBUwkYGQfhr88GBRMu8JIvQ25k0okzA= X-Received: by 2002:a24:e105:: with SMTP id n5-v6mr11044225ith.68.1528734334792; Mon, 11 Jun 2018 09:25:34 -0700 (PDT) MIME-Version: 1.0 Received: by 2002:a6b:bbc7:0:0:0:0:0 with HTTP; Mon, 11 Jun 2018 09:25:34 -0700 (PDT) In-Reply-To: <4A89E2EF3DFEDB4C8BFDE51014F606A14E295979@SHSMSX104.ccr.corp.intel.com> References: <20180611074227.30625-1-ard.biesheuvel@linaro.org> <4A89E2EF3DFEDB4C8BFDE51014F606A14E295663@SHSMSX104.ccr.corp.intel.com> <4A89E2EF3DFEDB4C8BFDE51014F606A14E295948@SHSMSX104.ccr.corp.intel.com> <4A89E2EF3DFEDB4C8BFDE51014F606A14E295979@SHSMSX104.ccr.corp.intel.com> From: Ard Biesheuvel Date: Mon, 11 Jun 2018 18:25:34 +0200 Message-ID: To: "Gao, Liming" Cc: "edk2-devel@lists.01.org" , "lersek@redhat.com" , "zenith432@users.sourceforge.net" Subject: Re: [PATCH] BaseTools/tools_def IA32: disable PIE code generation explicitly X-BeenThere: edk2-devel@lists.01.org X-Mailman-Version: 2.1.26 Precedence: list List-Id: EDK II Development List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 11 Jun 2018 16:25:36 -0000 Content-Type: text/plain; charset="UTF-8" On 11 June 2018 at 18:09, Gao, Liming wrote: > Ard: > GCC49 tool chain can be used by GCC4.9 and above compiler. It provides the GCC setting without LTO. GCC5 tool chain provides GCC setting with LTO. So, I suggest to disable it also in GCC49 tool chain. > OK that works for me. >> -----Original Message----- >> From: Ard Biesheuvel [mailto:ard.biesheuvel@linaro.org] >> Sent: Tuesday, June 12, 2018 12:04 AM >> To: Gao, Liming >> Cc: edk2-devel@lists.01.org; lersek@redhat.com; zenith432@users.sourceforge.net >> Subject: Re: [edk2] [PATCH] BaseTools/tools_def IA32: disable PIE code generation explicitly >> >> On 11 June 2018 at 18:00, Gao, Liming wrote: >> > Ard: >> > Is this option required in GCC49 tool chain? Or, this option is only required when lto is enabled? >> > >> >> It has nothing to do with LTO. >> >> In theory, it could be required for any toolchain that supports -fpic >> and or -fpie. However, not all 4.x toolchains support -fpie and so >> they don't support -fno-pie either. >> >> Given that the distros only changed this default recently (in the 5.x >> timeframe or later), it makes sense to only disable it for GCC5, >> although it is safe to disable it for GCC49 as well. >> >> >> -----Original Message----- >> >> From: edk2-devel [mailto:edk2-devel-bounces@lists.01.org] On Behalf Of Ard Biesheuvel >> >> Sent: Monday, June 11, 2018 4:53 PM >> >> To: Gao, Liming >> >> Cc: edk2-devel@lists.01.org; lersek@redhat.com; zenith432@users.sourceforge.net >> >> Subject: Re: [edk2] [PATCH] BaseTools/tools_def IA32: disable PIE code generation explicitly >> >> >> >> On 11 June 2018 at 10:38, Gao, Liming wrote: >> >> > Ard: >> >> > Do you mean the default GCC compiler disables PIC and PIE for IA32 arch? But now, some distribution GCC compiler enables >> PIC >> >> and PIE by default. So, we have to obviously disable PIC and PIE in tools_def.txt. >> >> > >> >> >> >> Yes. On my x86 Ubuntu 18.04 LTS system: >> >> >> >> $ gcc -v >> >> Using built-in specs. >> >> COLLECT_GCC=gcc >> >> COLLECT_LTO_WRAPPER=/usr/lib/gcc/x86_64-linux-gnu/7/lto-wrapper >> >> OFFLOAD_TARGET_NAMES=nvptx-none >> >> OFFLOAD_TARGET_DEFAULT=1 >> >> Target: x86_64-linux-gnu >> >> Configured with: ../src/configure -v --with-pkgversion='Ubuntu >> >> 7.3.0-16ubuntu3' --with-bugurl=file:///usr/share/doc/gcc-7/README.Bugs >> >> --enable-languages=c,ada,c++,go,brig,d,fortran,objc,obj-c++ >> >> --prefix=/usr --with-gcc-major-version-only >> >> --with-as=/usr/bin/x86_64-linux-gnu-as >> >> --with-ld=/usr/bin/x86_64-linux-gnu-ld --program-suffix=-7 >> >> --program-prefix=x86_64-linux-gnu- --enable-shared >> >> --enable-linker-build-id --libexecdir=/usr/lib >> >> --without-included-gettext --enable-threads=posix --libdir=/usr/lib >> >> --enable-nls --with-sysroot=/ --enable-clocale=gnu >> >> --enable-libstdcxx-debug --enable-libstdcxx-time=yes >> >> --with-default-libstdcxx-abi=new --enable-gnu-unique-object >> >> --disable-vtable-verify --enable-libmpx --enable-plugin >> >> --enable-default-pie --with-system-zlib --with-target-system-zlib >> >> --enable-objc-gc=auto --enable-multiarch --disable-werror >> >> --with-arch-32=i686 --with-abi=m64 --with-multilib-list=m32,m64,mx32 >> >> --enable-multilib --with-tune=generic >> >> --enable-offload-targets=nvptx-none --without-cuda-driver >> >> --enable-checking=release --build=x86_64-linux-gnu >> >> --host=x86_64-linux-gnu --target=x86_64-linux-gnu >> >> Thread model: posix >> >> gcc version 7.3.0 (Ubuntu 7.3.0-16ubuntu3) >> >> >> >> >> >> Notice the '--enable-default-pie' 4 lines from the bottom. >> >> >> >> >> >> >> >> >>-----Original Message----- >> >> >>From: Ard Biesheuvel [mailto:ard.biesheuvel@linaro.org] >> >> >>Sent: Monday, June 11, 2018 3:42 PM >> >> >>To: edk2-devel@lists.01.org >> >> >>Cc: Zhu, Yonghong ; Gao, Liming >> >> >>; lersek@redhat.com; Shi, Steven >> >> >>; zenith432@users.sourceforge.net; Ard Biesheuvel >> >> >> >> >> >>Subject: [PATCH] BaseTools/tools_def IA32: disable PIE code generation >> >> >>explicitly >> >> >> >> >> >>As a security measure, some distros now build their GCC toolchains with >> >> >>PIE code generation enabled by default, because it is a prerequisite >> >> >>for ASLR to be enabled when running the executable. >> >> >> >> >> >>This typically results in slightly larger code, but it also generates >> >> >>ELF relocations that our tooling cannot deal with, so let's disable it >> >> >>explicitly when using GCC5 for IA32. (Note that this does not apply to >> >> >>X64: it uses PIE code deliberately in some cases, and our tooling does >> >> >>deal with the resuling relocations) >> >> >> >> >> >>Contributed-under: TianoCore Contribution Agreement 1.1 >> >> >>Signed-off-by: Ard Biesheuvel >> >> >>--- >> >> >> BaseTools/Conf/tools_def.template | 6 +++--- >> >> >> 1 file changed, 3 insertions(+), 3 deletions(-) >> >> >> >> >> >>diff --git a/BaseTools/Conf/tools_def.template >> >> >>b/BaseTools/Conf/tools_def.template >> >> >>index 7e9c915755ed..ab57f9c706e3 100755 >> >> >>--- a/BaseTools/Conf/tools_def.template >> >> >>+++ b/BaseTools/Conf/tools_def.template >> >> >>@@ -4670,7 +4670,7 @@ DEFINE GCC49_AARCH64_DLINK2_FLAGS = >> >> >>DEF(GCC48_AARCH64_DLINK2_FLAGS) >> >> >> DEFINE GCC49_ARM_ASLDLINK_FLAGS = >> >> >>DEF(GCC48_ARM_ASLDLINK_FLAGS) >> >> >> DEFINE GCC49_AARCH64_ASLDLINK_FLAGS = >> >> >>DEF(GCC48_AARCH64_ASLDLINK_FLAGS) >> >> >> >> >> >>-DEFINE GCC5_IA32_CC_FLAGS = DEF(GCC49_IA32_CC_FLAGS) >> >> >>+DEFINE GCC5_IA32_CC_FLAGS = DEF(GCC49_IA32_CC_FLAGS) -fno-pic >> >> >>-fno-pie >> >> >> DEFINE GCC5_X64_CC_FLAGS = DEF(GCC49_X64_CC_FLAGS) >> >> >> DEFINE GCC5_IA32_X64_DLINK_COMMON = >> >> >>DEF(GCC49_IA32_X64_DLINK_COMMON) >> >> >> DEFINE GCC5_IA32_X64_ASLDLINK_FLAGS = >> >> >>DEF(GCC49_IA32_X64_ASLDLINK_FLAGS) >> >> >>@@ -5502,9 +5502,9 @@ RELEASE_GCC49_AARCH64_DLINK_FLAGS = >> >> >>DEF(GCC49_AARCH64_DLINK_FLAGS) >> >> >> *_GCC5_IA32_RC_PATH = DEF(GCC5_IA32_PREFIX)objcopy >> >> >> >> >> >> *_GCC5_IA32_ASLCC_FLAGS = DEF(GCC_ASLCC_FLAGS) -m32 -fno-lto >> >> >>-*_GCC5_IA32_ASLDLINK_FLAGS = DEF(GCC5_IA32_X64_ASLDLINK_FLAGS) >> >> >>-Wl,-m,elf_i386 >> >> >>+*_GCC5_IA32_ASLDLINK_FLAGS = >> >> >>DEF(GCC5_IA32_X64_ASLDLINK_FLAGS) -Wl,-m,elf_i386 -no-pie >> >> >> *_GCC5_IA32_ASM_FLAGS = DEF(GCC5_ASM_FLAGS) -m32 - >> >> >>march=i386 >> >> >>-*_GCC5_IA32_DLINK2_FLAGS = DEF(GCC5_IA32_DLINK2_FLAGS) >> >> >>+*_GCC5_IA32_DLINK2_FLAGS = DEF(GCC5_IA32_DLINK2_FLAGS) -no- >> >> >>pie >> >> >> *_GCC5_IA32_RC_FLAGS = DEF(GCC_IA32_RC_FLAGS) >> >> >> *_GCC5_IA32_OBJCOPY_FLAGS = >> >> >> *_GCC5_IA32_NASM_FLAGS = -f elf32 >> >> >>-- >> >> >>2.17.1 >> >> > >> >> _______________________________________________ >> >> edk2-devel mailing list >> >> edk2-devel@lists.01.org >> >> https://lists.01.org/mailman/listinfo/edk2-devel