kumquat-buildroot/package/glibc/glibc.mk


################################################################################
#
# glibc
#
################################################################################
# Generate version string using:
#  git describe --match 'glibc-*' --abbrev=40 origin/release/MAJOR.MINOR/master | cut -d '-' -f 2-
# The result has the form <release>-<commits since release>-g<40-digit commit id>,
# so the value names one exact upstream commit rather than a moving branch.
# When updating the version, please also update localedef, and re-check the
# GLIBC_IGNORE_CVES entries, which are written relative to this revision.
GLIBC_VERSION = 2.38-27-g750a45a783906a19591fb8ff6b7841470f1f5701
# Upstream doesn't officially provide an https download link.
# There is one (https://sourceware.org/git/glibc.git) but it's not reliable,
# sometimes the connection times out. So use an unofficial github mirror.
# When updating the version, check it on the official repository;
# *NEVER* decide on a version string by looking at the mirror.
# Then check that the mirror has been synced already (happens once a day.)
# NOTE(review): the mirror is a third party, so the integrity of what gets
# fetched presumably rests on the package's hash file (not shown here);
# confirm it is regenerated from the official repository on every bump.
GLIBC_SITE = $(call github,bminor,glibc,$(GLIBC_VERSION))
GLIBC_LICENSE = GPL-2.0+ (programs), LGPL-2.1+, BSD-3-Clause, MIT (library)
GLIBC_LICENSE_FILES = COPYING COPYING.LIB LICENSES
GLIBC_CPE_ID_VENDOR = gnu
# Extract the base version (e.g. 2.38) from GLIBC_VERSION in order to
# allow proper matching with the CPE database.
GLIBC_CPE_ID_VERSION = $(word 1, $(subst -,$(space),$(GLIBC_VERSION)))
# Only the base version is reported for CPE matching, so CVEs that affect
# the base release but are already fixed on the maintenance branch are
# listed explicitly below. Each entry names the fixing commit; re-validate
# every entry whenever GLIBC_VERSION changes.
# Fixed by b25508dd774b617f99419bdc3cf2ace4560cd2d6, which is between
# 2.38 and the version we're really using.
GLIBC_IGNORE_CVES += CVE-2023-4527
# Fixed by 750a45a783906a19591fb8ff6b7841470f1f5710, which is between
# 2.38 and the version we're really using.
# NOTE(review): this id ends in ...5710 while the commit in GLIBC_VERSION
# ends in ...5701; every other digit matches, so one of the two is probably
# a transposition. Confirm the fixing commit on the official repository.
GLIBC_IGNORE_CVES += CVE-2023-4911
# Fixed by 5ee59ca371b99984232d7584fe2b1a758b4421d3, which is between
# 2.38 and the version we're really using.
GLIBC_IGNORE_CVES += CVE-2023-5156
# glibc is part of the toolchain so disable the toolchain dependency
GLIBC_ADD_TOOLCHAIN_DEPENDENCY = NO
# Before glibc is configured, we must have the first stage
# cross-compiler and the kernel headers. The host bison, gawk, make and
# python3 entries are build-time tools only.
GLIBC_DEPENDENCIES = host-gcc-initial linux-headers host-bison host-gawk \
	$(BR2_MAKE_HOST_DEPENDENCY) $(BR2_PYTHON3_HOST_DEPENDENCY)
# Same directory name as the out-of-tree $(@D)/build created by
# GLIBC_CONFIGURE_CMDS.
GLIBC_SUBDIR = build
# Install into the staging tree by passing install_root to glibc's own
# "install" target.
GLIBC_INSTALL_STAGING = YES
GLIBC_INSTALL_STAGING_OPTS = install_root=$(STAGING_DIR) install
# GLIBC_EXTRA_CFLAGS collects per-architecture and per-configuration
# compiler flags; it is appended to GLIBC_CFLAGS in both CFLAGS and
# CXXFLAGS when configure is run.

# Thumb build is broken, build in ARM mode
ifeq ($(BR2_ARM_INSTRUCTIONS_THUMB),y)
GLIBC_EXTRA_CFLAGS += -marm
endif
# MIPS64 defaults to n32 so pass the correct -mabi if
# we are using a different ABI. OABI32 is also used
# in MIPS so we pass -mabi=32 in this case as well
# even though it's not strictly necessary.
ifeq ($(BR2_MIPS_NABI64),y)
GLIBC_EXTRA_CFLAGS += -mabi=64
else ifeq ($(BR2_MIPS_OABI32),y)
GLIBC_EXTRA_CFLAGS += -mabi=32
endif
# Emit debug information when a debug build is selected.
ifeq ($(BR2_ENABLE_DEBUG),y)
GLIBC_EXTRA_CFLAGS += -g
endif
# glibc explicitly requires compile barriers between files, so
# link-time optimization is switched off.
ifeq ($(BR2_TOOLCHAIN_GCC_AT_LEAST_4_7),y)
GLIBC_EXTRA_CFLAGS += -fno-lto
endif
# The stubs.h header is not installed by install-headers, but is
# needed for the gcc build. An empty stubs.h will work, as explained
# in http://gcc.gnu.org/ml/gcc/2002-01/msg00900.html. The same trick
# is used by Crosstool-NG.
# The macro is only defined when Buildroot itself builds the glibc
# toolchain; otherwise it expands to nothing where it is used at the end
# of GLIBC_CONFIGURE_CMDS.
ifeq ($(BR2_TOOLCHAIN_BUILDROOT_GLIBC),y)
define GLIBC_ADD_MISSING_STUB_H
	mkdir -p $(STAGING_DIR)/usr/include/gnu
	touch $(STAGING_DIR)/usr/include/gnu/stubs.h
endef
endif
# Environment placed in front of the configure invocation. The ac_cv_* and
# libc_cv_* names look like pre-seeded configure test results, so configure
# uses these values instead of probing:
#  - ac_cv_path_BASH_SHELL: /bin/bash on the target when the bash package
#    is selected, /bin/sh otherwise.
#  - libc_cv_forced_unwind=yes.
#  - libc_cv_ssp=no.
# NOTE(review): libc_cv_ssp=no appears to pre-answer a stack-protector probe
# with "no"; confirm whether this glibc version still reads it and where
# stack protection for glibc itself is decided.
GLIBC_CONF_ENV = \
	ac_cv_path_BASH_SHELL=/bin/$(if $(BR2_PACKAGE_BASH),bash,sh) \
	libc_cv_forced_unwind=yes \
	libc_cv_ssp=no
# POSIX shell does not support localization, so remove the corresponding
# syntax from ldd if bash is not selected.
# The sed expression rewrites every $" in elf/ldd.bash.in to a plain ";
# it runs as a post-patch hook, i.e. on the extracted source tree.
ifeq ($(BR2_PACKAGE_BASH),)
define GLIBC_LDD_NO_BASH
	$(SED) 's/$$"/"/g' $(@D)/elf/ldd.bash.in
endef
GLIBC_POST_PATCH_HOOKS += GLIBC_LDD_NO_BASH
endif
# Override the default library locations of /lib64/<abi> and
# /usr/lib64/<abi>/ for RISC-V.
# 64-bit RISC-V gets /lib64 and every other RISC-V configuration /lib32 as
# the shared-library directory; the dynamic loader directory is /lib in
# both cases.
ifeq ($(BR2_riscv),y)
ifeq ($(BR2_RISCV_64),y)
GLIBC_CONF_ENV += libc_cv_slibdir=/lib64 libc_cv_rtlddir=/lib
else
GLIBC_CONF_ENV += libc_cv_slibdir=/lib32 libc_cv_rtlddir=/lib
endif
endif
# glibc requires make >= 4.0 since 2.28 release.
# https://www.sourceware.org/ml/libc-alpha/2018-08/msg00003.html
# The same make program is used to run the build and is handed to
# configure as its MAKE result.
GLIBC_MAKE = $(BR2_MAKE)
GLIBC_CONF_ENV += ac_cv_prog_MAKE="$(BR2_MAKE)"
# Unless kernel compatibility is requested, tell glibc that the oldest
# kernel it has to run on is the one matching the toolchain kernel headers.
# When BR2_PACKAGE_GLIBC_KERNEL_COMPAT is set, --enable-kernel is not passed
# at all, which leaves the choice of supported kernels to glibc's defaults.
ifeq ($(BR2_PACKAGE_GLIBC_KERNEL_COMPAT),)
GLIBC_CONF_OPTS += --enable-kernel=$(call qstrip,$(BR2_TOOLCHAIN_HEADERS_AT_LEAST))
endif
# Even though we use the autotools-package infrastructure, we have to
# override the default configure commands for several reasons:
#
#  1. We have to build out-of-tree, but we can't use the same
#     'symbolic link to configure' used with the gcc packages.
#
#  2. We have to execute the configure script with bash and not sh.
#
# Glibc nowadays can be built with optimization flags, e.g. -Os
GLIBC_CFLAGS = $(TARGET_OPTIMIZATION)
# The overrides below are appended after $(TARGET_OPTIMIZATION); with gcc
# the last -O option on the command line is the one that takes effect.
# crash in qemu-system-nios2 with -Os
ifeq ($(BR2_nios2),y)
GLIBC_CFLAGS += -O2
endif
# glibc can't be built without optimization
ifeq ($(BR2_OPTIMIZE_0),y)
GLIBC_CFLAGS += -O1
endif
# glibc can't be built with Optimize for fast
ifeq ($(BR2_OPTIMIZE_FAST),y)
GLIBC_CFLAGS += -O2
endif
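# Configure glibc out-of-tree in $(@D)/build.
#
# The configure script is run through $(SHELL) from inside the build
# directory, with $(TARGET_CONFIGURE_OPTS), the CFLAGS/CXXFLAGS built from
# GLIBC_CFLAGS and GLIBC_EXTRA_CFLAGS, an empty CPPFLAGS and GLIBC_CONF_ENV
# placed in front of it. "cd ... &&" is used so that configure is never
# started from another directory if entering the build directory fails.
# GLIBC_ADD_MISSING_STUB_H runs afterwards and expands to nothing when the
# macro is not defined.
#
# Notes on the options:
#  - --enable-lock-elision is passed on x86_64 only, --enable-mathvec on
#    aarch64/aarch64_be only.
#  - --disable-werror: warnings introduced by compilers newer than the ones
#    glibc was released with do not fail the build, so a clean build says
#    nothing about new warnings.
#  - --enable-crypt keeps the deprecated libcrypt for applications that
#    have not moved to an alternative such as libxcrypt.
#  - Neither --enable-fortify-source nor --enable-stack-protector appears
#    in this command; unless GLIBC_CONF_OPTS adds them elsewhere, glibc
#    itself is built with configure's defaults for both.
#    NOTE(review): confirm this is the intended hardening level for the
#    target architectures.
#  - GLIBC_CONF_OPTS comes last, so options added there follow the fixed
#    ones on the command line.
define GLIBC_CONFIGURE_CMDS
	mkdir -p $(@D)/build
	# Do the configuration
	(cd $(@D)/build && \
		$(TARGET_CONFIGURE_OPTS) \
		CFLAGS="$(GLIBC_CFLAGS) $(GLIBC_EXTRA_CFLAGS)" CPPFLAGS="" \
		CXXFLAGS="$(GLIBC_CFLAGS) $(GLIBC_EXTRA_CFLAGS)" \
		$(GLIBC_CONF_ENV) \
		$(SHELL) $(@D)/configure \
		--target=$(GNU_TARGET_NAME) \
		--host=$(GNU_TARGET_NAME) \
		--build=$(GNU_HOST_NAME) \
		--prefix=/usr \
		--enable-shared \
		$(if $(BR2_x86_64),--enable-lock-elision) \
		--with-pkgversion="Buildroot" \
		--disable-profile \
		--disable-werror \
		--without-gd \
		--with-headers=$(STAGING_DIR)/usr/include \
		$(if $(BR2_aarch64)$(BR2_aarch64_be),--enable-mathvec) \
		--enable-crypt \
		$(GLIBC_CONF_OPTS))
	$(GLIBC_ADD_MISSING_STUB_H)
endef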
#
# We also override the install to target commands since we only want
# to install the libraries, and nothing more.
#
# GLIBC_LIBS_LIB is the list of shared-library name patterns that end up
# on the target; anything glibc builds that is not matched here is not
# copied by GLIBC_INSTALL_TARGET_CMDS.
GLIBC_LIBS_LIB = \
	ld*.so.* libanl.so.* libc.so.* libcrypt.so.* libdl.so.* libgcc_s.so.* \
	libm.so.* libpthread.so.* libresolv.so.* librt.so.* \
	libutil.so.* libnss_files.so.* libnss_dns.so.* libmvec.so.*
# libthread_db is only added when gdb is part of the configuration.
ifeq ($(BR2_PACKAGE_GDB),y)
GLIBC_LIBS_LIB += libthread_db.so.*
endif
# Optional utilities, given as paths relative to the build directory:
# getconf and ldd go to /usr/bin, ldconfig to /sbin, and locale is added
# to /usr/bin only when NLS is enabled.
ifeq ($(BR2_PACKAGE_GLIBC_UTILS),y)
GLIBC_TARGET_UTILS_USR_BIN = posix/getconf elf/ldd
GLIBC_TARGET_UTILS_SBIN = elf/ldconfig
ifeq ($(BR2_SYSTEM_ENABLE_NLS),y)
GLIBC_TARGET_UTILS_USR_BIN += locale/locale
endif
endif
# Install to the target: the libraries matched by GLIBC_LIBS_LIB, then the
# optional utilities.
#
# The shell loop hands each pattern to copy_toolchain_lib_root, which is
# defined elsewhere (presumably it copies the matching libraries into the
# target root; verify against its definition). $$libpattern is escaped so
# that the shell, not make, expands it.
#
# Each $(foreach) body ends with a newline before the closing parenthesis,
# so every utility expands to its own recipe line. The utilities are
# installed with mode 0755 under $(TARGET_DIR)/usr/bin and
# $(TARGET_DIR)/sbin, using only the file name part of each path. When the
# utility lists are empty the loops expand to nothing.
define GLIBC_INSTALL_TARGET_CMDS
	for libpattern in $(GLIBC_LIBS_LIB); do \
		$(call copy_toolchain_lib_root,$$libpattern) ; \
	done
	$(foreach util,$(GLIBC_TARGET_UTILS_USR_BIN), \
		$(INSTALL) -D -m 0755 $(@D)/build/$(util) $(TARGET_DIR)/usr/bin/$(notdir $(util))
	)
	$(foreach util,$(GLIBC_TARGET_UTILS_SBIN), \
		$(INSTALL) -D -m 0755 $(@D)/build/$(util) $(TARGET_DIR)/sbin/$(notdir $(util))
	)
endef

# Hand the GLIBC_* variables above to the autotools package infrastructure.
$(eval $(autotools-package))