toolchain: allow PIC/PIE without RELRO

In commit 7484c1c3b8 (toolchain/toolchain-wrapper: add BR2_RELRO_), we added the PIC/PIE flags, but based on the RELRO_FULL condition. It is however totally possible to do a PIC/PIE executable without RELRO_FULL, as it is also valid to do a PIC/PIE build with RELRO_PARTIAL. Add a new option that now governs the PIC/PIE flags. Note: it is unknown if RELRO_FULL really needs PIC/PIE or not, so we keep the current situation, where RELRO-FULL forces PIC/PIE compilation. Decoupling can come later from an interested party. Signed-off-by: "Yann E. MORIN" <yann.morin@orange.com> Cc: Matt Weber <matthew.weber@rockwellcollins.com> Cc: Thomas Petazzoni <thomas.petazzoni@bootlin.com> Cc: Thomas De Schampheleire <thomas.de_schampheleire@nokia.com> Reviewed-by: Matthew Weber <matthew.weber@rockwellcollins.com> Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
2019-03-12 13:09:36 +01:00 · 2019-03-12 13:09:36 +01:00 · 814f6e19e7
commit 814f6e19e7
parent 51db8974f7
3 changed files with 13 additions and 1 deletions
--- a/Config.in
+++ b/Config.in
@ -712,6 +712,13 @@ endmenu

 comment "Security Hardening Options"

+config BR2_PIC_PIE
+	bool "Build code with PIC/PIE"
+	depends on BR2_SHARED_LIBS
+	help
+	  Generate Position-Independent Code (PIC) and link
+	  Position-Independent Executables (PIE).
+
 choice
 	bool "Stack Smashing Protection"
 	default BR2_SSP_ALL if BR2_ENABLE_SSP # legacy
@ -794,6 +801,7 @@ config BR2_RELRO_PARTIAL

 config BR2_RELRO_FULL
 	bool "Full"
+	select BR2_PIC_PIE
 	help
 	  This option includes the partial configuration, but also marks
 	  the GOT as read-only at the cost of initialization time during
--- a/toolchain/toolchain-wrapper.c
+++ b/toolchain/toolchain-wrapper.c
@ -367,7 +367,7 @@ int main(int argc, char **argv)
 		*cur++ = "-Wno-builtin-macro-redefined";
 	}

-#ifdef BR2_RELRO_FULL
+#ifdef BR2_PIC_PIE
 	/* Patterned after Fedora/Gentoo hardening approaches.
 	 * https://fedoraproject.org/wiki/Changes/Harden_All_Packages
 	 * https://wiki.gentoo.org/wiki/Hardened/Toolchain#Position_Independent_Executables_.28PIEs.29
--- a/toolchain/toolchain-wrapper.mk
+++ b/toolchain/toolchain-wrapper.mk
@ -49,6 +49,10 @@ ifeq ($(BR2_CCACHE_USE_BASEDIR),y)
 TOOLCHAIN_WRAPPER_ARGS += -DBR_CCACHE_BASEDIR='"$(BASE_DIR)"'
 endif

+ifeq ($(BR2_PIC_PIE),y)
+TOOLCHAIN_WRAPPER_ARGS += -DBR2_PIC_PIE
+endif
+
 ifeq ($(BR2_RELRO_PARTIAL),y)
 TOOLCHAIN_WRAPPER_ARGS += -DBR2_RELRO_PARTIAL
 else ifeq ($(BR2_RELRO_FULL),y)