1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
|
This is PIEworld
================
Toolchain modified to build everything that isn't -fPIC, as -fPIE.
gcc:
----
1) Built with PIE-default, SSP-default, RELRO and BIND_NOW
2) Non-PIC crtstuff built -fno-PIE (crtbegin.o, crtend.o)
3) Specs permit -static && -fPIE (but not -pie)
glibc:
------
1) Built with PIE-default, SSP off, RELRO and BIND_NOW
2) Non-PIC crtstuff built -fno-PIE (crt1.o - note; crtn.o, crti.o, Scrt1.o all built -fPIC)
3) Make pic-default configure check ignore -fPIE.
4) Link all apps PIE, adjust TLS initialisation to avoid using the TLS before it's ready.
The results are:
crt*S.o, crtn.o, crti.o & Scrt1.o are -fPIC, all other crtfiles are -fno-PIE.
Code archives lib*.a are -fPIE
Note that since lib*.a are not available -fno-PIE, building static binaries actually creates
binaries containing PIE code, although the executable has a fixed location.
Upgrade path
------------
From hardened gcc-3/glibc-2.3:
1) Switch to vanilla compiler
2) USE="-hardened" emerge --oneshot =sys-libs/glibc-2.5
3) USE="-hardened" emerge --oneshot =sys-devel/gcc-4.1.1-r3
4) switch to hardened compiler
5) emerge --oneshot =sys-libs/glibc-2.5
6) emerge --oneshot =sys-devel/gcc-4.1.1-r3
TODO
----
1) Check all lib*.a that don't have a .so - should they be -fPIC rather than -fPIE?
|
GitWeb
