Makefile: link with --no-warn-rwx-segments

Message ID	20221207204943.1352360-1-trini@konsulko.com
State	Accepted
Commit	1e1c51f8ace8717f972ccad37616e3b6488e92ad
Delegated to:	Tom Rini
Headers	show Return-Path: <u-boot-bounces@lists.denx.de> From: Tom Rini <trini@konsulko.com> To: u-boot@lists.denx.de Cc: Heinrich Schuchardt <xypron.glpk@gmx.de>, Ilias Apalodimas <ilias.apalodimas@linaro.org> Subject: [PATCH] Makefile: link with --no-warn-rwx-segments Date: Wed, 7 Dec 2022 15:49:43 -0500 Message-Id: <20221207204943.1352360-1-trini@konsulko.com> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Precedence: list Errors-To: u-boot-bounces@lists.denx.de Sender: "U-Boot" <u-boot-bounces@lists.denx.de>
Series	Makefile: link with --no-warn-rwx-segments \| expand Makefile: link with --no-warn-rwx-segments

Message ID

20221207204943.1352360-1-trini@konsulko.com

State

Accepted

Commit

1e1c51f8ace8717f972ccad37616e3b6488e92ad

Delegated to:

Tom Rini

Headers

show

Return-Path: <u-boot-bounces@lists.denx.de>
X-Original-To: incoming@patchwork.ozlabs.org
Delivered-To: patchwork-incoming@legolas.ozlabs.org
Authentication-Results: legolas.ozlabs.org;
 spf=pass (sender SPF authorized) smtp.mailfrom=lists.denx.de
 (client-ip=2a01:238:438b:c500:173d:9f52:ddab:ee01; helo=phobos.denx.de;
 envelope-from=u-boot-bounces@lists.denx.de; receiver=<UNKNOWN>)
Authentication-Results: legolas.ozlabs.org;
	dkim=pass (1024-bit key;
 unprotected) header.d=konsulko.com header.i=@konsulko.com header.a=rsa-sha256
 header.s=google header.b=uX01tu3s;
	dkim-atps=neutral
Received: from phobos.denx.de (phobos.denx.de
 [IPv6:2a01:238:438b:c500:173d:9f52:ddab:ee01])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature ECDSA (P-384))
	(No client certificate requested)
	by legolas.ozlabs.org (Postfix) with ESMTPS id 4NS8YJ2GTJz23pD
	for <incoming@patchwork.ozlabs.org>; Thu,  8 Dec 2022 07:49:56 +1100 (AEDT)
Received: from h2850616.stratoserver.net (localhost [IPv6:::1])
	by phobos.denx.de (Postfix) with ESMTP id E1EF282A12;
	Wed,  7 Dec 2022 21:49:51 +0100 (CET)
Authentication-Results: phobos.denx.de;
 dmarc=pass (p=none dis=none) header.from=konsulko.com
Authentication-Results: phobos.denx.de;
 spf=pass smtp.mailfrom=u-boot-bounces@lists.denx.de
Authentication-Results: phobos.denx.de;
	dkim=pass (1024-bit key;
 unprotected) header.d=konsulko.com header.i=@konsulko.com
 header.b="uX01tu3s";
	dkim-atps=neutral
Received: by phobos.denx.de (Postfix, from userid 109)
 id 1A73B83600; Wed,  7 Dec 2022 21:49:50 +0100 (CET)
X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on phobos.denx.de
X-Spam-Level: 
X-Spam-Status: No, score=-2.1 required=5.0 tests=BAYES_00,DKIM_SIGNED,
 DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,SPF_HELO_NONE,SPF_PASS
 autolearn=ham autolearn_force=no version=3.4.2
Received: from mail-wr1-x429.google.com (mail-wr1-x429.google.com
 [IPv6:2a00:1450:4864:20::429])
 (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits))
 (No client certificate requested)
 by phobos.denx.de (Postfix) with ESMTPS id 538E182A0A
 for <u-boot@lists.denx.de>; Wed,  7 Dec 2022 21:49:46 +0100 (CET)
Authentication-Results: phobos.denx.de;
 dmarc=pass (p=none dis=none) header.from=konsulko.com
Authentication-Results: phobos.denx.de;
 spf=pass smtp.mailfrom=trini@konsulko.com
Received: by mail-wr1-x429.google.com with SMTP id o5so29926066wrm.1
 for <u-boot@lists.denx.de>; Wed, 07 Dec 2022 12:49:46 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=konsulko.com;
 s=google;
 h=content-transfer-encoding:mime-version:message-id:date:subject:cc
 :to:from:from:to:cc:subject:date:message-id:reply-to;
 bh=igTz9+Wv8BWnFvEKeJH271QfJjb9VCR9bMarsHVQeuo=;
 b=uX01tu3sPJf9/Fu2/1miTXf15HHWESe7G2VG91/zj44E0dMNI2mloKN59SWu9cuNUk
 vgvzw9IDRxbu+j1a10A7jdMq0QPLQ2mkqltRN8dWIneazWVubdoVY9WjfsRCB1zM3gai
 l/pYCuYTyetm1ewzuw7qRvfV0/0tOHC6h1daQ=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=1e100.net; s=20210112;
 h=content-transfer-encoding:mime-version:message-id:date:subject:cc
 :to:from:x-gm-message-state:from:to:cc:subject:date:message-id
 :reply-to;
 bh=igTz9+Wv8BWnFvEKeJH271QfJjb9VCR9bMarsHVQeuo=;
 b=xAJljzMoO+YemUKP9Pgj/cHIUWaufPbc6Lh5lgBRayAUKAw2K3rQuuLE4oE6qSnxHZ
 UU3eijp+jM2AotBCdPbX3wYeqCzDAR1CtH/4+PDz73NeLRGGipcG1tA1L0An75UzMjIo
 zWjyKCevpWHSf4vEdM02u+ckZwe3Fnmr+HlRs+ddN3IZ1BWLhYKtt/1ZLYsu6K0UlpZV
 2k48B330wjroAfHE1Epvi7GGia9/O3y7wiA6EFudSJ6MhQocrRmcCAATqDIMZH6xh8RX
 gjvriTswGTg+tF5mdGLImjejSWPz9Uv+wD1aZy9AZSXgp60tPt1Jk0pN24FA3tx61f6D
 IReA==
X-Gm-Message-State: ANoB5pmbf0zmMCBxMZZXotTOtdM4wvh/QkJcAhxfLJrbLbx11XvGCUGJ
 qxCzn0hQ0xhwkRlvYnIuKU4DfQl79zJGeBmO
X-Google-Smtp-Source: 
 AA0mqf5HKS+NxzNkmgyfmDxY/dlQDPbo1E//zkSeex1U8wJDNyMuMRf2F0Ajen4ta9rhdy7/eikmLw==
X-Received: by 2002:a05:6000:114e:b0:242:257f:3006 with SMTP id
 d14-20020a056000114e00b00242257f3006mr21947285wrx.147.1670446185615;
 Wed, 07 Dec 2022 12:49:45 -0800 (PST)
Received: from bill-the-cat.lan
 (2603-6081-7b00-6400-158f-15c0-8c6a-f9d3.res6.spectrum.com.
 [2603:6081:7b00:6400:158f:15c0:8c6a:f9d3])
 by smtp.gmail.com with ESMTPSA id
 z16-20020a5d4d10000000b00241c712916fsm24849372wrt.0.2022.12.07.12.49.44
 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
 Wed, 07 Dec 2022 12:49:45 -0800 (PST)
From: Tom Rini <trini@konsulko.com>
To: u-boot@lists.denx.de
Cc: Heinrich Schuchardt <xypron.glpk@gmx.de>,
 Ilias Apalodimas <ilias.apalodimas@linaro.org>
Subject: [PATCH] Makefile: link with --no-warn-rwx-segments
Date: Wed,  7 Dec 2022 15:49:43 -0500
Message-Id: <20221207204943.1352360-1-trini@konsulko.com>
X-Mailer: git-send-email 2.25.1
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
X-BeenThere: u-boot@lists.denx.de
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: U-Boot discussion <u-boot.lists.denx.de>
List-Unsubscribe: <https://lists.denx.de/options/u-boot>,
 <mailto:u-boot-request@lists.denx.de?subject=unsubscribe>
List-Archive: <https://lists.denx.de/pipermail/u-boot/>
List-Post: <mailto:u-boot@lists.denx.de>
List-Help: <mailto:u-boot-request@lists.denx.de?subject=help>
List-Subscribe: <https://lists.denx.de/listinfo/u-boot>,
 <mailto:u-boot-request@lists.denx.de?subject=subscribe>
Errors-To: u-boot-bounces@lists.denx.de
Sender: "U-Boot" <u-boot-bounces@lists.denx.de>
X-Virus-Scanned: clamav-milter 0.103.6 at phobos.denx.de
X-Virus-Status: Clean

Series

Makefile: link with --no-warn-rwx-segments | expand

Commit Message

Tom Rini Dec. 7, 2022, 8:49 p.m. UTC

We borrow from the Linux Kernel 0d362be5b142 ("Makefile: link with -z
noexecstack --no-warn-rwx-segments") here to disable the RWX segment
linking warnings. We do not also bring in -z noexecstack as that
requires auditing and using ".note.GNU-stack" on assembly functions
which do need this feature. Further, we now introduce KBUILD_EFILDFLAGS
so that we can also pass --no-warn-rwx-segments when linking EFI
applications, and those do explicitly pass -z execstack.

Cc: Heinrich Schuchardt <xypron.glpk@gmx.de>
Cc: Ilias Apalodimas <ilias.apalodimas@linaro.org>
Signed-off-by: Tom Rini <trini@konsulko.com>
---
 Makefile             | 2 ++
 scripts/Makefile.lib | 6 ++++--
 2 files changed, 6 insertions(+), 2 deletions(-)

Comments

Nick Desaulniers Dec. 9, 2022, 7:25 p.m. UTC | #1

On Wed, Dec 07, 2022 at 03:49:43PM -0500, Tom Rini wrote:
> We borrow from the Linux Kernel 0d362be5b142 ("Makefile: link with -z
> noexecstack --no-warn-rwx-segments") here to disable the RWX segment

Reviewed-by: Nick Desaulniers <ndesaulniers@google.com>

> linking warnings. We do not also bring in -z noexecstack as that
> requires auditing and using ".note.GNU-stack" on assembly functions
> which do need this feature. Further, we now introduce KBUILD_EFILDFLAGS

It took me a second to realize this is kbuild flags for the linker for
EFI. Looked like a type of KBUILD_FIELD_FLAGS initially to me.

> so that we can also pass --no-warn-rwx-segments when linking EFI
> applications, and those do explicitly pass -z execstack.
> 
> Cc: Heinrich Schuchardt <xypron.glpk@gmx.de>
> Cc: Ilias Apalodimas <ilias.apalodimas@linaro.org>
> Signed-off-by: Tom Rini <trini@konsulko.com>
> ---
>  Makefile             | 2 ++
>  scripts/Makefile.lib | 6 ++++--
>  2 files changed, 6 insertions(+), 2 deletions(-)
> 
> diff --git a/Makefile b/Makefile
> index 11efc4180414..839733836d9b 100644
> --- a/Makefile
> +++ b/Makefile
> @@ -806,6 +806,8 @@ KBUILD_CPPFLAGS += $(KCPPFLAGS)
>  KBUILD_AFLAGS += $(KAFLAGS)
>  KBUILD_CFLAGS += $(KCFLAGS)
>  
> +KBUILD_LDFLAGS  += $(call ld-option,--no-warn-rwx-segments)
> +
>  KBUILD_HOSTCFLAGS += $(if $(CONFIG_TOOLS_DEBUG),-g)
>  
>  # Use UBOOTINCLUDE when you must reference the include/ directory.
> diff --git a/scripts/Makefile.lib b/scripts/Makefile.lib
> index 8e13bf2b986d..ac45a8847859 100644
> --- a/scripts/Makefile.lib
> +++ b/scripts/Makefile.lib
> @@ -425,9 +425,11 @@ cmd_efi_objcopy = $(OBJCOPY) -j .header -j .text -j .sdata -j .data -j \
>  $(obj)/%.efi: $(obj)/%_efi.so
>  	$(call cmd,efi_objcopy)
>  
> +KBUILD_EFILDFLAGS = -nostdlib -zexecstack -znocombreloc -znorelro
> +KBUILD_EFILDFLAGS += $(call ld-option,--no-warn-rwx-segments)
>  quiet_cmd_efi_ld = LD      $@
> -cmd_efi_ld = $(LD) -nostdlib -zexecstack -znocombreloc -T $(EFI_LDS_PATH) \
> -		-shared -Bsymbolic -znorelro -s $^ -o $@
> +cmd_efi_ld = $(LD) $(KBUILD_EFILDFLAGS) -T $(EFI_LDS_PATH) \
> +		-shared -Bsymbolic -s $^ -o $@
>  
>  EFI_LDS_PATH = $(srctree)/arch/$(ARCH)/lib/$(EFI_LDS)
>  
> -- 
> 2.25.1
> 
>

Ilias Apalodimas Dec. 9, 2022, 7:29 p.m. UTC | #2

On Wed, Dec 07, 2022 at 03:49:43PM -0500, Tom Rini wrote:
> We borrow from the Linux Kernel 0d362be5b142 ("Makefile: link with -z
> noexecstack --no-warn-rwx-segments") here to disable the RWX segment
> linking warnings. We do not also bring in -z noexecstack as that
> requires auditing and using ".note.GNU-stack" on assembly functions
> which do need this feature. Further, we now introduce KBUILD_EFILDFLAGS
> so that we can also pass --no-warn-rwx-segments when linking EFI
> applications, and those do explicitly pass -z execstack.
> 
> Cc: Heinrich Schuchardt <xypron.glpk@gmx.de>
> Cc: Ilias Apalodimas <ilias.apalodimas@linaro.org>
> Signed-off-by: Tom Rini <trini@konsulko.com>
> ---
>  Makefile             | 2 ++
>  scripts/Makefile.lib | 6 ++++--
>  2 files changed, 6 insertions(+), 2 deletions(-)
> 
> diff --git a/Makefile b/Makefile
> index 11efc4180414..839733836d9b 100644
> --- a/Makefile
> +++ b/Makefile
> @@ -806,6 +806,8 @@ KBUILD_CPPFLAGS += $(KCPPFLAGS)
>  KBUILD_AFLAGS += $(KAFLAGS)
>  KBUILD_CFLAGS += $(KCFLAGS)
>  
> +KBUILD_LDFLAGS  += $(call ld-option,--no-warn-rwx-segments)
> +
>  KBUILD_HOSTCFLAGS += $(if $(CONFIG_TOOLS_DEBUG),-g)
>  
>  # Use UBOOTINCLUDE when you must reference the include/ directory.
> diff --git a/scripts/Makefile.lib b/scripts/Makefile.lib
> index 8e13bf2b986d..ac45a8847859 100644
> --- a/scripts/Makefile.lib
> +++ b/scripts/Makefile.lib
> @@ -425,9 +425,11 @@ cmd_efi_objcopy = $(OBJCOPY) -j .header -j .text -j .sdata -j .data -j \
>  $(obj)/%.efi: $(obj)/%_efi.so
>  	$(call cmd,efi_objcopy)
>  
> +KBUILD_EFILDFLAGS = -nostdlib -zexecstack -znocombreloc -znorelro
> +KBUILD_EFILDFLAGS += $(call ld-option,--no-warn-rwx-segments)
>  quiet_cmd_efi_ld = LD      $@
> -cmd_efi_ld = $(LD) -nostdlib -zexecstack -znocombreloc -T $(EFI_LDS_PATH) \
> -		-shared -Bsymbolic -znorelro -s $^ -o $@
> +cmd_efi_ld = $(LD) $(KBUILD_EFILDFLAGS) -T $(EFI_LDS_PATH) \
> +		-shared -Bsymbolic -s $^ -o $@
>  
>  EFI_LDS_PATH = $(srctree)/arch/$(ARCH)/lib/$(EFI_LDS)
>  
> -- 
> 2.25.1
> 

Reviewed-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>

Tom Rini Dec. 13, 2022, 4:36 p.m. UTC | #3

On Wed, Dec 07, 2022 at 03:49:43PM -0500, Tom Rini wrote:

> We borrow from the Linux Kernel 0d362be5b142 ("Makefile: link with -z
> noexecstack --no-warn-rwx-segments") here to disable the RWX segment
> linking warnings. We do not also bring in -z noexecstack as that
> requires auditing and using ".note.GNU-stack" on assembly functions
> which do need this feature. Further, we now introduce KBUILD_EFILDFLAGS
> so that we can also pass --no-warn-rwx-segments when linking EFI
> applications, and those do explicitly pass -z execstack.
> 
> Cc: Heinrich Schuchardt <xypron.glpk@gmx.de>
> Cc: Ilias Apalodimas <ilias.apalodimas@linaro.org>
> Signed-off-by: Tom Rini <trini@konsulko.com>
> Reviewed-by: Nick Desaulniers <ndesaulniers@google.com>
> Reviewed-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>

Applied to u-boot/next, thanks!

diff --git a/Makefile b/Makefile
index 11efc4180414..839733836d9b 100644
--- a/Makefile
+++ b/Makefile
@@ -806,6 +806,8 @@  KBUILD_CPPFLAGS += $(KCPPFLAGS)
 KBUILD_AFLAGS += $(KAFLAGS)
 KBUILD_CFLAGS += $(KCFLAGS)
 
+KBUILD_LDFLAGS  += $(call ld-option,--no-warn-rwx-segments)
+
 KBUILD_HOSTCFLAGS += $(if $(CONFIG_TOOLS_DEBUG),-g)
 
 # Use UBOOTINCLUDE when you must reference the include/ directory.
diff --git a/scripts/Makefile.lib b/scripts/Makefile.lib
index 8e13bf2b986d..ac45a8847859 100644
--- a/scripts/Makefile.lib
+++ b/scripts/Makefile.lib
@@ -425,9 +425,11 @@  cmd_efi_objcopy = $(OBJCOPY) -j .header -j .text -j .sdata -j .data -j \
 $(obj)/%.efi: $(obj)/%_efi.so
 	$(call cmd,efi_objcopy)
 
+KBUILD_EFILDFLAGS = -nostdlib -zexecstack -znocombreloc -znorelro
+KBUILD_EFILDFLAGS += $(call ld-option,--no-warn-rwx-segments)
 quiet_cmd_efi_ld = LD      $@
-cmd_efi_ld = $(LD) -nostdlib -zexecstack -znocombreloc -T $(EFI_LDS_PATH) \
-		-shared -Bsymbolic -znorelro -s $^ -o $@
+cmd_efi_ld = $(LD) $(KBUILD_EFILDFLAGS) -T $(EFI_LDS_PATH) \
+		-shared -Bsymbolic -s $^ -o $@
 
 EFI_LDS_PATH = $(srctree)/arch/$(ARCH)/lib/$(EFI_LDS)

Makefile: link with --no-warn-rwx-segments

Commit Message

Comments

Patch