author Kevin F. Quinn <kevquinn@gentoo.org> 2007-01-31 01:23:03 +0000
committer Kevin F. Quinn <kevquinn@gentoo.org> 2007-01-31 01:23:03 +0000
commit 0022bf59d8bd1a80864213f681415d49bad42eeb
tree 0efb0620ae87ff9cceba54da958d10bc09c1921a
parent Remove vi temporary file from Manifest (.swp)...
Try creating crtbeginTS.o - crtbeginT.o +crtbeginS.o for static-pie
svn path=/; revision=163
-rw-r--r-- hardened/toolchain/branches/pieworld/pieworld.README | 1
-rw-r--r-- hardened/toolchain/branches/pieworld/sys-devel/gcc/Manifest | 16
-rw-r--r-- hardened/toolchain/branches/pieworld/sys-devel/gcc/files/4.1.1/gcc-4.1.1-nopie-crtstuff.patch | 35
-rw-r--r-- hardened/toolchain/branches/pieworld/sys-devel/gcc/files/specs/pie.specs | 2
-rw-r--r-- hardened/toolchain/branches/pieworld/sys-libs/glibc/Manifest | 8
-rw-r--r-- hardened/toolchain/branches/pieworld/sys-libs/glibc/files/2.4/glibc-2.4-hardened-inittls-nosysenter.patch | 6
-rw-r--r-- hardened/toolchain/branches/pieworld/toolchain.README | 154
7 files changed, 45 insertions, 177 deletions
diff --git a/hardened/toolchain/branches/pieworld/pieworld.README b/hardened/toolchain/branches/pieworld/pieworld.README
index 8111dd9..93cbb6c 100644
--- a/hardened/toolchain/branches/pieworld/pieworld.README
+++ b/hardened/toolchain/branches/pieworld/pieworld.README
@@ -38,6 +38,7 @@ From hardened gcc-3/glibc-2.3:
TODO
----
1) Check all archive lib*.a that don't have a .so - should they be -fPIC rather than -fPIE?
+ Done:
All those that don't have a .so are best off -fPIC, which is ok for being linked into
shared libraries, and is also ok-enough for use in executables (whereas -fPIE isn't
good for shared libraries).
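Review bot: The added "Done:" marker sits inside item 1 but the item stays under the TODO heading, so the list still reads as open work. Move the resolved item out of TODO (or into a separate done list) and keep the -fPIC conclusion with it, so the remaining TODO entries are only the unresolved ones.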
diff --git a/hardened/toolchain/branches/pieworld/sys-devel/gcc/Manifest b/hardened/toolchain/branches/pieworld/sys-devel/gcc/Manifest
index 5a582a9..b2691fb 100644
--- a/hardened/toolchain/branches/pieworld/sys-devel/gcc/Manifest
+++ b/hardened/toolchain/branches/pieworld/sys-devel/gcc/Manifest
@@ -54,10 +54,10 @@ AUX 4.1.0/gcc-4.1.0-fast-math-i386-Os-workaround.patch 1686 RMD160 420e02e85e261
MD5 ab66a2c85bc3324fe4f0729927f63072 files/4.1.0/gcc-4.1.0-fast-math-i386-Os-workaround.patch 1686
RMD160 420e02e85e261759154daf5e3c149344be57af76 files/4.1.0/gcc-4.1.0-fast-math-i386-Os-workaround.patch 1686
SHA256 7547293b945808f63b70aafed644a43c99e19f82aaf1d2f2df8502d87ab3f01d files/4.1.0/gcc-4.1.0-fast-math-i386-Os-workaround.patch 1686
-AUX 4.1.1/gcc-4.1.1-nopie-crtstuff.patch 2211 RMD160 faba40fa9fcdec7c2c192d04cba49fc12961b5e2 SHA1 67b7594b37510172c3ba5e444d1679dbc94b7d45 SHA256 3f672da0da10fe614f7088959013b2391e908a3cfb778034661604d44e0e4cef
-MD5 fa2fdf981de9250c1601226caa8c7c77 files/4.1.1/gcc-4.1.1-nopie-crtstuff.patch 2211
-RMD160 faba40fa9fcdec7c2c192d04cba49fc12961b5e2 files/4.1.1/gcc-4.1.1-nopie-crtstuff.patch 2211
-SHA256 3f672da0da10fe614f7088959013b2391e908a3cfb778034661604d44e0e4cef files/4.1.1/gcc-4.1.1-nopie-crtstuff.patch 2211
+AUX 4.1.1/gcc-4.1.1-nopie-crtstuff.patch 3175 RMD160 6fb7284e92d0ad45e4c7893ee03a6ccd53b5fcf9 SHA1 26ac6aaf342d89ecd36046b0cb372746aed27c97 SHA256 4fd4a0ff57e538bd08907b02474e14bdfb2d6653b2bd972b6c497d69fab5bea7
+MD5 1b6432af4fa17d57f50d7c2b56d21457 files/4.1.1/gcc-4.1.1-nopie-crtstuff.patch 3175
+RMD160 6fb7284e92d0ad45e4c7893ee03a6ccd53b5fcf9 files/4.1.1/gcc-4.1.1-nopie-crtstuff.patch 3175
+SHA256 4fd4a0ff57e538bd08907b02474e14bdfb2d6653b2bd972b6c497d69fab5bea7 files/4.1.1/gcc-4.1.1-nopie-crtstuff.patch 3175
AUX awk/fixlafiles.awk 7865 RMD160 6283a91bfa309a91f46cbff3c1c4f0d848312ba4 SHA1 0bd923243492496eceb8ec1407ed9f4ac5ad8c1a SHA256 9fccd7f4ee7170a8f05d21777974efc3f23072f501cb7d2a8e9eeea15e541249
MD5 fed3620378df7a876d6709ddf3f7bbec files/awk/fixlafiles.awk 7865
RMD160 6283a91bfa309a91f46cbff3c1c4f0d848312ba4 files/awk/fixlafiles.awk 7865
@@ -118,10 +118,10 @@ AUX specs/nozrelro.specs 26 RMD160 e2262ae761f699fc682536fa419a20de8e7c6096 SHA1
MD5 3d7e9e4e50ca5244e15fecbe59aa6bb8 files/specs/nozrelro.specs 26
RMD160 e2262ae761f699fc682536fa419a20de8e7c6096 files/specs/nozrelro.specs 26
SHA256 a01b894e420761f5620eb050200e925a69d5e22b5fb9d34a6dbd1b5ef3e2021f files/specs/nozrelro.specs 26
-AUX specs/pie.specs 683 RMD160 5cdec57a67e014d9dbf2564d0b6037f5c4f92beb SHA1 bba8f07fc7b8e722103bce93f414de63164ef506 SHA256 9040684e347002e13c300e158e6ea49a86fd39761de3de0ffb4602bcc8bbcb2b
-MD5 814adfa547fdc93725e7fca0a3c3e0c0 files/specs/pie.specs 683
-RMD160 5cdec57a67e014d9dbf2564d0b6037f5c4f92beb files/specs/pie.specs 683
-SHA256 9040684e347002e13c300e158e6ea49a86fd39761de3de0ffb4602bcc8bbcb2b files/specs/pie.specs 683
+AUX specs/pie.specs 762 RMD160 cabd92f256e467730f99dc5c241d6858252b5c28 SHA1 c0d7ad1983f60dd53600fd58f6b2e6f008fcaee0 SHA256 3680ff0614c9ce61117efcab72fe19cb8dfaf1d403b0e6fb9b682c0f07fb48a3
+MD5 fb084bc2f1d0f66325408f3e7999f7bd files/specs/pie.specs 762
+RMD160 cabd92f256e467730f99dc5c241d6858252b5c28 files/specs/pie.specs 762
+SHA256 3680ff0614c9ce61117efcab72fe19cb8dfaf1d403b0e6fb9b682c0f07fb48a3 files/specs/pie.specs 762
AUX specs/ssp.specs 148 RMD160 0e1a23ec7c9b6be5687d620fe4c93acb532b5c3c SHA1 7f3739c35c84df458c37d3355ddf50f746bddf1f SHA256 24dddc1260d89411294c60f3464c3b3aa14b8e7f81157a03cdf40d53cb97590a
MD5 2bf1f08a7e56492b19340fffd7e7a3fd files/specs/ssp.specs 148
RMD160 0e1a23ec7c9b6be5687d620fe4c93acb532b5c3c files/specs/ssp.specs 148
diff --git a/hardened/toolchain/branches/pieworld/sys-devel/gcc/files/4.1.1/gcc-4.1.1-nopie-crtstuff.patch b/hardened/toolchain/branches/pieworld/sys-devel/gcc/files/4.1.1/gcc-4.1.1-nopie-crtstuff.patch
index 7b733d3..663a256 100644
--- a/hardened/toolchain/branches/pieworld/sys-devel/gcc/files/4.1.1/gcc-4.1.1-nopie-crtstuff.patch
+++ b/hardened/toolchain/branches/pieworld/sys-devel/gcc/files/4.1.1/gcc-4.1.1-nopie-crtstuff.patch
@@ -1,11 +1,11 @@
Ensure that crtbegin.o/crtend.o/crtbeginT.o are built -fno-PIE, and
- crtbeginS.o/crtendS.o are built -fPIC. Note that static PIEs use
- crtbeginS.o, not crtbeginT.o.
- Kevin F. Quinn <kevquinn@gentoo.org> 17 Jan 2007
+ crtbeginS.o/crtendS.o are built -fPIC. Build a new file, crtbeginTS.o,
+ for linking in "static PIEs".
+ Kevin F. Quinn <kevquinn@gentoo.org> 30 Jan 2007
---- gcc/Makefile.in.orig 2007-01-17 16:42:57.000000000 +0100
-+++ gcc/Makefile.in 2007-01-17 16:46:10.000000000 +0100
-@@ -1417,33 +1417,33 @@
+--- gcc/Makefile.in.orig 2007-01-30 20:12:09.000000000 +0100
++++ gcc/Makefile.in 2007-01-30 20:13:48.000000000 +0100
+@@ -1417,36 +1417,43 @@
# constructors.
$(T)crtbegin.o: crtstuff.c $(GCC_PASSES) $(TCONFIG_H) auto-host.h \
gbl-ctors.h stmp-int-hdrs tsystem.h coretypes.h $(TM_H)
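Review bot: The revised patch description says how crtbegin.o/crtend.o/crtbeginT.o (-fno-PIE) and crtbeginS.o/crtendS.o (-fPIC) are built, but for the new crtbeginTS.o it only says what it is for. Add the flags and defines crtbeginTS.o is built with to the same sentence, so the header documents all of the crt objects the patch touches in the same way.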
@@ -40,7 +40,28 @@
$(T)crtbeginT.o: crtstuff.c $(GCC_PASSES) $(TCONFIG_H) auto-host.h \
gbl-ctors.h stmp-int-hdrs tsystem.h coretypes.h $(TM_H)
- $(GCC_FOR_TARGET) $(CRTSTUFF_CFLAGS) $(CRTSTUFF_T_CFLAGS) \
-+ $(GCC_FOR_TARGET) -fno-PIE $(CRTSTUFF_CFLAGS) $(CRTSTUFF_T_CFLAGS_S) \
++ $(GCC_FOR_TARGET) -fno-PIE $(CRTSTUFF_CFLAGS) $(CRTSTUFF_T_CFLAGS) \
-c $(srcdir)/crtstuff.c -DCRT_BEGIN -DCRTSTUFFT_O \
-o $(T)crtbeginT$(objext)
++# This is a version of crtbegin for -static -fPIE links.
++$(T)crtbeginTS.o: crtstuff.c $(GCC_PASSES) $(TCONFIG_H) auto-host.h \
++ gbl-ctors.h stmp-int-hdrs tsystem.h coretypes.h $(TM_H)
++ $(GCC_FOR_TARGET) -fno-PIE $(CRTSTUFF_CFLAGS) $(CRTSTUFF_T_CFLAGS_S) \
++ -c $(srcdir)/crtstuff.c -DCRT_BEGIN -DCRTSTUFFT_O -DCRTSTUFFS_O \
++ -o $(T)crtbeginTS$(objext)
++
+ # Compile the start modules crt0.o and mcrt0.o that are linked with
+ # every program
+ crt0.o: s-crt0 ; @true
+--- gcc/config.gcc.orig 2007-01-30 20:12:35.000000000 +0100
++++ gcc/config.gcc 2007-01-30 20:12:53.000000000 +0100
+@@ -445,7 +445,7 @@
+ ;;
+ *-*-linux* | frv-*-*linux* | *-*-kfreebsd*-gnu | *-*-knetbsd*-gnu)
+ # Must come before *-*-gnu* (because of *-*-linux-gnu* systems).
+- extra_parts="crtbegin.o crtbeginS.o crtbeginT.o crtend.o crtendS.o"
++ extra_parts="crtbegin.o crtbeginS.o crtbeginT.o crtbeginTS.o crtend.o crtendS.o"
+ gas=yes
+ gnu_ld=yes
+ case ${enable_threads} in
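Review bot: The new crtbeginTS.o rule is commented as the crtbegin for -static -fPIE links but is compiled with -fno-PIE, so whether the object ends up position independent depends entirely on what $(CRTSTUFF_T_CFLAGS_S) expands to, which is not visible in this patch. Either say in the rule's comment that the _S flags supply the PIC option and take precedence over -fno-PIE, or pass the intended flag explicitly. The rule also sets both -DCRTSTUFFT_O and -DCRTSTUFFS_O; please confirm that the conditionals in crtstuff.c give the intended result when both are defined. Separately, config.gcc adds crtbeginTS.o to extra_parts only in the "*-*-linux* | frv-*-*linux* | *-*-kfreebsd*-gnu | *-*-knetbsd*-gnu" case, while pie.specs requests it for -static links, so any other target using these specs would not find the file.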
diff --git a/hardened/toolchain/branches/pieworld/sys-devel/gcc/files/specs/pie.specs b/hardened/toolchain/branches/pieworld/sys-devel/gcc/files/specs/pie.specs
index dec64d7..6d7388b 100644
--- a/hardened/toolchain/branches/pieworld/sys-devel/gcc/files/specs/pie.specs
+++ b/hardened/toolchain/branches/pieworld/sys-devel/gcc/files/specs/pie.specs
@@ -14,7 +14,7 @@
%{fno-pie|fno-PIE|nopie:crtbegin.o%s;:crtbeginS.o%s}
*startfile_pie_t:
-%{fno-pie|fno-PIE|nopie:crtbegin.o%s;:crtbeginS.o%s}
+%{static: %{fno-pie|fno-PIE|nopie:crtbeginT.o%s;crtbeginTS.o%s} } %{!static: %{fno-pie|fno-PIE|nopie:crtbegin.o%s;:crtbeginS.o%s} }
*link_pie:
%{pie:-pie} %{!pie: %{!A: %{!fno-pie:%{!fno-PIE: %{!shared:%{!static:%{!r: %{!nopie:-pie} }}} }} } }
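Review bot: In the new %{static: ...} branch the fallback is written ";crtbeginTS.o%s", without the colon that the other alternatives use (";:crtbeginS.o%s" on this line and the line above). In spec syntax the default alternative is introduced by ";:", so as written crtbeginTS.o%s is parsed as a switch name rather than as the file to link. Change the branch to "%{fno-pie|fno-PIE|nopie:crtbeginT.o%s;:crtbeginTS.o%s}".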
diff --git a/hardened/toolchain/branches/pieworld/sys-libs/glibc/Manifest b/hardened/toolchain/branches/pieworld/sys-libs/glibc/Manifest
index 337758d..b52a47e 100644
--- a/hardened/toolchain/branches/pieworld/sys-libs/glibc/Manifest
+++ b/hardened/toolchain/branches/pieworld/sys-libs/glibc/Manifest
@@ -6,10 +6,10 @@ AUX 2.4/glibc-2.4-hardened-configure-picdefault.patch 955 RMD160 dfa5dd2c0907631
MD5 960090668e9700a4095a79907b227b3c files/2.4/glibc-2.4-hardened-configure-picdefault.patch 955
RMD160 dfa5dd2c09076318b7b6f53dbdf68877ebe7c258 files/2.4/glibc-2.4-hardened-configure-picdefault.patch 955
SHA256 3314216ca2994c80f223c091bee79a06f444faf317c16eb7bbc594fa23425657 files/2.4/glibc-2.4-hardened-configure-picdefault.patch 955
-AUX 2.4/glibc-2.4-hardened-inittls-nosysenter.patch 9431 RMD160 a6881daff550a0ca5330e0f0c78a9232f3ea627f SHA1 f1c834b5095218ece4d37410d1058d622e646fc2 SHA256 faa692f71516ed94e6d0dce60e390a9eab97f0c862d6b61d6442b031b8e8d200
-MD5 d590b7cdf1b4367ee2f7c7216b9d32e9 files/2.4/glibc-2.4-hardened-inittls-nosysenter.patch 9431
-RMD160 a6881daff550a0ca5330e0f0c78a9232f3ea627f files/2.4/glibc-2.4-hardened-inittls-nosysenter.patch 9431
-SHA256 faa692f71516ed94e6d0dce60e390a9eab97f0c862d6b61d6442b031b8e8d200 files/2.4/glibc-2.4-hardened-inittls-nosysenter.patch 9431
+AUX 2.4/glibc-2.4-hardened-inittls-nosysenter.patch 9436 RMD160 7f0c48ca72deae8d5ae4074765c93117814f7eaa SHA1 3c5b5fb599d621b2803ef6ff93b355cd16929ddd SHA256 1f777d27370e1868db88a0801ee9f1acae5295b2ec87754e861fa934fd290645
+MD5 c76c013b30eff912af508f7274cb4dd8 files/2.4/glibc-2.4-hardened-inittls-nosysenter.patch 9436
+RMD160 7f0c48ca72deae8d5ae4074765c93117814f7eaa files/2.4/glibc-2.4-hardened-inittls-nosysenter.patch 9436
+SHA256 1f777d27370e1868db88a0801ee9f1acae5295b2ec87754e861fa934fd290645 files/2.4/glibc-2.4-hardened-inittls-nosysenter.patch 9436
AUX 2.4/glibc-2.4-hardened-pie.patch 1629 RMD160 cd0dfdb10a86560d4c36ac04b7642b06ae41b3cd SHA1 990fc9a4f88d86f524030bdd2cb953eb781784a3 SHA256 a44ef5ef5490663fea6de10f9ecccbd45f1fb5bdb49abefb49527dfc14fa0977
MD5 51135a389633ff99dbd3f3d715821454 files/2.4/glibc-2.4-hardened-pie.patch 1629
RMD160 cd0dfdb10a86560d4c36ac04b7642b06ae41b3cd files/2.4/glibc-2.4-hardened-pie.patch 1629
diff --git a/hardened/toolchain/branches/pieworld/sys-libs/glibc/files/2.4/glibc-2.4-hardened-inittls-nosysenter.patch b/hardened/toolchain/branches/pieworld/sys-libs/glibc/files/2.4/glibc-2.4-hardened-inittls-nosysenter.patch
index adea74e..dc7e9d2 100644
--- a/hardened/toolchain/branches/pieworld/sys-libs/glibc/files/2.4/glibc-2.4-hardened-inittls-nosysenter.patch
+++ b/hardened/toolchain/branches/pieworld/sys-libs/glibc/files/2.4/glibc-2.4-hardened-inittls-nosysenter.patch
@@ -3,9 +3,9 @@
First, any syscalls in PIEs must be of the PIC variant, otherwise
textrels ensue. Then, any syscalls made before the initialisation
- of the TLS will fail on i386, as the sysenter variant on i386 use
- the TLS, giving rise to a chicken-and-egg situation. This patcg
- defines a syscall variant that doesn't use sysenter, even when the sysenter
+ of the TLS will fail on i386, as the sysenter variant on i386 uses
+ the TLS, giving rise to a chicken-and-egg situation. This patch
+ defines a PIC syscall variant that doesn't use sysenter, even when the sysenter
version is normally used, and uses the non-sysenter version for the brk
syscall that is performed by the TLS initialisation. Further, the TLS
initialisation is moved in this case prior to the initialisation of
diff --git a/hardened/toolchain/branches/pieworld/toolchain.README b/hardened/toolchain/branches/pieworld/toolchain.README
deleted file mode 100644
index 6e65198..0000000
--- a/hardened/toolchain/branches/pieworld/toolchain.README
+++ /dev/null
@@ -1,154 +0,0 @@
-NOTES
-=====
-
-Non-PIE support is a mess (well, strictly speaking it's broken)
-So far, crt{begin,end}.o are now correctly built no-PIE.
-However, libgcc.a/libgcc_eh.a, libc.a, libpthread.a, libieee.a, libgcov.a
-are built PIE. This ok for linking PIEs, but rubbish for doing non-PIE
-links (i.e. vanilla). Also crtfastmath.o is only built once (there's no
-crtfastmathS.o) - so we build it PIE.
-
-So, what to do?
-
-For vanilla compiles, we need the .a's built -nopie.
-For hardened compiles, we need the .a's built -fPIE - if they ever get used
-that way. If we can convince ourselves that when building -fPIE the .so's
-are used, then we don't need PIE versions of these .a's.
-To do this, add '-nopie' to CFLAGS for libgcc.a in gcc/Makefile.in?
-
-For libc.a - we could treat hardened as a multilib system; with the normal no-PIE
-ABI and our PIE ABI - and get glibc to build itself two ways; one for vanilla and
-one for hardened. Or, we could try to force all .a's to be built -nopie - this
-isn't easy, however, as you can't tell from normal compilation commands whether
-it's for a .a or for an executable.
-
-I think the multiple-ABI approach is easier. We could then drop PIE from the
-compiler variants, leaving just relro/now and ssp combinations, which don't change
-the ABI, and do the -fPIE thing in the compiler wrapper, when ABI is PIE.
-I'm thinking of doing MULTLIB_ABIS="x86 x86_pie" and defining
-CFLAGS_x86_pie="-fpie -pie"
-LDFLAGS_x86_pie="-fpie -pie"
-LIBDIR_x86="lib"
-LIBDIR_x86_pie="libpie"
-note; the gcc-config wrapper adds CFLAGS_x86_pie to the command line, but doesn't look at LDFLAGS_<abi>
-
-
-Upgrade path for Hardened Gentoo users from glibc-2.3*/gcc-3* to glibc-2.4+/gcc-4.1+
-====================================================================================
-
-Note; references to "hardened", "non-hardened" etc refer to the toolchain, not the
-kernel.
-
-
-Generic upgrade instructions
-----------------------------
-
-There are separate instructions depending on where you start. Instruction set (2)
-should work in all cases, provided a vanilla compiler is set via gcc-config first.
-However the most common case will be (1) - which is why it's listed first :)
-
-
-1) HARDENED SYSTEMS with hardened gcc-3 and glibc-2.3
- Going from an existing hardened system (gcc-3.4.6 & glibc-2.3.6 hardened)
-
- .1) emerge --oneshot sys-libs/glibc
- build the hardened version of glibc-2.4 (with the gcc-3 hardened compiler)
-
- .2) emerge --oneshot sys-devel/gcc
- build the hardened gcc-4.1.1 with the hardened gcc-3.4.6
-
- .3) emerge --oneshot sys-libs/glibc
- rebuild the hardened version of glibc-2.4 (with the gcc-4 hardened compiler)
-
-
-2) NON-HARDENED SYSTEMS with gcc-4.1.1 and glibc-2.4 (no -hardened compiler available)
- Going from non-hardened stage3 2006.1:
- This starts from non-hardened gcc-4.1.1 and glibc-2.4
-
- .1) Switch profile to the hardened profile
- This means remaking the softlink /etc/make.conf to a hardened profile.
- Do not confuse this with selecting a hardened compiler with gcc-config (which
- you can't do anyway from the standard 2006.1 stage3).
-
- .2) emerge --oneshot sys-libs/glibc
- Build glibc with support for both gcc-3 and gcc-4 stack protectiona.
-
- .3) USE="-hardened" emerge --oneshot sys-devel/gcc
- Build gcc-4 non-hardened, but including split-specs so it can build
- hardened objects later.
-
- .4) gcc-config to the (now available) hardened variant of the compiler.
-
- .5) emerge --oneshot sys-libs/glibc
- Build the hardened version of glibc-2.4 (with the gcc-4 hardened compiler)
-
- .6) emerge --oneshot sys-devel/gcc
- This will build gcc itself hardened (in particular, building the static libraries PIE)
-
-
-3) NON-HARDENED SYSTEMS with a -hardened gcc available
-
- .1) gcc-config to the -hardened gcc
-
- .2) emerge --oneshot sys-libs/glibc
- Build glibc with support for both gcc-3 and gcc-4 stack protectiona.
-
- .3) emerge --oneshot sys-devel/gcc
- build the hardened gcc-4.1.1 with a hardened gcc
-
- .4) emerge --oneshot sys-libs/glibc
- rebuild the hardened version of glibc-2.4 (with the gcc-4 hardened compiler)
-
-
-Platform-specific notes
------------------------
-
-sparc
-For gcc-4 SSP to work, glibc must be 2.4 or higher. Glibc-2.4 is nptl-only, so this means
-it's not available on 32-bit sparc (sparcv8).
-
-
-
-
-Toolchain mods for hardened gcc-4.x/glibc-2.4
-=============================================
-
-* glibc __stack_chk_fail implementation written so that it's ok when glibc built with SSP
- Implement stderr & syslog messaging, SIGKILL and _exit to provide a secure termination
- (the one supplied by glibc is for debug purposes only), and all via inline syscalls
- avoiding any function calls (which would potentially invoke __stack_chk_fail).
- Note; building glibc with ssp-all is causing too many problems at the moment, so for
- now it's set to build without ssp.
- Sorted out the PIE building better (replaces the filter-ldflags -pie with something
- more sensible).
- (done) Use SIG_ABRT instead of SIG_KILL - means doing the sigset stuff.
- (done) Use INTERNAL_SYSCALL (check vsyscall page isn't user modifiable)
-
-* gcc minispecs for gcc-4.1.1 and gcc-3.4.6, from psm
- Much simplified gcc patching for hardened compiler; use of minispecs to generate
- the relevant specs files. Involves a few changes in toolchain.eclass and
- flag-o-matic.eclass.
-
-* Specs switching handled by the wrappers, rather than the gcc-specs-env patch
- (app-admin/eselect-compiler only). This gives us ccache reliability, as for
- gcc itself the specs are specified on the command line as normal.
- May not be a good idea - doing it gcc itself guarantees it'll happen even if
- the wrappers aren't used (is that ever the case?).
- Further investigation ongoing to manage filtering; considering doing this by
- adjusting GCC_SPECS, although it may be better as a separate variable (perhaps
- as part of COMPILER_FEATURES - see bug #128810)
-
-Still cooking
-
-* Look into -DFORTIFY_SOURCE=2, -msecure-plt for ppc
-
-
-Status summary:
-===============
-
-glibc ok (builds itself non-ssp)
-gcc ok (ish)
- Needs distfile gcc-4.1.1-piepatches-v9.0.6.tar.bz2 from toolchain/distfiles
- (or gcc-3.4.6-piepatches-v9.0.5.tar.bz2 for gcc-3.4.6)
-
-
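Review bot: The whole of toolchain.README is deleted here, including the upgrade instructions, the platform notes and the list of toolchain modifications, but the commit message only mentions crtbeginTS.o and pieworld.README gains a single line in this commit. If the content has been superseded or moved, say so in the commit message; otherwise split the removal into its own commit so it can be reviewed and reverted independently of the crtbeginTS.o change.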