* [PATCH 2/2] treewide: use non-executable stack annotations for blobs
2023-04-24 11:55 [PATCH 1/2] test: self: printf: compile test with -Wno-format-security Ahmad Fatoum
@ 2023-04-24 11:55 ` Ahmad Fatoum
2023-05-02 9:17 ` [PATCH 1/2] test: self: printf: compile test with -Wno-format-security Sascha Hauer
1 sibling, 0 replies; 3+ messages in thread
From: Ahmad Fatoum @ 2023-04-24 11:55 UTC (permalink / raw)
To: barebox; +Cc: Ahmad Fatoum
We are building the non-sandbox platforms with -z noexecstack, because
the ELF section attributes don't matter. This is different for sandbox,
where we compile assembly files directly only for embedding blobs.

This currently yields a build warning:

  binutils-2.39/bin/ld: warning: defaultenv/defaultenv-2-reboot-mode.bbenv.gz.o:
  missing .note.GNU-stack section implies executable stack
  binutils-2.39/bin/ld: NOTE: This behaviour is deprecated and will be removed
  in a future version of the linker

Let's add the non-executable stack annotations, so sandbox may run with
non-executable stack. This way we are left with a single linker
warning that needs to be resolved:

  binutils-2.39/bin/ld: warning: barebox has a LOAD segment with RWX permissions

Signed-off-by: Ahmad Fatoum <ahmad@a3f.at>
---
lib/logo/Makefile | 1 +
scripts/Makefile.lib | 2 ++
scripts/gen-dtb-s | 1 +
scripts/gen-dtbo-s | 1 +
4 files changed, 5 insertions(+)
diff --git a/lib/logo/Makefile b/lib/logo/Makefile
index 382701fb365c..9c14105e88bf 100644
--- a/lib/logo/Makefile
+++ b/lib/logo/Makefile
@@ -26,6 +26,7 @@ quiet_cmd_logo_S = LOGO.S $@
cmd_logo_S = \
( \
echo '\#include <asm/barebox.lds.h>'; \
+ echo '.section .note.GNU-stack,"",%progbits'; \
echo '.section .bblogo.rodata.$(subst -,_,$(*F)),"a"'; \
echo '.balign STRUCT_ALIGNMENT'; \
echo '.global __bblogo_$(subst -,_,$(*F))_start'; \
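Review bot: the `.section .note.GNU-stack,"",%progbits` literal added to cmd_logo_S here is repeated verbatim in the other four generators this patch touches. Every generated file already starts with `#include <asm/barebox.lds.h>`, so consider defining the annotation once as a macro in a shared header and emitting only the macro name, which keeps a later change to the directive in one place. A one-line comment in the generated assembly saying the marker is there for the sandbox link would also help, since the commit message notes the other platforms are already linked with -z noexecstack.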
diff --git a/scripts/Makefile.lib b/scripts/Makefile.lib
index 51beff56aeb8..90cfa579e5d5 100644
--- a/scripts/Makefile.lib
+++ b/scripts/Makefile.lib
@@ -391,6 +391,7 @@ quiet_cmd_env_S = ENV.S $@
cmd_env_S = \
( \
echo '\#include <asm/barebox.lds.h>'; \
+ echo '.section .note.GNU-stack,"",%progbits'; \
echo '.section .bbenv.rodata.$(subst -,_,$(*F)),"a"'; \
echo '.balign STRUCT_ALIGNMENT'; \
echo '.global __bbenv_$(subst -,_,$(*F))_start'; \
@@ -540,6 +541,7 @@ quiet_cmd_imximage__S_dcd= DCD_S $@
cmd_imximage_S_dcd= \
( \
echo '\#include <asm/barebox.lds.h>'; \
+ echo '.section .note.GNU-stack,"",%progbits'; \
echo '.balign STRUCT_ALIGNMENT'; \
echo '.global $(subst -,_,$(*F))_start'; \
echo '$(subst -,_,$(*F))_start:'; \
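Review bot: in cmd_imximage_S_dcd the new `.section .note.GNU-stack` line is followed directly by `.balign STRUCT_ALIGNMENT`, the `.global` line and the `_start:` label, with no `.section` for the blob in the visible context, unlike cmd_logo_S and cmd_env_S where a `.section .bb...rodata` line switches away again. If no later line selects a section, the DCD start symbol and the data after it are now assembled into .note.GNU-stack instead of the section they landed in before this change. Suggest emitting the annotation as the last line of the generated file, or following it with an explicit section directive for the DCD data.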
diff --git a/scripts/gen-dtb-s b/scripts/gen-dtb-s
index f6fa1525933e..d6fbdd5aaf8a 100755
--- a/scripts/gen-dtb-s
+++ b/scripts/gen-dtb-s
@@ -6,6 +6,7 @@ imd=$3
echo "#include <asm/barebox.lds.h>"
echo "#include <asm-generic/pointer.h>"
+echo ".section .note.GNU-stack,\"\",%progbits"
le32() {
printf ".byte 0x%02x, 0x%02x, 0x%02x, 0x%02x\n" \
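Review bot: in gen-dtb-s the annotation is echoed above the le32() helper, and the context shown does not include the `.section` line that places the DTB data, so this hunk alone does not show that the section is switched before the first data directive is emitted. In gen-dtbo-s the new line sits directly above `.section .dtb.rodata...`; placing it the same way here would make the ordering obvious to a reader of the script.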
diff --git a/scripts/gen-dtbo-s b/scripts/gen-dtbo-s
index 06f78609ed28..a7e272a0890d 100755
--- a/scripts/gen-dtbo-s
+++ b/scripts/gen-dtbo-s
@@ -4,6 +4,7 @@ name=$1
dtbo=$2
echo "#include <asm/barebox.lds.h>"
+echo ".section .note.GNU-stack,\"\",%progbits"
echo ".section .dtb.rodata.${name}_dtbo,\"a\""
echo ".balign STRUCT_ALIGNMENT"
--
2.38.4
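A way to confirm the effect of the annotations on the linked sandbox binary, checking for both conditions the linker warnings above name (added example, not part of the patch or of barebox; `audit_elf64` and `sample_elf` are hypothetical names, and the two images are constructed bytes rather than real barebox builds):

```python
import struct

PT_LOAD, PT_GNU_STACK = 1, 0x6474E551
PF_X, PF_W, PF_R = 1, 2, 4
RWX = PF_R | PF_W | PF_X

def audit_elf64(data: bytes) -> dict:
    """Check a little-endian ELF64 image for an executable stack and RWX LOAD segments."""
    if data[:4] != b"\x7fELF" or data[4:6] != b"\x02\x01":
        raise ValueError("not a little-endian ELF64 image")
    (e_phoff,) = struct.unpack_from("<Q", data, 0x20)
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 0x36)
    stack = "unspecified"  # no PT_GNU_STACK header: the platform default applies
    rwx_loads = []
    for i in range(e_phnum):
        # Elf64_Phdr starts with p_type, p_flags, p_offset, p_vaddr
        p_type, p_flags, _, p_vaddr = struct.unpack_from(
            "<IIQQ", data, e_phoff + i * e_phentsize)
        if p_type == PT_GNU_STACK:
            stack = "executable" if p_flags & PF_X else "non-executable"
        elif p_type == PT_LOAD and (p_flags & RWX) == RWX:
            rwx_loads.append(p_vaddr)
    return {"stack": stack, "rwx_load_vaddrs": rwx_loads}

def sample_elf(phdrs) -> bytes:
    """Constructed image: ELF64 header plus program headers given as (type, flags, vaddr)."""
    ident = b"\x7fELF\x02\x01\x01" + bytes(9)
    ehdr = struct.pack("<16sHHIQQQIHHHHHH", ident, 2, 62, 1, 0, 64, 0, 0,
                       64, 56, len(phdrs), 0, 0, 0)
    body = b"".join(struct.pack("<IIQQQQQQ", t, f, 0, va, va, 0, 0, 0x1000)
                    for t, f, va in phdrs)
    return ehdr + body

# Constructed "before": one object lacked .note.GNU-stack, so the stack header is RWX,
# and the image still has the RWX LOAD segment from the remaining warning.
BEFORE = sample_elf([(PT_LOAD, RWX, 0x400000), (PT_GNU_STACK, RWX, 0)])
# Constructed "after": every object annotated, text and data split into R-X and RW-.
AFTER = sample_elf([(PT_LOAD, PF_R | PF_X, 0x400000),
                    (PT_LOAD, PF_R | PF_W, 0x600000),
                    (PT_GNU_STACK, PF_R | PF_W, 0)])

if __name__ == "__main__":
    for name, image in (("before", BEFORE), ("after", AFTER)):
        print(name, audit_elf64(image))
```
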
* Re: [PATCH 1/2] test: self: printf: compile test with -Wno-format-security
2023-04-24 11:55 [PATCH 1/2] test: self: printf: compile test with -Wno-format-security Ahmad Fatoum
2023-04-24 11:55 ` [PATCH 2/2] treewide: use non-executable stack annotations for blobs Ahmad Fatoum
@ 2023-05-02 9:17 ` Sascha Hauer
1 sibling, 0 replies; 3+ messages in thread
From: Sascha Hauer @ 2023-05-02 9:17 UTC (permalink / raw)
To: Ahmad Fatoum; +Cc: barebox
On Mon, Apr 24, 2023 at 01:55:47PM +0200, Ahmad Fatoum wrote:
> For testing purposes, the test code uses a variable for the format
> string at places, which -Wformat-security doesn't like.
>
> The printf test was copied over from the kernel, which sets
> -Wno-format-security globally. This may not be needed for barebox yet,
> but let's set at least for this one file.
>
> Signed-off-by: Ahmad Fatoum <ahmad@a3f.at>
> ---
> test/self/Makefile | 1 +
> 1 file changed, 1 insertion(+)
Applied, thanks
Sascha
>
> diff --git a/test/self/Makefile b/test/self/Makefile
> index d55d9133be23..98ebd1fd66c1 100644
> --- a/test/self/Makefile
> +++ b/test/self/Makefile
> @@ -3,6 +3,7 @@
> obj-$(CONFIG_SELFTEST) += core.o
> obj-$(CONFIG_SELFTEST_MALLOC) += malloc.o
> obj-$(CONFIG_SELFTEST_PRINTF) += printf.o
> +CFLAGS_printf.o += -Wno-format-security
> obj-$(CONFIG_SELFTEST_PROGRESS_NOTIFIER) += progress-notifier.o
> obj-$(CONFIG_SELFTEST_OF_MANIPULATION) += of_manipulation.o of_manipulation.dtb.o
> obj-$(CONFIG_SELFTEST_ENVIRONMENT_VARIABLES) += envvar.o
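Review bot: `CFLAGS_printf.o += -Wno-format-security` turns the diagnostic off for all of printf.o, while the commit message says only some call sites pass a variable format string on purpose. A comment above the line stating that the test does this deliberately would document the exception and keep the flag from being copied to other objects without the same justification.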
> --
> 2.38.4
>
>
>
--
Pengutronix e.K. | |
Steuerwalder Str. 21 | http://www.pengutronix.de/ |
31137 Hildesheim, Germany | Phone: +49-5121-206917-0 |
Amtsgericht Hildesheim, HRA 2686 | Fax: +49-5121-206917-5555 |