Disable using 'scv' instruction for syscalls. All syscalls will
use 'sc' instead, even if the kernel supports 'scv'. PowerPC only.
+'--enable-memory-sealing'
+ Build glibc libraries, programs, and the testsuite with memory
+ sealing support (GNU_PROPERTY_MEMORY_SEAL). It does not disable
+ support for memory sealing, which will still be applied if the
+ program has the attribute.
+
'--build=BUILD-SYSTEM'
'--host=HOST-SYSTEM'
These options are for cross-compiling. If you specify both options
no-dt-relr-ldflag =
endif
+# Linker options to enable and disable memory sealing (GNU_PROPERTY_MEMORY_SEAL),
+# if --enable--memory-sealing is used explicit enable memory sealing for the case
+# the linker defaults to it.
+ifeq ($(have-z-memory-seal),yes)
+no-memory-seal-ldflag = -Wl,-z,nomemory-seal
+ifeq ($(enable-memory-seal),yes)
+memory-seal-ldflag = -Wl,-z,memory-seal
+else
+memory-seal-ldflag = $(no-memory-seal-ldflag)
+endif
+else
+memory-seal-ldflag =
+no-memory-seal-ldflag =
+endif
+
ifeq (no,$(build-pie-default))
pie-default = $(no-pie-ccflag)
else # build-pie-default
ifndef +link-pie
+link-pie-before-inputs = $(if $($(@F)-no-pie),$(no-pie-ldflag),-pie) \
$(if $($(@F)-no-dt-relr),$(no-dt-relr-ldflag),$(dt-relr-ldflag)) \
+ $(if $($(@F)-no-memory-seal),$(no-memory-seal-ldflag),$(memory-seal-ldflag)) \
-Wl,-O1 -nostdlib -nostartfiles \
$(sysdep-LDFLAGS) $(LDFLAGS) $(LDFLAGS-$(@F)) \
$(relro-LDFLAGS) $(hashstyle-LDFLAGS) \
+link-static-before-inputs = -nostdlib -nostartfiles -static \
$(if $($(@F)-no-pie),$(no-pie-ldflag),$(static-pie-ldflag)) \
$(if $($(@F)-no-dt-relr),$(no-dt-relr-ldflag),$(static-pie-dt-relr-ldflag)) \
+ $(if $($(@F)-no-memory-seal),$(no-memory-seal-ldflag),$(memory-seal-ldflag)) \
$(sysdep-LDFLAGS) $(LDFLAGS) $(LDFLAGS-$(@F)) \
$(firstword $(CRT-$(@F)) $(csu-objpfx)$(real-static-start-installed-name)) \
$(+preinit) $(+prectorT)
# Command for linking test programs with crt1.o from glibc 2.0.
+link-2.0-before-inputs = -nostdlib -nostartfiles $(no-pie-ldflag) \
$(sysdep-LDFLAGS) $(LDFLAGS) $(LDFLAGS-$(@F)) \
- $(relro-LDFLAGS) $(hashstyle-LDFLAGS) \
+ $(relro-LDFLAGS) $(memory-seal-ldflag) $(hashstyle-LDFLAGS) \
$(firstword $(CRT-$(@F)) $(csu-objpfx)$(start-name-2.0)) \
$(+preinit) $(+prector)
+link-2.0-before-libc = -o $@ $(+link-2.0-before-inputs) \
$(LINK.o) -shared -static-libgcc -Wl,-O1 $(sysdep-LDFLAGS) \
$(if $($(@F)-no-z-defs)$(no-z-defs),,-Wl,-z,defs) $(rtld-LDFLAGS) \
$(if $($(@F)-no-dt-relr),$(no-dt-relr-ldflag),$(dt-relr-ldflag)) \
+ $(if $($(@F)-no-memory-seal),$(no-memory-seal-ldflag),$(memory-seal-ldflag)) \
$(extra-B-$(@F:lib%.so=%).so) -B$(csu-objpfx) \
$(extra-B-$(@F:lib%.so=%).so) $(load-map-file) \
-Wl,-soname=lib$(libprefix)$(@F:lib%.so=%).so$($(@F)-version) \
$(LINK.o) -shared -static-libgcc $(sysdep-LDFLAGS) $(rtld-LDFLAGS) \
$(if $($(@F)-no-z-defs)$(no-z-defs),,-Wl,-z,defs) \
$(if $($(@F)-no-dt-relr),$(no-dt-relr-ldflag),$(dt-relr-ldflag)) \
+ $(if $($(@F)-no-memory-seal),$(no-memory-seal-ldflag),$(memory-seal-ldflag)) \
-B$(csu-objpfx) $(load-map-file) \
$(LDFLAGS.so) $(LDFLAGS-$(@F:%.so=%).so) \
$(link-test-modules-rpath-link) \
memory sealing will not be applied for its dependencies (and even if the
objects has the memory sealing attribute).
+* A new configure option, "--enable-memory-sealing", can be used to build
+ the GNU C Library libraries and programs with memory sealing.
+
Deprecated and removed features, and other changes affecting compatibility:
[Add deprecations, removals and changes affecting compatibility here]
enable_cet
enable_scv
enable_fortify_source
+enable_memory_sealing
with_cpu
'
ac_precious_vars='build_alias
Use -D_FORTIFY_SOURCE=[1|2|3] to control code
hardening, defaults to highest possible value
supported by the build compiler.
+ --enable-memory-sealing Build glibc libraries, programs, and the testsuite
+ with memory sealing [default=no]
Optional Packages:
--with-PACKAGE[=ARG] use PACKAGE [ARG=yes]
*) as_fn_error $? "Not a valid argument for --enable-fortify-source: \"$enable_fortify_source\"" "$LINENO" 5;;
esac
+# Check whether --enable-memory-sealing was given.
+if test ${enable_memory_sealing+y}
+then :
+ enableval=$enable_memory_sealing; enable_memory_sealing=$enableval
+else case e in #(
+ e) enable_memory_sealing=no ;;
+esac
+fi
+
+
# We keep the original values in `$config_*' and never modify them, so we
# can write them unchanged into config.make. Everything else uses
# $machine, $vendor, and $os, and changes them whenever convenient.
+{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for linker that supports -z memory-seal" >&5
+printf %s "checking for linker that supports -z memory-seal... " >&6; }
+libc_linker_feature=no
+cat > conftest.c <<EOF
+int _start (void) { return 42; }
+EOF
+if { ac_try='${CC-cc} $CFLAGS $CPPFLAGS $LDFLAGS $no_ssp
+ -Wl,-z,memory-seal -nostdlib -nostartfiles
+ -fPIC -shared -o conftest.so conftest.c
+ 1>&5'
+ { { eval echo "\"\$as_me\":${as_lineno-$LINENO}: \"$ac_try\""; } >&5
+ (eval $ac_try) 2>&5
+ ac_status=$?
+ printf "%s\n" "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
+ test $ac_status = 0; }; }
+then
+ if ${CC-cc} $CFLAGS $CPPFLAGS $LDFLAGS $no_ssp -Wl,-z,memory-seal -nostdlib \
+ -nostartfiles -fPIC -shared -o conftest.so conftest.c 2>&1 \
+ | grep "warning: -z memory-seal ignored" > /dev/null 2>&1; then
+ true
+ else
+ libc_linker_feature=yes
+ fi
+fi
+rm -f conftest*
+if test $libc_linker_feature = yes; then
+ libc_cv_z_memory_seal=yes
+else
+ libc_cv_z_memory_seal=no
+fi
+{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $libc_linker_feature" >&5
+printf "%s\n" "$libc_linker_feature" >&6; }
+# Enable memory-sealing iff it is available and glibc is not configured
+# with --disable-defautl-memory-sealing
+if test "$libc_cv_z_memory_seal" = no; then
+ default_memory_sealing=no
+fi
+config_vars="$config_vars
+have-z-memory-seal = $libc_cv_z_memory_seal"
+config_vars="$config_vars
+enable-memory-seal = $enable_memory_sealing"
+
+
{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for GLOB_DAT reloc" >&5
printf %s "checking for GLOB_DAT reloc... " >&6; }
if test ${libc_cv_has_glob_dat+y}
# Check if compilers support GCS in branch protection:
-
{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking if compiler supports -mbranch-protection=gcs" >&5
printf %s "checking if compiler supports -mbranch-protection=gcs... " >&6; }
if test ${libc_cv_cc_gcs+y}
*) AC_MSG_ERROR([Not a valid argument for --enable-fortify-source: "$enable_fortify_source"]);;
esac
+AC_ARG_ENABLE([memory-sealing],
+ AS_HELP_STRING([--enable-memory-sealing],
+ [Build glibc libraries, programs, and the testsuite with memory sealing @<:@default=no@:>@]),
+ [enable_memory_sealing=$enableval],
+ [enable_memory_sealing=no])
+
# We keep the original values in `$config_*' and never modify them, so we
# can write them unchanged into config.make. Everything else uses
# $machine, $vendor, and $os, and changes them whenever convenient.
AC_SUBST(libc_cv_fpie)
+LIBC_LINKER_FEATURE([-z memory-seal],
+ [-Wl,-z,memory-seal],
+ [libc_cv_z_memory_seal=yes],
+ [libc_cv_z_memory_seal=no])
+# Enable memory-sealing iff it is available and glibc is not configured
+# with --disable-defautl-memory-sealing
+if test "$libc_cv_z_memory_seal" = no; then
+ default_memory_sealing=no
+fi
+LIBC_CONFIG_VAR([have-z-memory-seal], [$libc_cv_z_memory_seal])
+LIBC_CONFIG_VAR([enable-memory-seal], [$enable_memory_sealing])
+
+
AC_CACHE_CHECK(for GLOB_DAT reloc,
libc_cv_has_glob_dat, [dnl
cat > conftest.c <<EOF
$(LINK.o) -nostdlib -nostartfiles -shared -o $@.new \
$(LDFLAGS-rtld) -Wl,-z,defs $(z-now-$(bind-now)) \
$(dt-relr-ldflag) \
+ $(memory-seal-ldflag) \
$(filter-out $(map-file),$^) $(load-map-file) \
-Wl,-soname=$(rtld-installed-name)
$(call after-link,$@.new)
$(objpfx)filtmod1.so: $(objpfx)filtmod1.os $(objpfx)filtmod2.so
$(LINK.o) -shared -o $@ -B$(csu-objpfx) $(LDFLAGS.so) \
$(dt-relr-ldflag) \
+ $(memory-seal-ldflag) \
-L$(subst :, -L,$(rpath-link)) \
-Wl,-rpath-link=$(rpath-link) \
$< -Wl,-F,$(objpfx)filtmod2.so
# intended, so it uses an explicit link rule.
$(objpfx)tst-auditmod17.so: $(objpfx)tst-auditmod17.os
$(CC) -nostdlib -nostartfiles -shared -o $@.new \
+ $(memory-seal-ldflag) \
$(filter-out $(map-file),$^)
$(call after-link,$@.new)
mv -f $@.new $@
# against libc.so.
$(objpfx)tst-audit24bmod1.so: $(objpfx)tst-audit24bmod1.os
$(CC) -nostdlib -nostartfiles -shared -o $@.new $(objpfx)tst-audit24bmod1.os \
- -Wl,-z,now
+ -Wl,-z,now $(memory-seal-ldflag)
$(call after-link,$@.new)
mv -f $@.new $@
CFLAGS-.os += $(call elide-stack-protector,.os,tst-audit24bmod1)
$(objpfx)tst-audit24bmod2.so: $(objpfx)tst-audit24bmod2.os
- $(CC) -nostdlib -nostartfiles -shared -o $@.new $(objpfx)tst-audit24bmod2.os
+ $(CC) -nostdlib -nostartfiles -shared -o $@.new $(objpfx)tst-audit24bmod2.os \
+ $(memory-seal-ldflag)
$(call after-link,$@.new)
mv -f $@.new $@
CFLAGS-.os += $(call elide-stack-protector,.os,tst-audit24bmod2)
# artificial, large note in tst-big-note-lib.o and invalidate the
# test.
$(objpfx)tst-big-note-lib.so: $(objpfx)tst-big-note-lib.o
- $(LINK.o) -shared -o $@ $(LDFLAGS.so) $(dt-relr-ldflag) $<
+ $(LINK.o) -shared -o $@ $(LDFLAGS.so) $(dt-relr-ldflag) $(memory-seal-ldflag) $<
$(objpfx)tst-unwind-ctor: $(objpfx)tst-unwind-ctor-lib.so
tst-ro-dynamic-mod.map
$(LINK.o) -nostdlib -nostartfiles -shared -o $@ \
$(dt-relr-ldflag) \
+ $(memory-seal-ldflag) \
-Wl,--script=tst-ro-dynamic-mod.map \
$(objpfx)tst-ro-dynamic-mod.os
$(objpfx)tst-relr-mod2.so: $(objpfx)tst-relr-mod2.os
$(LINK.o) -nostdlib -nostartfiles -Wl,-z,pack-relative-relocs \
$(LDFLAGS-soname-fname) \
+ $(memory-seal-ldflag) \
-shared -o $@.new $(filter-out $(map-file),$^)
$(call after-link,$@.new)
mv -f $@.new $@
$(objpfx)tst-relr-mod3b.so: $(objpfx)tst-relr-mod3b.os
$(LINK.o) -nostdlib -nostartfiles -Wl,-z,pack-relative-relocs \
$(LDFLAGS-soname-fname) \
+ $(memory-seal-ldflag) \
-shared -o $@.new $(filter-out $(map-file),$^)
$(call after-link,$@.new)
mv -f $@.new $@
$(objpfx)tst-relr-mod3b.so
$(LINK.o) -nostdlib -nostartfiles -Wl,-z,pack-relative-relocs \
$(LDFLAGS-soname-fname) $(LDFLAGS-rpath-ORIGIN) \
+ $(memory-seal-ldflag) \
-shared -o $@.new $(filter-out $(map-file),$^)
$(call after-link,$@.new)
mv -f $@.new $@
$(objpfx)tst-relr-mod4b.so: $(objpfx)tst-relr-mod4b.os
$(LINK.o) -nostdlib -nostartfiles -Wl,-z,pack-relative-relocs \
$(LDFLAGS-soname-fname) \
+ $(memory-seal-ldflag) \
-Wl,--version-script=tst-relr-mod4b.map \
-shared -o $@.new $(filter-out $(map-file),$^)
$(call after-link,$@.new)
$(objpfx)tst-relr-mod4a.so: $(objpfx)tst-relr-mod4a.os \
$(objpfx)tst-relr-mod4b.so
$(LINK.o) -nostdlib -nostartfiles -Wl,-z,pack-relative-relocs \
+ $(memory-seal-ldflag) \
$(LDFLAGS-soname-fname) $(LDFLAGS-rpath-ORIGIN) \
-shared -o $@.new $(filter-out $(map-file),$^)
$(call after-link,$@.new)
# We do not use $(link-test-modules-rpath-link) since the object has no
# DT_NEEDED.
$(objpfx)tst-nodeps1-mod.so: $(objpfx)tst-nodeps1-mod.os
- $(LINK.o) -nostartfiles -nostdlib -shared -o $@ $^
+ $(LINK.o) -nostartfiles -nostdlib -shared $(memory-seal-ldflag) -o $@ $^
tst-nodeps1.so-no-z-defs = yes
# Link libc.so before the test module with the IFUNC resolver reference.
LDFLAGS-tst-nodeps1 = $(common-objpfx)libc.so $(objpfx)tst-nodeps1-mod.so
-fno-exceptions -fno-unwind-tables -fno-asynchronous-unwind-tables
$(objpfx)tst-nolink-libc-1: $(objpfx)tst-nolink-libc.o $(objpfx)ld.so
$(LINK.o) -nostdlib -nostartfiles -o $@ $< \
+ $(memory-seal-ldflag) \
-Wl,--dynamic-linker=$(objpfx)ld.so,--no-as-needed $(objpfx)ld.so
$(objpfx)tst-nolink-libc-1.out: $(objpfx)tst-nolink-libc-1 $(objpfx)ld.so
$< > $@ 2>&1; $(evaluate-test)
Disable using @code{scv} instruction for syscalls. All syscalls will use
@code{sc} instead, even if the kernel supports @code{scv}. PowerPC only.
+@item --disable-default-memory-seal
+Don't build glibc libraries, programs, and the testsuite with
+memory sealing support (@code{GNU_PROPERTY_MEMORY_SEAL}). By default,
+memory sealing is enabled if toolchain suports the linker option.
+
@item --build=@var{build-system}
@itemx --host=@var{host-system}
These options are for cross-compiling. If you specify both options and
projects / thirdparty / glibc.git / commitdiff
