clang: Default to PIE when GCCPIE is set

This matches with OE-Core expectations and we do not need to inject PIE flags manually via SECURITY_CFLAGS which does not always work Signed-off-by: Khem Raj <raj.khem@gmail.com>
author: Khem Raj <raj.khem@gmail.com> 2017-07-29 08:58:38 -0700
committer: Khem Raj <raj.khem@gmail.com> 2017-07-29 10:31:38 -0700
commit: ebf65eba343ae4c5e9af073b62d386d1749c12e0 (patch)
tree: 3f3582146545f6dbee4ba45fa0dc08ea3dc03fe5
parent: 2eb7946cc6003aeaf9909cdd3329d9458b767805 (diff)
download: meta-clang-ebf65eba343ae4c5e9af073b62d386d1749c12e0.tar.gz
3 files changed, 98 insertions, 2 deletions
diff --git a/classes/clang.bbclass b/classes/clang.bbclass
index db0dd3d..f0cd57f 100644
--- a/classes/clang.bbclass
+++ b/classes/clang.bbclass
@@ -4,8 +4,6 @@ CXX_toolchain-clang = "${CCACHE}${HOST_PREFIX}clang++ ${HOST_CC_ARCH}${TOOLCHAIN
 CPP_toolchain-clang = "${CCACHE}${HOST_PREFIX}clang ${HOST_CC_ARCH}${TOOLCHAIN_OPTIONS} -E"
 CCLD_toolchain-clang = "${CCACHE}${HOST_PREFIX}clang ${HOST_CC_ARCH}${TOOLCHAIN_OPTIONS}"
-SECURITY_PIE_CFLAGS_toolchain-clang= "-pie -fPIE"
 THUMB_TUNE_CCARGS_remove_toolchain-clang = "-mthumb-interwork"
 TUNE_CCARGS_remove_toolchain-clang = "-meb"
 TUNE_CCARGS_remove_toolchain-clang = "-mel"
diff --git a/recipes-devtools/clang/clang/0007-clang-Enable-SSP-and-PIE-by-default.patch b/recipes-devtools/clang/clang/0007-clang-Enable-SSP-and-PIE-by-default.patch
new file mode 100644
index 0000000..481dd24
--- /dev/null
+++ b/recipes-devtools/clang/clang/0007-clang-Enable-SSP-and-PIE-by-default.patch
@@ -0,0 +1,95 @@
+From 013035de788d1e2e00a4238fb2fdd39591c5c009 Mon Sep 17 00:00:00 2001
+From: Khem Raj <raj.khem@gmail.com>
+Date: Sat, 29 Jul 2017 08:29:19 -0700
+Subject: [PATCH 7/7] clang: Enable SSP and PIE by default
+This is a minimal set of changes needed to make clang use SSP and PIE by
+default on Arch Linux. Tests that were easy to adjust have been changed
+accordingly; only test/Driver/linux-ld.c has been marked as "expected
+failure" due to the number of changes it would require (mostly replacing
+crtbegin.o with crtbeginS.o).
+Doing so is needed in order to align clang with the new default GCC
+behavior in Arch which generates PIE executables by default and also
+defaults to -fstack-protector-strong. It is not meant to be a long term
+solution, but a simple temporary fix.
+Hopefully these changes will be obsoleted by the introduction upstream
+of a compile-time option (https://bugs.llvm.org/show_bug.cgi?id=13410)
+From: Evangelos Foutras <evangelos@foutrelis.com>
+https://git.archlinux.org/svntogit/packages.git/tree/trunk/0002-Enable-SSP-and-PIE-by-default.patch?h=packages/llvm
+Signed-off-by: Khem Raj <raj.khem@gmail.com>
+---
+ lib/Driver/ToolChains/FreeBSD.cpp |  1 +
+ lib/Driver/ToolChains/Gnu.cpp     |  1 +
+ lib/Driver/ToolChains/Linux.cpp   | 14 +++++++++++++-
+ lib/Driver/ToolChains/Linux.h     |  1 +
+ 4 files changed, 16 insertions(+), 1 deletion(-)
+diff --git a/lib/Driver/ToolChains/FreeBSD.cpp b/lib/Driver/ToolChains/FreeBSD.cpp
+index c6626e922e..39d0d6fb0d 100644
+--- a/lib/Driver/ToolChains/FreeBSD.cpp
+++ b/lib/Driver/ToolChains/FreeBSD.cpp
+@@ -128,6 +128,7 @@ void freebsd::Linker::ConstructJob(Compilation &C, const JobAction &JA,
+   const llvm::Triple::ArchType Arch = ToolChain.getArch();
+   const bool IsPIE =
+       !Args.hasArg(options::OPT_shared) &&
+      !Args.hasArg(options::OPT_nopie) &&
+       (Args.hasArg(options::OPT_pie) || ToolChain.isPIEDefault());
+   ArgStringList CmdArgs;
+ 
+diff --git a/lib/Driver/ToolChains/Gnu.cpp b/lib/Driver/ToolChains/Gnu.cpp
+index 8eb7401b24..8d06196231 100644
+--- a/lib/Driver/ToolChains/Gnu.cpp
+++ b/lib/Driver/ToolChains/Gnu.cpp
+@@ -417,6 +417,7 @@ void tools::gnutools::Linker::ConstructJob(Compilation &C, const JobAction &JA,
+   const bool IsIAMCU = ToolChain.getTriple().isOSIAMCU();
+   const bool IsPIE =
+       !Args.hasArg(options::OPT_shared) && !Args.hasArg(options::OPT_static) &&
+      !Args.hasArg(options::OPT_nopie) &&
+       (Args.hasArg(options::OPT_pie) || ToolChain.isPIEDefault());
+   const bool HasCRTBeginEndFiles =
+       ToolChain.getTriple().hasEnvironment() ||
+diff --git a/lib/Driver/ToolChains/Linux.cpp b/lib/Driver/ToolChains/Linux.cpp
+index 6dd6d52633..773063249a 100644
+--- a/lib/Driver/ToolChains/Linux.cpp
+++ b/lib/Driver/ToolChains/Linux.cpp
+@@ -810,7 +810,19 @@ void Linux::AddIAMCUIncludeArgs(const ArgList &DriverArgs,
+   }
+ }
+ 
+-bool Linux::isPIEDefault() const { return getSanitizerArgs().requiresPIE(); }
+bool Linux::isPIEDefault() const {
+  const bool IsMips = tools::isMipsArch(getTriple().getArch());
+  const bool IsAndroid = getTriple().isAndroid();
+
+  if (IsMips || IsAndroid)
+    return getSanitizerArgs().requiresPIE();
+
+  return true;
+}
+
+unsigned Linux::GetDefaultStackProtectorLevel(bool KernelOrKext) const {
+  return 2;
+}
+ 
+ SanitizerMask Linux::getSupportedSanitizers() const {
+   const bool IsX86 = getTriple().getArch() == llvm::Triple::x86;
+diff --git a/lib/Driver/ToolChains/Linux.h b/lib/Driver/ToolChains/Linux.h
+index 9778c1832c..ddd46a1d58 100644
+--- a/lib/Driver/ToolChains/Linux.h
+++ b/lib/Driver/ToolChains/Linux.h
+@@ -36,6 +36,7 @@ public:
+   void AddIAMCUIncludeArgs(const llvm::opt::ArgList &DriverArgs,
+                            llvm::opt::ArgStringList &CC1Args) const override;
+   bool isPIEDefault() const override;
+  unsigned GetDefaultStackProtectorLevel(bool KernelOrKext) const override;
+   SanitizerMask getSupportedSanitizers() const override;
+   void addProfileRTLibs(const llvm::opt::ArgList &Args,
+                         llvm::opt::ArgStringList &CmdArgs) const override;
+-- 
+2.13.3
diff --git a/recipes-devtools/clang/common.inc b/recipes-devtools/clang/common.inc
index 62af42b..2a6600e 100644
--- a/recipes-devtools/clang/common.inc
+++ b/recipes-devtools/clang/common.inc
@@ -7,6 +7,8 @@ LLVMPATCHES = "\
    file://0001-llvm-TargetLibraryInfo-Undefine-libc-functions-if-th.patch \
    file://0002-llvm-allow-env-override-of-exe-path.patch \
 "
+# Fallback to no-PIE if not set
+GCCPIE ??= ""
 # Clang patches
 CLANGPATCHES = "\
@@ -17,6 +19,7 @@ CLANGPATCHES = "\
    file://0005-clang-Look-inside-the-target-sysroot-for-compiler-ru.patch;patchdir=tools/clang \
    file://0006-clang-Define-releative-gcc-installation-dir.patch;patchdir=tools/clang \
 "
+CLANGPATCHES += "${@'file://0007-clang-Enable-SSP-and-PIE-by-default.patch;patchdir=tools/clang' if '${GCCPIE}' else ''}"
 # libcxxabi patches
 LIBCXXABIPATCHES ="\
author	Khem Raj <raj.khem@gmail.com>	2017-07-29 08:58:38 -0700
committer	Khem Raj <raj.khem@gmail.com>	2017-07-29 10:31:38 -0700
commit	ebf65eba343ae4c5e9af073b62d386d1749c12e0 (patch)
tree	3f3582146545f6dbee4ba45fa0dc08ea3dc03fe5
parent	2eb7946cc6003aeaf9909cdd3329d9458b767805 (diff)
download	meta-clang-ebf65eba343ae4c5e9af073b62d386d1749c12e0.tar.gz

diff --git a/classes/clang.bbclass b/classes/clang.bbclass index db0dd3d..f0cd57f 100644 --- a/classes/clang.bbclass +++ b/classes/clang.bbclass
@@ -4,8 +4,6 @@ CXX_toolchain-clang = "${CCACHE}${HOST_PREFIX}clang++ ${HOST_CC_ARCH}${TOOLCHAIN
4	CPP_toolchain-clang = "${CCACHE}${HOST_PREFIX}clang ${HOST_CC_ARCH}${TOOLCHAIN_OPTIONS} -E"	4	CPP_toolchain-clang = "${CCACHE}${HOST_PREFIX}clang ${HOST_CC_ARCH}${TOOLCHAIN_OPTIONS} -E"
5	CCLD_toolchain-clang = "${CCACHE}${HOST_PREFIX}clang ${HOST_CC_ARCH}${TOOLCHAIN_OPTIONS}"	5	CCLD_toolchain-clang = "${CCACHE}${HOST_PREFIX}clang ${HOST_CC_ARCH}${TOOLCHAIN_OPTIONS}"
6		6
7	SECURITY_PIE_CFLAGS_toolchain-clang= "-pie -fPIE"
8
9	THUMB_TUNE_CCARGS_remove_toolchain-clang = "-mthumb-interwork"	7	THUMB_TUNE_CCARGS_remove_toolchain-clang = "-mthumb-interwork"
10	TUNE_CCARGS_remove_toolchain-clang = "-meb"	8	TUNE_CCARGS_remove_toolchain-clang = "-meb"
11	TUNE_CCARGS_remove_toolchain-clang = "-mel"	9	TUNE_CCARGS_remove_toolchain-clang = "-mel"


diff --git a/recipes-devtools/clang/clang/0007-clang-Enable-SSP-and-PIE-by-default.patch b/recipes-devtools/clang/clang/0007-clang-Enable-SSP-and-PIE-by-default.patch new file mode 100644 index 0000000..481dd24 --- /dev/null +++ b/recipes-devtools/clang/clang/0007-clang-Enable-SSP-and-PIE-by-default.patch
@@ -0,0 +1,95 @@
		1	From 013035de788d1e2e00a4238fb2fdd39591c5c009 Mon Sep 17 00:00:00 2001
		2	From: Khem Raj <raj.khem@gmail.com>
		3	Date: Sat, 29 Jul 2017 08:29:19 -0700
		4	Subject: [PATCH 7/7] clang: Enable SSP and PIE by default
		5
		6	This is a minimal set of changes needed to make clang use SSP and PIE by
		7	default on Arch Linux. Tests that were easy to adjust have been changed
		8	accordingly; only test/Driver/linux-ld.c has been marked as "expected
		9	failure" due to the number of changes it would require (mostly replacing
		10	crtbegin.o with crtbeginS.o).
		11
		12	Doing so is needed in order to align clang with the new default GCC
		13	behavior in Arch which generates PIE executables by default and also
		14	defaults to -fstack-protector-strong. It is not meant to be a long term
		15	solution, but a simple temporary fix.
		16
		17	Hopefully these changes will be obsoleted by the introduction upstream
		18	of a compile-time option (https://bugs.llvm.org/show_bug.cgi?id=13410)
		19
		20	From: Evangelos Foutras <evangelos@foutrelis.com>
		21
		22	https://git.archlinux.org/svntogit/packages.git/tree/trunk/0002-Enable-SSP-and-PIE-by-default.patch?h=packages/llvm
		23
		24	Signed-off-by: Khem Raj <raj.khem@gmail.com>
		25	---
		26	lib/Driver/ToolChains/FreeBSD.cpp \| 1 +
		27	lib/Driver/ToolChains/Gnu.cpp \| 1 +
		28	lib/Driver/ToolChains/Linux.cpp \| 14 +++++++++++++-
		29	lib/Driver/ToolChains/Linux.h \| 1 +
		30	4 files changed, 16 insertions(+), 1 deletion(-)
		31
		32	diff --git a/lib/Driver/ToolChains/FreeBSD.cpp b/lib/Driver/ToolChains/FreeBSD.cpp
		33	index c6626e922e..39d0d6fb0d 100644
		34	--- a/lib/Driver/ToolChains/FreeBSD.cpp
		35	+++ b/lib/Driver/ToolChains/FreeBSD.cpp
		36	@@ -128,6 +128,7 @@ void freebsd::Linker::ConstructJob(Compilation &C, const JobAction &JA,
		37	const llvm::Triple::ArchType Arch = ToolChain.getArch();
		38	const bool IsPIE =
		39	!Args.hasArg(options::OPT_shared) &&
		40	+ !Args.hasArg(options::OPT_nopie) &&
		41	(Args.hasArg(options::OPT_pie) \|\| ToolChain.isPIEDefault());
		42	ArgStringList CmdArgs;
		43
		44	diff --git a/lib/Driver/ToolChains/Gnu.cpp b/lib/Driver/ToolChains/Gnu.cpp
		45	index 8eb7401b24..8d06196231 100644
		46	--- a/lib/Driver/ToolChains/Gnu.cpp
		47	+++ b/lib/Driver/ToolChains/Gnu.cpp
		48	@@ -417,6 +417,7 @@ void tools::gnutools::Linker::ConstructJob(Compilation &C, const JobAction &JA,
		49	const bool IsIAMCU = ToolChain.getTriple().isOSIAMCU();
		50	const bool IsPIE =
		51	!Args.hasArg(options::OPT_shared) && !Args.hasArg(options::OPT_static) &&
		52	+ !Args.hasArg(options::OPT_nopie) &&
		53	(Args.hasArg(options::OPT_pie) \|\| ToolChain.isPIEDefault());
		54	const bool HasCRTBeginEndFiles =
		55	ToolChain.getTriple().hasEnvironment() \|\|
		56	diff --git a/lib/Driver/ToolChains/Linux.cpp b/lib/Driver/ToolChains/Linux.cpp
		57	index 6dd6d52633..773063249a 100644
		58	--- a/lib/Driver/ToolChains/Linux.cpp
		59	+++ b/lib/Driver/ToolChains/Linux.cpp
		60	@@ -810,7 +810,19 @@ void Linux::AddIAMCUIncludeArgs(const ArgList &DriverArgs,
		61	}
		62	}
		63
		64	-bool Linux::isPIEDefault() const { return getSanitizerArgs().requiresPIE(); }
		65	+bool Linux::isPIEDefault() const {
		66	+ const bool IsMips = tools::isMipsArch(getTriple().getArch());
		67	+ const bool IsAndroid = getTriple().isAndroid();
		68	+
		69	+ if (IsMips \|\| IsAndroid)
		70	+ return getSanitizerArgs().requiresPIE();
		71	+
		72	+ return true;
		73	+}
		74	+
		75	+unsigned Linux::GetDefaultStackProtectorLevel(bool KernelOrKext) const {
		76	+ return 2;
		77	+}
		78
		79	SanitizerMask Linux::getSupportedSanitizers() const {
		80	const bool IsX86 = getTriple().getArch() == llvm::Triple::x86;
		81	diff --git a/lib/Driver/ToolChains/Linux.h b/lib/Driver/ToolChains/Linux.h
		82	index 9778c1832c..ddd46a1d58 100644
		83	--- a/lib/Driver/ToolChains/Linux.h
		84	+++ b/lib/Driver/ToolChains/Linux.h
		85	@@ -36,6 +36,7 @@ public:
		86	void AddIAMCUIncludeArgs(const llvm::opt::ArgList &DriverArgs,
		87	llvm::opt::ArgStringList &CC1Args) const override;
		88	bool isPIEDefault() const override;
		89	+ unsigned GetDefaultStackProtectorLevel(bool KernelOrKext) const override;
		90	SanitizerMask getSupportedSanitizers() const override;
		91	void addProfileRTLibs(const llvm::opt::ArgList &Args,
		92	llvm::opt::ArgStringList &CmdArgs) const override;
		93	--
		94	2.13.3
		95


diff --git a/recipes-devtools/clang/common.inc b/recipes-devtools/clang/common.inc index 62af42b..2a6600e 100644 --- a/recipes-devtools/clang/common.inc +++ b/recipes-devtools/clang/common.inc
@@ -7,6 +7,8 @@ LLVMPATCHES = "\
7	file://0001-llvm-TargetLibraryInfo-Undefine-libc-functions-if-th.patch \	7	file://0001-llvm-TargetLibraryInfo-Undefine-libc-functions-if-th.patch \
8	file://0002-llvm-allow-env-override-of-exe-path.patch \	8	file://0002-llvm-allow-env-override-of-exe-path.patch \
9	"	9	"
		10	# Fallback to no-PIE if not set
		11	GCCPIE ??= ""
10		12
11	# Clang patches	13	# Clang patches
12	CLANGPATCHES = "\	14	CLANGPATCHES = "\
@@ -17,6 +19,7 @@ CLANGPATCHES = "\
17	file://0005-clang-Look-inside-the-target-sysroot-for-compiler-ru.patch;patchdir=tools/clang \	19	file://0005-clang-Look-inside-the-target-sysroot-for-compiler-ru.patch;patchdir=tools/clang \
18	file://0006-clang-Define-releative-gcc-installation-dir.patch;patchdir=tools/clang \	20	file://0006-clang-Define-releative-gcc-installation-dir.patch;patchdir=tools/clang \
19	"	21	"
		22	CLANGPATCHES += "${@'file://0007-clang-Enable-SSP-and-PIE-by-default.patch;patchdir=tools/clang' if '${GCCPIE}' else ''}"
20		23
21	# libcxxabi patches	24	# libcxxabi patches
22	LIBCXXABIPATCHES ="\	25	LIBCXXABIPATCHES ="\