2 files changed, 46 insertions, 0 deletions
diff --git a/meta/recipes-bsp/grub/files/0001-Enforce-no-pie-if-the-compiler-supports-it.patch b/meta/recipes-bsp/grub/files/0001-Enforce-no-pie-if-the-compiler-supports-it.patch
new file mode 100644
index 0000000000..ccdbee215d
--- /dev/null
+++ b/meta/recipes-bsp/grub/files/0001-Enforce-no-pie-if-the-compiler-supports-it.patch
@@ -0,0 +1,45 @@
+From 6186bcf1bcaaa0f16e79339e07c64c841d4d957d Mon Sep 17 00:00:00 2001
+From: Alexander Kanavin <alex.kanavin@gmail.com>
+Date: Fri, 2 Dec 2016 20:52:40 +0200
+Subject: [PATCH] Enforce -no-pie, if the compiler supports it.
+Add a -no-pie as recent (2 Dec 2016) Debian testing compiler
+seems to default to enabling PIE when linking. See
+https://wiki.ubuntu.com/SecurityTeam/PIE
+Upstream-Status: Pending
+Signed-off-by: Alexander Kanavin <alex.kanavin@gmail.com>
+---
+ acinclude.m4 | 2 +-
+ configure.ac | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+diff --git a/acinclude.m4 b/acinclude.m4
+index 19200b0..a713923 100644
+--- a/acinclude.m4
+++ b/acinclude.m4
+@@ -416,7 +416,7 @@ int main() {
+ 
+ [# `$CC -c -o ...' might not be portable.  But, oh, well...  Is calling
+ # `ac_compile' like this correct, after all?
+-if eval "$ac_compile -S -o conftest.s" 2> /dev/null; then]
+if eval "$ac_compile -S -o conftest.s" 2> /dev/null && eval "$CC -dumpspecs 2>/dev/null | grep -e no-pie" ; then]
+   AC_MSG_RESULT([yes])
+   [# Should we clear up other files as well, having called `AC_LANG_CONFTEST'?
+   rm -f conftest.s
+diff --git a/configure.ac b/configure.ac
+index df20991..506c6b4 100644
+--- a/configure.ac
+++ b/configure.ac
+@@ -603,7 +603,7 @@ grub_CHECK_PIE
+ [# Need that, because some distributions ship compilers that include
+ # `-fPIE' in the default specs.
+ if [ x"$pie_possible" = xyes ]; then
+-  TARGET_CFLAGS="$TARGET_CFLAGS -fno-PIE"
+  TARGET_CFLAGS="$TARGET_CFLAGS -fno-PIE -no-pie"
+ fi]
+ 
+ # Position independent executable.
+-- 
+2.10.2
diff --git a/meta/recipes-bsp/grub/grub2.inc b/meta/recipes-bsp/grub/grub2.inc
index b10f633aae..f64198d9f0 100644
--- a/meta/recipes-bsp/grub/grub2.inc
+++ b/meta/recipes-bsp/grub/grub2.inc
@@ -32,6 +32,7 @@ SRC_URI = "ftp://ftp.gnu.org/gnu/grub/grub-${PV}.tar.gz \
           file://0001-Remove-direct-_llseek-code-and-require-long-filesyst.patch \
           file://fix-texinfo.patch \
           file://0001-grub-core-gettext-gettext.c-main_context-secondary_c.patch \
+           file://0001-Enforce-no-pie-if-the-compiler-supports-it.patch \
            "
 DEPENDS = "flex-native bison-native autogen-native"

diff --git a/meta/recipes-bsp/grub/files/0001-Enforce-no-pie-if-the-compiler-supports-it.patch b/meta/recipes-bsp/grub/files/0001-Enforce-no-pie-if-the-compiler-supports-it.patch new file mode 100644 index 0000000000..ccdbee215d --- /dev/null +++ b/meta/recipes-bsp/grub/files/0001-Enforce-no-pie-if-the-compiler-supports-it.patch
@@ -0,0 +1,45 @@
		1	From 6186bcf1bcaaa0f16e79339e07c64c841d4d957d Mon Sep 17 00:00:00 2001
		2	From: Alexander Kanavin <alex.kanavin@gmail.com>
		3	Date: Fri, 2 Dec 2016 20:52:40 +0200
		4	Subject: [PATCH] Enforce -no-pie, if the compiler supports it.
		5
		6	Add a -no-pie as recent (2 Dec 2016) Debian testing compiler
		7	seems to default to enabling PIE when linking. See
		8	https://wiki.ubuntu.com/SecurityTeam/PIE
		9
		10	Upstream-Status: Pending
		11	Signed-off-by: Alexander Kanavin <alex.kanavin@gmail.com>
		12	---
		13	acinclude.m4 \| 2 +-
		14	configure.ac \| 2 +-
		15	2 files changed, 2 insertions(+), 2 deletions(-)
		16
		17	diff --git a/acinclude.m4 b/acinclude.m4
		18	index 19200b0..a713923 100644
		19	--- a/acinclude.m4
		20	+++ b/acinclude.m4
		21	@@ -416,7 +416,7 @@ int main() {
		22
		23	[# `$CC -c -o ...' might not be portable. But, oh, well... Is calling
		24	# `ac_compile' like this correct, after all?
		25	-if eval "$ac_compile -S -o conftest.s" 2> /dev/null; then]
		26	+if eval "$ac_compile -S -o conftest.s" 2> /dev/null && eval "$CC -dumpspecs 2>/dev/null \| grep -e no-pie" ; then]
		27	AC_MSG_RESULT([yes])
		28	[# Should we clear up other files as well, having called `AC_LANG_CONFTEST'?
		29	rm -f conftest.s
		30	diff --git a/configure.ac b/configure.ac
		31	index df20991..506c6b4 100644
		32	--- a/configure.ac
		33	+++ b/configure.ac
		34	@@ -603,7 +603,7 @@ grub_CHECK_PIE
		35	[# Need that, because some distributions ship compilers that include
		36	# `-fPIE' in the default specs.
		37	if [ x"$pie_possible" = xyes ]; then
		38	- TARGET_CFLAGS="$TARGET_CFLAGS -fno-PIE"
		39	+ TARGET_CFLAGS="$TARGET_CFLAGS -fno-PIE -no-pie"
		40	fi]
		41
		42	# Position independent executable.
		43	--
		44	2.10.2
		45


diff --git a/meta/recipes-bsp/grub/grub2.inc b/meta/recipes-bsp/grub/grub2.inc index b10f633aae..f64198d9f0 100644 --- a/meta/recipes-bsp/grub/grub2.inc +++ b/meta/recipes-bsp/grub/grub2.inc
@@ -32,6 +32,7 @@ SRC_URI = "ftp://ftp.gnu.org/gnu/grub/grub-${PV}.tar.gz \
32	file://0001-Remove-direct-_llseek-code-and-require-long-filesyst.patch \	32	file://0001-Remove-direct-_llseek-code-and-require-long-filesyst.patch \
33	file://fix-texinfo.patch \	33	file://fix-texinfo.patch \
34	file://0001-grub-core-gettext-gettext.c-main_context-secondary_c.patch \	34	file://0001-grub-core-gettext-gettext.c-main_context-secondary_c.patch \
		35	file://0001-Enforce-no-pie-if-the-compiler-supports-it.patch \
35	"	36	"
36		37
37	DEPENDS = "flex-native bison-native autogen-native"	38	DEPENDS = "flex-native bison-native autogen-native"