From 813cf981ab2f8e9bd5b64afed1da19ad9ea0f795 Mon Sep 17 00:00:00 2001 From: "Kevin F. Quinn" Date: Tue, 6 Feb 2007 19:13:46 +0000 Subject: Clean up readme; improve toolchain-funcs specs parsing svn path=/; revision=170 --- .../pieworld/eclass/toolchain-funcs.eclass | 75 ++++++++++++-------- .../toolchain/branches/pieworld/pieworld.README | 80 ++++++++++++---------- 2 files changed, 89 insertions(+), 66 deletions(-) diff --git a/hardened/toolchain/branches/pieworld/eclass/toolchain-funcs.eclass b/hardened/toolchain/branches/pieworld/eclass/toolchain-funcs.eclass index 2055b35..de346c6 100644 --- a/hardened/toolchain/branches/pieworld/eclass/toolchain-funcs.eclass +++ b/hardened/toolchain/branches/pieworld/eclass/toolchain-funcs.eclass @@ -187,8 +187,12 @@ gcc-specs-exists() { # Note; later specs normally overwrite earlier ones; however if a later # spec starts with '+' then it appends. # gcc -dumpspecs is parsed first, followed by files listed by "gcc -v" -# as "Reading ", in order. -gcc-specs-directive() { +# as "Reading ", in order. Strictly speaking, if there's a +# $(gcc_install_dir)/specs, the built-in specs aren't read, however by +# the same token anything from 'gcc -dumpspecs' is overridden by +# the contents of $(gcc_install_dir)/specs so the result is the +# same either way. +gcc-specs-directive_raw() { local cc=$(tc-getCC) local specfiles=$(LC_ALL=C ${cc} -v 2>&1 | awk '$1=="Reading" {print $NF}') ${cc} -dumpspecs 2> /dev/null | cat - ${specfiles} | awk -v directive=$1 \ 
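Review bot: The comment block that used to describe the public function now sits above `gcc-specs-directive_raw`, and nothing in it says that this variant returns the directive exactly as written in the specs, with `%(name)` references left in place. I would add a line such as `# Returns the directive unexpanded; %(name) references are left for the caller to resolve.` so nobody calls the `_raw` form from a hardening check by mistake. The context line `awk -v directive=$1` also passes `$1` unquoted, and `"$1"` would be safer now that a second caller feeds it names cut out of spec text. The function body continues past the end of this hunk.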
@@ -201,40 +205,53 @@ END { print spec }' return 0 } +# Return the requested gcc specs directive, with all included +# specs expanded. +# Note, it does not check for inclusion loops, which cause it +# to never finish - but such loops are invalid for gcc and we're +# assuming gcc is operational. +gcc-specs-directive() { + local directive subdname subdirective + directive="$(gcc-specs-directive_raw $1)" + while [[ ${directive} == *%\(*\)* ]]; do + subdname=${d/*%\(} + subdname=${subdname/\)*} + subdirective="$(gcc-specs-directive_raw ${subdname})" + directive="${directive//\%(${subname})/${subdirective}}" + done + echo "${directive}" + return 0 +} + # Returns true if the toolchain sets relro gcc-specs-relro() { local directive - directive=$(gcc-specs-directive link_relro) - [[ -z ${directive} ]] && directive=$(gcc-specs-directive link_command) + directive=$(gcc-specs-directive link_command) return $([[ ${directive/\{!norelro:} != ${directive} ]]) } # Returns true if the toolchain sets now gcc-specs-now() { local directive - directive=$(gcc-specs-directive link_now) - [[ -z ${directive} ]] && directive=$(gcc-specs-directive link_command) + directive=$(gcc-specs-directive link_command) return $([[ ${directive/\{!nonow:} != ${directive} ]]) } # Returns true if gcc builds PIEs gcc-specs-pie() { local directive - directive=$(gcc-specs-directive cc1_pie) - [[ -z ${directive} ]] && directive=$(gcc-specs-directive cc1) + directive=$(gcc-specs-directive cc1) return $([[ ${directive/\{!nopie:} != ${directive} ]]) } # Returns true if gcc builds with the stack protector gcc-specs-ssp() { local directive - directive=$(gcc-specs-directive cc1_ssp) - [[ -z ${directive} ]] && directive=$(gcc-specs-directive cc1) + directive=$(gcc-specs-directive cc1) return $([[ ${directive/\{!fno-stack-protector:} != ${directive} ]]) } # Returns true if gcc upgrades fstack-protector to fstack-protector-all gcc-specs-ssp-to-all() { local directive gcc-specs-ssp || return 1 - 
directive=$(gcc-specs-directive cc1_ssp_all) - [[ -z ${directive} ]] && directive=$(gcc-specs-directive cc1) + directive=$(gcc-specs-directive cc1) return $([[ ${directive/\{!fno-stack-protector-all:} != ${directive} ]]) } @@ -289,9 +306,6 @@ _tc_gen_usr_ldscript() { gen_usr_ldscript() { _tc_gen_usr_ldscript "$@" ; } -# NOTE: This function should probably be in a different eclass - -# to be resolved before being committed to the main tree. -# # Much assembly code is written conditional on preprocessor macro # PIC, which is a libtool convention and not something the toolchain # itself sets. GCC has set __PIC__ for the longest time when buildling @@ -311,18 +325,19 @@ gen_usr_ldscript() { _tc_gen_usr_ldscript "$@" ; } # fixup_DPIC [-style edit|prepend] # # Default is to try all files recursively from ${S} -# With -edit, replaces: -# #ifdef PIC -> #if defined PIC || defined __PIC__ -# #ifndef PIC -> #if !defined PIC && !defined __PIC__ -# #if ... defined PIC ... -> #if ... (defined PIC || defined __PIC__) ... -# #if ... !defined PIC ... -> #if ... (!defined PIC && !defined __PIC__) ... # -# With -prepend, it prepends the following: +# With -style prepend, it prepends the following: # #if (defined __PIC__ && !defined PIC) # # define PIC # #endif # to the top of any source file containing /#[[:space:]]*if.*PIC/ # +# With -style edit, replaces: +# #ifdef PIC -> #if defined PIC || defined __PIC__ +# #ifndef PIC -> #if !defined PIC && !defined __PIC__ +# #if ... defined PIC ... -> #if ... (defined PIC || defined __PIC__) ... +# #if ... !defined PIC ... -> #if ... (!defined PIC && !defined __PIC__) ... +# # -prepend is the default. fixup_DPIC() { local style="prepend" 
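Review bot: In the new `gcc-specs-directive`, the loop reads `${d/*%\(}` and substitutes on `${subname}`, but the only locals declared are `directive`, `subdname` and `subdirective`, so both look like typos. With `d` and `subname` unset, `subdname` is empty and the substitution pattern is a literal `%()`, so `directive` never changes and the `while` appears to spin forever on any directive that contains `%(`. Every hardening probe in this hunk (`gcc-specs-relro`, `-now`, `-pie`, `-ssp`, `-ssp-to-all`) now goes through this function with no fallback, so they would hang rather than report. The two lines should read `subdname=${directive/*%\(}` and `directive="${directive//\%(${subdname})/${subdirective}}"`, and `${subdname}` is better quoted in the call to `gcc-specs-directive_raw`.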
@@ -340,15 +355,6 @@ fixup_DPIC() { [[ -z ${findmatch} ]] && findop="" case ${style} in - "edit") # this path untested - find "${sourceroot}" ${findop} "${findmatch}" | \ - xargs grep -l '^[[:space:]]*#[[:space:]]*if.*\bPIC\b' | \ - xargs sed -s -i -n \ - -e 's/\(#[[:space:]]\+\)ifdef[[:space:]]\+PIC\b/\1if (defined PIC || defined __PIC__)/' \ - -e 's/\(#[[:space:]]\+\)ifndef[[:space:]]\+PIC\b/\1if (!defined PIC && !defined __PIC__)/' \ - -e 's/\(#[[:space:]]\+if[[:space:]]\+\)defined[[:space:]]\+PIC\b\(.*$\)/\1(defined PIC || defined __PIC__)/' \ - -e 's/\(#[[:space:]]\+if[[:space:]]\+\)![[:space:]]\+defined[[:space:]]\+PIC\b\(.*$\)/\1(!defined PIC && !defined __PIC__)/' - ;; "prepend") einfo "Prepending PIC fixup" find "${sourceroot}" ${findop} "${findmatch}" | \ @@ -358,6 +364,15 @@ fixup_DPIC() { #endif\ ' ;; + "edit") # this path untested + find "${sourceroot}" ${findop} "${findmatch}" | \ + xargs grep -l '^[[:space:]]*#[[:space:]]*if.*\bPIC\b' | \ + xargs sed -s -i -n \ + -e 's/\(#[[:space:]]+\)ifdef[[:space:]]+PIC\b/\1if (defined PIC || defined __PIC__)/' \ + -e 's/\(#[[:space:]]+\)ifndef[[:space:]]+PIC\b/\1if (!defined PIC && !defined __PIC__)/' \ + -e 's/\(#[[:space:]]+if[[:space:]]+.*\)defined[[:space:]]+PIC\b\(.*$\)/\1(defined PIC || defined __PIC__)/' \ + -e 's/\(#[[:space:]]+if[[:space:]]+.*\)![[:space:]]*defined[[:space:]]+PIC\b/\1(!defined PIC && !defined __PIC__)/' + ;; *) die "Unknown DPIC fixup style ${style}" ;; diff --git a/hardened/toolchain/branches/pieworld/pieworld.README b/hardened/toolchain/branches/pieworld/pieworld.README index ada2e54..5ab02b1 100644 --- a/hardened/toolchain/branches/pieworld/pieworld.README +++ b/hardened/toolchain/branches/pieworld/pieworld.README 
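Review bot: The re-added `"edit"` branch writes `[[:space:]]+` where the removed version had `[[:space:]]\+`, and `sed` is still invoked without `-r`, so in basic regex the bare `+` is a literal plus sign and none of the four expressions should match a normal `#ifdef PIC` line. Restoring the escape, e.g. `-e 's/\(#[[:space:]]*\)ifdef[[:space:]]\+PIC\b/\1if (defined PIC || defined __PIC__)/'`, fixes that, and `*` after `#` also covers the common no-space form that the `grep` filter already accepts. Separately, `sed -s -i -n` has no `p` command, so as far as I can tell `-n` together with `-i` would rewrite each matched file as empty; `-n` should go. The third expression captures `\(.*$\)` but never emits `\2`, so the rest of the `#if` line would be dropped. The `case` sits inside `fixup_DPIC`, whose body starts and ends outside this hunk.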
@@ -133,44 +133,52 @@ Note also - ppc64 and sparc64 can't have linuxthreads as it doesn't compile (some changes that are in for nptl have not been back-ported). -Kernel -> x86 x86h ppc ppch amd64 amd64h sparc sparch ppc64 ppc64h Reason -NPTL Test v (? segfault) -libio/tst-wmemstream1 X (? segfault) -libio/tst-wmemstream2 X (? segfault) -libio/bug-wmemstream1 X (? segfault) -math/test-fenv X (?) -dlfcn/default X X X X (?) -posix/annexc X X X X (expected) -misc/tst-pselect X (?) -nptl/tst-execstack X (PaX) -nptl/tst-cancel1 X (expected) -nptl/rt/tst-cpuclock2 X (?) -nptl/tst-eintr1 X (?) -nptl/tst-cancel20 X (?) -nptl/tst-cancelx20 X (?) -elf/tst-tls1 X X X X (local-exec TLS) -elf/tst-tls2 X X X X (local-exec TLS) -elf/tst-tls1-static X X X X (local-exec TLS) -elf/tst-tls2-static X X X X (local-exec TLS) -elf/resolvfail X X X X (BIND_NOW) -elf/constload1 X X X X (BIND_NOW) -elf/order X X X X (BIND_NOW) -elf/lateglobal X X X X (BIND_NOW) -elf/dblload X X X X (BIND_NOW) -elf/dblunload X X X X (BIND_NOW) -elf/reldep6 X X X X (BIND_NOW) -elf/circleload1 X X X X (BIND_NOW) elf/tst-tls3 X X (?) -elf/tst-tls10 X X X (local-exec TLS) -elf/tst-tls14 X (local-exec TLS) -elf/tst-execstack X (PaX) -elf/tst-execstack-needed X (PaX) -elf//tst-execstack-prog X (PaX) -elf/tst-global1 X X X X (BIND_NOW) -elf/tst-audit2 X X X (local-exec TLS) - +H: hardened on hardened kernel, h: hardened on vanilla kernel, V: vanilla, +Arch (HhV)-> x86 ppc amd64 sparc ppc64 +NPTL Test v +iconvdata/iconv-test ... -.. ..X .-. ... (? segfault) +libio/tst-wmemstream1 ... -.. .X- .-. ... (? segfault) +libio/tst-wmemstream2 ... -.. .X- .-. ... (? segfault) +libio/bug-wmemstream1 ... -.. .X- .-. ... (? segfault) +malloc/tst-mtrace ... -.. .-X .-. ... +grp/tst_fgetgrent ... -.. .-X .-. ... +math/test-fenv ... -.. .-- .X. ... (?) +dlfcn/default ... X.. .X- .X. .X. (?) +posix/globtest ... -.. .-X .-. ... +posix/annexc ... X.. .XX .X. .X. (expected) +io/ftwtest ... -.. .-X .-. ... +misc/tst-pselect ... -.. 
.-- .-. ... (?) +nptl/tst-execstack ... X.. .-- .-. ... (PaX) +nptl/tst-cancel1 ... -.. .XX .-. ... (expected) +nptl/rt/tst-cpuclock2 ... -.. .X- .-. ... (?) +nptl/tst-eintr1 ... -.. .-- .X. ... (?) +nptl/tst-cancel20 ... -.. .-- .X. ... (?) +nptl/tst-cancelx20 ... -.. .-- .X. ... (?) +elf/tst-tls1 ... X.. .X- .X. .X. (local-exec TLS) +elf/tst-tls2 ... X.. .X- .X. .X. (local-exec TLS) +elf/tst-tls1-static ... X.. .X- .X. .X. (local-exec TLS) +elf/tst-tls2-static ... X.. .X- .X. .X. (local-exec TLS) +elf/resolvfail ... X.. .X- .X. .X. (BIND_NOW) +elf/constload1 ... X.. .X- .X. .X. (BIND_NOW) +elf/order ... X.. .X- .X. .X. (BIND_NOW) +elf/lateglobal ... X.. .X- .X. .X. (BIND_NOW) +elf/dblload ... X.. .X- .X. .X. (BIND_NOW) +elf/dblunload ... X.. .X- .X. .X. (BIND_NOW) +elf/reldep6 ... X.. .X- .X. .X. (BIND_NOW) +elf/circleload1 ... X.. .X- .X. .X. (BIND_NOW) +elf/tst-tls3 ... X.. .-- .X. ... (?) +elf/tst-tls10 ... X.. .X- .-. .X. (local-exec TLS) +elf/tst-tls14 ... -.. .X- .-. ... (local-exec TLS) +elf/tst-execstack ... X.. .-- .-. ... (PaX) +elf/tst-execstack-needed ... X.. .-- .-. ... (PaX) +elf/tst-execstack-prog ... X.. .-- .-. ... (PaX) +elf/tst-global1 ... X.. .X- .X. .X. (BIND_NOW) +elf/tst-audit2 ... X.. .X- .-. .X. (local-exec TLS) + +X => test failure PaX: PaX kernel causes execstack behaviour to fail (a good thing, where PaX is concerned). BIND_NOW: These tests require that some of their links be -Wl,-z,lazy (perhaps we could add this explicitly) -local-exec TLS: The local-exec TLS model is not compatible with PIC (and PIE) +local-exec TLS: The local-exec TLS model is not compatible with PIC (and therefore PIE) posix/annexc is ignored upstream (http://sourceware.org/ml/libc-hacker/1998-11/msg00207.html) -- cgit v1.2.3-65-gdbad