[Buildroot] [PATCH] Config.in: disable Fortify Source for microblaze
Giulio Benetti
giulio.benetti at benettiengineering.com
Sat Aug 21 13:42:34 UTC 2021
> Il giorno 21 ago 2021, alle ore 14:47, Romain Naour <romain.naour at gmail.com> ha scritto:
>
> Hello Giulio,
>
>> Le 21/08/2021 à 01:09, Giulio Benetti a écrit :
>>> On 8/21/21 12:59 AM, Giulio Benetti wrote:
>>> Hi Romain, All,
>>>
>>> On 8/21/21 12:53 AM, Romain Naour wrote:
>>>> As reported by Toolchain-builder project [1], the system doesn't
>>>> boot when Fortify Source is enabled for glibc based toolchain
>>>> (the init process hang).
>>>>
>>>> Also, hardening features may not be wanted or possible for such
>>>> slow soft-core cpus [2].
>>>>
>>>> [1] https://gitlab.com/bootlin/toolchains-builder/-/jobs/1467624500
>>>> [2] http://lists.busybox.net/pipermail/buildroot/2021-June/312416.html
>>>>
>>>> Signed-off-by: Romain Naour <romain.naour at gmail.com>
>>>> Cc: Thomas Petazzoni <thomas.petazzoni at bootlin.com>
>>>> Cc: Giulio Benetti <giulio.benetti at benettiengineering.com>
>>>> ---
>>>> With BR2_RELRO_PARTIAL enabled, the system boot.
>>>> ---
>>>> Config.in | 7 +++++++
>>>> 1 file changed, 7 insertions(+)
>>>>
>>>> diff --git a/Config.in b/Config.in
>>>> index 2ef5d407e4..84f7fa6e8d 100644
>>>> --- a/Config.in
>>>> +++ b/Config.in
>>>> @@ -853,9 +853,16 @@ endchoice
>>>> comment "RELocation Read Only (RELRO) needs shared libraries"
>>>> depends on !BR2_SHARED_LIBS
>>>> +config BR2_FORTIFY_SOURCE_ARCH_SUPPORTS
>>>> + bool
>>>> + default y
>>>> + # Microblaze glibc toolchains don't work with Fortify Source enabled >
>>>> + depends on !BR2_microblaze
>>>
>>> here you say it doesn't work with glibc toolchains, so you could add
>>> '&& !BR2_TOOLCHAIN_USES_GLIBC'. I think it's worth if it works with
>>> uclibc and musl.
>>
>> Of course between parenthesis like:
>> ```
>> depends on (!BR2_microblaze && !BR2_TOOLCHAIN_USES_GLIBC)
>> ```
>> otherwise every toolchain which uses glibc doesn't use Fortify anymore.
>>
>>> What do you think about it?
>
> Fortify Source is disabled for the same reason as for PIC/PIE even for uClibc-ng
> or musl:
>
> https://git.buildroot.net/buildroot/commit/?id=d120f844604da2295bb7bd8fc6c1f4efbe8b5792
>
> I want to avoid the maintenance burden on such platform.
Ah ok, I’ve understood wrongly by the comment mentioning glibc only.
No problem then.
Best regards
Giulio Benetti
>
> Best regards,
> Romain
>
>>>
>>> Best regards
>>>
>>
>
More information about the buildroot
mailing list