Re: [PATCH] arm64: link with -z norelro for LLD or aarch64-elf
From: Ard Biesheuvel
Date: Thu Dec 17 2020 - 14:30:46 EST
On Thu, 17 Dec 2020 at 01:41, Nick Desaulniers <ndesaulniers@xxxxxxxxxx> wrote:
>
> With newer GNU binutils, linking with BFD produces warnings for vmlinux:
> aarch64-linux-gnu-ld: warning: -z norelro ignored
>
> BFD can produce this warning when the target emulation mode does not
> support RELRO relocation types, and -z relro or -z norelro is passed.
>
RELRO is not a relocation type, it is a type of program header which
we might simply ignore, if it weren't for the fact that it can only be
emitted if the layout of the sections adheres to certain rules (and
ours doesn't), and we get an error otherwise.
It amounts to implicit __ro_after_init annotations for statically
initialized const pointers, but given that we don't compile with
-fpie, those const pointers reside in .rodata already, so RELRO adds
no value for us.
> Alan Modra clarifies:
> The default linker emulation for an aarch64-linux ld.bfd is
> -maarch64linux, the default for an aarch64-elf linker is
> -maarch64elf. They are not equivalent. If you choose -maarch64elf
> you get an emulation that doesn't support -z relro.
>
> The ARCH=arm64 kernel prefers -maarch64elf, but may fall back to
> -maarch64linux based on the toolchain configuration.
>
> LLD will always create RELRO relocation types regardless of target
> emulation.
>
RELRO program header
> To avoid the above warning when linking with BFD, pass -z norelro only
> when linking with LLD or with -maarch64linux.
>
> Cc: Alan Modra <amodra@xxxxxxxxx>
> Cc: Ard Biesheuvel <ardb@xxxxxxxxxx>
> Cc: Fāng-ruì Sòng <maskray@xxxxxxxxxx>
> Fixes: 3b92fa7485eb ("arm64: link with -z norelro regardless of CONFIG_RELOCATABLE")
> Reported-by: kernelci.org bot <bot@xxxxxxxxxxxx>
> Reported-by: Quentin Perret <qperret@xxxxxxxxxx>
> Signed-off-by: Nick Desaulniers <ndesaulniers@xxxxxxxxxx>
With mentions of 'RELRO relocation types' fixed:
Acked-by: Ard Biesheuvel <ardb@xxxxxxxxxx>
> ---
> arch/arm64/Makefile | 10 +++++++---
> 1 file changed, 7 insertions(+), 3 deletions(-)
>
> diff --git a/arch/arm64/Makefile b/arch/arm64/Makefile
> index 6be9b3750250..90309208bb28 100644
> --- a/arch/arm64/Makefile
> +++ b/arch/arm64/Makefile
> @@ -10,7 +10,7 @@
> #
> # Copyright (C) 1995-2001 by Russell King
>
> -LDFLAGS_vmlinux :=--no-undefined -X -z norelro
> +LDFLAGS_vmlinux :=--no-undefined -X
>
> ifeq ($(CONFIG_RELOCATABLE), y)
> # Pass --no-apply-dynamic-relocs to restore pre-binutils-2.27 behaviour
> @@ -115,16 +115,20 @@ KBUILD_CPPFLAGS += -mbig-endian
> CHECKFLAGS += -D__AARCH64EB__
> # Prefer the baremetal ELF build target, but not all toolchains include
> # it so fall back to the standard linux version if needed.
> -KBUILD_LDFLAGS += -EB $(call ld-option, -maarch64elfb, -maarch64linuxb)
> +KBUILD_LDFLAGS += -EB $(call ld-option, -maarch64elfb, -maarch64linuxb -z norelro)
> UTS_MACHINE := aarch64_be
> else
> KBUILD_CPPFLAGS += -mlittle-endian
> CHECKFLAGS += -D__AARCH64EL__
> # Same as above, prefer ELF but fall back to linux target if needed.
> -KBUILD_LDFLAGS += -EL $(call ld-option, -maarch64elf, -maarch64linux)
> +KBUILD_LDFLAGS += -EL $(call ld-option, -maarch64elf, -maarch64linux -z norelro)
> UTS_MACHINE := aarch64
> endif
>
> +ifeq ($(CONFIG_LD_IS_LLD), y)
> +KBUILD_LDFLAGS += -z norelro
> +endif
> +
> CHECKFLAGS += -D__aarch64__
>
> ifeq ($(CONFIG_DYNAMIC_FTRACE_WITH_REGS),y)
> --
> 2.29.2.684.gfbc64c5ab5-goog
>