[Buildroot] [External] Re: [RFC for-next] package/gcc: enable secureplt for powerpc64

Weber, Matthew L Collins Matthew.Weber at collins.com
Tue May 18 13:20:38 UTC 2021


All,


> -----Original Message-----
> From: Yann E. MORIN <yann.morin.1998 at free.fr>
> Sent: Tuesday, May 18, 2021 7:06 AM
> To: Romain Naour <romain.naour at gmail.com>
> Cc: buildroot at buildroot.org; Weber, Matthew L Collins
> <Matthew.Weber at collins.com>
> Subject: [External] Re: [Buildroot] [RFC for-next] package/gcc: enable
> secureplt for powerpc64
> 
> Romain, All,
> 
> On 2021-05-17 22:13 +0200, Romain Naour spake thusly:
> > GCC supports enabling secureplt for powerpc64.
> >
> > From [1]
> > "PowerPC has two PLT models: BSS-PLT and Secure-PLT. BSS-PLT uses
> > runtime code generation to generate the PLT stubs. Secure-PLT was
> > introduced with GCC 4.1 and Binutils 2.17 (base has GCC 4.2.1 and
> > Binutils 2.17), and is a more secure PLT format, using a read-only
[snip]
> > linkage table, with the dynamic linker populating a non-executable
> > index table."

Interestingly, when doing SELinux policy, we didn't observe similar behavior with memory execute requests on PowerPC64 vs PowerPC. Without this option, we observed regular memory execute (access request) audits on PowerPC, and we couldn't cleanly write policy without really opening things up.

> >
> > This option is always enabled by glibc testing script called
> > build-many-glibcs.py [1]. This script has existed since glibc 2.25.
> >
> > Runtime tested with qemu_ppc64_e5500_defconfig.
> 
> Good enough for me.

Agree, the runtime test in QEMU should cover any lack of hardware testing.  I've successfully moved kernels between emulation and devkits for this arch.

Reviewed-by: Matt Weber <matthew.weber at collins.com>
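
An added example, not part of the original thread or of Buildroot: a check for the writable-and-executable memory that the quoted BSS-PLT description implies. It assumes, as on 32-bit PowerPC BSS-PLT builds, that the runtime-generated stubs show up as a PT_LOAD segment with both W and X set; `make_elf32_be` and its addresses are constructed sample input.

```python
import struct

PT_LOAD, PF_X, PF_W = 1, 0x1, 0x2

def wx_load_segments(elf):
    """Return (vaddr, flags) for each PT_LOAD segment that is writable and executable."""
    if elf[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    is64 = elf[4] == 2                    # EI_CLASS: 1 = ELF32, 2 = ELF64
    end = ">" if elf[5] == 2 else "<"     # EI_DATA: 2 = big-endian
    if is64:
        (e_phoff,) = struct.unpack_from(end + "Q", elf, 0x20)
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", elf, 0x36)
    else:
        (e_phoff,) = struct.unpack_from(end + "I", elf, 0x1C)
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", elf, 0x2A)
    hits = []
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        if is64:   # Elf64_Phdr: p_type, p_flags, p_offset, p_vaddr, ...
            p_type, p_flags, _, p_vaddr = struct.unpack_from(end + "IIQQ", elf, off)
        else:      # Elf32_Phdr: p_type, p_offset, p_vaddr, ..., p_flags, p_align
            p_type, _, p_vaddr, _, _, _, p_flags = struct.unpack_from(end + "7I", elf, off)
        if p_type == PT_LOAD and p_flags & PF_W and p_flags & PF_X:
            hits.append((p_vaddr, p_flags))
    return hits

def make_elf32_be(data_flags):
    """Constructed sample: ELF32 big-endian (EM_PPC = 20) with text and data PT_LOADs."""
    ident = b"\x7fELF" + bytes([1, 2, 1]) + bytes(9)
    ehdr = ident + struct.pack(">HHIIIIIHHHHHH",
                               2, 20, 1, 0x10000000, 52, 0, 0, 52, 32, 2, 0, 0, 0)
    text = struct.pack(">8I", PT_LOAD, 0, 0x10000000, 0x10000000,
                       0x1000, 0x1000, 5, 0x10000)            # R+X
    data = struct.pack(">8I", PT_LOAD, 0x1000, 0x10020000, 0x10020000,
                       0x200, 0x400, data_flags, 0x10000)
    return ehdr + text + data

if __name__ == "__main__":
    # Data segment RWE (7) models the BSS-PLT layout, RW (6) the secure-PLT one.
    for name, flags in (("bss-plt-like", 7), ("secure-plt-like", 6)):
        hits = wx_load_segments(make_elf32_be(flags))
        print(name, [(hex(v), f) for v, f in hits] or "no W+X segment")
```

Reading a real target binary with `open(path, "rb").read()` and passing the bytes in gives the same answer as looking for `RWE` in `readelf -l` output.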


