Message ID | 20230710094148.308395-1-heiko.thiery@gmail.com |
---|---|
State | Accepted |
Series | [v2] boot/arm-trusted-firmware: fix build issue with binutils 2.39+ |
Hi Heiko,

On 10/07/23 11:41, Heiko Thiery wrote:
> The new version of binutils introduces a new warning when linking. The
> new warning is enabled by default. To fix the issue this warning is
> disabled by adding the patches to the arm-trusted-firmware package
> v{2.2..2.8}. This is a backport of an upstream commit [1]
>
> Since there are too many defconfigs that use the arm-trusted-firmware
> package, it is not practical to create a global-patch-dir for all of them.
> Therefore the patches are only in the package directory.
>
> [1] https://github.com/ARM-software/arm-trusted-firmware/commit/1f49db5f25cdd4e43825c9bcc0575070b80f628c
>
> Fixes:
> https://gitlab.com/buildroot.org/buildroot/-/jobs/4603996186
> https://gitlab.com/buildroot.org/buildroot/-/jobs/4603996189 https://gitlab.com/buildroot.org/buildroot/-/jobs/4603996366
>
> Cc: Yann E. MORIN <yann.morin.1998@free.fr>
> Cc: Dario Binacchi <dario.binacchi@amarulasolutions.com>
> Cc: Romain Naour <romain.naour@smile.fr>
> Signed-off-by: Heiko Thiery <heiko.thiery@gmail.com>

Thank you for the patch!

Reviewed-by: Giulio Benetti <giulio.benetti@benettiengineering.com>
Tested-by: Giulio Benetti <giulio.benetti@benettiengineering.com>

Best regards

Heiko, All,

On 2023-07-10 11:41 +0200, Heiko Thiery spake thusly:
> The new version of binutils introduces a new warning when linking. The
> new warning is enabled by default. To fix the issue this warning is
> disabled by adding the patches to the arm-trusted-firmware package
> v{2.2..2.8}. This is a backport of an upstream commit [1]
>
> Since there are too many defconfigs that use the arm-trusted-firmware
> package, it is not practical to create a global-patch-dir for all of them.
> Therefore the patches are only in the package directory.
>
> [1] https://github.com/ARM-software/arm-trusted-firmware/commit/1f49db5f25cdd4e43825c9bcc0575070b80f628c
>
> Fixes:
> https://gitlab.com/buildroot.org/buildroot/-/jobs/4603996186
> https://gitlab.com/buildroot.org/buildroot/-/jobs/4603996189
>
> Cc: Yann E. MORIN <yann.morin.1998@free.fr>
> Cc: Dario Binacchi <dario.binacchi@amarulasolutions.com>
> Cc: Romain Naour <romain.naour@smile.fr>
> Signed-off-by: Heiko Thiery <heiko.thiery@gmail.com>
>
> ---
> v2: change the commit message to state why we add the patch to the
> package directory
> ---
> ...-add-support-for-new-binutils-versio.patch | 58 +++++++++++++++++
> ...dd-support-for-new-binutils-versions.patch | 62 +++++++++++++++++++
> ...dd-support-for-new-binutils-versions.patch | 62 +++++++++++++++++++
> ...dd-support-for-new-binutils-versions.patch | 62 +++++++++++++++++++
> ...dd-support-for-new-binutils-versions.patch | 62 +++++++++++++++++++
> ...dd-support-for-new-binutils-versions.patch | 62 +++++++++++++++++++
> ...dd-support-for-new-binutils-versions.patch | 62 +++++++++++++++++++

$ make check-package
boot/arm-trusted-firmware/v2.2/0001-PATCH-feat-build-add-support-for-new-binutils-versio.patch:0: missing Upstream in the header (http://nightly.buildroot.org/#_additional_patch_documentation)
boot/arm-trusted-firmware/v2.3/0001-feat-build-add-support-for-new-binutils-versions.patch:0: missing Upstream in the header (http://nightly.buildroot.org/#_additional_patch_documentation)
boot/arm-trusted-firmware/v2.4/0001-feat-build-add-support-for-new-binutils-versions.patch:0: missing Upstream in the header (http://nightly.buildroot.org/#_additional_patch_documentation)
boot/arm-trusted-firmware/v2.5/0001-feat-build-add-support-for-new-binutils-versions.patch:0: missing Upstream in the header (http://nightly.buildroot.org/#_additional_patch_documentation)
boot/arm-trusted-firmware/v2.6/0001-feat-build-add-support-for-new-binutils-versions.patch:0: missing Upstream in the header (http://nightly.buildroot.org/#_additional_patch_documentation)
boot/arm-trusted-firmware/v2.7/0001-feat-build-add-support-for-new-binutils-versions.patch:0: missing Upstream in the header (http://nightly.buildroot.org/#_additional_patch_documentation)
boot/arm-trusted-firmware/v2.8/0001-feat-build-add-support-for-new-binutils-versions.patch:0: missing Upstream in the header (http://nightly.buildroot.org/#_additional_patch_documentation)

I fixed that, and applied to master, thanks.

Regards,
Yann E. MORIN.

> 7 files changed, 430 insertions(+)
> create mode 100644 boot/arm-trusted-firmware/v2.2/0001-PATCH-feat-build-add-support-for-new-binutils-versio.patch
> create mode 100644 boot/arm-trusted-firmware/v2.3/0001-feat-build-add-support-for-new-binutils-versions.patch
> create mode 100644 boot/arm-trusted-firmware/v2.4/0001-feat-build-add-support-for-new-binutils-versions.patch
> create mode 100644 boot/arm-trusted-firmware/v2.5/0001-feat-build-add-support-for-new-binutils-versions.patch
> create mode 100644 boot/arm-trusted-firmware/v2.6/0001-feat-build-add-support-for-new-binutils-versions.patch
> create mode 100644 boot/arm-trusted-firmware/v2.7/0001-feat-build-add-support-for-new-binutils-versions.patch
> create mode 100644 boot/arm-trusted-firmware/v2.8/0001-feat-build-add-support-for-new-binutils-versions.patch
>
> diff --git a/boot/arm-trusted-firmware/v2.2/0001-PATCH-feat-build-add-support-for-new-binutils-versio.patch b/boot/arm-trusted-firmware/v2.2/0001-PATCH-feat-build-add-support-for-new-binutils-versio.patch
> new file mode 100644
> index 0000000000..2375de0eef
> --- /dev/null
> +++ b/boot/arm-trusted-firmware/v2.2/0001-PATCH-feat-build-add-support-for-new-binutils-versio.patch
> @@ -0,0 +1,58 @@ > +From 5e1beb793c06352e87c46eca1144ff1fe8555103 Mon Sep 17 00:00:00 2001 > +From: Heiko Thiery <heiko.thiery@gmail.com> > +Date: Mon, 10 Jul 2023 10:43:03 +0200 > +Subject: [PATCH] [PATCH] feat(build): add support for new binutils versions > + > +Users of GNU ld (BPF) from binutils 2.39+ will observe multiple instaces > +of a new warning when linking the bl*.elf in the form: > + > + ld.bfd: warning: stm32mp1_helper.o: missing .note.GNU-stack section implies executable stack > + ld.bfd: NOTE: This behaviour is deprecated and will be removed in a future version of the linker > + ld.bfd: warning: bl2.elf has a LOAD segment with RWX permissions > + ld.bfd: warning: bl32.elf has a LOAD segment with RWX permissions > + > +These new warnings are enbaled by default to secure elf binaries: > + - https://sourceware.org/git/?p=binutils-gdb.git;a=commit;h=ba951afb99912da01a6e8434126b8fac7aa75107 > + - https://sourceware.org/git/?p=binutils-gdb.git;a=commit;h=0d38576a34ec64a1b4500c9277a8e9d0f07e6774 > + > +Fix it in a similar way to what the Linux kernel does, see: > +https://lore.kernel.org/all/20220810222442.2296651-1-ndesaulniers@google.com/ > + > +Following the reasoning there, we set "-z noexecstack" for all linkers > +(although LLVM's LLD defaults to it) and optional add > +--no-warn-rwx-segments since this a ld.bfd related. 
> + > +Signed-off-by: Marco Felsch <m.felsch@pengutronix.de> > +Signed-off-by: Robert Schwebel <r.schwebel@pengutronix.de> > +Change-Id: I9430f5fa5036ca88da46cd3b945754d62616b617 > + > +Signed-off-by: Heiko Thiery <heiko.thiery@gmail.com> > +--- > + Makefile | 7 ++++++- > + 1 file changed, 6 insertions(+), 1 deletion(-) > + > +diff --git a/Makefile b/Makefile > +index 721246d51..5893cf422 100644 > +--- a/Makefile > ++++ b/Makefile > +@@ -297,11 +297,16 @@ endif > + > + GCC_V_OUTPUT := $(shell $(CC) -v 2>&1) > + > ++TF_LDFLAGS += -z noexecstack > ++ > + ifneq ($(findstring armlink,$(notdir $(LD))),) > + TF_LDFLAGS += --diag_error=warning --lto_level=O1 > + TF_LDFLAGS += --remove --info=unused,unusedsymbols > + else > +-TF_LDFLAGS += --fatal-warnings -O1 > ++# With ld.bfd version 2.39 and newer new warnings are added. Skip those since we > ++# are not loaded by a elf loader. > ++TF_LDFLAGS += $(call ld_option, --no-warn-rwx-segments) > ++TF_LDFLAGS += -O1 > + TF_LDFLAGS += --gc-sections > + endif > + TF_LDFLAGS += $(TF_LDFLAGS_$(ARCH)) > +-- > +2.30.2 > + > diff --git a/boot/arm-trusted-firmware/v2.3/0001-feat-build-add-support-for-new-binutils-versions.patch b/boot/arm-trusted-firmware/v2.3/0001-feat-build-add-support-for-new-binutils-versions.patch > new file mode 100644 > index 0000000000..9b5a9dba97 > --- /dev/null > +++ b/boot/arm-trusted-firmware/v2.3/0001-feat-build-add-support-for-new-binutils-versions.patch 
> @@ -0,0 +1,62 @@ > +From 0f75b03c008eacb9818af3a56dc088e72a623d17 Mon Sep 17 00:00:00 2001 > +From: Marco Felsch <m.felsch@pengutronix.de> > +Date: Wed, 9 Nov 2022 12:59:09 +0100 > +Subject: [PATCH] feat(build): add support for new binutils versions > + > +Users of GNU ld (BPF) from binutils 2.39+ will observe multiple instaces > +of a new warning when linking the bl*.elf in the form: > + > + ld.bfd: warning: stm32mp1_helper.o: missing .note.GNU-stack section implies executable stack > + ld.bfd: NOTE: This behaviour is deprecated and will be removed in a future version of the linker > + ld.bfd: warning: bl2.elf has a LOAD segment with RWX permissions > + ld.bfd: warning: bl32.elf has a LOAD segment with RWX permissions > + > +These new warnings are enbaled by default to secure elf binaries: > + - https://sourceware.org/git/?p=binutils-gdb.git;a=commit;h=ba951afb99912da01a6e8434126b8fac7aa75107 > + - https://sourceware.org/git/?p=binutils-gdb.git;a=commit;h=0d38576a34ec64a1b4500c9277a8e9d0f07e6774 > + > +Fix it in a similar way to what the Linux kernel does, see: > +https://lore.kernel.org/all/20220810222442.2296651-1-ndesaulniers@google.com/ > + > +Following the reasoning there, we set "-z noexecstack" for all linkers > +(although LLVM's LLD defaults to it) and optional add > +--no-warn-rwx-segments since this a ld.bfd related. 
> + > +Signed-off-by: Heiko Thiery <heiko.thiery@gmail.com> > +[Retrieved and rebased from > +https://github.com/ARM-software/arm-trusted-firmware/commit/1f49db5f25cdd4e43825c9bcc0575070b80f628c] > +Signed-off-by: Marco Felsch <m.felsch@pengutronix.de> > +Signed-off-by: Robert Schwebel <r.schwebel@pengutronix.de> > +Change-Id: I9430f5fa5036ca88da46cd3b945754d62616b617 > +--- > + Makefile | 7 ++++++- > + 1 file changed, 6 insertions(+), 1 deletion(-) > + > +diff --git a/Makefile b/Makefile > +index 1ddb7b844..470956b19 100644 > +--- a/Makefile > ++++ b/Makefile > +@@ -416,6 +416,8 @@ endif > + > + GCC_V_OUTPUT := $(shell $(CC) -v 2>&1) > + > ++TF_LDFLAGS += -z noexecstack > ++ > + # LD = armlink > + ifneq ($(findstring armlink,$(notdir $(LD))),) > + TF_LDFLAGS += --diag_error=warning --lto_level=O1 > +@@ -442,7 +444,10 @@ TF_LDFLAGS += $(subst --,-Xlinker --,$(TF_LDFLAGS_$(ARCH))) > + > + # LD = gcc-ld (ld) or llvm-ld (ld.lld) or other > + else > +-TF_LDFLAGS += --fatal-warnings -O1 > ++# With ld.bfd version 2.39 and newer new warnings are added. Skip those since we > ++# are not loaded by a elf loader. > ++TF_LDFLAGS += $(call ld_option, --no-warn-rwx-segments) > ++TF_LDFLAGS += -O1 > + TF_LDFLAGS += --gc-sections > + # ld.lld doesn't recognize the errata flags, > + # therefore don't add those in that case > +-- > +2.30.2 > + > diff --git a/boot/arm-trusted-firmware/v2.4/0001-feat-build-add-support-for-new-binutils-versions.patch b/boot/arm-trusted-firmware/v2.4/0001-feat-build-add-support-for-new-binutils-versions.patch > new file mode 100644 > index 0000000000..9b5a9dba97 > --- /dev/null > +++ b/boot/arm-trusted-firmware/v2.4/0001-feat-build-add-support-for-new-binutils-versions.patch 
> @@ -0,0 +1,62 @@ > +From 0f75b03c008eacb9818af3a56dc088e72a623d17 Mon Sep 17 00:00:00 2001 > +From: Marco Felsch <m.felsch@pengutronix.de> > +Date: Wed, 9 Nov 2022 12:59:09 +0100 > +Subject: [PATCH] feat(build): add support for new binutils versions > + > +Users of GNU ld (BPF) from binutils 2.39+ will observe multiple instaces > +of a new warning when linking the bl*.elf in the form: > + > + ld.bfd: warning: stm32mp1_helper.o: missing .note.GNU-stack section implies executable stack > + ld.bfd: NOTE: This behaviour is deprecated and will be removed in a future version of the linker > + ld.bfd: warning: bl2.elf has a LOAD segment with RWX permissions > + ld.bfd: warning: bl32.elf has a LOAD segment with RWX permissions > + > +These new warnings are enbaled by default to secure elf binaries: > + - https://sourceware.org/git/?p=binutils-gdb.git;a=commit;h=ba951afb99912da01a6e8434126b8fac7aa75107 > + - https://sourceware.org/git/?p=binutils-gdb.git;a=commit;h=0d38576a34ec64a1b4500c9277a8e9d0f07e6774 > + > +Fix it in a similar way to what the Linux kernel does, see: > +https://lore.kernel.org/all/20220810222442.2296651-1-ndesaulniers@google.com/ > + > +Following the reasoning there, we set "-z noexecstack" for all linkers > +(although LLVM's LLD defaults to it) and optional add > +--no-warn-rwx-segments since this a ld.bfd related. 
> + > +Signed-off-by: Heiko Thiery <heiko.thiery@gmail.com> > +[Retrieved and rebased from > +https://github.com/ARM-software/arm-trusted-firmware/commit/1f49db5f25cdd4e43825c9bcc0575070b80f628c] > +Signed-off-by: Marco Felsch <m.felsch@pengutronix.de> > +Signed-off-by: Robert Schwebel <r.schwebel@pengutronix.de> > +Change-Id: I9430f5fa5036ca88da46cd3b945754d62616b617 > +--- > + Makefile | 7 ++++++- > + 1 file changed, 6 insertions(+), 1 deletion(-) > + > +diff --git a/Makefile b/Makefile > +index 1ddb7b844..470956b19 100644 > +--- a/Makefile > ++++ b/Makefile > +@@ -416,6 +416,8 @@ endif > + > + GCC_V_OUTPUT := $(shell $(CC) -v 2>&1) > + > ++TF_LDFLAGS += -z noexecstack > ++ > + # LD = armlink > + ifneq ($(findstring armlink,$(notdir $(LD))),) > + TF_LDFLAGS += --diag_error=warning --lto_level=O1 > +@@ -442,7 +444,10 @@ TF_LDFLAGS += $(subst --,-Xlinker --,$(TF_LDFLAGS_$(ARCH))) > + > + # LD = gcc-ld (ld) or llvm-ld (ld.lld) or other > + else > +-TF_LDFLAGS += --fatal-warnings -O1 > ++# With ld.bfd version 2.39 and newer new warnings are added. Skip those since we > ++# are not loaded by a elf loader. > ++TF_LDFLAGS += $(call ld_option, --no-warn-rwx-segments) > ++TF_LDFLAGS += -O1 > + TF_LDFLAGS += --gc-sections > + # ld.lld doesn't recognize the errata flags, > + # therefore don't add those in that case > +-- > +2.30.2 > + > diff --git a/boot/arm-trusted-firmware/v2.5/0001-feat-build-add-support-for-new-binutils-versions.patch b/boot/arm-trusted-firmware/v2.5/0001-feat-build-add-support-for-new-binutils-versions.patch > new file mode 100644 > index 0000000000..9b5a9dba97 > --- /dev/null > +++ b/boot/arm-trusted-firmware/v2.5/0001-feat-build-add-support-for-new-binutils-versions.patch 
> @@ -0,0 +1,62 @@ > +From 0f75b03c008eacb9818af3a56dc088e72a623d17 Mon Sep 17 00:00:00 2001 > +From: Marco Felsch <m.felsch@pengutronix.de> > +Date: Wed, 9 Nov 2022 12:59:09 +0100 > +Subject: [PATCH] feat(build): add support for new binutils versions > + > +Users of GNU ld (BPF) from binutils 2.39+ will observe multiple instaces > +of a new warning when linking the bl*.elf in the form: > + > + ld.bfd: warning: stm32mp1_helper.o: missing .note.GNU-stack section implies executable stack > + ld.bfd: NOTE: This behaviour is deprecated and will be removed in a future version of the linker > + ld.bfd: warning: bl2.elf has a LOAD segment with RWX permissions > + ld.bfd: warning: bl32.elf has a LOAD segment with RWX permissions > + > +These new warnings are enbaled by default to secure elf binaries: > + - https://sourceware.org/git/?p=binutils-gdb.git;a=commit;h=ba951afb99912da01a6e8434126b8fac7aa75107 > + - https://sourceware.org/git/?p=binutils-gdb.git;a=commit;h=0d38576a34ec64a1b4500c9277a8e9d0f07e6774 > + > +Fix it in a similar way to what the Linux kernel does, see: > +https://lore.kernel.org/all/20220810222442.2296651-1-ndesaulniers@google.com/ > + > +Following the reasoning there, we set "-z noexecstack" for all linkers > +(although LLVM's LLD defaults to it) and optional add > +--no-warn-rwx-segments since this a ld.bfd related. 
> + > +Signed-off-by: Heiko Thiery <heiko.thiery@gmail.com> > +[Retrieved and rebased from > +https://github.com/ARM-software/arm-trusted-firmware/commit/1f49db5f25cdd4e43825c9bcc0575070b80f628c] > +Signed-off-by: Marco Felsch <m.felsch@pengutronix.de> > +Signed-off-by: Robert Schwebel <r.schwebel@pengutronix.de> > +Change-Id: I9430f5fa5036ca88da46cd3b945754d62616b617 > +--- > + Makefile | 7 ++++++- > + 1 file changed, 6 insertions(+), 1 deletion(-) > + > +diff --git a/Makefile b/Makefile > +index 1ddb7b844..470956b19 100644 > +--- a/Makefile > ++++ b/Makefile > +@@ -416,6 +416,8 @@ endif > + > + GCC_V_OUTPUT := $(shell $(CC) -v 2>&1) > + > ++TF_LDFLAGS += -z noexecstack > ++ > + # LD = armlink > + ifneq ($(findstring armlink,$(notdir $(LD))),) > + TF_LDFLAGS += --diag_error=warning --lto_level=O1 > +@@ -442,7 +444,10 @@ TF_LDFLAGS += $(subst --,-Xlinker --,$(TF_LDFLAGS_$(ARCH))) > + > + # LD = gcc-ld (ld) or llvm-ld (ld.lld) or other > + else > +-TF_LDFLAGS += --fatal-warnings -O1 > ++# With ld.bfd version 2.39 and newer new warnings are added. Skip those since we > ++# are not loaded by a elf loader. > ++TF_LDFLAGS += $(call ld_option, --no-warn-rwx-segments) > ++TF_LDFLAGS += -O1 > + TF_LDFLAGS += --gc-sections > + # ld.lld doesn't recognize the errata flags, > + # therefore don't add those in that case > +-- > +2.30.2 > + > diff --git a/boot/arm-trusted-firmware/v2.6/0001-feat-build-add-support-for-new-binutils-versions.patch b/boot/arm-trusted-firmware/v2.6/0001-feat-build-add-support-for-new-binutils-versions.patch > new file mode 100644 > index 0000000000..9b5a9dba97 > --- /dev/null > +++ b/boot/arm-trusted-firmware/v2.6/0001-feat-build-add-support-for-new-binutils-versions.patch 
> @@ -0,0 +1,62 @@ > +From 0f75b03c008eacb9818af3a56dc088e72a623d17 Mon Sep 17 00:00:00 2001 > +From: Marco Felsch <m.felsch@pengutronix.de> > +Date: Wed, 9 Nov 2022 12:59:09 +0100 > +Subject: [PATCH] feat(build): add support for new binutils versions > + > +Users of GNU ld (BPF) from binutils 2.39+ will observe multiple instaces > +of a new warning when linking the bl*.elf in the form: > + > + ld.bfd: warning: stm32mp1_helper.o: missing .note.GNU-stack section implies executable stack > + ld.bfd: NOTE: This behaviour is deprecated and will be removed in a future version of the linker > + ld.bfd: warning: bl2.elf has a LOAD segment with RWX permissions > + ld.bfd: warning: bl32.elf has a LOAD segment with RWX permissions > + > +These new warnings are enbaled by default to secure elf binaries: > + - https://sourceware.org/git/?p=binutils-gdb.git;a=commit;h=ba951afb99912da01a6e8434126b8fac7aa75107 > + - https://sourceware.org/git/?p=binutils-gdb.git;a=commit;h=0d38576a34ec64a1b4500c9277a8e9d0f07e6774 > + > +Fix it in a similar way to what the Linux kernel does, see: > +https://lore.kernel.org/all/20220810222442.2296651-1-ndesaulniers@google.com/ > + > +Following the reasoning there, we set "-z noexecstack" for all linkers > +(although LLVM's LLD defaults to it) and optional add > +--no-warn-rwx-segments since this a ld.bfd related. 
> + > +Signed-off-by: Heiko Thiery <heiko.thiery@gmail.com> > +[Retrieved and rebased from > +https://github.com/ARM-software/arm-trusted-firmware/commit/1f49db5f25cdd4e43825c9bcc0575070b80f628c] > +Signed-off-by: Marco Felsch <m.felsch@pengutronix.de> > +Signed-off-by: Robert Schwebel <r.schwebel@pengutronix.de> > +Change-Id: I9430f5fa5036ca88da46cd3b945754d62616b617 > +--- > + Makefile | 7 ++++++- > + 1 file changed, 6 insertions(+), 1 deletion(-) > + > +diff --git a/Makefile b/Makefile > +index 1ddb7b844..470956b19 100644 > +--- a/Makefile > ++++ b/Makefile > +@@ -416,6 +416,8 @@ endif > + > + GCC_V_OUTPUT := $(shell $(CC) -v 2>&1) > + > ++TF_LDFLAGS += -z noexecstack > ++ > + # LD = armlink > + ifneq ($(findstring armlink,$(notdir $(LD))),) > + TF_LDFLAGS += --diag_error=warning --lto_level=O1 > +@@ -442,7 +444,10 @@ TF_LDFLAGS += $(subst --,-Xlinker --,$(TF_LDFLAGS_$(ARCH))) > + > + # LD = gcc-ld (ld) or llvm-ld (ld.lld) or other > + else > +-TF_LDFLAGS += --fatal-warnings -O1 > ++# With ld.bfd version 2.39 and newer new warnings are added. Skip those since we > ++# are not loaded by a elf loader. > ++TF_LDFLAGS += $(call ld_option, --no-warn-rwx-segments) > ++TF_LDFLAGS += -O1 > + TF_LDFLAGS += --gc-sections > + # ld.lld doesn't recognize the errata flags, > + # therefore don't add those in that case > +-- > +2.30.2 > + > diff --git a/boot/arm-trusted-firmware/v2.7/0001-feat-build-add-support-for-new-binutils-versions.patch b/boot/arm-trusted-firmware/v2.7/0001-feat-build-add-support-for-new-binutils-versions.patch > new file mode 100644 > index 0000000000..9b5a9dba97 > --- /dev/null > +++ b/boot/arm-trusted-firmware/v2.7/0001-feat-build-add-support-for-new-binutils-versions.patch 
> @@ -0,0 +1,62 @@ > +From 0f75b03c008eacb9818af3a56dc088e72a623d17 Mon Sep 17 00:00:00 2001 > +From: Marco Felsch <m.felsch@pengutronix.de> > +Date: Wed, 9 Nov 2022 12:59:09 +0100 > +Subject: [PATCH] feat(build): add support for new binutils versions > + > +Users of GNU ld (BPF) from binutils 2.39+ will observe multiple instaces > +of a new warning when linking the bl*.elf in the form: > + > + ld.bfd: warning: stm32mp1_helper.o: missing .note.GNU-stack section implies executable stack > + ld.bfd: NOTE: This behaviour is deprecated and will be removed in a future version of the linker > + ld.bfd: warning: bl2.elf has a LOAD segment with RWX permissions > + ld.bfd: warning: bl32.elf has a LOAD segment with RWX permissions > + > +These new warnings are enbaled by default to secure elf binaries: > + - https://sourceware.org/git/?p=binutils-gdb.git;a=commit;h=ba951afb99912da01a6e8434126b8fac7aa75107 > + - https://sourceware.org/git/?p=binutils-gdb.git;a=commit;h=0d38576a34ec64a1b4500c9277a8e9d0f07e6774 > + > +Fix it in a similar way to what the Linux kernel does, see: > +https://lore.kernel.org/all/20220810222442.2296651-1-ndesaulniers@google.com/ > + > +Following the reasoning there, we set "-z noexecstack" for all linkers > +(although LLVM's LLD defaults to it) and optional add > +--no-warn-rwx-segments since this a ld.bfd related. 
> + > +Signed-off-by: Heiko Thiery <heiko.thiery@gmail.com> > +[Retrieved and rebased from > +https://github.com/ARM-software/arm-trusted-firmware/commit/1f49db5f25cdd4e43825c9bcc0575070b80f628c] > +Signed-off-by: Marco Felsch <m.felsch@pengutronix.de> > +Signed-off-by: Robert Schwebel <r.schwebel@pengutronix.de> > +Change-Id: I9430f5fa5036ca88da46cd3b945754d62616b617 > +--- > + Makefile | 7 ++++++- > + 1 file changed, 6 insertions(+), 1 deletion(-) > + > +diff --git a/Makefile b/Makefile > +index 1ddb7b844..470956b19 100644 > +--- a/Makefile > ++++ b/Makefile > +@@ -416,6 +416,8 @@ endif > + > + GCC_V_OUTPUT := $(shell $(CC) -v 2>&1) > + > ++TF_LDFLAGS += -z noexecstack > ++ > + # LD = armlink > + ifneq ($(findstring armlink,$(notdir $(LD))),) > + TF_LDFLAGS += --diag_error=warning --lto_level=O1 > +@@ -442,7 +444,10 @@ TF_LDFLAGS += $(subst --,-Xlinker --,$(TF_LDFLAGS_$(ARCH))) > + > + # LD = gcc-ld (ld) or llvm-ld (ld.lld) or other > + else > +-TF_LDFLAGS += --fatal-warnings -O1 > ++# With ld.bfd version 2.39 and newer new warnings are added. Skip those since we > ++# are not loaded by a elf loader. > ++TF_LDFLAGS += $(call ld_option, --no-warn-rwx-segments) > ++TF_LDFLAGS += -O1 > + TF_LDFLAGS += --gc-sections > + # ld.lld doesn't recognize the errata flags, > + # therefore don't add those in that case > +-- > +2.30.2 > + > diff --git a/boot/arm-trusted-firmware/v2.8/0001-feat-build-add-support-for-new-binutils-versions.patch b/boot/arm-trusted-firmware/v2.8/0001-feat-build-add-support-for-new-binutils-versions.patch > new file mode 100644 > index 0000000000..9b5a9dba97 > --- /dev/null > +++ b/boot/arm-trusted-firmware/v2.8/0001-feat-build-add-support-for-new-binutils-versions.patch 
> @@ -0,0 +1,62 @@ > +From 0f75b03c008eacb9818af3a56dc088e72a623d17 Mon Sep 17 00:00:00 2001 > +From: Marco Felsch <m.felsch@pengutronix.de> > +Date: Wed, 9 Nov 2022 12:59:09 +0100 > +Subject: [PATCH] feat(build): add support for new binutils versions > + > +Users of GNU ld (BPF) from binutils 2.39+ will observe multiple instaces > +of a new warning when linking the bl*.elf in the form: > + > + ld.bfd: warning: stm32mp1_helper.o: missing .note.GNU-stack section implies executable stack > + ld.bfd: NOTE: This behaviour is deprecated and will be removed in a future version of the linker > + ld.bfd: warning: bl2.elf has a LOAD segment with RWX permissions > + ld.bfd: warning: bl32.elf has a LOAD segment with RWX permissions > + > +These new warnings are enbaled by default to secure elf binaries: > + - https://sourceware.org/git/?p=binutils-gdb.git;a=commit;h=ba951afb99912da01a6e8434126b8fac7aa75107 > + - https://sourceware.org/git/?p=binutils-gdb.git;a=commit;h=0d38576a34ec64a1b4500c9277a8e9d0f07e6774 > + > +Fix it in a similar way to what the Linux kernel does, see: > +https://lore.kernel.org/all/20220810222442.2296651-1-ndesaulniers@google.com/ > + > +Following the reasoning there, we set "-z noexecstack" for all linkers > +(although LLVM's LLD defaults to it) and optional add > +--no-warn-rwx-segments since this a ld.bfd related. 
> + > +Signed-off-by: Heiko Thiery <heiko.thiery@gmail.com> > +[Retrieved and rebased from > +https://github.com/ARM-software/arm-trusted-firmware/commit/1f49db5f25cdd4e43825c9bcc0575070b80f628c] > +Signed-off-by: Marco Felsch <m.felsch@pengutronix.de> > +Signed-off-by: Robert Schwebel <r.schwebel@pengutronix.de> > +Change-Id: I9430f5fa5036ca88da46cd3b945754d62616b617 > +--- > + Makefile | 7 ++++++- > + 1 file changed, 6 insertions(+), 1 deletion(-) > + > +diff --git a/Makefile b/Makefile > +index 1ddb7b844..470956b19 100644 > +--- a/Makefile > ++++ b/Makefile > +@@ -416,6 +416,8 @@ endif > + > + GCC_V_OUTPUT := $(shell $(CC) -v 2>&1) > + > ++TF_LDFLAGS += -z noexecstack > ++ > + # LD = armlink > + ifneq ($(findstring armlink,$(notdir $(LD))),) > + TF_LDFLAGS += --diag_error=warning --lto_level=O1 > +@@ -442,7 +444,10 @@ TF_LDFLAGS += $(subst --,-Xlinker --,$(TF_LDFLAGS_$(ARCH))) > + > + # LD = gcc-ld (ld) or llvm-ld (ld.lld) or other > + else > +-TF_LDFLAGS += --fatal-warnings -O1 > ++# With ld.bfd version 2.39 and newer new warnings are added. Skip those since we > ++# are not loaded by a elf loader. > ++TF_LDFLAGS += $(call ld_option, --no-warn-rwx-segments) > ++TF_LDFLAGS += -O1 > + TF_LDFLAGS += --gc-sections > + # ld.lld doesn't recognize the errata flags, > + # therefore don't add those in that case > +-- > +2.30.2 > + > -- > 2.30.2 >
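
Review bot: In the non-armlink `else` branch of every embedded Makefile hunk, `--fatal-warnings` is dropped outright (`-TF_LDFLAGS += --fatal-warnings -O1` becomes `TF_LDFLAGS += -O1`), so all other ld warnings stop failing the firmware link as well, and neither the commit message nor the new Makefile comment mentions that. If only the two binutils 2.39 warnings quoted in the message are the problem, consider keeping `--fatal-warnings` alongside `$(call ld_option, --no-warn-rwx-segments)` and the new `-z noexecstack`, or say in the message why it has to go. Suppressing the RWX-segment warning is justified in the comment by "we are not loaded by a elf loader"; that reasoning does not cover unrelated warnings.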
diff --git a/boot/arm-trusted-firmware/v2.2/0001-PATCH-feat-build-add-support-for-new-binutils-versio.patch b/boot/arm-trusted-firmware/v2.2/0001-PATCH-feat-build-add-support-for-new-binutils-versio.patch new file mode 100644 index 0000000000..2375de0eef --- /dev/null +++ b/boot/arm-trusted-firmware/v2.2/0001-PATCH-feat-build-add-support-for-new-binutils-versio.patch 
@@ -0,0 +1,58 @@ +From 5e1beb793c06352e87c46eca1144ff1fe8555103 Mon Sep 17 00:00:00 2001 +From: Heiko Thiery <heiko.thiery@gmail.com> +Date: Mon, 10 Jul 2023 10:43:03 +0200 +Subject: [PATCH] [PATCH] feat(build): add support for new binutils versions + +Users of GNU ld (BPF) from binutils 2.39+ will observe multiple instaces +of a new warning when linking the bl*.elf in the form: + + ld.bfd: warning: stm32mp1_helper.o: missing .note.GNU-stack section implies executable stack + ld.bfd: NOTE: This behaviour is deprecated and will be removed in a future version of the linker + ld.bfd: warning: bl2.elf has a LOAD segment with RWX permissions + ld.bfd: warning: bl32.elf has a LOAD segment with RWX permissions + +These new warnings are enbaled by default to secure elf binaries: + - https://sourceware.org/git/?p=binutils-gdb.git;a=commit;h=ba951afb99912da01a6e8434126b8fac7aa75107 + - https://sourceware.org/git/?p=binutils-gdb.git;a=commit;h=0d38576a34ec64a1b4500c9277a8e9d0f07e6774 + +Fix it in a similar way to what the Linux kernel does, see: +https://lore.kernel.org/all/20220810222442.2296651-1-ndesaulniers@google.com/ + +Following the reasoning there, we set "-z noexecstack" for all linkers +(although LLVM's LLD defaults to it) and optional add +--no-warn-rwx-segments since this a ld.bfd related. 
+ +Signed-off-by: Marco Felsch <m.felsch@pengutronix.de> +Signed-off-by: Robert Schwebel <r.schwebel@pengutronix.de> +Change-Id: I9430f5fa5036ca88da46cd3b945754d62616b617 + +Signed-off-by: Heiko Thiery <heiko.thiery@gmail.com> +--- + Makefile | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/Makefile b/Makefile +index 721246d51..5893cf422 100644 +--- a/Makefile ++++ b/Makefile +@@ -297,11 +297,16 @@ endif + + GCC_V_OUTPUT := $(shell $(CC) -v 2>&1) + ++TF_LDFLAGS += -z noexecstack ++ + ifneq ($(findstring armlink,$(notdir $(LD))),) + TF_LDFLAGS += --diag_error=warning --lto_level=O1 + TF_LDFLAGS += --remove --info=unused,unusedsymbols + else +-TF_LDFLAGS += --fatal-warnings -O1 ++# With ld.bfd version 2.39 and newer new warnings are added. Skip those since we ++# are not loaded by a elf loader. ++TF_LDFLAGS += $(call ld_option, --no-warn-rwx-segments) ++TF_LDFLAGS += -O1 + TF_LDFLAGS += --gc-sections + endif + TF_LDFLAGS += $(TF_LDFLAGS_$(ARCH)) +-- +2.30.2 + diff --git a/boot/arm-trusted-firmware/v2.3/0001-feat-build-add-support-for-new-binutils-versions.patch b/boot/arm-trusted-firmware/v2.3/0001-feat-build-add-support-for-new-binutils-versions.patch new file mode 100644 index 0000000000..9b5a9dba97 --- /dev/null +++ b/boot/arm-trusted-firmware/v2.3/0001-feat-build-add-support-for-new-binutils-versions.patch 
@@ -0,0 +1,62 @@ +From 0f75b03c008eacb9818af3a56dc088e72a623d17 Mon Sep 17 00:00:00 2001 +From: Marco Felsch <m.felsch@pengutronix.de> +Date: Wed, 9 Nov 2022 12:59:09 +0100 +Subject: [PATCH] feat(build): add support for new binutils versions + +Users of GNU ld (BPF) from binutils 2.39+ will observe multiple instaces +of a new warning when linking the bl*.elf in the form: + + ld.bfd: warning: stm32mp1_helper.o: missing .note.GNU-stack section implies executable stack + ld.bfd: NOTE: This behaviour is deprecated and will be removed in a future version of the linker + ld.bfd: warning: bl2.elf has a LOAD segment with RWX permissions + ld.bfd: warning: bl32.elf has a LOAD segment with RWX permissions + +These new warnings are enbaled by default to secure elf binaries: + - https://sourceware.org/git/?p=binutils-gdb.git;a=commit;h=ba951afb99912da01a6e8434126b8fac7aa75107 + - https://sourceware.org/git/?p=binutils-gdb.git;a=commit;h=0d38576a34ec64a1b4500c9277a8e9d0f07e6774 + +Fix it in a similar way to what the Linux kernel does, see: +https://lore.kernel.org/all/20220810222442.2296651-1-ndesaulniers@google.com/ + +Following the reasoning there, we set "-z noexecstack" for all linkers +(although LLVM's LLD defaults to it) and optional add +--no-warn-rwx-segments since this a ld.bfd related. 
+ +Signed-off-by: Heiko Thiery <heiko.thiery@gmail.com> +[Retrieved and rebased from +https://github.com/ARM-software/arm-trusted-firmware/commit/1f49db5f25cdd4e43825c9bcc0575070b80f628c] +Signed-off-by: Marco Felsch <m.felsch@pengutronix.de> +Signed-off-by: Robert Schwebel <r.schwebel@pengutronix.de> +Change-Id: I9430f5fa5036ca88da46cd3b945754d62616b617 +--- + Makefile | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/Makefile b/Makefile +index 1ddb7b844..470956b19 100644 +--- a/Makefile ++++ b/Makefile +@@ -416,6 +416,8 @@ endif + + GCC_V_OUTPUT := $(shell $(CC) -v 2>&1) + ++TF_LDFLAGS += -z noexecstack ++ + # LD = armlink + ifneq ($(findstring armlink,$(notdir $(LD))),) + TF_LDFLAGS += --diag_error=warning --lto_level=O1 +@@ -442,7 +444,10 @@ TF_LDFLAGS += $(subst --,-Xlinker --,$(TF_LDFLAGS_$(ARCH))) + + # LD = gcc-ld (ld) or llvm-ld (ld.lld) or other + else +-TF_LDFLAGS += --fatal-warnings -O1 ++# With ld.bfd version 2.39 and newer new warnings are added. Skip those since we ++# are not loaded by a elf loader. ++TF_LDFLAGS += $(call ld_option, --no-warn-rwx-segments) ++TF_LDFLAGS += -O1 + TF_LDFLAGS += --gc-sections + # ld.lld doesn't recognize the errata flags, + # therefore don't add those in that case +-- +2.30.2 + diff --git a/boot/arm-trusted-firmware/v2.4/0001-feat-build-add-support-for-new-binutils-versions.patch b/boot/arm-trusted-firmware/v2.4/0001-feat-build-add-support-for-new-binutils-versions.patch new file mode 100644 index 0000000000..9b5a9dba97 --- /dev/null +++ b/boot/arm-trusted-firmware/v2.4/0001-feat-build-add-support-for-new-binutils-versions.patch 
@@ -0,0 +1,62 @@ +From 0f75b03c008eacb9818af3a56dc088e72a623d17 Mon Sep 17 00:00:00 2001 +From: Marco Felsch <m.felsch@pengutronix.de> +Date: Wed, 9 Nov 2022 12:59:09 +0100 +Subject: [PATCH] feat(build): add support for new binutils versions + +Users of GNU ld (BPF) from binutils 2.39+ will observe multiple instaces +of a new warning when linking the bl*.elf in the form: + + ld.bfd: warning: stm32mp1_helper.o: missing .note.GNU-stack section implies executable stack + ld.bfd: NOTE: This behaviour is deprecated and will be removed in a future version of the linker + ld.bfd: warning: bl2.elf has a LOAD segment with RWX permissions + ld.bfd: warning: bl32.elf has a LOAD segment with RWX permissions + +These new warnings are enbaled by default to secure elf binaries: + - https://sourceware.org/git/?p=binutils-gdb.git;a=commit;h=ba951afb99912da01a6e8434126b8fac7aa75107 + - https://sourceware.org/git/?p=binutils-gdb.git;a=commit;h=0d38576a34ec64a1b4500c9277a8e9d0f07e6774 + +Fix it in a similar way to what the Linux kernel does, see: +https://lore.kernel.org/all/20220810222442.2296651-1-ndesaulniers@google.com/ + +Following the reasoning there, we set "-z noexecstack" for all linkers +(although LLVM's LLD defaults to it) and optional add +--no-warn-rwx-segments since this a ld.bfd related. 
+ +Signed-off-by: Heiko Thiery <heiko.thiery@gmail.com> +[Retrieved and rebased from +https://github.com/ARM-software/arm-trusted-firmware/commit/1f49db5f25cdd4e43825c9bcc0575070b80f628c] +Signed-off-by: Marco Felsch <m.felsch@pengutronix.de> +Signed-off-by: Robert Schwebel <r.schwebel@pengutronix.de> +Change-Id: I9430f5fa5036ca88da46cd3b945754d62616b617 +--- + Makefile | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/Makefile b/Makefile +index 1ddb7b844..470956b19 100644 +--- a/Makefile ++++ b/Makefile +@@ -416,6 +416,8 @@ endif + + GCC_V_OUTPUT := $(shell $(CC) -v 2>&1) + ++TF_LDFLAGS += -z noexecstack ++ + # LD = armlink + ifneq ($(findstring armlink,$(notdir $(LD))),) + TF_LDFLAGS += --diag_error=warning --lto_level=O1 +@@ -442,7 +444,10 @@ TF_LDFLAGS += $(subst --,-Xlinker --,$(TF_LDFLAGS_$(ARCH))) + + # LD = gcc-ld (ld) or llvm-ld (ld.lld) or other + else +-TF_LDFLAGS += --fatal-warnings -O1 ++# With ld.bfd version 2.39 and newer new warnings are added. Skip those since we ++# are not loaded by a elf loader. ++TF_LDFLAGS += $(call ld_option, --no-warn-rwx-segments) ++TF_LDFLAGS += -O1 + TF_LDFLAGS += --gc-sections + # ld.lld doesn't recognize the errata flags, + # therefore don't add those in that case +-- +2.30.2 + diff --git a/boot/arm-trusted-firmware/v2.5/0001-feat-build-add-support-for-new-binutils-versions.patch b/boot/arm-trusted-firmware/v2.5/0001-feat-build-add-support-for-new-binutils-versions.patch new file mode 100644 index 0000000000..9b5a9dba97 --- /dev/null +++ b/boot/arm-trusted-firmware/v2.5/0001-feat-build-add-support-for-new-binutils-versions.patch 
@@ -0,0 +1,62 @@ +From 0f75b03c008eacb9818af3a56dc088e72a623d17 Mon Sep 17 00:00:00 2001 +From: Marco Felsch <m.felsch@pengutronix.de> +Date: Wed, 9 Nov 2022 12:59:09 +0100 +Subject: [PATCH] feat(build): add support for new binutils versions + +Users of GNU ld (BPF) from binutils 2.39+ will observe multiple instaces +of a new warning when linking the bl*.elf in the form: + + ld.bfd: warning: stm32mp1_helper.o: missing .note.GNU-stack section implies executable stack + ld.bfd: NOTE: This behaviour is deprecated and will be removed in a future version of the linker + ld.bfd: warning: bl2.elf has a LOAD segment with RWX permissions + ld.bfd: warning: bl32.elf has a LOAD segment with RWX permissions + +These new warnings are enbaled by default to secure elf binaries: + - https://sourceware.org/git/?p=binutils-gdb.git;a=commit;h=ba951afb99912da01a6e8434126b8fac7aa75107 + - https://sourceware.org/git/?p=binutils-gdb.git;a=commit;h=0d38576a34ec64a1b4500c9277a8e9d0f07e6774 + +Fix it in a similar way to what the Linux kernel does, see: +https://lore.kernel.org/all/20220810222442.2296651-1-ndesaulniers@google.com/ + +Following the reasoning there, we set "-z noexecstack" for all linkers +(although LLVM's LLD defaults to it) and optional add +--no-warn-rwx-segments since this a ld.bfd related. 
+ +Signed-off-by: Heiko Thiery <heiko.thiery@gmail.com> +[Retrieved and rebased from +https://github.com/ARM-software/arm-trusted-firmware/commit/1f49db5f25cdd4e43825c9bcc0575070b80f628c] +Signed-off-by: Marco Felsch <m.felsch@pengutronix.de> +Signed-off-by: Robert Schwebel <r.schwebel@pengutronix.de> +Change-Id: I9430f5fa5036ca88da46cd3b945754d62616b617 +--- + Makefile | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/Makefile b/Makefile +index 1ddb7b844..470956b19 100644 +--- a/Makefile ++++ b/Makefile +@@ -416,6 +416,8 @@ endif + + GCC_V_OUTPUT := $(shell $(CC) -v 2>&1) + ++TF_LDFLAGS += -z noexecstack ++ + # LD = armlink + ifneq ($(findstring armlink,$(notdir $(LD))),) + TF_LDFLAGS += --diag_error=warning --lto_level=O1 +@@ -442,7 +444,10 @@ TF_LDFLAGS += $(subst --,-Xlinker --,$(TF_LDFLAGS_$(ARCH))) + + # LD = gcc-ld (ld) or llvm-ld (ld.lld) or other + else +-TF_LDFLAGS += --fatal-warnings -O1 ++# With ld.bfd version 2.39 and newer new warnings are added. Skip those since we ++# are not loaded by a elf loader. ++TF_LDFLAGS += $(call ld_option, --no-warn-rwx-segments) ++TF_LDFLAGS += -O1 + TF_LDFLAGS += --gc-sections + # ld.lld doesn't recognize the errata flags, + # therefore don't add those in that case +-- +2.30.2 + diff --git a/boot/arm-trusted-firmware/v2.6/0001-feat-build-add-support-for-new-binutils-versions.patch b/boot/arm-trusted-firmware/v2.6/0001-feat-build-add-support-for-new-binutils-versions.patch new file mode 100644 index 0000000000..9b5a9dba97 --- /dev/null +++ b/boot/arm-trusted-firmware/v2.6/0001-feat-build-add-support-for-new-binutils-versions.patch 
@@ -0,0 +1,62 @@ +From 0f75b03c008eacb9818af3a56dc088e72a623d17 Mon Sep 17 00:00:00 2001 +From: Marco Felsch <m.felsch@pengutronix.de> +Date: Wed, 9 Nov 2022 12:59:09 +0100 +Subject: [PATCH] feat(build): add support for new binutils versions + +Users of GNU ld (BPF) from binutils 2.39+ will observe multiple instaces +of a new warning when linking the bl*.elf in the form: + + ld.bfd: warning: stm32mp1_helper.o: missing .note.GNU-stack section implies executable stack + ld.bfd: NOTE: This behaviour is deprecated and will be removed in a future version of the linker + ld.bfd: warning: bl2.elf has a LOAD segment with RWX permissions + ld.bfd: warning: bl32.elf has a LOAD segment with RWX permissions + +These new warnings are enbaled by default to secure elf binaries: + - https://sourceware.org/git/?p=binutils-gdb.git;a=commit;h=ba951afb99912da01a6e8434126b8fac7aa75107 + - https://sourceware.org/git/?p=binutils-gdb.git;a=commit;h=0d38576a34ec64a1b4500c9277a8e9d0f07e6774 + +Fix it in a similar way to what the Linux kernel does, see: +https://lore.kernel.org/all/20220810222442.2296651-1-ndesaulniers@google.com/ + +Following the reasoning there, we set "-z noexecstack" for all linkers +(although LLVM's LLD defaults to it) and optional add +--no-warn-rwx-segments since this a ld.bfd related. 
+ +Signed-off-by: Heiko Thiery <heiko.thiery@gmail.com> +[Retrieved and rebased from +https://github.com/ARM-software/arm-trusted-firmware/commit/1f49db5f25cdd4e43825c9bcc0575070b80f628c] +Signed-off-by: Marco Felsch <m.felsch@pengutronix.de> +Signed-off-by: Robert Schwebel <r.schwebel@pengutronix.de> +Change-Id: I9430f5fa5036ca88da46cd3b945754d62616b617 +--- + Makefile | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/Makefile b/Makefile +index 1ddb7b844..470956b19 100644 +--- a/Makefile ++++ b/Makefile +@@ -416,6 +416,8 @@ endif + + GCC_V_OUTPUT := $(shell $(CC) -v 2>&1) + ++TF_LDFLAGS += -z noexecstack ++ + # LD = armlink + ifneq ($(findstring armlink,$(notdir $(LD))),) + TF_LDFLAGS += --diag_error=warning --lto_level=O1 +@@ -442,7 +444,10 @@ TF_LDFLAGS += $(subst --,-Xlinker --,$(TF_LDFLAGS_$(ARCH))) + + # LD = gcc-ld (ld) or llvm-ld (ld.lld) or other + else +-TF_LDFLAGS += --fatal-warnings -O1 ++# With ld.bfd version 2.39 and newer new warnings are added. Skip those since we ++# are not loaded by a elf loader. ++TF_LDFLAGS += $(call ld_option, --no-warn-rwx-segments) ++TF_LDFLAGS += -O1 + TF_LDFLAGS += --gc-sections + # ld.lld doesn't recognize the errata flags, + # therefore don't add those in that case +-- +2.30.2 + diff --git a/boot/arm-trusted-firmware/v2.7/0001-feat-build-add-support-for-new-binutils-versions.patch b/boot/arm-trusted-firmware/v2.7/0001-feat-build-add-support-for-new-binutils-versions.patch new file mode 100644 index 0000000000..9b5a9dba97 --- /dev/null +++ b/boot/arm-trusted-firmware/v2.7/0001-feat-build-add-support-for-new-binutils-versions.patch 
@@ -0,0 +1,62 @@ +From 0f75b03c008eacb9818af3a56dc088e72a623d17 Mon Sep 17 00:00:00 2001 +From: Marco Felsch <m.felsch@pengutronix.de> +Date: Wed, 9 Nov 2022 12:59:09 +0100 +Subject: [PATCH] feat(build): add support for new binutils versions + +Users of GNU ld (BPF) from binutils 2.39+ will observe multiple instaces +of a new warning when linking the bl*.elf in the form: + + ld.bfd: warning: stm32mp1_helper.o: missing .note.GNU-stack section implies executable stack + ld.bfd: NOTE: This behaviour is deprecated and will be removed in a future version of the linker + ld.bfd: warning: bl2.elf has a LOAD segment with RWX permissions + ld.bfd: warning: bl32.elf has a LOAD segment with RWX permissions + +These new warnings are enbaled by default to secure elf binaries: + - https://sourceware.org/git/?p=binutils-gdb.git;a=commit;h=ba951afb99912da01a6e8434126b8fac7aa75107 + - https://sourceware.org/git/?p=binutils-gdb.git;a=commit;h=0d38576a34ec64a1b4500c9277a8e9d0f07e6774 + +Fix it in a similar way to what the Linux kernel does, see: +https://lore.kernel.org/all/20220810222442.2296651-1-ndesaulniers@google.com/ + +Following the reasoning there, we set "-z noexecstack" for all linkers +(although LLVM's LLD defaults to it) and optional add +--no-warn-rwx-segments since this a ld.bfd related. 
+ +Signed-off-by: Heiko Thiery <heiko.thiery@gmail.com> +[Retrieved and rebased from +https://github.com/ARM-software/arm-trusted-firmware/commit/1f49db5f25cdd4e43825c9bcc0575070b80f628c] +Signed-off-by: Marco Felsch <m.felsch@pengutronix.de> +Signed-off-by: Robert Schwebel <r.schwebel@pengutronix.de> +Change-Id: I9430f5fa5036ca88da46cd3b945754d62616b617 +--- + Makefile | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/Makefile b/Makefile +index 1ddb7b844..470956b19 100644 +--- a/Makefile ++++ b/Makefile +@@ -416,6 +416,8 @@ endif + + GCC_V_OUTPUT := $(shell $(CC) -v 2>&1) + ++TF_LDFLAGS += -z noexecstack ++ + # LD = armlink + ifneq ($(findstring armlink,$(notdir $(LD))),) + TF_LDFLAGS += --diag_error=warning --lto_level=O1 +@@ -442,7 +444,10 @@ TF_LDFLAGS += $(subst --,-Xlinker --,$(TF_LDFLAGS_$(ARCH))) + + # LD = gcc-ld (ld) or llvm-ld (ld.lld) or other + else +-TF_LDFLAGS += --fatal-warnings -O1 ++# With ld.bfd version 2.39 and newer new warnings are added. Skip those since we ++# are not loaded by a elf loader. ++TF_LDFLAGS += $(call ld_option, --no-warn-rwx-segments) ++TF_LDFLAGS += -O1 + TF_LDFLAGS += --gc-sections + # ld.lld doesn't recognize the errata flags, + # therefore don't add those in that case +-- +2.30.2 + diff --git a/boot/arm-trusted-firmware/v2.8/0001-feat-build-add-support-for-new-binutils-versions.patch b/boot/arm-trusted-firmware/v2.8/0001-feat-build-add-support-for-new-binutils-versions.patch new file mode 100644 index 0000000000..9b5a9dba97 --- /dev/null +++ b/boot/arm-trusted-firmware/v2.8/0001-feat-build-add-support-for-new-binutils-versions.patch 
@@ -0,0 +1,62 @@ +From 0f75b03c008eacb9818af3a56dc088e72a623d17 Mon Sep 17 00:00:00 2001 +From: Marco Felsch <m.felsch@pengutronix.de> +Date: Wed, 9 Nov 2022 12:59:09 +0100 +Subject: [PATCH] feat(build): add support for new binutils versions + +Users of GNU ld (BPF) from binutils 2.39+ will observe multiple instaces +of a new warning when linking the bl*.elf in the form: + + ld.bfd: warning: stm32mp1_helper.o: missing .note.GNU-stack section implies executable stack + ld.bfd: NOTE: This behaviour is deprecated and will be removed in a future version of the linker + ld.bfd: warning: bl2.elf has a LOAD segment with RWX permissions + ld.bfd: warning: bl32.elf has a LOAD segment with RWX permissions + +These new warnings are enbaled by default to secure elf binaries: + - https://sourceware.org/git/?p=binutils-gdb.git;a=commit;h=ba951afb99912da01a6e8434126b8fac7aa75107 + - https://sourceware.org/git/?p=binutils-gdb.git;a=commit;h=0d38576a34ec64a1b4500c9277a8e9d0f07e6774 + +Fix it in a similar way to what the Linux kernel does, see: +https://lore.kernel.org/all/20220810222442.2296651-1-ndesaulniers@google.com/ + +Following the reasoning there, we set "-z noexecstack" for all linkers +(although LLVM's LLD defaults to it) and optional add +--no-warn-rwx-segments since this a ld.bfd related. 
+ +Signed-off-by: Heiko Thiery <heiko.thiery@gmail.com> +[Retrieved and rebased from +https://github.com/ARM-software/arm-trusted-firmware/commit/1f49db5f25cdd4e43825c9bcc0575070b80f628c] +Signed-off-by: Marco Felsch <m.felsch@pengutronix.de> +Signed-off-by: Robert Schwebel <r.schwebel@pengutronix.de> +Change-Id: I9430f5fa5036ca88da46cd3b945754d62616b617 +--- + Makefile | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/Makefile b/Makefile +index 1ddb7b844..470956b19 100644 +--- a/Makefile ++++ b/Makefile +@@ -416,6 +416,8 @@ endif + + GCC_V_OUTPUT := $(shell $(CC) -v 2>&1) + ++TF_LDFLAGS += -z noexecstack ++ + # LD = armlink + ifneq ($(findstring armlink,$(notdir $(LD))),) + TF_LDFLAGS += --diag_error=warning --lto_level=O1 +@@ -442,7 +444,10 @@ TF_LDFLAGS += $(subst --,-Xlinker --,$(TF_LDFLAGS_$(ARCH))) + + # LD = gcc-ld (ld) or llvm-ld (ld.lld) or other + else +-TF_LDFLAGS += --fatal-warnings -O1 ++# With ld.bfd version 2.39 and newer new warnings are added. Skip those since we ++# are not loaded by a elf loader. ++TF_LDFLAGS += $(call ld_option, --no-warn-rwx-segments) ++TF_LDFLAGS += -O1 + TF_LDFLAGS += --gc-sections + # ld.lld doesn't recognize the errata flags, + # therefore don't add those in that case +-- +2.30.2 +
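Review bot: In the first Makefile hunk (@@ -416,6 +416,8 @@), `TF_LDFLAGS += -z noexecstack` is placed above the `# LD = armlink` conditional, so it is appended for every linker branch, armlink included, and not only for ld.bfd and ld.lld. The embedded commit message argues only from ld.bfd and LLD behaviour. Please confirm that armlink and the branch that passes options through `-Xlinker` accept `-z noexecstack` in this form, or move the line into the `else` branch for ld / ld.lld, next to the `--no-warn-rwx-segments` line. The same hunk appears in each per-version copy of the patch, so the point applies to all of them.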
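Review bot: The second Makefile hunk (@@ -442,7 +444,10 @@) drops `--fatal-warnings` altogether when `TF_LDFLAGS += --fatal-warnings -O1` becomes `TF_LDFLAGS += -O1`, so every linker warning stops failing the build, not only the two new binutils 2.39 diagnostics that the added comment talks about. If that is intended, the comment should say so; otherwise keep `--fatal-warnings` and let `-z noexecstack` and `--no-warn-rwx-segments` silence the new warnings. Separately, `ld_option` is not defined anywhere in the visible lines, and the same patch is added for v2.3 through v2.8: please check that each of those Makefiles defines it, because `$(call ld_option, ...)` on an undefined name expands to nothing and the RWX-segment warning would then still be printed. Minor: "a elf loader" in the new comment should read "an ELF loader".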
The new version of binutils introduces a new warning when linking. The
new warning is enabled by default. To fix the issue this warning is
disabled by adding the patches to the arm-trusted-firmware package
v{2.2..2.8}. This is a backport of an upstream commit [1]

Since there are too many defconfigs that use the arm-trusted-firmware
package, it is not practical to create a global-patch-dir for all of them.
Therefore the patches are only in the package directory.

[1] https://github.com/ARM-software/arm-trusted-firmware/commit/1f49db5f25cdd4e43825c9bcc0575070b80f628c

Fixes:
https://gitlab.com/buildroot.org/buildroot/-/jobs/4603996186
https://gitlab.com/buildroot.org/buildroot/-/jobs/4603996189

Cc: Yann E. MORIN <yann.morin.1998@free.fr>
Cc: Dario Binacchi <dario.binacchi@amarulasolutions.com>
Cc: Romain Naour <romain.naour@smile.fr>
Signed-off-by: Heiko Thiery <heiko.thiery@gmail.com>
---
v2: change the commit message to state why we add the patch to the
package directory
---
 ...-add-support-for-new-binutils-versio.patch | 58 +++++++++++++++++
 ...dd-support-for-new-binutils-versions.patch | 62 +++++++++++++++++++
 ...dd-support-for-new-binutils-versions.patch | 62 +++++++++++++++++++
 ...dd-support-for-new-binutils-versions.patch | 62 +++++++++++++++++++
 ...dd-support-for-new-binutils-versions.patch | 62 +++++++++++++++++++
 ...dd-support-for-new-binutils-versions.patch | 62 +++++++++++++++++++
 ...dd-support-for-new-binutils-versions.patch | 62 +++++++++++++++++++
 7 files changed, 430 insertions(+)
 create mode 100644 boot/arm-trusted-firmware/v2.2/0001-PATCH-feat-build-add-support-for-new-binutils-versio.patch
 create mode 100644 boot/arm-trusted-firmware/v2.3/0001-feat-build-add-support-for-new-binutils-versions.patch
 create mode 100644 boot/arm-trusted-firmware/v2.4/0001-feat-build-add-support-for-new-binutils-versions.patch
 create mode 100644 boot/arm-trusted-firmware/v2.5/0001-feat-build-add-support-for-new-binutils-versions.patch
 create mode 100644 boot/arm-trusted-firmware/v2.6/0001-feat-build-add-support-for-new-binutils-versions.patch
 create mode 100644 boot/arm-trusted-firmware/v2.7/0001-feat-build-add-support-for-new-binutils-versions.patch
 create mode 100644 boot/arm-trusted-firmware/v2.8/0001-feat-build-add-support-for-new-binutils-versions.patch