feat(build): add support for new binutils versions

Users of GNU ld (BPF) from binutils 2.39+ will observe multiple instaces of a new warning when linking the bl*.elf in the form: ld.bfd: warning: stm32mp1_helper.o: missing .note.GNU-stack section implies executable stack ld.bfd: NOTE: This behaviour is deprecated and will be removed in a future version of the linker ld.bfd: warning: bl2.elf has a LOAD segment with RWX permissions ld.bfd: warning: bl32.elf has a LOAD segment with RWX permissions These new warnings are enbaled by default to secure elf binaries: - https://sourceware.org/git/?p=binutils-gdb.git;a=commit;h=ba951afb99912da01a6e8434126b8fac7aa75107 - https://sourceware.org/git/?p=binutils-gdb.git;a=commit;h=0d38576a34ec64a1b4500c9277a8e9d0f07e6774 Fix it in a similar way to what the Linux kernel does, see: https://lore.kernel.org/all/20220810222442.2296651-1-ndesaulniers@google.com/ Following the reasoning there, we set "-z noexecstack" for all linkers (although LLVM's LLD defaults to it) and optional add --no-warn-rwx-segments since this a ld.bfd related. Signed-off-by: Marco Felsch <m.felsch@pengutronix.de> Signed-off-by: Robert Schwebel <r.schwebel@pengutronix.de> Change-Id: I9430f5fa5036ca88da46cd3b945754d62616b617
2025-04-17 10:04:26 +00:00 · 2022-11-09 12:59:09 +01:00 · 2022-11-09 12:59:09 +01:00 · 1f49db5f25
commit 1f49db5f25
parent a5f09cf705
1 changed files with 5 additions and 0 deletions
--- a/5
+++ b/5
@ -445,6 +445,8 @@ endif

 GCC_V_OUTPUT		:=	$(shell $(CC) -v 2>&1)

+TF_LDFLAGS		+=	-z noexecstack
+
 # LD = armlink
 ifneq ($(findstring armlink,$(notdir $(LD))),)
 TF_LDFLAGS		+=	--diag_error=warning --lto_level=O1
@ -475,6 +477,9 @@ TF_LDFLAGS		+=	$(subst --,-Xlinker --,$(TF_LDFLAGS_$(ARCH)))

 # LD = gcc-ld (ld) or llvm-ld (ld.lld) or other
 else
+# With ld.bfd version 2.39 and newer new warnings are added. Skip those since we
+# are not loaded by a elf loader.
+TF_LDFLAGS		+=	$(call ld_option, --no-warn-rwx-segments)
 TF_LDFLAGS		+=	-O1
 TF_LDFLAGS		+=	--gc-sections