From 6ebc871f77becd379a75ba009ba553426d87d3a1 Mon Sep 17 00:00:00 2001 From: Sam James Date: Sun, 22 Sep 2024 06:31:36 +0100 Subject: [PATCH] Compiler-Options-Hardening-Guide-for-C-and-C++.md: describe linker configuration options Add a section similar to "What should you do when compiling compilers?" but for linkers. LLVM doesn't accept new configure (CMake) options for default behaviour like this and instead asks distributors to use Clang configuration files, so this section is (currently) only for GNU Binutils. Per https://github.com/ossf/wg-best-practices-os-developers/issues/588, I've not included separate-code/rosegment, as we should handle that separately once there is consensus. Closes: https://github.com/ossf/wg-best-practices-os-developers/issues/623 Signed-off-by: Sam James --- ...r-Options-Hardening-Guide-for-C-and-C++.md | 21 +++++++++++++++++++ 1 file changed, 21 insertions(+) diff --git a/docs/Compiler-Hardening-Guides/Compiler-Options-Hardening-Guide-for-C-and-C++.md b/docs/Compiler-Hardening-Guides/Compiler-Options-Hardening-Guide-for-C-and-C++.md index a24a86f2..771b74b4 100644 --- a/docs/Compiler-Hardening-Guides/Compiler-Options-Hardening-Guide-for-C-and-C++.md +++ b/docs/Compiler-Hardening-Guides/Compiler-Options-Hardening-Guide-for-C-and-C++.md 
@@ -1375,6 +1375,27 @@ If you are compiling a C/C++ compiler, where practical make the generated compil | `--enable-host-bind-now` | GCC 14.0.0 | Build the compiler executables with [`-Wl,-z,now`](#-Wl,-z,now) | | `CLANG_DEFAULT_PIE_ON_LINUX` | Clang 14.0.0 | Turn on [`-fPIE`](#-fPIE_-pie) and [`-pie`](#-fPIE_-pie) by default for binaries produced by the compiler | +## What should you do when compiling linkers? + +If you are compiling a linker, where practical make the generated linker's default options the *secure* options. The below table summarizes relevant options that can be specifed when building GNU Binutils that affect the defaults of the linker: + +| Linker Flag | Supported since | Description | +|:--- |:---:|:---- | +| `--disable-default-execstack` | Binutils 2.39 | Require the `GNU_STACK` ELF note for executable stacks, rather than enabling them by default. | +| `--enable-warn-execstack` | Binutils 2.39 | Warn if an executable stack is requested with `GNU_STACK`. | +| `--enable-error-execstack` | Binutils 2.42 | Error out if an executable stack is requested, even with `GNU_STACK`. | +| `--enable-warn-rwx-segments` | Binutils 2.39 | Warn if a segment has unsafe permissions. | +| `--enable-error-rwx-segments` | Binutils 2.42 | Error out if a segment has unsafe permissions. | +| `--enable-relro` | Binutils 2.27 | Default to passing `-Wl,-z,relro`. | +| `--enable-textrel-check=` | Binutils 2.35 | Controls whether TEXTRELs are fatal errors (`=error`), warnings (`=warn`), or ignored (`=no`). | +| `--enable-secureplt` | Binutils 2.16 | Make the PLT read-only. Applies only to the Alpha and PowerPC architectures. | + +Some background on the introduction of these options to GNU Binutils is available from Nick Clifton, its Chief Maintainer[^Clifton22]. + +Note that LLVM recommends using Clang configuration files to pass the relevant options to the linker via the compiler driver, so no such options exist here. 
+ +[^Clifton22]: Clifton, Nick, [The linker’s warnings about executable stacks and segments](https://www.redhat.com/en/blog/linkers-warnings-about-executable-stacks-and-segments), Red Hat Blog, 2022-09-14. + ## Contributors The OpenSSF Developer BEST Practices Working group thanks Ericsson for their generous initial donation of content to start collaboration on this guide.
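Review bot: the execstack rows conflate two different markers. `GNU_STACK` (the `PT_GNU_STACK` program header) is what the linker emits in the output; the per-object request that `--disable-default-execstack` keys on is the `.note.GNU-stack` section in the input objects, with missing sections treated as "needs an executable stack" unless this option is given. Suggest rewording the `--disable-default-execstack` row to say that objects lacking a `.note.GNU-stack` section no longer get an executable stack by default, and the warn/error rows to say "if an executable stack is requested (via a `.note.GNU-stack` section or `-z execstack`)" rather than "with `GNU_STACK`"; "even with `GNU_STACK`" in the `--enable-error-execstack` row is confusing as written. Smaller points in the same hunk: "specifed" should be "specified"; the `--enable-relro` row could link `-Wl,-z,relro` to its existing section the way the `--enable-host-bind-now` row above links `[`-Wl,-z,now`](#-Wl,-z,now)`; please double-check the accepted values for `--enable-textrel-check=` against `ld/configure.ac` (I recall `warning` rather than `warn`); and "no such options exist here" would be clearer as "no such configure options exist for LLD".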