View previous topic :: View next topic |
Author |
Message |
xo ip n00b
Joined: 06 Nov 2024 Posts: 3
|
Posted: Wed Nov 06, 2024 3:17 pm Post subject: [SOLVED] elfutils error thread support required (hardened) |
|
|
hello gentoo community,
i'm using stage3-amd64-musl-llvm-20241027T164832Z.tar.xz for installation and update it today, add manual the following to make.conf (enable hardening flags):
Code: | WARNING_FLAGS="-Werror=odr -Werror=strict-aliasing"
HARDENING_CFLAGS="-fPIC -fPIE -fstack-clash-protection -fstack-protector-strong -fcf-protection=full -D_FORTIFY_SOURCE=2"
HARDENING_LDFLAGS="-Wl,-z,relro,-z,now -pie"
COMMON_FLAGS="-march=native -O2 -pipe -flto=thin ${WARNING_FLAGS}"
CFLAGS="${COMMON_FLAGS} ${HARDENING_CFLAGS}"
CXXFLAGS="${COMMON_FLAGS} ${HARDENING_CFLAGS}"
LDFLAGS="${LDFLAGS} -Wl,-O2 -Wl,--as-needed ${HARDENING_LDFLAGS}" |
Then i recompile the whole system with: Code: | emerge -e --ask --update --newuse --with-bdeps=y --quiet --deep @world |
One program failed: dev-libs/elfutils with the following error:
Code: | configure: error: __thread support required |
I then try nopie and nossp to /etc/portage/package.env from here: https://wiki.gentoo.org/wiki/Hardened_Gentoo for just elfutils.
But it's still failed but when i remove all the ${WARNING_FLAGS} ${HARDENING_CFLAGS} ${HARDENING_LDFLAGS} from make.conf like just use:
Code: | CFLAGS="${COMMON_FLAGS}"
CXXFLAGS="${COMMON_FLAGS}"
LDFLAGS="${LDFLAGS} -Wl,-O2 -Wl,--as-needed" | it works.
So what i have to add to another /etc/portage/env/unknown to make it just work for dev-libs/elfutils ?
Last edited by xo ip on Wed Nov 06, 2024 5:43 pm; edited 2 times in total |
|
Back to top |
|
|
xo ip n00b
Joined: 06 Nov 2024 Posts: 3
|
Posted: Wed Nov 06, 2024 3:54 pm Post subject: |
|
|
-no-pie don't work via /etc/portage/env but removing -fPIE from HARDENING_CFLAGS works. weird.
The wiki entry is wrong ! it should be -fno-PIE and not -no-pie https://wiki.gentoo.org/wiki/Hardened_Gentoo |
|
Back to top |
|
|
sam_ Developer
Joined: 14 Aug 2020 Posts: 1947
|
Posted: Wed Nov 06, 2024 6:28 pm Post subject: |
|
|
Your answer doesn't seem to explain what happened here, because the default is PIE anyway - as are the other hardening flags (so no need for you to be setting it), and the only error you pointed out was something you tried to work around it? |
|
Back to top |
|
|
xo ip n00b
Joined: 06 Nov 2024 Posts: 3
|
Posted: Wed Nov 06, 2024 11:04 pm Post subject: |
|
|
hello sam_,
thank you for taking time and answering i hope i can explain it a bit more:
Make.conf Code: | CC="clang"
CPP="clang-cpp" # necessary for xorg-server and possibly other packages
CXX="clang++"
AR="llvm-ar"
NM="llvm-nm"
RANLIB="llvm-ranlib"
WARNING_FLAGS="-Werror=odr -Werror=strict-aliasing"
HARDENING_CFLAGS="-fPIC -fPIE -fstack-clash-protection -fstack-protector-strong -fcf-protection=full -D_FORTIFY_SOURCE=2"
HARDENING_LDFLAGS="-Wl,-z,relro,-z,now -pie"
COMMON_FLAGS="-march=native -O2 -pipe -flto=thin ${WARNING_FLAGS}"
CFLAGS="${COMMON_FLAGS} ${HARDENING_CFLAGS}"
CXXFLAGS="${COMMON_FLAGS} ${HARDENING_CFLAGS}"
LDFLAGS="${LDFLAGS} -Wl,-O2 -Wl,--as-needed ${HARDENING_LDFLAGS}"
FEATURE="cgroup ipc-sandbox network-sandbox noman nodoc noinfo" |
I can only compile dev-libs/elfutils when i add nopie (/etc/portage/env/nopie) to /etc/portage/package.env elfutils.
/etc/portage/env/nopie
Code: | CFLAGS="${CFLAGS} -fno-PIE"
CXXFLAGS="${CXXFLAGS} -fno-PIE"
LDFLAGS="${LDFLAGS} -fno-PIE" |
If compile without nopie i get the following error:
Code: | >>> Emerging (1 of 1) dev-libs/elfutils-0.191-r2::gentoo
* elfutils-0.191.tar.bz2 BLAKE2B SHA512 size ;-) ... [ ok ]
>>> Unpacking source...
>>> Unpacking elfutils-0.191.tar.bz2 to /var/tmp/portage/dev-libs/elfutils-0.191-r2/work
>>> Source unpacked in /var/tmp/portage/dev-libs/elfutils-0.191-r2/work
>>> Preparing source in /var/tmp/portage/dev-libs/elfutils-0.191-r2/work/elfutils-0.191 ...
* Applying elfutils-0.189-musl-aarch64-regs.patch ... [ ok ]
* Applying elfutils-0.191-musl-macros.patch ... [ ok ]
* Applying elfutils-0.191-avoid-overriding-libcxx-system-header.patch ... [ ok ]
* Running eautoreconf in '/var/tmp/portage/dev-libs/elfutils-0.191-r2/work/elfutils-0.191' ...
* Running 'autopoint --force' ... [ ok ]
* Running 'aclocal -I m4 --system-acdir=/var/tmp/portage/dev-libs/elfutils-0.191-r2/temp/aclocal' ... [ ok ]
* Running 'autoconf --force' ... [ ok ]
* Running 'autoheader --force' ... [ ok ]
* Running 'automake --add-missing --copy --force-missing' ... [ ok ]
* Running elibtoolize in: elfutils-0.191/
>>> Source prepared.
>>> Configuring source in /var/tmp/portage/dev-libs/elfutils-0.191-r2/work/elfutils-0.191 ...
* abi_x86_64.amd64: running multilib-minimal_abi_src_configure
* econf: updating elfutils-0.191/config/config.guess with /usr/share/gnuconfig/config.guess
* econf: updating elfutils-0.191/config/config.sub with /usr/share/gnuconfig/config.sub
* econf: updating elfutils-0.191/config.guess with /usr/share/gnuconfig/config.guess
* econf: updating elfutils-0.191/config.sub with /usr/share/gnuconfig/config.sub
/var/tmp/portage/dev-libs/elfutils-0.191-r2/work/elfutils-0.191/configure --prefix=/usr --build=x86_64-pc-linux-musl --host=x86_64-pc-linux-musl --mandir=/usr/share/man --infodir=/usr/share/info --datadir=/usr/share --sysconfdir=/etc --localstatedir=/var/lib --datarootdir=/usr/share --disable-dependency-tracking --disable-silent-rules --docdir=/usr/share/doc/elfutils-0.191-r2 --htmldir=/usr/share/doc/elfutils-0.191-r2/html --libdir=/usr/lib --enable-nls --disable-debuginfod --disable-libdebuginfod --disable-valgrind-annotations --disable-thread-safety --disable-valgrind --program-prefix=eu- --with-zlib --with-bzlib --without-lzma --with-zstd
checking for a BSD-compatible install... /usr/lib/portage/python3.12/ebuild-helpers/xattr/install -c
checking whether build environment is sane... yes
checking for a race-free mkdir -p... /usr/bin/mkdir -p
checking for gawk... gawk
checking whether make sets $(MAKE)... yes
checking whether make supports nested variables... yes
checking whether to enable maintainer-specific portions of Makefiles... no
checking whether make supports nested variables... (cached) yes
checking build system type... x86_64-pc-linux-musl
checking host system type... x86_64-pc-linux-musl
checking for x86_64-pc-linux-musl-gcc... clang
checking whether the C compiler works... yes
checking for C compiler default output file name... a.out
checking for suffix of executables...
checking whether we are cross compiling... no
checking for suffix of object files... o
checking whether the compiler supports GNU C... yes
checking whether clang accepts -g... yes
checking for clang option to enable C11 features... none needed
checking whether clang understands -c and -o together... yes
checking whether make supports the include directive... yes (GNU style)
checking dependency style of clang... none
checking whether the compiler supports GNU C++... yes
checking whether clang++ accepts -g... yes
checking for clang++ option to enable C++11 features... none needed
checking dependency style of clang++... none
checking for x86_64-pc-linux-musl-ranlib... llvm-ranlib
checking for bison... bison -y
checking for flex... flex
checking for lex output file root... lex.yy
checking for lex library... none needed
checking whether yytext is a pointer... yes
checking for x86_64-pc-linux-musl-ar... llvm-ar
checking the archiver (llvm-ar) interface... ar
checking for x86_64-pc-linux-musl-readelf... llvm-readelf
checking for x86_64-pc-linux-musl-nm... llvm-nm
checking whether gcc supports __attribute__((visibility()))... yes
checking whether gcc supports __attribute__((gcc_struct))... no
checking whether gcc supports -fPIC... yes
checking whether gcc supports -fPIE... yes
checking whether gcc supports -Wl,-z,defs... yes
checking whether the compiler generates build-ids... no
configure: WARNING: compiler doesn't generate build-id by default
checking whether gcc supports -Wl,-z,relro... yes
checking for __thread support... no
configure: error: __thread support required
!!! Please attach the following file when seeking support:
!!! /var/tmp/portage/dev-libs/elfutils-0.191-r2/work/elfutils-0.191-abi_x86_64.amd64/config.log
* ERROR: dev-libs/elfutils-0.191-r2::gentoo failed (configure phase):
* econf failed
*
* Call stack:
* ebuild.sh, line 136: Called src_configure
* environment, line 2507: Called multilib-minimal_src_configure
* environment, line 1853: Called multilib_foreach_abi 'multilib-minimal_abi_src_configure'
* environment, line 2103: Called multibuild_foreach_variant '_multilib_multibuild_wrapper' 'multilib-minimal_abi_src_configure'
* environment, line 1808: Called _multibuild_run '_multilib_multibuild_wrapper' 'multilib-minimal_abi_src_configure'
* environment, line 1806: Called _multilib_multibuild_wrapper 'multilib-minimal_abi_src_configure'
* environment, line 575: Called multilib-minimal_abi_src_configure
* environment, line 1847: Called multilib_src_configure
* environment, line 2328: Called econf '--enable-nls' '--disable-debuginfod' '--disable-libdebuginfod' '--disable-valgrind-annotations' '--disable-thread-safety' '--disable-valgrind' '--program-prefix=eu-' '--with-zlib' '--with-bzlib' '--without-lzma' '--with-zstd'
* phase-helpers.sh, line 647: Called __helpers_die 'econf failed'
* isolated-functions.sh, line 112: Called die
* The specific snippet of code:
* die "$@"
*
* If you need support, post the output of `emerge --info '=dev-libs/elfutils-0.191-r2::gentoo'`,
* the complete build log and the output of `emerge -pqv '=dev-libs/elfutils-0.191-r2::gentoo'`.
* The complete build log is located at '/var/tmp/portage/dev-libs/elfutils-0.191-r2/temp/build.log'.
* The ebuild environment file is located at '/var/tmp/portage/dev-libs/elfutils-0.191-r2/temp/environment'.
* Working directory: '/var/tmp/portage/dev-libs/elfutils-0.191-r2/work/elfutils-0.191-abi_x86_64.amd64'
* S: '/var/tmp/portage/dev-libs/elfutils-0.191-r2/work/elfutils-0.191'
>>> Failed to emerge dev-libs/elfutils-0.191-r2, Log file:
>>> '/var/tmp/portage/dev-libs/elfutils-0.191-r2/temp/build.log'
* Messages for package dev-libs/elfutils-0.191-r2:
* ERROR: dev-libs/elfutils-0.191-r2::gentoo failed (configure phase):
* econf failed
*
* Call stack:
* ebuild.sh, line 136: Called src_configure
* environment, line 2507: Called multilib-minimal_src_configure
* environment, line 1853: Called multilib_foreach_abi 'multilib-minimal_abi_src_configure'
* environment, line 2103: Called multibuild_foreach_variant '_multilib_multibuild_wrapper' 'multilib-minimal_abi_src_configure'
* environment, line 1808: Called _multibuild_run '_multilib_multibuild_wrapper' 'multilib-minimal_abi_src_configure'
* environment, line 1806: Called _multilib_multibuild_wrapper 'multilib-minimal_abi_src_configure'
* environment, line 575: Called multilib-minimal_abi_src_configure
* environment, line 1847: Called multilib_src_configure
* environment, line 2328: Called econf '--enable-nls' '--disable-debuginfod' '--disable-libdebuginfod' '--disable-valgrind-annotations' '--disable-thread-safety' '--disable-valgrind' '--program-prefix=eu-' '--with-zlib' '--with-bzlib' '--without-lzma' '--with-zstd'
* phase-helpers.sh, line 647: Called __helpers_die 'econf failed'
* isolated-functions.sh, line 112: Called die
* The specific snippet of code:
* die "$@"
*
* If you need support, post the output of `emerge --info '=dev-libs/elfutils-0.191-r2::gentoo'`,
* the complete build log and the output of `emerge -pqv '=dev-libs/elfutils-0.191-r2::gentoo'`.
* The complete build log is located at '/var/tmp/portage/dev-libs/elfutils-0.191-r2/temp/build.log'.
* The ebuild environment file is located at '/var/tmp/portage/dev-libs/elfutils-0.191-r2/temp/environment'.
* Working directory: '/var/tmp/portage/dev-libs/elfutils-0.191-r2/work/elfutils-0.191-abi_x86_64.amd64'
* S: '/var/tmp/portage/dev-libs/elfutils-0.191-r2/work/elfutils-0.191' |
That i don't have to add hardening flag manual is new to me because if i don't add these flags in compiler log there a missing.
Example tmux here is a compiler output line without the hardend flags vars in make.conf.
Code: | clang -std=gnu99 -march=native -O2 -pipe -flto=thin -Werror=odr -Werror=strict-aliasing -Wl,-O1 -Wl,--as-needed -Wl,-z,pack-relative-relocs -Wl,--as-needed -Wl,-O2 -Wl,--as-needed -o tmux alerts.o arguments.o attributes.o cfg.o client.o cmd-attach-session.o cmd-bind-key.o cmd-break-pane.o cmd-capture-pane.o cmd-choose-tree.o cmd-command-prompt.o cmd-confirm-before.o cmd-copy-mode.o cmd-detach-client.o cmd-display-menu.o cmd-display-message.o cmd-display-panes.o cmd-find-window.o cmd-find.o cmd-if-shell.o cmd-join-pane.o cmd-kill-pane.o cmd-kill-server.o cmd-kill-session.o cmd-kill-window.o cmd-list-buffers.o cmd-list-clients.o cmd-list-keys.o cmd-list-panes.o cmd-list-sessions.o cmd-list-windows.o cmd-load-buffer.o cmd-lock-server.o cmd-move-window.o cmd-new-session.o cmd-new-window.o cmd-parse.o cmd-paste-buffer.o cmd-pipe-pane.o cmd-queue.o cmd-refresh-client.o cmd-rename-session.o cmd-rename-window.o cmd-resize-pane.o cmd-resize-window.o cmd-respawn-pane.o cmd-respawn-window.o cmd-rotate-window.o cmd-run-shell.o cmd-save-buffer.o cmd-select-layout.o cmd-select-pane.o cmd-select-window.o cmd-send-keys.o cmd-server-access.o cmd-set-buffer.o cmd-set-environment.o cmd-set-option.o cmd-show-environment.o cmd-show-messages.o cmd-show-options.o cmd-show-prompt-history.o cmd-source-file.o cmd-split-window.o cmd-swap-pane.o cmd-swap-window.o cmd-switch-client.o cmd-unbind-key.o cmd-wait-for.o cmd.o colour.o control-notify.o control.o environ.o file.o format.o format-draw.o grid-reader.o grid-view.o grid.o hyperlinks.o input-keys.o input.o job.o key-bindings.o key-string.o layout-custom.o layout-set.o layout.o log.o menu.o mode-tree.o names.o notify.o options-table.o options.o paste.o popup.o proc.o regsub.o resize.o screen-redraw.o screen-write.o screen.o server-acl.o server-client.o server-fn.o server.o session.o spawn.o status.o style.o tmux.o tty-acs.o tty-features.o tty-keys.o tty-term.o tty.o utf8-combined.o utf8.o window-buffer.o window-client.o window-clock.o window-copy.o window-customize.o window-tree.o window.o xmalloc.o osdep-linux.o compat/closefrom.o compat/freezero.o compat/getdtablecount.o compat/getpeereid.o compat/getprogname.o compat/htonll.o compat/ntohll.o compat/setproctitle.o compat/strtonum.o compat/recallocarray.o compat/getopt.o compat/base64.o compat/imsg.o compat/imsg-buffer.o compat/vis.o compat/unvis.o compat/fdforkpty.o -lxnet -ltinfo -levent_core -lm |
And this it the output with hardened flags:
Code: | clang -std=gnu99 -march=native -O2 -pipe -flto=thin -Werror=odr -Werror=strict-aliasing -fPIC -fPIE -fstack-clash-protection -fstack-protector-strong -fcf-protection=full -D_FORTIFY_SOURCE=2 -Wl,-O1 -Wl,--as-needed -Wl,-z,pack-relative-relocs -Wl,--as-needed -Wl,-O2 -Wl,--as-needed -Wl,-z,relro,-z,now -pie -o tmux alerts.o arguments.o attributes.o cfg.o client.o cmd-attach-session.o cmd-bind-key.o cmd-break-pane.o cmd-capture-pane.o cmd-choose-tree.o cmd-command-prompt.o cmd-confirm-before.o cmd-copy-mode.o cmd-detach-client.o cmd-display-menu.o cmd-display-message.o cmd-display-panes.o cmd-find-window.o cmd-find.o cmd-if-shell.o cmd-join-pane.o cmd-kill-pane.o cmd-kill-server.o cmd-kill-session.o cmd-kill-window.o cmd-list-buffers.o cmd-list-clients.o cmd-list-keys.o cmd-list-panes.o cmd-list-sessions.o cmd-list-windows.o cmd-load-buffer.o cmd-lock-server.o cmd-move-window.o cmd-new-session.o cmd-new-window.o cmd-parse.o cmd-paste-buffer.o cmd-pipe-pane.o cmd-queue.o cmd-refresh-client.o cmd-rename-session.o cmd-rename-window.o cmd-resize-pane.o cmd-resize-window.o cmd-respawn-pane.o cmd-respawn-window.o cmd-rotate-window.o cmd-run-shell.o cmd-save-buffer.o cmd-select-layout.o cmd-select-pane.o cmd-select-window.o cmd-send-keys.o cmd-server-access.o cmd-set-buffer.o cmd-set-environment.o cmd-set-option.o cmd-show-environment.o cmd-show-messages.o cmd-show-options.o cmd-show-prompt-history.o cmd-source-file.o cmd-split-window.o cmd-swap-pane.o cmd-swap-window.o cmd-switch-client.o cmd-unbind-key.o cmd-wait-for.o cmd.o colour.o control-notify.o control.o environ.o file.o format.o format-draw.o grid-reader.o grid-view.o grid.o hyperlinks.o input-keys.o input.o job.o key-bindings.o key-string.o layout-custom.o layout-set.o layout.o log.o menu.o mode-tree.o names.o notify.o options-table.o options.o paste.o popup.o proc.o regsub.o resize.o screen-redraw.o screen-write.o screen.o server-acl.o server-client.o server-fn.o server.o session.o spawn.o status.o style.o tmux.o tty-acs.o tty-features.o tty-keys.o tty-term.o tty.o utf8-combined.o utf8.o window-buffer.o window-client.o window-clock.o window-copy.o window-customize.o window-tree.o window.o xmalloc.o osdep-linux.o compat/closefrom.o compat/freezero.o compat/getdtablecount.o compat/getpeereid.o compat/getprogname.o compat/htonll.o compat/ntohll.o compat/setproctitle.o compat/strtonum.o compat/recallocarray.o compat/getopt.o compat/base64.o compat/imsg.o compat/imsg-buffer.o compat/vis.o compat/unvis.o compat/fdforkpty.o -lxnet -ltinfo -levent_core -lm |
|
|
Back to top |
|
|
GDH-gentoo Veteran
Joined: 20 Jul 2019 Posts: 1681 Location: South America
|
Posted: Wed Nov 06, 2024 11:35 pm Post subject: |
|
|
xo ip wrote: | Code: | >>> Configuring source in /var/tmp/portage/dev-libs/elfutils-0.191-r2/work/elfutils-0.191 ...
...
checking for __thread support... no
configure: error: __thread support required
!!! Please attach the following file when seeking support:
!!! /var/tmp/portage/dev-libs/elfutils-0.191-r2/work/elfutils-0.191-abi_x86_64.amd64/config.log |
|
Check in that file what happened with the configure script's test of __thread support. _________________
NeddySeagoon wrote: | I'm not a witch, I'm a retired electronics engineer |
Ionen wrote: | As a packager I just don't want things to get messier with weird build systems and multiple toolchains requirements though |
|
|
Back to top |
|
|
|
|
You cannot post new topics in this forum You cannot reply to topics in this forum You cannot edit your posts in this forum You cannot delete your posts in this forum You cannot vote in polls in this forum
|
|