From e041fb0c9bf01c8096862a3a62dd3f24591d478e Mon Sep 17 00:00:00 2001
From: Leo Sandoval
Date: Wed, 30 Jul 2025 17:09:53 -0600
Subject: [PATCH] Enable strong stack protector and annobin section

Besides enabling the strong stack protector flag, it also removes the sed empty replacements for annobin, so now most binaries include the annobin section, required by the CI annocheck tool.

Resolves: #RHEL-89464
Signed-off-by: Leo Sandoval
---
 ..._chk_fail-function-for-non-EFI-archs.patch | 65 +++++++++++++++++++
 grub.macros | 9 ++-
 grub.patches | 1 +
 grub2.spec | 6 +-
 4 files changed, 75 insertions(+), 6 deletions(-)
 create mode 100644 0371-Add-__stack_chk_fail-function-for-non-EFI-archs.patch

diff --git a/0371-Add-__stack_chk_fail-function-for-non-EFI-archs.patch b/0371-Add-__stack_chk_fail-function-for-non-EFI-archs.patch
new file mode 100644
index 0000000..7ec134e
--- /dev/null
+++ b/0371-Add-__stack_chk_fail-function-for-non-EFI-archs.patch
@@ -0,0 +1,65 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Leo Sandoval
+Date: Fri, 1 Aug 2025 11:56:53 -0600
+Subject: [PATCH] Add __stack_chk_fail function for non-EFI archs
+
+This function allows to include '-fstack-protector-strong' compiler
+flag for non-EFI archs. Also fixes a configure.ac condition where only
+disables stack protection when stack protector is not possible.
+
+Signed-off-by: Leo Sandoval
+---
+ configure.ac | 4 +---
+ grub-core/kern/main.c | 8 ++++++++
+ include/grub/misc.h | 4 ++++
+ 3 files changed, 13 insertions(+), 3 deletions(-)
+
+diff --git a/configure.ac b/configure.ac
+index a6a6957fbd..a803d21a3e 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -1466,9 +1466,7 @@ AC_ARG_ENABLE([stack-protector],
+ [],
+ [enable_stack_protector=no])
+ if test "x$enable_stack_protector" = xno; then
+- if test "x$ssp_possible" = xyes; then
+- # Need that, because some distributions ship compilers that include
+- # `-fstack-protector' in the default specs.
++ if test "x$ssp_possible" != xyes; then
+ TARGET_CFLAGS="$TARGET_CFLAGS -fno-stack-protector"
+ fi
+ elif test "x$platform" != xefi; then
+diff --git a/grub-core/kern/main.c b/grub-core/kern/main.c
+index 2e6b79ee3d..aeafbbff9c 100644
+--- a/grub-core/kern/main.c
++++ b/grub-core/kern/main.c
+@@ -39,6 +39,14 @@
+ static bool cli_disabled = false;
+ static bool cli_need_auth = false;
+ 
++#ifndef GRUB_MACHINE_EFI
++void __attribute__ ((noreturn))
++__stack_chk_fail (void)
++{
++ grub_abort();
++}
++#endif
++
+ grub_addr_t
+ grub_modules_get_end (void)
+ {
+diff --git a/include/grub/misc.h b/include/grub/misc.h
+index 0429339ef3..751eb992ca 100644
+--- a/include/grub/misc.h
++++ b/include/grub/misc.h
+@@ -446,6 +446,10 @@ extern bool EXPORT_FUNC(grub_is_cli_disabled) (void);
+ extern bool EXPORT_FUNC(grub_is_cli_need_auth) (void);
+ extern void EXPORT_FUNC(grub_cli_set_auth_needed) (void);
+ 
++#ifndef GRUB_MACHINE_EFI
++extern void __attribute__ ((noreturn)) EXPORT_FUNC (__stack_chk_fail) (void);
++#endif
++
+ /* Must match softdiv group in gentpl.py. */
+ #if !defined(GRUB_MACHINE_EMU) && (defined(__arm__) || defined(__ia64__) || \
+ (defined(__riscv) && (__riscv_xlen == 32)))
diff --git a/grub.macros b/grub.macros
index 685b897..70ccd4b 100644
--- a/grub.macros
+++ b/grub.macros
@@ -25,9 +25,7 @@
 %global cflags_sed \\\
 sed \\\
 -e 's/-O. //g' \\\
- -e 's/-fplugin=annobin//g' \\\
- -e 's,-specs=[[:alnum:]/_-]*annobin[[:alnum:]_-]*,,g' \\\
- -e 's/-fstack-protector[[:alpha:]-]\\+//g' \\\
+ -e 's/-fno-stack-protector//g' \\\
 -e 's/-[^ ]*D_FORTIFY_SOURCE=[[:digit:]][^ ]*\\+//g' \\\
 -e 's/--param=ssp-buffer-size=4//g' \\\
 -e 's/-mregparm=3/-mregparm=4/g' \\\
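Review bot: The rewritten configure.ac condition adds `-fno-stack-protector` only when `ssp_possible` is not `yes`, i.e. when the compiler has already failed the stack-protector probe and the flag is at best a no-op; if the goal is to stop configure from overriding a `-fstack-protector-strong` supplied through `TARGET_CFLAGS`, deleting the inner `if` states that directly, and the patch description should say the check is relaxed rather than fixed. The new non-EFI `__stack_chk_fail` supplies the failure handler, but nothing in the patch defines or seeds a canary for those platforms, so where the guard is read from and whether it is ever randomised is left to the compiler default — presumably without the firmware-seeded guard the EFI build has — and a comment above the function recording that, e.g. `/* Non-EFI: the canary comes from the compiler's default guard location and is not seeded from a firmware RNG here. */`, keeps the weaker guarantee visible. The unchanged `elif test "x$platform" != xefi` branch (its body is outside the hunk) appears to keep `--enable-stack-protector` EFI-only, so the flag can only reach these targets through CFLAGS; that is worth stating in the description too. Style nit: `grub_abort();` should be `grub_abort ();`, matching the GNU spacing of the surrounding code (`grub_modules_get_end (void)`).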
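Review bot: Removing the `-fplugin=annobin` and `-specs=...annobin...` strips from `cflags_sed` lets those flags through to every consumer of the filter, including `target_cflags` for the boot-time kernel and modules, not just the host tools that annocheck inspects. The annobin plugin adds note sections and symbols to each object, so confirm that `grub-mkimage` and the ELF module loader tolerate them (or keep stripping them on the target side) and record the result in the commit message, which currently only says 'most binaries'. The new `-e 's/-fno-stack-protector//g'` rule only has an effect if `%build_cflags` or `%_hardening_cflags` ever carry that flag; a macro comment such as `# drop any distro-supplied -fno-stack-protector so the explicit -fstack-protector-strong wins` would explain why it is here.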
@@ -37,7 +35,7 @@
 -e 's/^/ -fno-strict-aliasing /' \\\
 %{nil}
-%global host_cflags_ %{expand:%%(echo %{build_cflags} %{?_hardening_cflags} | %{cflags_sed})} -fstack-protector-strong
+%global host_cflags_ %{expand:%%(echo %{build_cflags} %{?_hardening_cflags} -fstack-protector-strong | %{cflags_sed})}
 %ifarch x86_64
 %global host_cflags %{host_cflags_} -fcf-protection
 %else
@@ -51,7 +49,7 @@
 )}
 %global efi_host_cflags %{expand:%%(echo %{host_cflags})}
-%global target_cflags %{expand:%%(echo %{build_cflags} | %{cflags_sed})}
+%global target_cflags %{expand:%%(echo %{build_cflags} -fstack-protector-strong | %{cflags_sed})}
 %global legacy_target_cflags \\\
 %{expand:%%(echo %{target_cflags} | \\\
 %{cflags_sed} \\\
@@ -373,6 +371,7 @@ rm -r build-aux m4 \
 --target=%{1} \\\
 --with-grubdir=grub2 \\\
 --program-transform-name=s,grub,grub2, \\\
+ --enable-stack-protector=strong \\\
 --disable-werror || ( cat config.log ; exit 1 ) \
 git add . \
 git commit -m "After efi configure" \
diff --git a/grub.patches b/grub.patches
index 1c3c893..19618d8 100644
--- a/grub.patches
+++ b/grub.patches
@@ -367,3 +367,4 @@ Patch0367: 0367-Use-medany-instead-of-large-model-for-RISCV.patch
 Patch0368: 0368-10_linux.in-escape-kernel-option-characters-properly.patch
 Patch0369: 0369-blscfg-check-if-variable-is-escaped-before-consideri.patch
 Patch0370: 0370-Set-correctly-the-memory-attributes-for-the-kernel-P.patch
+Patch0371: 0371-Add-__stack_chk_fail-function-for-non-EFI-archs.patch
diff --git a/grub2.spec b/grub2.spec
index 74a947e..8f86325 100644
--- a/grub2.spec
+++ b/grub2.spec
@@ -17,7 +17,7 @@
 Name: grub2
 Epoch: 1
 Version: 2.12
-Release: 25%{?dist}
+Release: 26%{?dist}
 Summary: Bootloader with support for Linux, Multiboot and more
 License: GPL-3.0-or-later
 URL: http://www.gnu.org/software/grub/
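Review bot: `target_cflags` now injects `-fstack-protector-strong` straight into CFLAGS for every target, while `--enable-stack-protector=strong` is passed only to the EFI configure (the `@@ -373` hunk, inside the macro that commits "After efi configure"), so non-EFI builds get the instrumentation without configure's feature probe and without whatever guard-model flags or defines configure pairs with that option on EFI. Either extend configure to accept the option for non-EFI and pass it to that configure call as well, or add a macro comment next to `target_cflags` saying that non-EFI deliberately relies on the CFLAGS path alone. The same flag is also prepended in `host_cflags_` (the `@@ -37` hunk) where the distribution's `%build_cflags` typically already carries `-fstack-protector-strong`, so it will usually appear twice; harmless, but a comment would stop the next reader from wondering. The spec changelog describes the change as EFI-only, which does not match the non-EFI injection in this hunk.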
@@ -574,6 +574,10 @@ fi
 %endif
 %changelog
+* Thu Jul 31 2025 Leo Sandoval 2.12-26
+- Enable strong stack protector on EFI configurations
+- Resolves: #RHEL-89464
+
 * Thu Jul 31 2025 Leo Sandoval 2.12-25
 - 20-grub.install: Skip BLS removal when entry type is type2
 - Resolves: #RHEL-104167