Enable strong stack protector and annobin section

Besides enabling the strong stack protector flag, it also removes the sed empty replacements for annobin, so now most binaries include the annobin section, required by the CI annocheck tool. Resolves: #RHEL-89464 Signed-off-by: Leo Sandoval <lsandova@redhat.com>
2025-07-30 17:09:53 -06:00 · 2025-07-30 17:09:53 -06:00 · e041fb0c9b
commit e041fb0c9b
parent b96380fa98
4 changed files with 75 additions and 6 deletions
--- a/0371-Add-__stack_chk_fail-function-for-non-EFI-archs.patch
+++ b/0371-Add-__stack_chk_fail-function-for-non-EFI-archs.patch
@ -0,0 +1,65 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Leo Sandoval <lsandova@redhat.com>
+Date: Fri, 1 Aug 2025 11:56:53 -0600
+Subject: [PATCH] Add __stack_chk_fail function for non-EFI archs
+
+This function allows to include '-fstack-protector-strong' compiler
+flag for non-EFI archs. Also fixes a configure.ac condition where only
+disables stack protection when stack protector is not possible.
+
+Signed-off-by: Leo Sandoval <lsandova@redhat.com>
+---
+ configure.ac          | 4 +---
+ grub-core/kern/main.c | 8 ++++++++
+ include/grub/misc.h   | 4 ++++
+ 3 files changed, 13 insertions(+), 3 deletions(-)
+
+diff --git a/configure.ac b/configure.ac
+index a6a6957fbd..a803d21a3e 100644
+--- a/configure.ac
+++ b/configure.ac
+@@ -1466,9 +1466,7 @@ AC_ARG_ENABLE([stack-protector],
+ 	      [],
+ 	      [enable_stack_protector=no])
+ if test "x$enable_stack_protector" = xno; then
+-  if test "x$ssp_possible" = xyes; then
+-    # Need that, because some distributions ship compilers that include
+-    # `-fstack-protector' in the default specs.
+  if test "x$ssp_possible" != xyes; then
+     TARGET_CFLAGS="$TARGET_CFLAGS -fno-stack-protector"
+   fi
+ elif test "x$platform" != xefi; then
+diff --git a/grub-core/kern/main.c b/grub-core/kern/main.c
+index 2e6b79ee3d..aeafbbff9c 100644
+--- a/grub-core/kern/main.c
+++ b/grub-core/kern/main.c
+@@ -39,6 +39,14 @@
+ static bool cli_disabled = false;
+ static bool cli_need_auth = false;
+ 
+#ifndef GRUB_MACHINE_EFI
+void __attribute__ ((noreturn))
+__stack_chk_fail (void)
+{
+  grub_abort();
+}
+#endif
+
+ grub_addr_t
+ grub_modules_get_end (void)
+ {
+diff --git a/include/grub/misc.h b/include/grub/misc.h
+index 0429339ef3..751eb992ca 100644
+--- a/include/grub/misc.h
+++ b/include/grub/misc.h
+@@ -446,6 +446,10 @@ extern bool EXPORT_FUNC(grub_is_cli_disabled) (void);
+ extern bool EXPORT_FUNC(grub_is_cli_need_auth) (void);
+ extern void EXPORT_FUNC(grub_cli_set_auth_needed) (void);
+ 
+#ifndef GRUB_MACHINE_EFI
+extern void __attribute__ ((noreturn)) EXPORT_FUNC (__stack_chk_fail) (void);
+#endif
+
+ /* Must match softdiv group in gentpl.py.  */
+ #if !defined(GRUB_MACHINE_EMU) && (defined(__arm__) || defined(__ia64__) || \
+     (defined(__riscv) && (__riscv_xlen == 32)))
--- a/grub.macros
+++ b/grub.macros
@ -25,9 +25,7 @@
 %global cflags_sed						\\\
 	sed							\\\
 		-e 's/-O. //g'					\\\
-		-e 's/-fplugin=annobin//g'			\\\
-		-e 's,-specs=[[:alnum:]/_-]*annobin[[:alnum:]_-]*,,g' \\\
-		-e 's/-fstack-protector[[:alpha:]-]\\+//g'	\\\
+		-e 's/-fno-stack-protector//g'			\\\
 		-e 's/-[^ ]*D_FORTIFY_SOURCE=[[:digit:]][^ ]*\\+//g'	\\\
 		-e 's/--param=ssp-buffer-size=4//g'		\\\
 		-e 's/-mregparm=3/-mregparm=4/g'		\\\
@ -37,7 +35,7 @@
 		-e 's/^/ -fno-strict-aliasing /'		\\\
 		%{nil}

-%global host_cflags_ %{expand:%%(echo %{build_cflags} %{?_hardening_cflags} | %{cflags_sed})} -fstack-protector-strong
+%global host_cflags_ %{expand:%%(echo %{build_cflags} %{?_hardening_cflags} -fstack-protector-strong | %{cflags_sed})}
 %ifarch x86_64
 %global host_cflags %{host_cflags_} -fcf-protection
 %else
@ -51,7 +49,7 @@
 	)}
 %global efi_host_cflags %{expand:%%(echo %{host_cflags})}

-%global target_cflags %{expand:%%(echo %{build_cflags} | %{cflags_sed})}
+%global target_cflags %{expand:%%(echo %{build_cflags} -fstack-protector-strong | %{cflags_sed})}
 %global legacy_target_cflags					\\\
 	%{expand:%%(echo %{target_cflags} | 			\\\
 	%{cflags_sed}						\\\
@ -373,6 +371,7 @@ rm -r build-aux m4						\
 	--target=%{1}						\\\
 	--with-grubdir=grub2					\\\
 	--program-transform-name=s,grub,grub2,		\\\
+	--enable-stack-protector=strong			\\\
 	--disable-werror || ( cat config.log ; exit 1 )		\
 git add .							\
 git commit -m "After efi configure"				\
--- a/grub.patches
+++ b/grub.patches
@ -367,3 +367,4 @@ Patch0367: 0367-Use-medany-instead-of-large-model-for-RISCV.patch
 Patch0368: 0368-10_linux.in-escape-kernel-option-characters-properly.patch
 Patch0369: 0369-blscfg-check-if-variable-is-escaped-before-consideri.patch
 Patch0370: 0370-Set-correctly-the-memory-attributes-for-the-kernel-P.patch
+Patch0371: 0371-Add-__stack_chk_fail-function-for-non-EFI-archs.patch
--- a/grub2.spec
+++ b/grub2.spec
@ -17,7 +17,7 @@
 Name:		grub2
 Epoch:		1
 Version:	2.12
-Release:	25%{?dist}
+Release:	26%{?dist}
 Summary:	Bootloader with support for Linux, Multiboot and more
 License:	GPL-3.0-or-later
 URL:		http://www.gnu.org/software/grub/
@ -574,6 +574,10 @@ fi
 %endif

 %changelog
+* Thu Jul 31 2025 Leo Sandoval <lsandova@redhat.com> 2.12-26
+- Enable strong stack protector on EFI configurations
+- Resolves: #RHEL-89464
+
 * Thu Jul 31 2025 Leo Sandoval <lsandova@redhat.com> 2.12-25
 - 20-grub.install: Skip BLS removal when entry type is type2
 - Resolves: #RHEL-104167