Skip to content

Commit

Permalink
openbsd: Add static linking support
Browse files Browse the repository at this point in the history
I've had better luck creating statically-linked binaries that work than
dynamically-linked ones, so this is needed quite practically.
  • Loading branch information
Ericson2314 committed Jul 9, 2024
1 parent b178ec7 commit 676df1c
Show file tree
Hide file tree
Showing 7 changed files with 50 additions and 18 deletions.
6 changes: 5 additions & 1 deletion doc/stdenv/stdenv.chapter.md
Original file line number Diff line number Diff line change
Expand Up @@ -1521,7 +1521,11 @@ The following flags are disabled by default and should be enabled with `hardenin

#### `pie` {#pie}

This flag is disabled by default for normal `glibc` based NixOS package builds, but enabled by default for `musl` based package builds.
This flag is disabled by default for normal `glibc` based NixOS package builds, but enabled by default for

- `musl`-based package builds, except on Aarch64 and Aarch32, where there are issues.

- Statically-linked for OpenBSD builds, where it appears to be required to get a working binary.

Adds the `-fPIE` compiler and `-pie` linker options. Position Independent Executables are needed to take advantage of Address Space Layout Randomization, supported by modern kernel versions. While ASLR can already be enforced for data areas in the stack and heap (brk and mmap), the code areas must be compiled as position-independent. Shared libraries already do this with the `pic` flag, so they gain ASLR automatically, but binary .text regions need to be build with `pie` to gain ASLR. When this happens, ROP attacks are much harder since there are no static locations to bounce off of during a memory corruption attack.

Expand Down
24 changes: 14 additions & 10 deletions pkgs/build-support/bintools-wrapper/default.nix
Original file line number Diff line number Diff line change
Expand Up @@ -45,16 +45,20 @@
"relro"
"stackprotector"
"strictoverflow"
] ++ lib.optional (with stdenvNoCC;
# Musl-based platforms will keep "pie", other platforms will not.
# If you change this, make sure to update section `{#sec-hardening-in-nixpkgs}`
# in the nixpkgs manual to inform users about the defaults.
targetPlatform.libc == "musl"
# Except when:
# - static aarch64, where compilation works, but produces segfaulting dynamically linked binaries.
# - static armv7l, where compilation fails.
&& !(targetPlatform.isAarch && targetPlatform.isStatic)
) "pie"
] ++ lib.optional (with stdenvNoCC; lib.any (x: x) [
# OpenBSD static linking requires PIE
(with targetPlatform; isOpenBSD && isStatic)
(lib.all (x: x) [
# Musl-based platforms will keep "pie", other platforms will not.
# If you change this, make sure to update section `{#sec-hardening-in-nixpkgs}`
# in the nixpkgs manual to inform users about the defaults.
(targetPlatform.libc == "musl")
# Except when:
# - static aarch64, where compilation works, but produces segfaulting dynamically linked binaries.
# - static armv7l, where compilation fails.
(!(targetPlatform.isAarch && targetPlatform.isStatic))
])
]) "pie"

# Darwin code signing support utilities
, postLinkSignHook ? null, signingUtils ? null
Expand Down
10 changes: 10 additions & 0 deletions pkgs/os-specific/bsd/openbsd/pkgs/csu.nix
Original file line number Diff line number Diff line change
@@ -1,6 +1,7 @@
{
lib,
mkDerivation,
fetchpatch,
bsdSetupHook,
openbsdSetupHook,
makeMinimal,
Expand All @@ -11,6 +12,15 @@
mkDerivation {
noLibc = true;
path = "lib/csu";
patches = [
# Support for a new NOBLIBSTATIC make variable
(fetchpatch {
name = "nolibstatic-support.patch";
url = "https://marc.info/?l=openbsd-tech&m=171972639411562&q=raw";
hash = "sha256-ZMegMq/A/SeFp8fofIyF0AA0IUo/11ZgKxg/UNT4z3E=";
includes = [ "libexec/ld.so/*" ];
})
];
nativeBuildInputs = [
bsdSetupHook
openbsdSetupHook
Expand Down
12 changes: 7 additions & 5 deletions pkgs/os-specific/bsd/openbsd/pkgs/libcMinimal/package.nix
Original file line number Diff line number Diff line change
Expand Up @@ -2,20 +2,19 @@
lib,
crossLibcStdenv,
mkDerivation,
fetchpatch,
bsdSetupHook,
openbsdSetupHook,
makeMinimal,
install,
flex,
byacc,
gencat,
lorder,
tsort,
rpcgen,
csu,
include,
ctags,
tsort,
llvmPackages,
fetchpatch,
}:

mkDerivation {
Expand All @@ -35,9 +34,11 @@ mkDerivation {
patches = [
./netbsd-make-to-lower.patch
./disable-librebuild.patch
# Do not produce ctags, can do that separately.
(fetchpatch {
name = "skip-tags.patch";
url = "https://marc.info/?l=openbsd-tech&m=171575286706032&q=raw";
sha256 = "sha256-2fqabJZLUvXUIWe5WZ4NrTOwgQCXqH49Wo0hAPu5lu0=";
hash = "sha256-2fqabJZLUvXUIWe5WZ4NrTOwgQCXqH49Wo0hAPu5lu0=";
})
];

Expand All @@ -47,6 +48,7 @@ mkDerivation {
makeMinimal
install
tsort
lorder
gencat
];

Expand Down
11 changes: 10 additions & 1 deletion pkgs/os-specific/bsd/openbsd/pkgs/make-rules/package.nix
Original file line number Diff line number Diff line change
Expand Up @@ -14,11 +14,20 @@ mkDerivation {
dontBuild = true;

patches = [
# Use `$AR` not hardcoded `ar`
(fetchpatch {
name = "use-ar-variable.patch";
url = "https://marc.info/?l=openbsd-tech&m=171575284906018&q=raw";
sha256 = "sha256-bigxJGbaf9mCmFXxLVzQpnUUaEMMDfF3eZkTXVzd6B8=";
hash = "sha256-bigxJGbaf9mCmFXxLVzQpnUUaEMMDfF3eZkTXVzd6B8=";
})
./netbsd-make-sinclude.patch
# Support for a new NOBLIBSTATIC make variable
(fetchpatch {
name = "nolibstatic-support.patch";
url = "https://marc.info/?l=openbsd-tech&m=171972639411562&q=raw";
hash = "sha256-p4izV6ZXkfgJud+ZZU1Wqr5qFuHUzE6qVXM7QnXvV3k=";
includes = [ "share/mk/*" ];
})
];

postPatch = ''
Expand Down
1 change: 1 addition & 0 deletions pkgs/os-specific/bsd/openbsd/pkgs/mkDerivation.nix
Original file line number Diff line number Diff line change
Expand Up @@ -92,6 +92,7 @@ lib.makeOverridable (
installPhase = "includesPhase";
dontBuild = true;
}
// lib.optionalAttrs stdenv'.hostPlatform.isStatic { NOLIBSHARED = true; }
// attrs
)
)
4 changes: 3 additions & 1 deletion pkgs/stdenv/generic/make-derivation.nix
Original file line number Diff line number Diff line change
Expand Up @@ -262,7 +262,9 @@ let
defaultHardeningFlags =
(if stdenv.hasCC then stdenv.cc else {}).defaultHardeningFlags or
# fallback safe-ish set of flags
(remove "pie" knownHardeningFlags);
(if with stdenv.hostPlatform; isOpenBSD && isStatic
then knownHardeningFlags # Need pie, in fact
else remove "pie" knownHardeningFlags);
enabledHardeningOptions =
if builtins.elem "all" hardeningDisable'
then []
Expand Down

0 comments on commit 676df1c

Please sign in to comment.