Security hardening: Expose Build flags for Position Independed Execution (PIE)

Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/22596)
2025-01-30 14:01:55 +08:00 · 2024-04-01 11:49:44 -04:00 · 2024-04-01 11:49:44 -04:00 · 1c4f968469
commit 1c4f968469
parent 97c6489b39
5 changed files with 34 additions and 0 deletions
--- a/.github/workflows/run-checker-merge.yml
+++ b/.github/workflows/run-checker-merge.yml
@ -35,6 +35,7 @@ jobs:
          no-ts,
          enable-weak-ssl-ciphers,
          enable-zlib,
+          enable-pie,
        ]
    runs-on: ubuntu-latest
    steps:
--- a/CHANGES.md
+++ b/CHANGES.md
@ -59,6 +59,13 @@ OpenSSL 3.4

   *Damian Hobson-Garcia*

+ * Added support to build Position Independent Executables (PIE). Configuration
+   option `enable-pie` configures the cflag '-fPIE' and ldflag '-pie' to
+   support Address Space Layout Randomization (ASLR) in the openssl executable,
+   removes reliance on external toolchain configurations.
+
+   *Craig Lorentzen*
+
 OpenSSL 3.3
 -----------

--- a/Configurations/00-base-templates.conf
+++ b/Configurations/00-base-templates.conf
@ -76,6 +76,22 @@ my %targets=(
        AR              => "ar",
        ARFLAGS         => "qc",
        CC              => "cc",
+        bin_cflags      =>
+            sub {
+                my @flags = ();
+                if (!defined($disabled{pie})) {
+                    push(@flags, "-fPIE");
+                }
+                return join(" ", @flags);
+            },
+        bin_lflags      =>
+            sub {
+                my @flags = ();
+                if (!defined($disabled{pie})) {
+                    push(@flags, "-pie");
+                }
+                return join(" ", @flags);
+            },
        lflags          =>
            sub {
                my @libs = ();
--- a/6
+++ b/6
@ -492,6 +492,7 @@ my @disablables = (
    "ocsp",
    "padlockeng",
    "pic",
+    "pie",
    "pinshared",
    "poly1305",
    "posix-io",
@ -584,6 +585,7 @@ our %disabled = ( # "what"         => "comment"
                  "external-tests"      => "default",
                  "fuzz-afl"            => "default",
                  "fuzz-libfuzzer"      => "default",
+                  "pie"                 => "default",
                  "ktls"                => "default",
                  "md2"                 => "default",
                  "msan"                => "default",
@ -943,6 +945,10 @@ while (@argvcopy)
                        {
                        delete $disabled{"brotli"};
                        }
+                elsif ($1 eq "pie")
+                        {
+                        delete $disabled{"pie"};
+                        }
                elsif ($1 eq "zstd-dynamic")
                        {
                        delete $disabled{"zstd"};
--- a/INSTALL.md
+++ b/INSTALL.md
@ -870,6 +870,10 @@ As synonym for `no-padlockeng`.  Deprecated and should not be used.

 Don't build with support for Position Independent Code.

+### enable-pie
+
+Build with support for Position Independent Execution.
+
 ### no-pinshared

 Don't pin the shared libraries.