Change aarch64-unknown-none to generate static-PIE binaries by default
#149622
Conversation
|
These commits modify compiler targets. |
rustbot
added
S-waiting-on-review
|
r? @chenyukang rustbot has assigned @chenyukang. Use |
|
(Holding off on tagging this with relnotes in case target maintainers don't want to make this change.) |
|
Should the same change be made to aarch64-unknown-none-softfloat too? |
This comment has been minimized.
This comment has been minimized.
|
If this is to be done, it should be done to I assume the goal is compiling libcore PIE by default? (Otherwise for user programs I guess I'm not sure who this might affect: let me add it to the agenda for the REWG Meeting next Tuesday if that's OK and we'll take it from there once I've discussed it with folks. I think it shouldn't hurt users who are currently using static executables, apart from maybe minor code size impact (one way or the other)? |
|
@rustbot blocked (on target maintainers having a discussion) |
rustbot
added
S-blocked
|
On the REWG agenda for next week. |
|
I have concerns here about who is going to setup/adjust the Global Offset Table that PIE will introduce. Let me go and ping the RustedFirmware-A maintainers, who use this target, and the Ferrocene people, who qualify (and test) this target for safety-critical use-cases. |
You can still tell the linker to produce a static executable I think, in which case the GOT would be statically initialized. And linker relaxation may even get rid of part of the GOT accesses entirely. If you don't change anything and let it produce a static-PIE executable, I believe the GOT is statically initialized to the value it would need to have if you load the executable at the same place as indicated in the ELF file (aka the relocation slide is 0). If you actually take advantage of the ability to relocate the executable at runtime, then you will need to write a loader that applies the GOT relocations. This could be the bootloader or inline assembly linked into the executable itself that is used as entrypoint. Or if you are very careful and don't mind the UB, you can write the relocation code in rust too. https://github.com/sunfishcode/origin/blob/main/src/relocate.rs |
|
So, it looks like this change would add a new So worst case, programs get larger. But to be honest, AArch64 machines often have quite a lot of memory. |
|
A few questions to help me understand the impact on RF-A and projects like it. Assuming we control code generation for the entire program, and that we do not explicitly enable PIC for any part of it:
@thejpster Ehh... they tend to have quite a lot of DRAM, but SRAM is a different story. |
|
It looks like Rust for Linux already passes cc @ojeda |
|
Does passing that option require build-std? |
+1, we do, unconditionally. |
|
@CJKay AFAIK:
For the PLT in particular however, the linker should be able to replace all PLT calls with direct calls for symbols that are neither exported nor imported as would probably be the case for your average kernel. Replacing PLT calls with direct calls doesn't require rewriting instructions, only changing the target address of PLT call relocations. Replacing GOT accesses however does require rewriting instructions. In a bunch of cases linker relaxations should be possible, but I don't know if it covers all GOT accesses. And it is probably going to depend on the exact linker version and compiler version. If you discard the GOT or PLT section while there are references to it I think you get a linker error, but it may also be just a warning (which rustc discards). |
|
Thanks, @bjorn3. I'm curious about (3) and (4):
How is it that we can ignore the GOT in this case? Wouldn't that leave it with relative addresses? Doesn't its very presence indicate that there are symbol references which need relocating? |
If you load the ELF file with an ASLR slide of 0 like you would have needed to do currently due to the static relocation model, then you don't need to apply relocations as the linker already put the correct values everywhere. Only when you use a non-zero ASLR slide do you need to actually apply relocations. But before this PR you wouldn't be able to use a non-zero ASLR slide anyway. |
Currently, `aarch64-unknown-none` generates static position *dependent* binaries which must be loaded at a fixed address in memory. The [openVMM](https://github.com/microsoft/openvmm) project uses the `*-unknown-none` targets for an embedded-like environment but needs the binary to be loadable to any memory address. Currently, the `x86_64-unknown-none` target is configured to allow this by default but the `aarch64-unknown-none` target is not. This commit changes the defaults for the `aarch64-unknown-none` target to enable static-PIE binaries which aligns the target more closely with the corresponding `x86_64-unknown-none` target. If users prefer the prior behavior, they can request that via `-Crelocation-model=static`.
wesleywiser
force-pushed
the
aarch64-unknown-none_static-pie
branch
from
a4cd181 to
e5212e6
Compare
|
@BartMassey and @jonathanpallant, I appreciate you pinging the various maintainers! I agree that Thanks @bjorn3 for answering those questions! I've updated this PR to make the same change to |
Understood, thanks. I have a couple of concerns with this:
I don't think there's a satisfactory answer to this right now; either everybody is limited to static relocation, or everybody pays the penalty of a GOT. The firmware ecosystem can maybe stomach the overhead until |
I wasn't aware of that.
If you use |
It isn't particularly uncommon to discard the GOT altogether. That may be a case of "holding it wrong", but it's worth knowing that there are projects out there that will break after this change - they will need a heads-up. |
|
It appears the GOT will be inserted after whatever section comes last in your linker script. That final section might be a block of CCRAM you were using for your stack. You would be surprised to discover there's now 16 bytes of GOT at the end of it. If you did indeed discover it. The worrying thing is that it might all compile, but your stuff just moves. Or you use the GOT as your stack. |
|
If anyone wants an example to play with, try https://github.com/ferrous-systems/rust-training/tree/main/example-code/qemu-aarch64v8a. Just delete the rust-toolchain.toml file and it'll build with regular Rust. Add |
In BFD (and presumably LLD as well) the rules for orphan allocation are a bit complicated. IMO the most predictable way to deal with orphans is to just forbid them completely (with |
|
Ooooh, so if we add that linker option to the target config, will that mean that failing to place the .got input section into an output section would be a hard error? Hard errors are much better than weird run-time issues and I could live with this target change if users got a hard error. Also I want to note the results of the Embeddded Devices Working Group meeting last night which were:
|
|
I tried |
|
Has anyone checked if -Crelocation-model=pie + -Zdefault-visibility=protected or -Zdefault-visibility=hidden still produces a GOT? Protected visibility as default should be fine on all targets that don't support dynamic linking. We only don't use it by default due to an ld.bfd bug that has been fixed recently around exporting statics with protected visibility from dylibs. -Zdefault-visibility should only apply to non-no_mangle items. There is also a target spec option for hidden visibility that I believe applies to all symbols. |
|
I still get a GOT even with |
13 participants
Currently,
aarch64-unknown-nonegenerates static position dependent binaries which must be loaded at a fixed address in memory. The openVMM project uses the*-unknown-nonetargets for an embedded-like environment but needs the binary to be loadable to any memory address. Currently, thex86_64-unknown-nonetarget is configured to allow this by default but theaarch64-unknown-nonetarget is not.This commit changes the defaults for the
aarch64-unknown-nonetarget to enable static-PIE binaries which aligns the target more closely with the correspondingx86_64-unknown-nonetarget. If users prefer the prior behavior, they can request that via-Crelocation-model=static.cc @BartMassey as lead maintainer for this target in REWG