From 0562e3a79f53d14fc07320507e1b2c1e559d4e05 Mon Sep 17 00:00:00 2001 From: Ricardo Pardini Date: Thu, 1 Jan 2026 22:14:35 +0100 Subject: [PATCH] atf: once again `no-warn-rwx-segment` woes - turns out everybody was wrong, including me - some (older?) ATF sources won't work, ever; thus - introduce ATF_SKIP_LDFLAGS=yes to skip it completely - introduce ATF_SKIP_LDFLAGS_WL=yes to only skip the `-Wl,` prefix - this is for ATF's that pass flag directly to linker, not gcc - artifact-uboot: hash atf-building code into artifact version --- lib/functions/artifacts/artifact-uboot.sh | 5 +-- lib/functions/compilation/atf.sh | 38 ++++++++++++++++++----- 2 files changed, 34 insertions(+), 9 deletions(-) diff --git a/lib/functions/artifacts/artifact-uboot.sh b/lib/functions/artifacts/artifact-uboot.sh index e6aea60003..121fe64f25 100644 --- a/lib/functions/artifacts/artifact-uboot.sh +++ b/lib/functions/artifacts/artifact-uboot.sh @@ -80,9 +80,10 @@ function artifact_uboot_prepare_version() { declare hash_hooks="undetermined" hash_hooks="$(echo "${extension_hooks_hashed[@]}" | sha256sum | cut -d' ' -f1)" - # Hash the old-timey hooks + # Hash the old-timey hooks and regular core functions (atf code, used by u-boot build process) declare hash_functions="undetermined" - calculate_hash_for_function_bodies "uboot_custom_postprocess" "write_uboot_platform" "write_uboot_platform_mtd" "setup_write_uboot_platform" + calculate_hash_for_function_bodies "uboot_custom_postprocess" "write_uboot_platform" "write_uboot_platform_mtd" \ + "setup_write_uboot_platform" "compile_atf" declare hash_uboot_functions="${hash_functions}" # Hash those two together diff --git a/lib/functions/compilation/atf.sh b/lib/functions/compilation/atf.sh index 0057a09ede..850d783d65 100644 --- a/lib/functions/compilation/atf.sh +++ b/lib/functions/compilation/atf.sh @@ -66,14 +66,38 @@ compile_atf() { # - "--no-warn-rwx-segment" is *required* for binutils 2.39 - see https://developer.trustedfirmware.org/T996 # - but *not supported* by 2.38, brilliant... - declare binutils_version binutils_flags_atf="" - binutils_version=$(env PATH="${toolchain}:${toolchain2}:${PATH}" aarch64-linux-gnu-ld.bfd --version | head -1 | cut -d ")" -f 2 | xargs echo -n) - display_alert "Binutils version for ATF" "${binutils_version}" "info" - - if linux-version compare "${binutils_version}" gt "2.39" && linux-version compare "${binutils_version}" lt "2.42"; then - display_alert "Binutils version for ATF" ">= 2.39 and < 2.42, adding -Wl,--no-warn-rwx-segment" "info" - binutils_flags_atf="--no-warn-rwx-segment" + # 2026: turns out that *gcc* is the one that takes the flag, and it might or not accept it. + # distros patch binutils and gcc independently, since it's a security-related flag, + # might have been backported to one and not the other. what a freaking life. + # test both -- and only add it if _both_ support it + function gcc_accepts_flag() { + { echo 'int main(){}' | "${ATF_COMPILER}gcc" -Wl,"$1" -x c - -o /dev/null > /dev/null 2>&1; } && return 0 + return 1 + } + function ld_supports_flag() { + { "$("${ATF_COMPILER}gcc" -print-prog-name=ld)" --help 2> /dev/null | grep -q -- "$1"; } && return 0 + return 1 + } + if gcc_accepts_flag --no-warn-rwx-segment; then + display_alert "GCC supports '--no-warn-rwx-segment'" "gcc:yes - ld:tba" "debug" + if ld_supports_flag no-warn-rwx-segment; then + display_alert "GCC/LD supports '--no-warn-rwx-segment'" "gcc:yes - ld:yes" "debug" + if [[ "${ATF_SKIP_LDFLAGS:-"no"}" == "yes" ]]; then # IF ATF_SKIP_LDFLAGS==yes, then skip it completely + display_alert "Skip adding LD flag '--no-warn-rwx-segment' to TF-A build" "ATF_SKIP_LDFLAGS=${ATF_SKIP_LDFLAGS}" "info" + elif [[ "${ATF_SKIP_LDFLAGS_WL:-"no"}" == "yes" ]]; then # IF ATF_SKIP_LDFLAGS_WL==yes, then don't add the -Wl, prefix + display_alert "Skip adding '-Wl,' prefix to LD flag '--no-warn-rwx-segment' for TF-A build" "ATF_SKIP_LDFLAGS_WL=${ATF_SKIP_LDFLAGS_WL}" "info" + binutils_flags_atf="--no-warn-rwx-segment" + else + display_alert "Adding full LD flag '-Wl,--no-warn-rwx-segment' to TF-A build" "normal" "info" + binutils_flags_atf="-Wl,--no-warn-rwx-segment" + fi + else + display_alert "LD does not support '--no-warn-rwx-segment'" "gcc: yes - ld:no" "debug" + fi + else + display_alert "GCC does not support '--no-warn-rwx-segment'" "gcc: no - ld: not tested" "debug" fi + unset -f gcc_accepts_flag ld_supports_flag # - ENABLE_BACKTRACE="0" has been added to workaround a regression in ATF. Check: https://github.com/armbian/build/issues/1157