Page MenuHomePhabricator

Compiling bl31.elf with binutils 2.39 warns/fails with “ LOAD segment with RWX permissions”
Open, Needs TriagePublic

Description

To build atf-2.7 with binutils-2.39 - —no-warn-rwx-segment must be set when --fatal-warnings is used during builds.

relevant commit:

https://sourceware.org/git/?p=binutils-gdb.git;a=commit;h=ba951afb99912da01a6e8434126b8fac7aa75107
The ELF linker will now generate a warning message if the stack is made
executable. Similarly it will warn if the output binary contains a
segment with all three of the read, write and execute permission
bits set. These warnings are intended to help developers identify
programs which might be vulnerable to attack via these executable
memory regions. The warnings are enabled by default but can be
disabled via a command line option.

compile error:
LD atf-2.7/build/sun50i_a64/release/bl31/bl31.elf
aarch64-none-elf-ld.bfd: warning: atf-2.7/build/sun50i_a64/release/bl31/bl31.elf has a LOAD segment with RWX permissions

Event Timeline

Hi Heitaum, Thanks for reporting this.

CJKay added a subscriber: CJKay.Thu, Sep 8, 3:53 PM

Hi Heitbaum, could you tell me which toolchain you're using to build TF-A? The latest Arm GNU AArch64 toolchain is 11.3.Rel1, which packages binutils-2.38 and therefore compiles successfully, so I'm currently unable to reproduce this error.

Hey Chris, I may have raised the bug wrong we are tracking internally as its binutils-2.39, sorry!

@joannafarley-arm

Adding that the linking warns about both rwx-sections and execstack for bl2 too.
So both are needed or the linking needs to be fixed.
I think the no-warn flags are only available to newer tools, so defaulting to them will probably break things.

I can confirm this occurs with binutils 2.39. We (coreboot) are trying to update binutils from our toolchain and we are about to adjust our build system. --no-warn-rwx-segment fixes the issue. https://review.coreboot.org/c/coreboot/+/66920

Would be great if this could be fixed in your repository, since most likely many people will get this error sooner or later.