From 8545b2e594c8d8a82dfe248e186e980f99a8f272 Mon Sep 17 00:00:00 2001
From: midnightveil
Date: Mon, 3 Feb 2025 00:50:31 +1100
Subject: [PATCH 1/2] stdenv: disable hardening for embedded (kernel=none) targets
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

A very partial fix for [#18995]. This should make the relatively common case of embedded targets Just Work™, since these systems rarely are setup in the standard way. I've often seen __stack__chk failures when building for embedded systems, enabling this should make these architectures usable without needing to do crimes in nix shells / build environments.

[#18995]: https://github.com/NixOS/nixpkgs/issues/18995
---
 pkgs/stdenv/generic/make-derivation.nix | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/pkgs/stdenv/generic/make-derivation.nix b/pkgs/stdenv/generic/make-derivation.nix
index 2e0322970289b..f1081ce4bbcc2 100644
--- a/pkgs/stdenv/generic/make-derivation.nix
+++ b/pkgs/stdenv/generic/make-derivation.nix
@@ -451,7 +451,7 @@ else let
 inherit enableParallelBuilding;
 enableParallelChecking = attrs.enableParallelChecking or true;
 enableParallelInstalling = attrs.enableParallelInstalling or true;
- } // optionalAttrs (hardeningDisable != [] || hardeningEnable != [] || stdenv.hostPlatform.isMusl) {
+ } // optionalAttrs (hardeningDisable != [] || hardeningEnable != [] || stdenv.hostPlatform.isMusl || stdenv.hostPlatform.isNone) {
 NIX_HARDENING_ENABLE = builtins.concatStringsSep " " enabledHardeningOptions;
 } // optionalAttrs (stdenv.hostPlatform.isx86_64 && stdenv.hostPlatform ? gcc.arch) {
 requiredSystemFeatures = attrs.requiredSystemFeatures or [] ++ [ "gccarch-${stdenv.hostPlatform.gcc.arch}" ];

From 68c3282290c4dfed662d2fdaa112a2b2bab40744 Mon Sep 17 00:00:00 2001
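Review bot: The new `|| stdenv.hostPlatform.isNone` disjunct on the `optionalAttrs` condition carries no comment saying why a kernel=none host forces `NIX_HARDENING_ENABLE` to be exported, and the reason given in the commit message (`__stack_chk` failures on embedded hosts) is not discoverable from the code. The condition is now four disjuncts on one line; binding it to a name such as `hardeningExplicit = hardeningDisable != [] || hardeningEnable != [] || stdenv.hostPlatform.isMusl || stdenv.hostPlatform.isNone;` where `hardeningDisable` is in scope, plus a one-line comment `# kernel=none (embedded) hosts: always pass the computed set explicitly` on the new disjunct, would make the intent reviewable. Note that the exported value, `enabledHardeningOptions`, is computed outside this hunk, so whether anything is actually disabled for isNone hosts depends on that list rather than on this line — presumably the point is that the wrapper otherwise falls back to its own defaults, which is worth stating in the comment. The enclosing `else let` scope starts and ends outside the hunk.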
From: midnightveil
Date: Tue, 25 Mar 2025 19:15:51 +1100
Subject: [PATCH 2/2] bintools-wrapper: disable hardening for embedded (kernel=none) targets
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

A very partial fix for [#18995]. This should make the relatively common case of embedded targets Just Work™, since these systems rarely are setup in the standard way, and don't like having stack protectors. This should make these architectures usable as a cross-compiler without needing crimes in build environments or nix shells.

[#18995]: https://github.com/NixOS/nixpkgs/issues/18995
---
 pkgs/build-support/bintools-wrapper/default.nix | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/pkgs/build-support/bintools-wrapper/default.nix b/pkgs/build-support/bintools-wrapper/default.nix
index fdf3fcfb284d0..2366d62644e2e 100644
--- a/pkgs/build-support/bintools-wrapper/default.nix
+++ b/pkgs/build-support/bintools-wrapper/default.nix
@@ -36,7 +36,9 @@
 # Note: the hardening flags are part of the bintools-wrapper, rather than
 # the cc-wrapper, because a few of them are handled by the linker.
-, defaultHardeningFlags ? [
+# Note: do not have default hardening flags for embedded (kernel=none)
+# targets, since these tend to fail to build or break assumptions
+, defaultHardeningFlags ? lib.optionals (!stdenvNoCC.targetPlatform.isNone) ([
 "bindnow"
 "format"
 "fortify"
@@ -60,7 +62,7 @@
 # - static armv7l, where compilation fails.
 (!(targetPlatform.isAarch && targetPlatform.isStatic))
 ])
- ]) "pie"
+ ]) "pie")
 }:
 assert propagateDoc -> bintools ? man;
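Review bot: The new default `lib.optionals (!stdenvNoCC.targetPlatform.isNone) ([ ... ])` drops every default hardening flag for kernel=none targets, including `bindnow`, `format` and `fortify`, while the commit message only names stack protectors as what these targets reject; if `stackprotector` (and perhaps `fortify`) are the actual offenders, filtering just those would keep the linker- and format-side defaults, and either way the added comment should say the cut is all-or-nothing and how to opt back in. I would extend the second comment line to `# targets, since these tend to fail to build or break assumptions; packages can presumably re-enable individual flags via hardeningEnable.` The new expression spells the platform as `stdenvNoCC.targetPlatform.isNone` while the `pie` condition in the second hunk uses the bare `targetPlatform`; unless the latter is only in scope inside that sub-expression, one spelling would read better. The header counts (`-36,7 +36,9`) imply one more context line than is visible here, so the first line of this hunk appears to have been lost in extraction.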