Closed salowenh closed 3 years ago
Finally fixed my compiler back to its original state (not easy). Basically I had to build a gcc-4.9.2 cross compiler first to bootstrap gcc-9.3.0 with TDM's patches. This turned up some interesting things that basically mean I cannot ever hope to use ASLR as long as I use the TDM based patchset. TDM uses sort of a hack to get shared memory pointers to allow throwing exceptions across DLL boundaries even if linked to the static runtimes. Sadly this mechanism changes libgcc's internals as the code wraps certain calls and is therefore no longer wholly compatible with main unmodified gcc (for example, some libgcc internals wrap with an _shmem prefix). While this behaviour only reflects on the static runtimes and does not seem to be exported to any library built against it, the reality is that the shared memory interface relies on set base addresses and goes bonkers if those change randomly as they do with ASLR.
Non-ASLR executables and libraries are still usable with normal mingw-w64-gcc though. Well, it would have been nice if it were possible, since that would also take care of me having to whitelist gcc with different AV solutions, but it seems this is not to be.
I knew there was something odd about your env 😀 3rd party patches that I'm not seeing...
Well, the idea was nice if it had worked. Codeblocks still uses the TDM compilers to create executables that are as close to the Windows environment as possible without having to rely on the gcc runtime for anything but internals. And my build environment was pretty much based around codeblocks with msys2 as a package manager for a TDM based build. Besides my mingw64 environment being different by using sjlj exceptions, my msys2 also uses a slightly different and some might say outdated sgml docbook format based around openjade because it plays nicer with latex (more tested). In fact I can build any doc format for any package. ASLR would have been a nice addition but as you have seen it won't work with my environment. DEP is still solid though it probably won't keep pesky AV solutions quiet.
Hmm, with the latest binutils I can build gcc if I disable gnat. If I don't disable it the gnat tool binaries will segfault. So it seems it was not the shared memory patch causing this, but I suspect some of TDM's other patches might do something weird to gnat. Atm there are only 2 gnat specific patches: one aims to fix unicode support for gnat, the other aims to fix Windows socket support for it. These two look a bit fishy and might have been intended for a mingw.org build, so I'm going to try and remove them to see if things get anywhere.
The current state of affairs in the mingw-w64-binutils package is that all of the options (higher image base, dynamicbase, etc) are disabled by default, and are enabled in makepkg_mingw{32,64}.conf for packages.
Aye, I noticed. It also works fine with my compiler if I disable the hardening flags, but enabling them causes some packages to fail building, like clang / gcc etc. The gnat patches from TDM made no difference; it still segfaults in gnattools even if I remove them if hardening is enabled. So next I'm going to remove the shared memory patch and see if this makes any difference. I suspect it might since this patch was backported from a very old 32 bit only gcc (3.4.5), and might not play too nice with 64 bit compiles, though it works as long as I don't enable hardening.
Damn, it was the shared memory patch that breaks ASLR :/ After removing it gcc builds with ASLR on with no problem. So if I want hardening I will have to live with not being able to throw exceptions across DLL boundaries, or fix the patch to correctly remap the addresses (hint: TDM's patch uses atomic pointers instead of memory mapping for this), so I'm not even sure how to do this.
Hmm, the default flags in makepkg-mingw* break building clang (unknown linker flag --default-image-base-high), which causes anything after clang itself to fail building with an error since ldd seems to not know this flag (maybe relegate this flag to PKGBUILD until ldd supports it or at least ignores it).
gcc seems to work fine after I removed the shared memory patch, though it also seems to have gone a bit wonky on reliably building some packages (btw why was plugin support disabled? It works here).
> Hmm, the default flags in makepkg-mingw* break building clang (unknown linker flag --default-image-base-high)
LLD doesn't understand that option, I'll open PR with upgrade to version 11 and fix for that flag later today/tomorrow.
Sounds good :)
@revelator I think there are different makepkg config files for clang.
@mati865 I never did send the patch adding that flag upstream to binutils. I had hoped it was just a temporary workaround while we got the bugs ironed out.
@jeremyd2019 I don't plan to upstream LLD patch either.
Hmm, but if I use the makepkg config files for clang does it even build? Seeing as there is no compiler present by default in the clang dirs.
I could symlink gcc to the clang dirs to get the compile going and remove the symlinks afterwards before installing clang if that is what is intended.
I understand it might just have been a temporary solution, and it's quite easy to get around by unsetting LDFLAGS in the PKGBUILD script just before clang takes over compiling libc++ libc++abi libunwind etc., then setting LDFLAGS to the same hardening options minus the problematic flag. What I'm not clear on is: does lld push the base address high by default on 64 bit builds?
Here is what I do ->
```
export CC="${srcdir}/build-${CARCH}/bin/clang"
export CXX="${srcdir}/build-${CARCH}/bin/clang++"
# ldd does not understand --default-image-base-high, let's hope it at least does the correct thing here.
unset LDFLAGS
if [ "${CARCH}" = "x86_64" ]; then
  export LDFLAGS="-pipe -Wl,--dynamicbase,--high-entropy-va,--nxcompat"
else
  export LDFLAGS="-pipe -Wl,--dynamicbase,--nxcompat,--no-seh,--large-address-aware"
fi
```
Sounds reasonable. I believe that @mati865 said that was the default in lld. You could verify an executable/dll's base with `rebase -i`.
Well, if it is the default behaviour of ldd I guess I'm safe. Feel free to use my little hack for clang until things get sorted out with binutils.
codelite plugins seem to not like it too much -> terminate called after throwing an instance of 'wxSQLite3Exception'. Disabling plugins allows it to load. If compiled without ASLR it works just fine with or without plugins.
Still having problems with gobject-introspection also, non zero return error. Disabling ASLR and DEP allows it to work; sadly anything relying on it can also not have this enabled :S. So in essence anything related to glib...
Fixed TDM's shared memory patch. Turned out it was an error on my part as the function needs to have exceptions disabled. I got wise some time back and changed the way it normally disabled exceptions by using #pragma GCC optimize "no-exceptions". Unfortunately, while this works, I forgot to reset it for the rest of the libgcc build. Sadly the pragmas in gcc are rather undocumented, which is a shame as they can do more than most would expect.
--nxcompat works for gobject-introspection, --dynamicbase does not, ugh...
And while gcc now builds I found out that it is broken even with the fix to exceptions, so I had to remove the shared memory patch for now. It seems to work somewhat reliably without it but I guess problems might crop up downhill.
Added LDFLAGS+=" -Wl,--disable-dynamicbase" to gobject-introspection and a whole ballpark of other packages that rely on it, so no ASLR for these but at least I get DEP support.
I have a feeling that it will never work fully with statically linked runtimes like my version of gcc defaults to, so I can either bite the apple and just revert the TDM changes or I will have to live with some packages that won't have ASLR.
Btw. ld from binutils-2.35.1 reports two instances of some features.
Not sure if it is a bug, but the list gets rather confusing with multiple options to runtime-pseudo-relocs and others all over the place.
...doh, I forgot the 64 bit binutils supports both targets, forget the above. On another note, instead of using LDFLAGS_FOR_TARGET use BOOT_LDFLAGS to get it to pass the ASLR flags to stage2 and 3. Sadly, while this gets pretty far, it still croaks on --dynamicbase in stage2. I also noticed that gcc turns off position independent for some tools like genmddeps, but it uses the -no-PIE flag instead of ld's --disable-dynamicbase. On Linux -PIE and -fpie are needed for ASLR but these flags seem to break on Windows.
DEP and ASLR are enabled by default for some time now.
The libgsf is flagged by tools such as BinSkim due to safe exception handlers, DEP and ASLR security options apparently not being enabled. Any thoughts on how to create a more secure compilation?
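
To see which of the hardening options discussed in this thread actually ended up in a built binary, the PE headers can be read directly. The following is an added example, not code from the thread or from MSYS2: it reads `ImageBase`, the `DllCharacteristics` bits set by `--dynamicbase`, `--high-entropy-va`, `--nxcompat` and `--no-seh`, and the relocations-stripped bit. `make_sample` is a hypothetical helper that builds constructed headers so the block runs offline; it assumes a stripped-relocations image cannot be rebased by the loader.

```python
import struct
import sys

# DllCharacteristics bits from the PE/COFF specification, with the GNU ld
# option from the thread that sets each one.
DLL_FLAGS = {
    0x0020: ("HIGH_ENTROPY_VA", "--high-entropy-va"),
    0x0040: ("DYNAMIC_BASE", "--dynamicbase"),
    0x0100: ("NX_COMPAT", "--nxcompat"),
    0x0400: ("NO_SEH", "--no-seh"),
}
RELOCS_STRIPPED = 0x0001          # COFF Characteristics bit
PE32, PE32_PLUS = 0x10B, 0x20B    # optional header magic values


def parse_pe(data):
    """Return the hardening-relevant header fields of a PE image."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    (pe_off,) = struct.unpack_from("<I", data, 0x3C)       # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt = pe_off + 24                                      # optional header
    if len(data) < opt + 72:
        raise ValueError("truncated headers")
    (chars,) = struct.unpack_from("<H", data, pe_off + 22)
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic == PE32_PLUS:
        (image_base,) = struct.unpack_from("<Q", data, opt + 24)
    elif magic == PE32:
        (image_base,) = struct.unpack_from("<I", data, opt + 28)
    else:
        raise ValueError("unknown optional header magic")
    (dll_chars,) = struct.unpack_from("<H", data, opt + 70)
    flags = [name for bit, (name, _) in DLL_FLAGS.items() if dll_chars & bit]
    return {"is64": magic == PE32_PLUS, "image_base": image_base,
            "relocs_stripped": bool(chars & RELOCS_STRIPPED), "flags": flags}


def audit(info):
    """List what is missing for ASLR/DEP; an empty list means all set."""
    required = {"DYNAMIC_BASE", "NX_COMPAT"}
    if info["is64"]:
        required.add("HIGH_ENTROPY_VA")
    findings = [f"{name} clear (ld {opt})"
                for name, opt in DLL_FLAGS.values()
                if name in required and name not in info["flags"]]
    if info["is64"] and info["image_base"] < 1 << 32:
        findings.append("image base below 4 GiB")
    if info["relocs_stripped"]:
        findings.append("relocations stripped, image cannot be rebased")
    return findings


def make_sample(magic, image_base, dll_chars, chars=0x0022):
    """Constructed headers only (no sections), for demonstration."""
    dos = b"MZ" + bytes(0x3A) + struct.pack("<I", 0x40)
    opt = bytearray(240 if magic == PE32_PLUS else 224)
    struct.pack_into("<H", opt, 0, magic)
    if magic == PE32_PLUS:
        struct.pack_into("<Q", opt, 24, image_base)
    else:
        struct.pack_into("<I", opt, 28, image_base)
    struct.pack_into("<H", opt, 70, dll_chars)
    machine = 0x8664 if magic == PE32_PLUS else 0x014C
    coff = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, len(opt), chars)
    return dos + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    for path in sys.argv[1:]:                 # audit real files if given
        with open(path, "rb") as fh:
            info = parse_pe(fh.read(4096))
        print(path, hex(info["image_base"]), info["flags"], audit(info))
    if len(sys.argv) == 1:                    # otherwise show the samples
        for blob in (make_sample(PE32_PLUS, 0x140000000, 0x0160),
                     make_sample(PE32_PLUS, 0x400000, 0x0100, chars=0x0023)):
            print(audit(parse_pe(blob)))
```

Run it with the paths of built `.exe`/`.dll` files as arguments to audit them; a package linked with `--disable-dynamicbase` will report `DYNAMIC_BASE clear`.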