gcc: DEP and ASLR not enabled by default #6674

Closed
salowenh opened this issue Jul 11, 2020 · 121 comments

@salowenh
Contributor

libgsf is flagged by tools such as BinSkim, apparently because the safe exception handlers, DEP and ASLR security options are not enabled.
Any thoughts on how to create a more secure compilation?

@Biswa96
Member

Biswa96 commented Jul 11, 2020

The mingw-w64 gcc environment has a reputation for being flagged by antivirus programs. Search "mingw-w64 virus alert" and you will get many related issues. The alerts are mainly false positives, which may not be related to disabled DEP and ASLR.

@salowenh
Contributor Author

salowenh commented Jul 11, 2020

@Biswa96 Unfortunately in this case I believe this is not a false positive as I can't see these flags in any of the binaries.
Do you have any reason to think otherwise?

@lazka
Member

lazka commented Jul 11, 2020

Last time I looked gcc didn't support DEP and ASLR by default, maybe that has changed in the meantime. I'd certainly welcome it.

@salowenh
Contributor Author

@lazka support was added in gcc 10.1.0, it's indeed disabled by default (I'm not sure why)

@mati865
Collaborator

mati865 commented Jul 11, 2020

@salowenh because various LD versions had problems with it.

lazka changed the title from "libgsf package emits PE that triggers security scan" to "gcc: DEP and ASLR not enabled by default" on Jul 11, 2020

@revelator
Contributor

Also gobject-introspection has problems with it, try enabling it and then watch what happens heh.

@revelator
Contributor

btw you can also pretty much forget using PCH if you enable ASLR and DEP, they are incompatible as is.
I'm not sure how Microsoft got around this problem.

@jeremyd2019
Member

jeremyd2019 commented Aug 26, 2020

https://sourceware.org/bugzilla/show_bug.cgi?id=19011

I have no idea about GCC, but they're just flags on the PE file, controlled by the linker (ld). I actually looked at this a bit. You can turn the options on by default in a gcc spec file, but there is no corresponding negative option to turn them back off on a case-by-case basis. peflags.exe in the rebase package comes in handy in that case 😉

@mati865
Collaborator

mati865 commented Aug 26, 2020

@jeremyd2019 we can add flags in https://github.com/msys2/MSYS2-packages/blob/master/pacman/makepkg_mingw64.conf
Then all repo packages will have it enabled.

@lazka
Member

lazka commented Aug 26, 2020

I've uncommented the LDFLAGS stuff and built ninja as a test:

Before:

```
Get-PESecurity -file C:\msys64\home\user\M\mingw-w64-ninja\pkg\mingw-w64-x86_64-ninja\mingw64\bin\ninja.exe

FileName         : C:\msys64\home\user\M\mingw-w64-ninja\pkg\mingw-w64-x86_64-ninja\mingw64\bin\ninja.exe
ARCH             : AMD64
DotNET           : False
ASLR             : False
DEP              : False
Authenticode     : False
StrongNaming     : N/A
SafeSEH          : N/A
ControlFlowGuard : False
HighentropyVA    : False
```

After:

```
Get-PESecurity -file C:\msys64\home\user\M\mingw-w64-ninja\pkg\mingw-w64-x86_64-ninja\mingw64\bin\ninja.exe

FileName         : C:\msys64\home\user\M\mingw-w64-ninja\pkg\mingw-w64-x86_64-ninja\mingw64\bin\ninja.exe
ARCH             : AMD64
DotNET           : False
ASLR             : True
DEP              : True
Authenticode     : False
StrongNaming     : N/A
SafeSEH          : N/A
ControlFlowGuard : False
HighentropyVA    : True
```

Looks like the last remaining upstream changes (https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;a=commit;h=dc9bd8c92af67947db44b3cb428c050259b15cd0) are in binutils 2.34, which we have.

Should we try enabling this by default? What about 32 bit?

@jeremyd2019
Member

Everything but high entropy va should work on 32-bit as well. MS tools actually let you set highentropyva on 32-bit modules, but ld doesn't, and I don't think it means anything there.

@lazka
Member

lazka commented Aug 26, 2020

gtk3 works, python (which uses pgo/lto) segfaults at link time.

@mati865
Collaborator

mati865 commented Aug 26, 2020

We should upgrade to binutils 2.35 first.

@jeremyd2019
Member

> btw you can also pretty much forget using PCH if you enable ASLR and DEP, they are incompatible as is.
> I'm not sure how Microsoft got around this problem.

I wonder if @revelator meant PGO rather than PCH in that comment. I was scratching my head how these would break precompiled headers, but now that you saw they broke profile-guided optimization it makes perfect sense why that could be a problem.

@jeremyd2019
Member

Another option to consider adding to those that were commented out in makepkg_mingw64.conf would be to set the image base above 2^32. This appears to be the default for -cygwin (or -msys in this patch). Unfortunately, the default base for exes and dlls is supposed to be different, and it isn't known when setting LDFLAGS which is being built.

@mati865
Collaborator

mati865 commented Aug 26, 2020

@jeremyd2019 appropriate bases for executables and libraries have to be set in those lines: https://github.com/bminor/binutils-gdb/blob/d262797294039fc828e36f76c45e462966c5c72a/ld/emultempl/pep.em#L102

@lazka
Member

lazka commented Aug 26, 2020

> I wonder if @revelator meant PGO rather than PCH in that comment.

The last time this was tried also mentions PCH: 2602139#diff-c8386c579acf251c791f3c68b4d22e65

@jeremyd2019
Member

I was wondering why nobody had a patch for that binutils bug in all this time. 😕 Well, I finished mine and added to the bug in any event, maybe save the next guy some confusion.

@salowenh
Contributor Author

> I was wondering why nobody had a patch for that binutils bug in all this time. 😕 Well, I finished mine and added to the bug in any event, maybe save the next guy some confusion.

Are you referring to the base address bug? Can you please share how to apply it when compiling with mingw?

@jeremyd2019
Member

The base address was just one part of this. https://sourceware.org/bugzilla/show_bug.cgi?id=19011 has my two patches, one to provide options to turn off dll characteristics flags, and a second one to change the defaults. This second one does change the default on x86_64 to use base addresses greater than 2^32, using the same variation that was already in place for cygwin/msys. They could be applied in the PKGBUILD for binutils if desired.

It sounds though like this might open a can of worms.

@jeremyd2019
Member

> The last time this was tried also mentions PCH

Ah, GCC puts pointers in their PCH output, so can't use it if gcc's base address changed. Sounds like this is a problem for everyone... https://bugzilla.redhat.com/show_bug.cgi?id=1721553#c34

@mati865
Collaborator

mati865 commented Aug 26, 2020

If it still fails with 2.35 then there must be some other Binutils bug.
LLD always uses ASLR when targeting MSVC (and soon will enable it by default for MinGW: https://reviews.llvm.org/D86654) so it should work there without issues so it could be used for comparing broken binaries made with BFD.

@lazka
Member

lazka commented Aug 26, 2020

for the python segfault, only --high-entropy-va makes it crash even without pgo/lto, with 2.35

@lazka
Member

lazka commented Aug 26, 2020

So, as far as I understand, one way forward would be:

  • uncomment what is there in makepkg_mingw64.conf
  • maybe patch binutils move_default_addr_high
  • for packages breaking, set LDFLAGS in their PKGBUILD and add a comment why
  • ... see how things go with package updates in CI

edit: also add --disable-auto-image-base
edit2: patch NT_EXE_IMAGE_BASE and NT_DLL_IMAGE_BASE to match msvc when 64 bit

@mati865
Collaborator

mati865 commented Aug 26, 2020

> maybe patch binutils move_default_addr_high

This sets image base to special ones used by Cygwin. If we are going to change it then we should patch BFD to use the same address as MSVC and LLD. Then try if Python still crashes.

@lazka
Member

lazka commented Aug 26, 2020

(I don't know how any of this works, so I don't understand the details.. as for python, to clarify, the linking process crashes, not python)

edit: ah, I see, that option is for cygwin, which uses other default addresses.

@jeremyd2019
Member

I didn't see a need to --disable-auto-image-base - I don't think it would hurt anything if ASLR is enabled, and could be helpful if something needs to disable ASLR (though I guess they could re-enable it if they needed to)

@jeremyd2019
Member

jeremyd2019 commented Aug 26, 2020

> > maybe patch binutils move_default_addr_high
>
> This sets image base to special ones used by Cygwin. If we are going to change it then we should patch BFD to use the same address as MSVC and LLD.

I didn't notice this, thanks. I guess I should update my patch to do this too. 0x1 4000 0000 for EXEs and 0x1 8000 0000 for DLLs? That kind of makes move_default_addr_high a misnomer 😁
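
The Before/After `Get-PESecurity` output and the image-base discussion above both come down to a few PE header fields, which can be read directly. This is an added example, not code from the thread or from MSYS2; `pe_hardening`, `findings` and `build_sample` are names chosen here, and the two sample images are constructed header-only byte strings (the 0x400000 base is an assumed pre-hardening value, 0x140000000 is the EXE base quoted above).

```python
import struct
import sys

IMAGE_FILE_RELOCS_STRIPPED = 0x0001  # IMAGE_FILE_HEADER.Characteristics bit
# IMAGE_OPTIONAL_HEADER.DllCharacteristics bits and the ld options that set them
HIGH_ENTROPY_VA = 0x0020  # --high-entropy-va
DYNAMIC_BASE = 0x0040     # --dynamicbase
NX_COMPAT = 0x0100        # --nxcompat
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B


def pe_hardening(data):
    """Read the hardening-related fields from the headers of a PE image (bytes)."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    opt = e_lfanew + 24  # PE signature (4 bytes) + COFF file header (20 bytes)
    if opt + 72 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing or truncated PE header")
    (file_chars,) = struct.unpack_from("<H", data, e_lfanew + 22)
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic == PE32PLUS_MAGIC:
        (image_base,) = struct.unpack_from("<Q", data, opt + 24)
    elif magic == PE32_MAGIC:
        (image_base,) = struct.unpack_from("<I", data, opt + 28)
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    (dll_chars,) = struct.unpack_from("<H", data, opt + 70)
    return {
        "pe32plus": magic == PE32PLUS_MAGIC,
        "image_base": image_base,
        "dynamic_base": bool(dll_chars & DYNAMIC_BASE),
        "nx_compat": bool(dll_chars & NX_COMPAT),
        "high_entropy_va": bool(dll_chars & HIGH_ENTROPY_VA),
        "relocs_stripped": bool(file_chars & IMAGE_FILE_RELOCS_STRIPPED),
    }


def findings(report):
    """List the hardening gaps discussed in the thread for one parsed image."""
    out = []
    if not report["nx_compat"]:
        out.append("DEP: NX_COMPAT not set (link with --nxcompat)")
    if not report["dynamic_base"]:
        out.append("ASLR: DYNAMIC_BASE not set (link with --dynamicbase)")
    elif report["relocs_stripped"]:
        # The flag alone is not enough: without relocations the loader
        # cannot move the image away from its preferred base.
        out.append("ASLR: DYNAMIC_BASE set but relocations are stripped")
    if report["pe32plus"]:
        if not report["high_entropy_va"]:
            out.append("ASLR: HIGH_ENTROPY_VA not set (link with --high-entropy-va)")
        if report["image_base"] < 2**32:
            out.append("image base 0x%x is below 2^32" % report["image_base"])
    return out


def build_sample(magic, image_base, dll_chars, file_chars=0x0022):
    """Constructed header-only PE image: just enough bytes for pe_hardening()."""
    plus = magic == PE32PLUS_MAGIC
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew
    opt = bytearray(0xF0 if plus else 0xE0)
    struct.pack_into("<H", opt, 0, magic)
    struct.pack_into("<Q" if plus else "<I", opt, 24 if plus else 28, image_base)
    struct.pack_into("<H", opt, 70, dll_chars)
    coff = struct.pack("<HHIIIHH", 0x8664 if plus else 0x014C, 0, 0, 0, 0,
                       len(opt), file_chars)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


# Constructed samples mirroring the "Before" and "After" states in the thread.
SAMPLE_BEFORE = build_sample(PE32PLUS_MAGIC, 0x400000, 0)
SAMPLE_AFTER = build_sample(PE32PLUS_MAGIC, 0x140000000,
                            DYNAMIC_BASE | NX_COMPAT | HIGH_ENTROPY_VA)

if __name__ == "__main__":
    if len(sys.argv) > 1:
        images = []
        for path in sys.argv[1:]:
            with open(path, "rb") as fh:
                images.append((path, fh.read()))
    else:
        images = [("sample-before", SAMPLE_BEFORE), ("sample-after", SAMPLE_AFTER)]
    for name, data in images:
        gaps = findings(pe_hardening(data))
        print(name, "OK" if not gaps else "; ".join(gaps))
```

Run with one or more .exe/.dll paths as arguments to check built packages; with no arguments it reports on the two constructed samples.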

@mati865
Collaborator

mati865 commented Sep 7, 2020

@jeremyd2019 this might be the same issue as in #6932 (comment)
Does GCC use dllimport/dllexport for its own code?

@jeremyd2019
Member

Could be. I have no idea what GCC does.

@revelator
Contributor

Finally fixed my compiler back to its original state (not easy). Basically I had to build a gcc-4.9.2 cross compiler first to bootstrap gcc-9.3.0 with TDM's patches. This turned up some interesting things that basically mean I cannot ever hope to use aslr as long as I use the TDM based patchset. TDM uses sort of a hack to get shared memory pointers to allow throwing exceptions across dll boundaries even if linked to the static runtimes. Sadly this mechanism changes libgcc's internals as the code wraps certain calls and is therefore no longer wholly compatible with main unmodified gcc (for example, some libgcc internals are wrapped with an _shmem prefix).
While this behaviour only reflects on the static runtimes and does not seem to be exported to any library built against it, the reality is that the shared memory interface relies on set base addresses and goes bonkers if those change randomly as they do with aslr.

Non-aslr executables and libraries are still usable with normal mingw-w64-gcc though.
Well, it would have been nice if it were possible, since that would also take care of me having to whitelist gcc with different AV solutions, but it seems this is not to be.

@jeremyd2019
Member

I knew there was something odd about your env 😀 3rd party patches that I'm not seeing...

@revelator
Contributor

Well, the idea was nice if it had worked. Codeblocks still uses the TDM compilers to create executables that are as close to the windows environment as possible without having to rely on the gcc runtime for anything but internals. And my build environment was pretty much based around codeblocks with msys2 as a package manager for a TDM based build. Besides my mingw64 environment being different by using sjlj exceptions, my msys2 also uses a slightly different and some might say outdated sgml docbook format based around openjade because it plays nicer with latex (more tested). In fact I can build any doc format for any package. Aslr would have been a nice addition but as you have seen it won't work with my environment. Dep is still solid though it probably won't keep pesky AV solutions quiet.

@revelator
Contributor

Hmm, with the latest binutils I can build gcc if I disable gnat; if I don't disable it the gnat tool binaries will segfault.
So it seems it was not the shared memory patch causing this, but I suspect some of TDM's other patches might do something weird to gnat. Atm there are only 2 gnat specific patches: one aims to fix unicode support for gnat, the other aims to fix windows socket support for it. These two look a bit fishy and might have been intended for a mingw.org build, so I'm going to try and remove them to see if things get anywhere.

@jeremyd2019
Member

The current state of affairs in the mingw-w64-binutils package is that all of the options (higher image base, dynamicbase, etc) are disabled by default, and are enabled in makepkg_mingw{32,64}.conf for packages.

@revelator
Contributor

Aye, I noticed. It also works fine with my compiler if I disable the hardening flags, but enabling it causes some packages to fail building, like clang / gcc etc.
The gnat patches from TDM made no difference; it still segfaults in gnattools even if I remove them if hardening is enabled.
So next I'm going to remove the shared memory patch and see if this makes any difference. I suspect it might, since this patch was backported from a very old 32 bit only gcc (3.4.5), and might not play too nice with 64 bit compiles, though it works as long as I don't enable hardening.

@revelator
Contributor

Damn, it was the shared memory patch that breaks aslr :/ After removing it gcc builds with aslr on with no problem.
So if I want hardening I will have to live with not being able to throw exceptions across dll boundaries or fix the patch to correctly remap the addresses (hint: TDM's patch uses atomic pointers instead of memory mapping for this), so I'm not even sure how to do this.

@revelator
Contributor

Hmm, the default flags in makepkg-mingw* break building clang (unknown linker flag --default-image-base-high), which causes anything after clang itself to fail building with an error since lld seems to not know this flag (maybe relegate this flag to PKGBUILD until lld supports it or at least ignores it).

gcc seems to work fine after I removed the shared memory patch, though it also seems to have gone a bit wonky on reliably building some packages (btw why was plugin support disabled? it works here).

@mati865
Collaborator

mati865 commented Oct 13, 2020

> Hmm the default flags in makepkg-mingw* breaks building clang (unknown linker flag --default-image-base-high)

LLD doesn't understand that option, I'll open a PR with an upgrade to version 11 and a fix for that flag later today/tomorrow.

@revelator
Contributor

Sounds good :)

@jeremyd2019
Member

@revelator I think there are different makepkg config files for clang.

@mati865 I never did send the patch adding that flag upstream to binutils. I had hoped it was just a temporary workaround while we got the bugs ironed out.

@mati865
Collaborator

mati865 commented Oct 13, 2020

@jeremyd2019 I don't plan to upstream the LLD patch either.

@revelator
Contributor

revelator commented Oct 14, 2020

Hmm, but if I use the makepkg config files for clang does it even build? Seeing as there is no compiler present by default in the clang dirs.

I could symlink gcc to the clang dirs to get the compile going and remove the symlinks afterwards before installing clang if that is what is intended.

I understand it might just have been a temporary solution, and it's quite easy to get around by unsetting LDFLAGS in the PKGBUILD script just before clang takes over compiling libc++ libc++abi libunwind etc., then setting LDFLAGS to the same hardening options minus the problematic flag. What I'm not clear on is: does lld push the base address high by default on 64 bit builds?

Here is what I do:

```
  export CC="${srcdir}/build-${CARCH}/bin/clang"
  export CXX="${srcdir}/build-${CARCH}/bin/clang++"
  # lld does not understand --default-image-base-high, let's hope it at least does the correct thing here.
  unset LDFLAGS
  if [ "${CARCH}" = "x86_64" ]; then
    export LDFLAGS="-pipe -Wl,--dynamicbase,--high-entropy-va,--nxcompat"
  else
    export LDFLAGS="-pipe -Wl,--dynamicbase,--nxcompat,--no-seh,--large-address-aware"
  fi
```

@jeremyd2019
Member

sounds reasonable. I believe that @mati865 said that was the default in lld. You could verify an executable/dll's base with rebase -i

@revelator
Contributor

Well, if it is the default behaviour of lld I guess I'm safe.
Feel free to use my little hack for clang until things get sorted out with binutils.

@revelator
Contributor

codelite plugins seem to not like it too much -> terminate called after throwing an instance of 'wxSQLite3Exception'
Disabling plugins allows it to load. If compiled without aslr it works just fine with or without plugins.

@revelator
Contributor

Still having problems with gobject-introspection also, non zero return error.
Disabling aslr and dep allows it to work; sadly anything relying on it can also not have this enabled :S.
So in essence anything related to glib...

Fixed TDM's shared memory patch. It turned out it was an error on my part, as the function needs to have exceptions disabled. I got wise some time back and changed the way it normally disabled exceptions by using #pragma GCC optimize "no-exceptions"; unfortunately, while this works, I forgot to reset it for the rest of the libgcc build.
Sadly the pragmas in gcc are rather undocumented, which is a shame as they can do more than most would expect.

@revelator
Contributor

--nxcompat works for gobject-introspection, --dynamicbase does not, ugh...

And while gcc now builds, I found out that it is broken even with the fix to exceptions, so I had to remove the shared memory patch for now. It seems to work somewhat reliably without it but I guess problems might crop up downhill.

Added LDFLAGS+=" -Wl,--disable-dynamicbase" to gobject-introspection and a whole ballpark of other packages that rely on it, so no aslr for these but at least I get DEP support.

I have a feeling that it will never work fully with statically linked runtimes like my version of gcc defaults to, so I can either bite the apple and just revert the TDM changes or I will have to live with some packages that won't have ASLR.

@revelator
Contributor

revelator commented Oct 21, 2020

Btw. ld from binutils-2.35.1 reports two instances of some features.

  -a N�GLEORD                 Styrelse af delte biblioteker for kompatibilitet med HP/UX
  -A ARK, --architecture ARK  S�t arkitektur
  -b M�L, --format M�L        Angiv m�l for f�lgende inddatafiler
  -c FIL, --mri-script FIL    L�s l�nkerskript i MRI-format
  -d, -dc, -dp                Tving f�lles symboler til at v�re definerede
  --dependency-file FIL       Write dependency file
  --force-group-allocation    Force group members out of groups
  -e ADRESSE, --entry ADRESSE S�t startadresse
  -E, --export-dynamic        Eksport�r alle dynamiske symboler
  --no-export-dynamic         Undo the effect of --export-dynamic
  --enable-non-contiguous-regions
                              Enable support of non-contiguous memory regions
  --enable-non-contiguous-regions-warnings
                              Enable warnings when --enable-non-contiguous-regions may cause unexpected behaviour
  -EB                         L�nk objekt som er big-endian
  -EL                         L�nk objekt som er little-endian
  -f DELBIBL, --auxiliary DELBIBL
                              Ydre filter for symboltabel over delte objekter
  -F DELBIBL, --filter DELBIBL
                              Filter for symboltabel over delte objekter
  -g                          Ignoreret
  -G ST�RRELSE, --gpsize ST�RRELSE
                              Lille datast�rrelse (hvis ingen st�rrelse, samme som --shared)
  -h FILNAVN, -soname FILNAVN S�t internt navn p� delt bibliotek
  -I PROGRAM, --dynamic-linker PROGRAM
                              S�t PROGRAM som den dynamiske l�nker der bruges
  --no-dynamic-linker         Produce an executable with no program interpreter header
  -l BIBLNAVN, --library BIBLNAVN
                              S�g efter biblioteket BIBLNAVN
  -L KATALOG, --library-path KATALOG
                              Tilf�j KATALOG til bibliotekss�gestien
  --sysroot=<DIRECTORY>       Override the default sysroot location
  -m EMULERING                S�t emulering
  -M, --print-map             Vis tabelfil p� standard ud
  -n, --nmagic                Just�r ikke data efter lige sider
  -N, --omagic                Just�r ikke data efter lige sider, g�r ikke teksten kun l�sbar
  --no-omagic                 Just�r data efter lige sider, g�r ikke teksten kun l�sbar
  -o FIL, --output FIL        S�t uddatafilnavnet
  -O                          Optim�r uddatafil
  --out-implib FIL            Generate import library
  -plugin PLUGIN              Load named plugin
  -plugin-opt ARG             Send arg to last-loaded plugin
  -flto                       Ignored for GCC LTO option compatibility
  -flto-partition=            Ignored for GCC LTO option compatibility
  -fuse-ld=                   Ignored for GCC linker option compatibility
  --map-whole-files           Ignored for gold option compatibility
  --no-map-whole-files        Ignored for gold option compatibility
  -Qy                         Ignoreret for kompatibilitet med SVR4
  -q, --emit-relocs           Generate relocations in final output
  -r, -i, --relocatable       Gener�r relok�rbart uddata
  -R FIL, --just-symbols FIL  L�nk kun symboler (hvis katalog, samme som --rpath)
  -s, --strip-all             Fjern alle symboler
  -S, --strip-debug           Fjern fejls�gningssymboler
  --strip-discarded           Strip symbols in discarded sections
  --no-strip-discarded        Do not strip symbols in discarded sections
  -t, --trace                 Udskriv fil�bninger
  -T FIL, --script FIL        L�s l�nkerskript
  --default-script FIL, -dT   L�s forvalgt l�nkerskript
  -u SYMBOL, --undefined SYMBOL
                              Begynd med udefineret reference til SYMBOL
  --require-defined SYMBOL    Require SYMBOL be defined in the final output
  --unique [=SEKTION]         Flet ikke [SEKTION | for�lderl�se] sektioner
  -Ur                         Byg globale konstruktors-/destruktorstabeller
  -v, --version               Vis versionsinformation
  -V                          Vis versions- og emuleringsinformation
  -x, --discard-all           Smid alle lokale symboler v�k
  -X, --discard-locals        Smid tempor�re lokale symboler v�k (standard)
  --discard-none              Smid ikke nogen lokale symboler v�k
  -y SYMBOL, --trace-symbol SYMBOL
                              Udskriv omtale af SYMBOL
  -Y S�GESTI                  Standards�gesti for Solaris-kompatibilitet
  -(, --start-group           Start en gruppe
  -), --end-group             Slut en gruppe
  --accept-unknown-input-arch Accept input files whose architecture cannot be determined
  --no-accept-unknown-input-arch
                              Reject input files whose architecture is unknown
  --as-needed                 Only set DT_NEEDED for following dynamic libs if used
  --no-as-needed              Always set DT_NEEDED for dynamic libraries mentioned on
                                the command line
  -assert N�GLEORD            Ignoreret for SunOS-kompatibilitet
  -Bdynamic, -dy, -call_shared
                              L�nk mod delte biblioteker
  -Bstatic, -dn, -non_shared, -static
                              L�nk ikke mod delte biblioteker
  -Bsymbolic                  Bind globale referencer lokalt
  -Bsymbolic-functions        Bind globale funktionsreferencer lokalt
  --check-sections            Kontroll�r sektionsadresser for overlapninger (standard)
  --no-check-sections         Kontroll�r ikke sektionsadresser for overlapninger
  --copy-dt-needed-entries    Copy DT_NEEDED links mentioned inside DSOs that follow
  --no-copy-dt-needed-entries Do not copy DT_NEEDED links mentioned inside DSOs that follow
  --cref                      Opret krydsreferencetabel
  --defsym SYMBOL=UDTRYK      Defin�r en symbol
  --demangle [=STIL]          Afkod symbolnavn [brug STIL]
  --disable-multiple-abs-defs Do not allow multiple definitions with symbols included
           in filename invoked by -R or --just-symbols
  --embedded-relocs           Gener�r indlejrede relokeringer
  --fatal-warnings            Behandl advarsler som fejl
  --no-fatal-warnings         Behandl ikke advarsler som fejl (forvalgt)
  -fini SYMBOL                Kald SYMBOL ved udl�sning
  --force-exe-suffix          Tving generering af fil med endelsen .exe
  --gc-sections               Fjern ubrugte sektioner (p� visse m�l)
  --no-gc-sections            Fjern ikke ubrugte sektioner (standard)
  --print-gc-sections         List removed unused sections on stderr
  --no-print-gc-sections      Do not list removed unused sections
  --gc-keep-exported          Keep exported symbols when removing unused sections
  --hash-size=<NUMBER>        Set default hash table size close to <NUMBER>
  --help                      Vis hj�lp om flag
  -init SYMBOL                Kald SYMBOL ved indl�sning
  -Map FILE/DIR               Write a linker map to FILE or DIR/<outputname>.map
  --no-define-common          Defin�r ikke f�lles lagring
  --no-demangle               Afkod ikke symbolnavne
  --no-keep-memory            Brug mindre hukommelse og mere disk-I/O
  --no-undefined              Do not allow unresolved references in object files
  --allow-shlib-undefined     Allow unresolved references in shared libraries
  --no-allow-shlib-undefined  Tillad ikke ul�ste referencer i delte biblioteker
  --allow-multiple-definition Tillad flere definitioner
  --no-undefined-version      Forbyd udefineret version
  --default-symver            Create default symbol version
  --default-imported-symver   Create default symbol version for imported symbols
  --no-warn-mismatch          Advar ikke om uparrede inddatafiler
  --no-warn-search-mismatch   Don't warn on finding an incompatible library
  --no-whole-archive          Deaktiv�r ---whole-archive
  --noinhibit-exec            Opret en uddatafil ogs� hvis fejl forekommer
  -nostdlib                   Brug kun bibliotekskataloger som angives
                                p� kommandolinjen
  --oformat M�L               Angiv m�l for uddatafil
  --print-output-format       Print default output format
  --print-sysroot             Print current sysroot
  -qmagic                     Ignoreret for kompatibilitet med Linux
  --reduce-memory-overheads   Reduce memory overheads, possibly taking much longer
  --relax                     Reduce code size by using target specific optimizations
  --no-relax                  Do not use relaxation techniques to reduce code size
  --retain-symbols-file FIL   Behold kun symboler angivne i FIL
  -rpath S�GESTI              S�t k�rselstidss�gesti for delte biblioteker
  -rpath-link S�GESTI         S�t l�nkningstidss�gesti for delte biblioteker
  -shared, -Bshareable        Opret et delt bibliotek
  -pie, --pic-executable      Create a position independent executable
  --sort-common [=ascending|descending]
                              Sort common symbols by alignment [in specified order]
  --sort-section name|alignment
                              Sort sections by name or maximum alignment
  --spare-dynamic-tags ANTAL  Hvor mange m�rker som skal reserveres i .dynamic-sektion
  --split-by-file [=ST�RRELSE]
                              Del uddatasektioner hver ST�RRELSE oktetter
  --split-by-reloc [=ANTAL]   Del uddatasektioner hver ANTAL relokeringer
  --stats                     Vis statistik over hukommelsesbrug
  --target-help               Vis m�lspecifikke flag
  --task-link SYMBOL          Udf�r l�nkning p� opgaveniveau
  --traditional-format        Brug samme format som indbygget l�nker
  --section-start SEKTION=ADRESSE
                              S�t adresse p� navngiven sektion
  -Tbss ADRESSE               S�t adresse p� .bss-sektion
  -Tdata ADRESSE              S�t adresse p� .data-sektion
  -Ttext ADRESSE              S�t adresse p� .text-sektion
  -Ttext-segment ADRESSE      S�t adresse p� .text-segment
  -Trodata-segment ADRESSE    Set address of rodata segment
  -Tldata-segment ADRESSE     Set address of ldata segment
  --unresolved-symbols=<method>
                              How to handle unresolved symbols.  <method> is:
                                ignore-all, report-all, ignore-in-object-files,
                                ignore-in-shared-libs
  --verbose [=NUMBER]         Vis meget information under l�nkning
  --version-script FIL        L�s skript med versionsinformation
  --version-exports-section SYMBOL
                              Tag liste med eksportsymboler fra .exports og
                                brug SYMBOL som version.
  --dynamic-list-data         Add data symbols to dynamic list
  --dynamic-list-cpp-new      Use C++ operator new/delete dynamic list
  --dynamic-list-cpp-typeinfo Use C++ typeinfo dynamic list
  --dynamic-list FIL          Read dynamic list
  --export-dynamic-symbol SYMBOL
                              Export the specified symbol
  --export-dynamic-symbol-list FIL
                              Read export dynamic symbol list
  --warn-common               Advar for duplerede f�lles symboler
  --warn-constructors         Advar hvis globale konstruktorer/destruktorer findes
  --warn-multiple-gp          Advar hvis flere GP-v�rdier bruges
  --warn-once                 Advar kun �n gang per udefineret symbol
  --warn-section-align        Advar hvis begyndelsen p� sektionen �ndres p� grund af justering
  --warn-textrel              Warn if outpout has DT_TEXTREL
  --warn-alternate-em         Warn if an object has alternate ELF machine code
  --warn-unresolved-symbols   Report unresolved symbols as warnings
  --error-unresolved-symbols  Report unresolved symbols as errors
  --whole-archive             Inklud�r alle objekter fra f�lgende arkiver
  --wrap SYMBOL               Brug indkapslingsfunktioner for SYMBOL
  --ignore-unresolved-symbol SYMBOL
                              Unresolved SYMBOL will not cause an error or warning
  --push-state                Push state of flags governing input file handling
  --pop-state                 Pop state of flags governing input file handling
  --print-memory-usage        Report target memory usage
  --orphan-handling =MODE     Control how orphan sections are handled.
  --print-map-discarded       Show discarded sections in map file output (default)
  --no-print-map-discarded    Do not show discarded sections in map file output
@FIL                       Read options from FILE
C:\Msys64\mingw64\bin\ld.exe: m�l som underst�ttes: pe-x86-64 pei-x86-64 pe-bigobj-x86-64 elf64-x86-64 elf64-l1om elf64-k1om pe-i386 pei-i386 elf32-i386 elf32-iamcu elf64-little elf64-big elf32-little elf32-big srec symbolsrec verilog tekhex binary ihex plugin
C:\Msys64\mingw64\bin\ld.exe: emuleringer som underst�ttes: i386pep i386pe
C:\Msys64\mingw64\bin\ld.exe: emuleringsspecifikke flag:
i386pep:
  --base_file <basefil>               Generér en basefil for
                                       relokérbare DLL'er
  --dll                              Sæt billedbase til standard for
                                       DLL'er
  --file-alignment <størrelse>         Sæt filjustering
  --heap <størrelse>                   Sæt initiel størrelse på bunken
  --image-base <adresse>              Sæt startadressen for den kørbare
  --major-image-version <nummer>     Sæt versionsnummer for den kørbare
  --major-os-version <nummer>        Sæt laveste krævet OS-version
  --major-subsystem-version <nummer> Sæt laveste nødvendige
                                       OS-undersystemsversion
  --minor-image-version <nummer>     Sæt underrevisionsnummer for
                                       den kørbare
  --minor-os-version <nummer>        Sæt laveste krævet OS-revision
  --minor-subsystem-version <nummer> Sæt laveste nødvendige
                                       OS-undersystemsrevision
  --section-alignment <størrelse>      Sæt sektionsjustering
  --stack <størrelse>                  Sæt størrelse på initiel stak
  --subsystem <navn>[:<version>]     Sæt nødvendigt OS-undersystem
                                       [og krævet version]
  --support-old-code                 Understøttelse samvirken med gammel kode
  --[no-]leading-underscore          Set explicit symbol underscore prefix mode
  --[no-]insert-timestamp            Use a real timestamp rather than zero (default)
                                     This makes binaries non-deterministic
  --add-stdcall-alias                Eksportér symboler med og uden @nn
  --disable-stdcall-fixup            Lænk ikke _sym til _sym@nn
  --enable-stdcall-fixup             Lænk _sym til _sym@nn uden advarsler
  --exclude-symbols sym,sym,...      Udelad symboler fra automatisk
                                       eksport
  --exclude-all-symbols              Udelad alle symboler fra automatisk
                                       eksport
  --exclude-libs bibl,bibl,...       Udelad bibliotek fra automatisk
                                       export
  --exclude-modules-for-implib mod,mod,...
                                     Exclude objects, archive members from auto
                                     export, place into import library instead
  --export-all-symbols               Eksportér automatisk alle symboler
                                       til DLL
  --kill-at                          Fjern @nn fra eksporterede symboler
  --output-def <fil>                 Generér en .DEF-fil for bygget DLL
  --warn-duplicate-exports           Warn about duplicate exports
  --compat-implib                    Create backward compatible import libs;
                                       create __imp_<SYMBOL> as well
  --enable-auto-image-base           Vælg automatisk billedbase for DLL'er
                                       med mindre brugeren ikke angiver én <- here
  --disable-auto-image-base          Do not auto-choose image base (default)
  --dll-search-prefix=<streng>       Brug <streng><basenavn>.dll i stedet
                                       for lib<basenavn>.dll ved dynamisk
                                       lænkning uden et importbibliotek
  --enable-auto-import               Do sophisticated linking of _sym to
                                       __imp_sym for DATA references
  --disable-auto-import              Importér ikke DATA-objekter fra DLL'er
                                       automatisk
  --enable-runtime-pseudo-reloc      Work around auto-import limitations by
                                       adding pseudo-relocations resolved at
                                       runtime <- here
  --disable-runtime-pseudo-reloc     Do not add runtime pseudo-relocations for
                                       auto-imported DATA
  --enable-extra-pep-debug            Enable verbose debug output when building
                                       or linking to DLLs (esp. auto-import)
  --enable-long-section-names        Use long COFF section names even in
                                       executable image files
  --disable-long-section-names       Never use long COFF section names, even
                                       in object files
  --[disable-]high-entropy-va        Image is compatible with 64-bit address space
                                       layout randomization (ASLR)
  --[disable-]dynamicbase            Image base address may be relocated using
                                       address space layout randomization (ASLR)
  --enable-reloc-section             Create the base relocation table
  --disable-reloc-section            Do not create the base relocation table
  --[disable-]forceinteg             Code integrity checks are enforced
  --[disable-]nxcompat               Image is compatible with data execution
                                       prevention
  --[disable-]no-isolation           Image understands isolation but do not
                                       isolate the image
  --[disable-]no-seh                 Image does not use SEH; no SE handler may
                                       be called in this image
  --[disable-]no-bind                Do not bind this image
  --[disable-]wdmdriver              Driver uses the WDM model
  --[disable-]tsaware                Image is Terminal Server aware
  --build-id[=STYLE]                 Generate build ID
  --default-image-base-low           Default image bases under 4GB
  --default-image-base-high          Default image bases over  4GB
i386pe:
  --base_file <basefil>               Generér en basefil for
                                       relokérbare DLL'er
  --dll                              Sæt billedbase til standard for
                                       DLL'er
  --file-alignment <størrelse>         Sæt filjustering
  --heap <størrelse>                   Sæt initiel størrelse på bunken
  --image-base <adresse>              Sæt startadressen for den kørbare
  --major-image-version <nummer>     Sæt versionsnummer for den kørbare
  --major-os-version <nummer>        Sæt laveste krævet OS-version
  --major-subsystem-version <nummer> Sæt laveste nødvendige
                                       OS-undersystemsversion
  --minor-image-version <nummer>     Sæt underrevisionsnummer for
                                       den kørbare
  --minor-os-version <nummer>        Sæt laveste krævet OS-revision
  --minor-subsystem-version <nummer> Sæt laveste nødvendige
                                       OS-undersystemsrevision
  --section-alignment <størrelse>      Sæt sektionsjustering
  --stack <størrelse>                  Sæt størrelse på initiel stak
  --subsystem <navn>[:<version>]     Sæt nødvendigt OS-undersystem
                                       [og krævet version]
  --support-old-code                 Understøttelse samvirken med gammel kode
  --[no-]leading-underscore          Set explicit symbol underscore prefix mode
  --thumb-entry=<symbol>             Sæt indgangspunktet til at
                                       være tommel <symbol>
  --[no-]insert-timestamp            Use a real timestamp rather than zero (default).
                                     This makes binaries non-deterministic
  --add-stdcall-alias                Eksportér symboler med og uden @nn
  --disable-stdcall-fixup            Lænk ikke _sym til _sym@nn
  --enable-stdcall-fixup             Lænk _sym til _sym@nn uden advarsler
  --exclude-symbols sym,sym,...      Udelad symboler fra automatisk
                                       eksport
  --exclude-all-symbols              Udelad alle symboler fra automatisk
                                       eksport
  --exclude-libs bibl,bibl,...       Udelad bibliotek fra automatisk
                                       export
  --exclude-modules-for-implib mod,mod,...
                                     Exclude objects, archive members from auto
                                     export, place into import library instead.
  --export-all-symbols               Eksportér automatisk alle symboler
                                       til DLL
  --kill-at                          Fjern @nn fra eksporterede symboler
  --output-def <fil>                 Generér en .DEF-fil for bygget DLL
  --warn-duplicate-exports           Warn about duplicate exports
  --compat-implib                    Opret bagudkompatible importbiblioteker;
                                       og opret også __imp_<SYMBOL>.
  --enable-auto-image-base[=<address>] Automatically choose image base for DLLs
                                       (optionally starting with address) unless
                                       specifically set with --image-base <- and here
  --disable-auto-image-base          Vælg ikke billedbase automatisk
                                       (standard).
  --dll-search-prefix=<streng>       Brug <streng><basenavn>.dll i stedet
                                       for lib<basenavn>.dll ved dynamisk
                                       lænkning uden et importbibliotek
  --enable-auto-import               Do sophisticated linking of _sym to
                                       __imp_sym for DATA references
  --disable-auto-import              Importér ikke DATA-objekter fra DLL'er
                                       automatisk
  --enable-runtime-pseudo-reloc      Work around auto-import limitations by
                                       adding pseudo-relocations resolved at
                                       runtime. <- here too
  --disable-runtime-pseudo-reloc     Do not add runtime pseudo-relocations for
                                       auto-imported DATA.
  --enable-extra-pe-debug            Brug udførlig fejlsøgningsuddata ved
                                       bygning af eller lænkning til DLL'er
                                       (især automatisk import)
  --large-address-aware              Executable supports virtual addresses
                                       greater than 2 gigabytes
  --disable-large-address-aware      Executable does not support virtual
                                       addresses greater than 2 gigabytes
  --enable-long-section-names        Use long COFF section names even in
                                       executable image files
  --disable-long-section-names       Never use long COFF section names, even
                                       in object files
  --[disable-]dynamicbase            Image base address may be relocated using
                                       address space layout randomization (ASLR)
  --enable-reloc-section             Create the base relocation table
  --disable-reloc-section            Do not create the base relocation table
  --[disable-]forceinteg             Code integrity checks are enforced
  --[disable-]nxcompat               Image is compatible with data execution
                                       prevention
  --[disable-]no-isolation           Image understands isolation but do not
                                       isolate the image
  --[disable-]no-seh                 Image does not use SEH. No SE handler may
                                       be called in this image
  --[disable-]no-bind                Do not bind this image
  --[disable-]wdmdriver              Driver uses the WDM model
  --[disable-]tsaware                Image is Terminal Server aware
  --build-id[=STYLE]                 Generate build ID
```

Not sure if it's a bug, but the list gets rather confusing, with multiple options for runtime-pseudo-relocs and others all over the place.

@revelator
Contributor

...doh, I forgot the 64-bit binutils supports both targets; forget the above.
On another note, instead of using LDFLAGS_FOR_TARGET use BOOT_LDFLAGS to get it to pass the ASLR flags to stage2 and 3.
Sadly, while this gets pretty far, it still croaks on --dynamicbase in stage2. I also noticed that gcc turns off position independence for some tools like genmddeps, but it uses the -no-PIE flag instead of ld's --disable-dynamicbase. On Linux -PIE and -fpie is needed for ASLR, but these flags seem to break on Windows.

@lazka
Member

lazka commented Apr 11, 2021

DEP and ASLR have been enabled by default for some time now.
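
To confirm what a given binary actually declares, the header bits behind the `--dynamicbase`, `--nxcompat`, `--high-entropy-va` and `--enable-reloc-section` options listed earlier in the thread can be read directly. This is an added example, not code from the thread or from MSYS2; the `audit_pe` and `sample_header` names and the constructed header bytes are assumptions made for the demonstration.

```python
import struct

# IMAGE_DLLCHARACTERISTICS_* bits (PE/COFF spec), keyed by the ld option that sets them.
FLAGS = {"--high-entropy-va": 0x0020, "--dynamicbase": 0x0040, "--nxcompat": 0x0100}
PE32, PE32_PLUS = 0x10B, 0x20B
IMAGE_FILE_RELOCS_STRIPPED = 0x0001

def audit_pe(data: bytes) -> dict:
    """Report the ASLR/DEP-related settings a PE image declares in its headers."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ/PE image")
    (pe_off,) = struct.unpack_from("<I", data, 0x3C)         # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("PE signature missing")
    coff = pe_off + 4
    opt_size, file_chars = struct.unpack_from("<HH", data, coff + 16)
    opt = coff + 20
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic not in (PE32, PE32_PLUS):
        raise ValueError("unknown optional header magic")
    (dll_chars,) = struct.unpack_from("<H", data, opt + 70)  # DllCharacteristics
    dirs = opt + (96 if magic == PE32 else 112)              # data directories
    (ndirs,) = struct.unpack_from("<I", data, dirs - 4)      # NumberOfRvaAndSizes
    reloc_size = 0
    if ndirs > 5 and dirs + 6 * 8 <= opt + opt_size:
        # Directory entry 5 is the base relocation table (.reloc).
        _, reloc_size = struct.unpack_from("<II", data, dirs + 5 * 8)
    report = {name: bool(dll_chars & bit) for name, bit in FLAGS.items()}
    report["relocs"] = reloc_size > 0 and not file_chars & IMAGE_FILE_RELOCS_STRIPPED
    # DYNAMICBASE without base relocations leaves the loader unable to move the image.
    report["aslr_effective"] = report["--dynamicbase"] and report["relocs"]
    return report

def sample_header(dll_chars: int, reloc_size: int) -> bytes:
    """Constructed PE32+ headers only (no sections), used as demo input."""
    buf = bytearray(0x58 + 240)
    buf[:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x40)                  # e_lfanew
    buf[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<H", buf, 0x44, 0x8664)                # Machine: x86-64
    struct.pack_into("<HH", buf, 0x44 + 16, 240, 0x0022)     # opt size, Characteristics
    struct.pack_into("<H", buf, 0x58, PE32_PLUS)
    struct.pack_into("<H", buf, 0x58 + 70, dll_chars)
    struct.pack_into("<I", buf, 0x58 + 108, 16)              # NumberOfRvaAndSizes
    struct.pack_into("<II", buf, 0x58 + 112 + 5 * 8, 0x3000, reloc_size)
    return bytes(buf)
```

For a real file, pass `open(path, "rb").read(4096)` to `audit_pe`; the headers sit at the start of the image.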
