Introduce PIE base.

Enabled for amd64, i386, and aarch64.

libexec/rtld-elf/Makefile

@@ -89,6 +89,8 @@ beforeinstall:
 SUBDIR+=	tests
 .endif
 
+NOPIE=		yes
+
 .include <bsd.prog.mk>
 ${PROG_FULL}:	${VERSION_MAP}
 .include <bsd.symver.mk>

rescue/librescue/Makefile

@@ -44,4 +44,6 @@ CFLAGS+=       -DHESIOD
 .endif
 CFLAGS+=	-I${.CURDIR}/../../lib/libc/include
 
+NOPIE=		yes
+
 .include <bsd.lib.mk>

rescue/rescue/Makefile

@@ -227,5 +227,7 @@ CRUNCH_PROGS_usr.bin+=	iscsictl
 CRUNCH_PROGS_usr.sbin+=	iscsid
 .endif
 
+NOPIE=		yes
+
 .include <bsd.crunchgen.mk>
 .include <bsd.prog.mk>

share/mk/bsd.lib.mk

@@ -89,6 +89,29 @@ PICFLAG=-fpic
 .endif
 .endif
 
+.if defined(MK_PIE)
+# Ports will not have MK_PIE defined and the following logic requires
+# it be defined.
+
+.if !defined(NO_PIC)
+.if ${MK_PIE} != "no"
+.if !defined(NOPIE)
+CFLAGS+= ${PICFLAG}
+.endif
+.endif
+.endif
+.endif
+
+.if defined(MK_RELRO)
+.if ${MK_RELRO} != "no"
+LDFLAGS+=	-Wl,-z,relro
+.endif
+
+.if ${MK_BIND_NOW} != "no"
+LDFLAGS+=	-Wl,-z,now
+.endif
+.endif
+
 PO_FLAG=-pg
 
 .c.o:

share/mk/bsd.prog.mk

@@ -59,6 +59,33 @@ TAG_ARGS=	-T ${TAGS:[*]:S/ /,/g}
 LDFLAGS+= -static
 .endif
 
+.if defined(MK_PIE)
+# Ports will not have MK_PIE defined and the following logic requires
+# it be defined.
+
+.if ${LDFLAGS:M-static}
+NOPIE=yes
+.endif
+
+.if !defined(NOPIE)
+.if ${MK_PIE} != "no"
+CFLAGS+= -fPIE
+CXXFLAGS+= -fPIE
+LDFLAGS+= -pie
+.endif
+.endif
+.endif
+
+.if defined(MK_RELRO)
+.if ${MK_RELRO} != "no"
+LDFLAGS+=	-Wl,-z,relro
+.endif
+
+.if ${MK_BIND_NOW} != "no"
+LDFLAGS+=	-Wl,-z,now
+.endif
+.endif
+
 .if ${MK_DEBUG_FILES} != "no"
 PROG_FULL=${PROG}.full
 # Use ${DEBUGDIR} for base system debug files, else .debug subdirectory

share/mk/bsd.test.mk

@@ -39,6 +39,8 @@ TESTS_SUBDIRS?=
 # List of variables to pass to the tests at run-time via the environment.
 TESTS_ENV?=
 
+NOPIE=		yes
+
 # Force all tests in a separate distribution file.
 #
 # We want this to be the case even when the distribution name is already

share/mk/src.opts.mk

@@ -54,6 +54,7 @@ __DEFAULT_YES_OPTIONS = \
     AUTHPF \
     AUTOFS \
     BHYVE \
+    BIND_NOW \
     BINUTILS \
     BINUTILS_BOOTSTRAP \
     BLACKLIST \
@@ -148,11 +149,13 @@ __DEFAULT_YES_OPTIONS = \
     RCMDS \
     RBOOTD \
     RCS \
+    RELRO \
     RESCUE \
     ROUTED \
     SENDMAIL \
     SETUID_LOGIN \
     SHAREDOCS \
+    SHARED_TOOLCHAIN \
     SOURCELESS \
     SOURCELESS_HOST \
     SOURCELESS_UCODE \
@@ -186,7 +189,6 @@ __DEFAULT_NO_OPTIONS = \
     NAND \
     OFED \
     OPENLDAP \
-    SHARED_TOOLCHAIN \
     SORT_THREADS \
     SVN \
     SYSTEM_COMPILER
@@ -258,6 +260,12 @@ BROKEN_OPTIONS+=LLDB
 BROKEN_OPTIONS+=LIBSOFT
 .endif
 
+.if ${__T} == "amd64" || ${__T} == "i386" || ${__T} == "aarch64"
+__DEFAULT_YES_OPTIONS+=PIE
+.else
+__DEFAULT_NO_OPTIONS+=PIE
+.endif
+
 .include <bsd.mkopt.mk>
 
 #

sys/boot/common/Makefile.inc

@@ -11,6 +11,7 @@ SRCS+=	load_elf64.c load_elf64_obj.c reloc_elf64.c
 SRCS+=	load_elf32.c load_elf32_obj.c reloc_elf32.c
 .elif ${MACHINE_CPUARCH} == "aarch64"
 SRCS+=	load_elf64.c reloc_elf64.c
+NOPIE=	yes
 .elif ${MACHINE_CPUARCH} == "arm"
 SRCS+=	load_elf32.c reloc_elf32.c
 .elif ${MACHINE_CPUARCH} == "powerpc"

sys/boot/efi/boot1/Makefile

@@ -2,6 +2,10 @@
 
 MAN=
 
+.if ${MACHINE_CPUARCH} == "aarch64"
+NOPIE=		yes
+.endif
+
 .include <src.opts.mk>
 
 MK_SSP=		no

sys/boot/efi/libefi/Makefile

@@ -25,6 +25,7 @@ CFLAGS+=	-msoft-float -mgeneral-regs-only
 .endif
 .if ${MACHINE_ARCH} == "amd64"
 CFLAGS+= -fPIC -mno-red-zone
+NOPIE=	yes
 .endif
 CFLAGS+= -I${.CURDIR}/../include
 CFLAGS+= -I${.CURDIR}/../include/${MACHINE}

sys/boot/efi/loader/Makefile

@@ -2,6 +2,10 @@
 
 MAN=
 
+.if ${MACHINE_CPUARCH} == "aarch64"
+NOPIE=		yes
+.endif
+
 .include <src.opts.mk>
 
 MK_SSP=		no

sys/boot/efi/loader/arch/arm64/Makefile.inc

@@ -22,3 +22,5 @@ loader.help: help.common
 
 FILES+=	loader.rc
 .endif
+
+NOPIE=	yes

sys/boot/fdt/Makefile

@@ -26,5 +26,7 @@ CFLAGS+=	-m32
 
 CFLAGS+=	-Wformat -Wall
 
+NOPIE=		yes
+
 .include <bsd.stand.mk>
 .include <bsd.lib.mk>

sys/boot/ficl/Makefile

@@ -3,6 +3,10 @@
 
 FICLDIR?=	${.CURDIR}
 
+.if ${MACHINE_CPUARCH} == "aarch64"
+NOPIE=		yes
+.endif
+
 .if defined(FICL32)
 .PATH: ${FICLDIR}/${MACHINE_CPUARCH:S/amd64/i386/}
 .elif ${MACHINE_ARCH} == "mips64" || ${MACHINE_ARCH} == "mips64el"

sys/boot/i386/Makefile.inc

@@ -28,4 +28,6 @@ BTXLDR=		${BTXDIR}/btxldr/btxldr
 BTXKERN=	${BTXDIR}/btx/btx
 BTXCRT=		${BTXDIR}/lib/crt0.o
 
+NOPIE=		yes
+
 .include "../Makefile.inc"

sys/boot/usb/Makefile

@@ -52,6 +52,10 @@ CFLAGS+=	-m32
 CFLAGS+=	-mno-abicalls
 .endif
 
+.if ${MACHINE_CPUARCH} == "aarch64"
+NOPIE=		yes
+.endif
+
 
 .include "usbcore.mk"
 .include "../kshim/kshim.mk"