Date:      Wed, 5 Nov 2014 13:44:26 +0100
From:      Baptiste Daroussin <bapt@FreeBSD.org>
To:        Konstantin Belousov <kostikbel@gmail.com>
Cc:        PaX Team <pageexec@freemail.hu>, FreeBSD Arch <freebsd-arch@freebsd.org>, Shawn Webb <lattera@gmail.com>
Subject:   Re: PIE/PIC support on base
Message-ID:  <20141105124426.GI10388@ivaldir.etoilebsd.net>
In-Reply-To: <20141105122612.GC53947@kib.kiev.ua>
References:  <CADt0fhzg5G1cLEBNfHXSEi9iP7mCP=8sSwpXbFobig=pm=QsFQ@mail.gmail.com> <CAGSa5y1LBxkUNSgKkw=F9_uykXDeBV7_WL0a7Wt%2B%2BGgMTSULEQ@mail.gmail.com> <CADt0fhweiymn2D09%2Be7f44AreWe%2B8cmAtDVeec0NfmuWuOOhbg@mail.gmail.com> <315B4DC5-0E04-4F6B-BBB0-477D049025BF@bsdimp.com> <CADt0fhyCBa3PTnZ3dpc-hpysyC9V0MXR16s-e10V0ioAfaWHuw@mail.gmail.com> <C7C48B02-E65C-4F90-A503-1FDDCB590B7D@bsdimp.com> <20141105090215.GF10388@ivaldir.etoilebsd.net> <20141105092614.GB53947@kib.kiev.ua> <20141105114855.GH10388@ivaldir.etoilebsd.net> <20141105122612.GC53947@kib.kiev.ua>

On Wed, Nov 05, 2014 at 02:26:12PM +0200, Konstantin Belousov wrote:
> On Wed, Nov 05, 2014 at 12:48:55PM +0100, Baptiste Daroussin wrote:
> > On Wed, Nov 05, 2014 at 11:26:14AM +0200, Konstantin Belousov wrote:
> > > On Wed, Nov 05, 2014 at 10:02:15AM +0100, Baptiste Daroussin wrote:
> > > > On amd64 WANTS_PIE will be useless as we can easily activate PIE in
> > > > every place.
> > > > For i386 we would probably prefer cherry picking what we want to see
> > > > built with PIE. Don't know for other arches.
> > > >
> > > > So here is what I do propose:
> > > > if MK_PIE=no: no PIE at all
> > > > if MK_PIE=yes:
> > > > - on amd64/(platforms without performance penalty): build everything
> > > >   with PIE from libs to prog
> > > See below.
> > >
> > > > - on i386/(platforms with performance penalty): build with PIE if
> > > >   WANTS_PIE is defined.
> > > >
> > > > So the differences with the previous approach are:
> > > > - No way to opt out PIE for a single binary either totally disable or
> > > >   enable (I have encountered no binary so far in the base system which
> > > >   fails with PIE enabled - again only tested on amd64)
> > > > - Activate PIE for both binaries and libraries (no reason not to
> > > >   include libraries)
> > > What does it mean 'PIE for library' ? There is simply no such thing.
> >=20
> > Sorry I badly explained, I was meaning PIC for libs PIE for binaries.
> > >=20
> > > Also, I strongly oppose compiling everything with PIC, even on amd64.
> > > I described somewhere else that using PIC code changes symbol lookup
> > > rules for binaries.  So despite not having performance impact, the
> > > thing does impact runtime behaviour in subtle ways.  The most affected
> > > programs are those which support dynamic modules.
> Please do not ignore this ^^^^^^ issue.

I was not aware of issues here, I'll investigate but will not ignore for
sure :)
>
> > >
> > > Also, what is the state of static binaries + PIE ? Do our binutils
> > > support this at all ? The csu is definitely not ready for 'everything
> > > PIE'.
> >=20
> > Only dynamic binaries will receive PIE support (and in case of using an
> > INTERNALLIB will link to the libbla_pic.a) static ones will remain non =
PIE.
>=20
> And what about libX.a libraries, required by those static binaries ?
> It is wrong to compile the .o files for those static libraries in
> pic mode.

I was not planning to build .a files with PIC, static binaries at all
>=20
> More, take look at things which are done with -DPIC, e.g. in the
> lib/libc/sys/stack_protector*.c.  There, it is critical for correctness.
>=20
>=20
I'll have a look thanks for the pointer!

regards,
Bapt
