From: Max Laier
To: freebsd-arch@freebsd.org
Cc: Jeremie Le Hen
Date: Fri, 18 Apr 2008 19:45:58 +0200
Subject: Re: Integration of ProPolice in FreeBSD
In-Reply-To: <20080418132749.GB4840@obiwan.tataz.chchile.org>
Message-Id: <200804181945.59189.max@love2party.net>

On Friday 18 April 2008 15:27:49 Jeremie Le Hen wrote:
> Hi,
>
> As you may already know I've integrated GCC's ProPolice into FreeBSD.
> The build infrastructure overlord, namely ru@, (I'm quoting kan@) has
> reviewed the patch and technically it is ready to hit the CVS tree.
>
> A few things should be discussed beforehand though.
>
> First, should we build world and/or kernel with SSP by default?  I've
> scamped a trivial benchmark back in 2006: timing buildworld with and
> without SSP.  You can find the result on my webpage:
> http://tataz.chchile.org/~tataz/FreeSBD/SSP/#section1

404 :-\

> Also, the original ProPolice author achieved a thorough performance
> comparison with and without SSP, and the overhead is really small:
> http://www.trl.ibm.com/projects/security/ssp/node5.html
> I would like to reach a consensus on whether SSP should be opt-in or
> opt-out on FreeBSD.
>
>
> Another concern that Robert Watson showed back in 2006 [1] when I brought
> forward my patch was the compatibility between pre-SSP and post-SSP
> binaries/libraries.
>
> I'll try to make it simple and short.  SSP requires two additional
> symbols that are kindly provided by libc.  Any binary or library
> compiled with SSP will require them.  As long as your libc contains the
> symbols, you can smoothly run pre-SSP applications with post-SSP libs as
> well as the other way around.
>
> Also Kris explained [2] that once applied, it is painful to try to
> revert the change (removing SSP symbols from libc).  This is true but
> once the patch gets committed, it should hopefully never happen.

So I'd suggest something along the lines of:

1) Add the needed support symbols to libc (they don't hurt anyone, right?)
2) Add support to build kernel/world with SSP enabled - default OFF.
3) Solicit testing!
4) After some time has passed (and people have had to reinstall libc
   anyways) and enough feedback has been received flip the switch to
   default ON.

In light of the recent "let's save stack space in the kernel", I'd like
to point out that SSP adds one word to every call.  Not much, but still.

Finally, what happens if SSP triggers in the kernel?  Do we get a useable
panic message?  Can we get a kdb_traceback() (if compiled in)?

Where is the patch, btw?

-- 
/"\  Best regards,                      | mlaier@freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News
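
Added illustration, not part of this message or of the patch under discussion: a user-space C model of the check the thread describes. The guard word and the failure handler stand in for the two libc-provided symbols, which in GCC's SSP are `__stack_chk_guard` and `__stack_chk_fail`; every `model_*` name and the guard value are constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for __stack_chk_guard: one process-wide secret word.
 * Constructed constant for the example; the real one is randomised. */
static const uintptr_t model_guard = (uintptr_t)0x5a17c0de00ff0a0dULL;

/* Stand-in for __stack_chk_fail: the real handler aborts the process
 * (or panics the kernel); this model only counts detections. */
static int model_fail_count;
static void model_stack_chk_fail(void) { model_fail_count++; }

/* Model of a protected frame: the canary sits directly above the local
 * buffer, so a linear overrun reaches it before any saved state. */
struct model_frame {
    char      buf[16];
    uintptr_t canary;          /* the extra word SSP costs this frame */
};

/* Copy len bytes with no bound on buf, then run the epilogue check.
 * Returns 1 if the canary was clobbered, 0 otherwise. */
int model_protected_copy(const void *src, size_t len)
{
    struct model_frame f;

    memset(&f, 0, sizeof f);
    f.canary = model_guard;                 /* prologue: store the guard */
    if (len > sizeof f)
        len = sizeof f;                     /* keep the model itself in bounds */
    memcpy(&f, src, len);                   /* the bug being modelled */
    if (f.canary != model_guard) {          /* epilogue: compare */
        model_stack_chk_fail();
        return 1;
    }
    return 0;
}

int main(void)
{
    char in[32];

    memset(in, 'A', sizeof in);
    printf("16 bytes: detected=%d\n", model_protected_copy(in, 16));
    printf("17 bytes: detected=%d\n", model_protected_copy(in, 17));
    printf("handler calls: %d\n", model_fail_count);
    return 0;
}
```

The question raised above about kernel behaviour maps onto what the handler does: in this model it only counts, whereas a real handler decides how much diagnostic output is produced before the process or kernel stops.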