Date: Thu, 16 Oct 2014 18:15:38 -0400 From: Shawn Webb <lattera@gmail.com> To: Jeremie Le Hen <jlh@freebsd.org> Cc: hunger@hunger.hu, David Carlier <david.carlier@hardenedbsd.org>, Oliver Pinter <oliver.pntr@gmail.com>, Sean Bruno <sbruno@freebsd.org>, Konstantin Belousov <kib@freebsd.org>, freebsd-arch@freebsd.org, PaX Team <pageexec@freemail.hu>, Bryan Drewery <bdrewery@freebsd.org> Subject: Re: PIE/PIC support on base Message-ID: <CADt0fhzg5G1cLEBNfHXSEi9iP7mCP=8sSwpXbFobig=pm=QsFQ@mail.gmail.com> In-Reply-To: <CAGSa5y2=bKpaeLO_S5W%2B1YGq02WMgCZn_5bbEMw%2Bx3j-MYDOoA@mail.gmail.com> References: <CAMe1fxaYn%2BJaKzGXx%2Bywv8F0mKDo72g=W23KUWOKZzpm8wX4Tg@mail.gmail.com> <CAGSa5y3s9r0DRyinfqV=PJc_BT=Em-SLfwhD25nP0=6ki9pHWw@mail.gmail.com> <CAMe1fxaBEc5T77xjpRsMi_kkc5LXwPGooLWTO9C1FJcLSPnO8w@mail.gmail.com> <CAGSa5y2=bKpaeLO_S5W%2B1YGq02WMgCZn_5bbEMw%2Bx3j-MYDOoA@mail.gmail.com>
next in thread | previous in thread | raw e-mail | index | archive | help
On Thu, Oct 16, 2014 at 5:59 PM, Jeremie Le Hen <jlh@freebsd.org> wrote: > On Thu, Oct 16, 2014 at 8:21 PM, David Carlier > <david.carlier@hardenedbsd.org> wrote: > > > > I chose the "atomic" approach, at the moment very few binaries are > > concerned at the moment. So I applied INCLUDE_PIC_ARCHIVE in the needed > > libraries plus created WITH_PIE which add fPIE/fpie -pie flags only if > you > > include <bsd.prog.pie.mk> (which include <bsd.prog.mk>...) otherwise > other > > binaries include <bsd.prog.mk> as usual hence does not apply. Look > > reasonable approach ? > > I think I understand what you mean. But I think PIE is commonplace > nowadays and I don't understand what you win by not enabling it for > the whole system. Is it a performance concern? Is it to preserve > conservative minds from to much change? :) Looping in Kostik, Bryan Drewery, the PaX team, Hunger, and Sean Bruno. On i386, there is a performance cost due to not having an extra register available for the relocation work that has to happen. PIE doesn't carry much of a performance penalty on amd64, though it still does carry some on first resolution of functions (due to the extra relocation step the RTLD has to worry about). On amd64, after symbol resolution has taken place, there is no further performance penalty due to amd64 having an extra register to use for PIE/PIC. I'm unsure what, if any, performance penalty PIE carries on ARM, AArch64, and sparc64. Certain folk would prefer to see PIE enabled only in certain applications. /bin/ls can't really make much use of PIE. But sshd can. I personally would like to see all of base's applications compiled as PIEs, but that's a long ways off. It took OpenBSD several years to accomplish that. Having certain high-visibility applications (like sshd, inetd, etc) is a great start. Providing a framework for application developers to opt their application into PIE is another great start. Those are my two cents. Thanks, Shawn
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?CADt0fhzg5G1cLEBNfHXSEi9iP7mCP=8sSwpXbFobig=pm=QsFQ>