Date: Fri, 17 Oct 2014 16:12:00 +0300 From: Konstantin Belousov <kostikbel@gmail.com> To: Shawn Webb <lattera@gmail.com> Cc: hunger@hunger.hu, David Carlier <david.carlier@hardenedbsd.org>, Oliver Pinter <oliver.pntr@gmail.com>, PaX Team <pageexec@freemail.hu>, Sean Bruno <sbruno@freebsd.org>, freebsd-arch@freebsd.org, Jeremie Le Hen <jlh@freebsd.org>, Bryan Drewery <bdrewery@freebsd.org> Subject: Re: PIE/PIC support on base Message-ID: <20141017131159.GD2153@kib.kiev.ua> In-Reply-To: <CADt0fhzg5G1cLEBNfHXSEi9iP7mCP=8sSwpXbFobig=pm=QsFQ@mail.gmail.com> References: <CAMe1fxaYn%2BJaKzGXx%2Bywv8F0mKDo72g=W23KUWOKZzpm8wX4Tg@mail.gmail.com> <CAGSa5y3s9r0DRyinfqV=PJc_BT=Em-SLfwhD25nP0=6ki9pHWw@mail.gmail.com> <CAMe1fxaBEc5T77xjpRsMi_kkc5LXwPGooLWTO9C1FJcLSPnO8w@mail.gmail.com> <CAGSa5y2=bKpaeLO_S5W%2B1YGq02WMgCZn_5bbEMw%2Bx3j-MYDOoA@mail.gmail.com> <CADt0fhzg5G1cLEBNfHXSEi9iP7mCP=8sSwpXbFobig=pm=QsFQ@mail.gmail.com>
next in thread | previous in thread | raw e-mail | index | archive | help
On Thu, Oct 16, 2014 at 06:15:38PM -0400, Shawn Webb wrote: > On Thu, Oct 16, 2014 at 5:59 PM, Jeremie Le Hen <jlh@freebsd.org> wrote: > > > On Thu, Oct 16, 2014 at 8:21 PM, David Carlier > > <david.carlier@hardenedbsd.org> wrote: > > > > > > I chose the "atomic" approach, at the moment very few binaries are > > > concerned at the moment. So I applied INCLUDE_PIC_ARCHIVE in the needed > > > libraries plus created WITH_PIE which add fPIE/fpie -pie flags only if > > you > > > include <bsd.prog.pie.mk> (which include <bsd.prog.mk>...) otherwise > > other > > > binaries include <bsd.prog.mk> as usual hence does not apply. Look > > > reasonable approach ? > > > > I think I understand what you mean. But I think PIE is commonplace > > nowadays and I don't understand what you win by not enabling it for > > the whole system. Is it a performance concern? Is it to preserve > > conservative minds from to much change? :) > > > Looping in Kostik, Bryan Drewery, the PaX team, Hunger, and Sean Bruno. > > On i386, there is a performance cost due to not having an extra register > available for the relocation work that has to happen. PIE doesn't carry > much of a performance penalty on amd64, though it still does carry some on > first resolution of functions (due to the extra relocation step the RTLD > has to worry about). On amd64, after symbol resolution has taken place, > there is no further performance penalty due to amd64 having an extra > register to use for PIE/PIC. I'm unsure what, if any, performance penalty > PIE carries on ARM, AArch64, and sparc64. -fPIE generates PIC code, in particular, the main binary symbols are resolved through GOT (and functions are called through PLT). This is additional level of indirection, which causes additional memory access outside of the instruction stream reads. Also, for the same reason, PIE changes ELF rules for the symbol resolution. In particular, symbols from the main binary appear in the dynamic symbol table, and are the subject of interposing. > > Certain folk would prefer to see PIE enabled only in certain applications. > /bin/ls can't really make much use of PIE. But sshd can. I personally would > like to see all of base's applications compiled as PIEs, but that's a long > ways off. It took OpenBSD several years to accomplish that. Having certain > high-visibility applications (like sshd, inetd, etc) is a great start. > Providing a framework for application developers to opt their application > into PIE is another great start. Exercise for certain folks: how does dynamic loading of the PAM modules interacts with PIE ? Hint: see above about dynamic symbols and interposing. > > Those are my two cents. > > Thanks, > > Shawn
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20141017131159.GD2153>