1 |
On Sat, 17 Jun 2017 14:43:24 +0300 |
2 |
Andrew Savchenko <bircoph@g.o> wrote: |
3 |
|
4 |
> On Thu, 15 Jun 2017 19:52:07 -0500 Matthias Maier wrote: |
5 |
> > > there should be a way of turning these off systematically. the |
6 |
> > > advantage of the current hardened gcc specs is that one can switch |
7 |
> > > between them using gcc-config. if these are forced on for the |
8 |
> > > default profile then there will be no easy way to systematically |
9 |
> > > turn them off. |
10 |
> > |
11 |
> > No - there won't be an easy way for systematically turning off |
12 |
> > SSP and PIE in 17.0 profiles [1,2]. |
13 |
> > |
14 |
> > The hardened toolchain with its different gcc profiles came from a |
15 |
> > time where SSP and PIE were relatively new security features and a |
16 |
> > certain amount of fine-grained control was needed. Further, at that |
17 |
> > time we were talking about external patches against gcc. Nowadays |
18 |
> > everything is upstreamed and (almost) no patches to gcc for |
19 |
> > hardened profiles are applied any more. |
20 |
> > |
21 |
> > Given the fact that all major linux distributions are following the |
22 |
> > path of improved default hardening features (see for example [1]) |
23 |
> > and that we have been using ssp/pie in hardened profiles for years |
24 |
> > now the purpose of fine-grained control over ssp/pie is also highly |
25 |
> > questionable. |
26 |
> > |
27 |
> > The consensus at the moment is that PIE and SSP (as well as stricter |
28 |
> > linker flags) will soon be standard (or, actually *are* already |
29 |
> > standard) compilation options. A per-package override (if |
30 |
> > absoluetely needed) is fine - and, in fact, already in place |
31 |
> > everywhere where needed. |
32 |
> |
33 |
> Gentoo is all about choice, remember? :) |
34 |
> |
35 |
> It is really good to have them by default, it is bad to force them |
36 |
> on everyone. Security is not always of paramount importance |
37 |
> comparing to other factors, sometimes performance matters more, |
38 |
> e.g. in isolated and restricted non-public HPC environment. |
39 |
> |
40 |
> PIE, SSP may lead up to 8% of performance loss[1]. The |
41 |
> stack-protector (especially stack-protector-all or -strong) may |
42 |
> cause even more damage. For compute nodes this may be equivalent to |
43 |
> millions USD loss (depends on the system scale of course). |
44 |
|
45 |
This can probably be fixed by a gcc-config target disabling those as it |
46 |
used to be the case on hardened |