1 |
hi Peter, |
2 |
|
3 |
first of all, i have been following your commitment to hardened stuff, |
4 |
grsecurity and related engagements during the last months and i am |
5 |
amazed by your technical skill level and expertise. |
6 |
|
7 |
On Wed, 2003-11-19 at 12:45, Peter S. Mazinger wrote: |
8 |
> On 18 Nov 2003, Ned Ludd wrote: |
9 |
> |
10 |
> > On Tue, 2003-11-18 at 18:57, Peter S. Mazinger wrote: |
11 |
> > > Hello! |
12 |
> > > |
13 |
> > > I have a clean uClibc environment (not gentoo based), and inspired by |
14 |
> > > hardened-gcc-3.3.2 the gcc specs file was changed to support ET_DYN |
15 |
> > > binaries, the only change I have done is replacing Scrt1.o with "crt1S.o |
16 |
building -pie executables emits this stuff which is normally done by |
17 |
interp.o, redundant this interp.o therefore is. |
18 |
> > > interp.o" (crt1S.o not yet in the uClibc tree, but in portage), due to the |
19 |
> > > fact that Scrt1.o does not exist in uClibc like in glibc-2.3.2. I do not |
20 |
yes, it is in a Redhat branch update of glibc-2.3.2 as far as i can tell |
21 |
> > > know what the difference is between Scrt1.o from glibc and crt1S.o coming |
22 |
basically there is only a small technical difference, the goal is the |
23 |
same: the function _start has the job of position independent calling |
24 |
the glibc function __libc_start_main with the arguments _init _fini and |
25 |
main that are given as arguments to __libc_start_main ;-) |
26 |
|
27 |
> > > from the hardened-gcc-2.4.6 (the version for uClibc is PaX version, so |
28 |
> > > similar to those in hardened-gcc-2.4.6). |
29 |
> > > Could someone comment on problems regarding this change? |
30 |
yo, we try to use mainstream as possible while not giving up our high |
31 |
security PaX environment. |
32 |
if the Scrt1.o proves good, there is no reason to use the pioneering |
33 |
version of pipacs any more ;-) |
34 |
In fact it should be noted that pageexec.virtualave.net introduced and |
35 |
coached us to this all stuff for such a long time and i am proud that |
36 |
Redhat is doing it this way also, by not telling anyone stole anything |
37 |
from anybody - but we all know how to say thank you ;-) |
38 |
> > ... |
39 |
> > |
40 |
> > > I have seen a dependency on binutils-2.14.90.0.7, but this one has some |
41 |
> > > problems with uClibc (does not correctly support canadian cross-compiling, |
42 |
> > > binutils-2.14.90.0.6 yes). Is it really needed, or is |
43 |
> > > binutils-2.14.90.0.6-r7 enough? |
44 |
you need "ld -pie" for the true compiling of etdyn. therefore you need |
45 |
the high binutils. |
46 |
|
47 |
using -shared instead is good but has issues with ./configure running of |
48 |
some program suites and missing functions because this happens: |
49 |
gcc -shared does transparently compile the binary as "dynamic library |
50 |
executable" which means the configure tests fail this way, i type the |
51 |
hardened-gcc stuff in brackets: |
52 |
./configure: gcc -lfoo-library-that-i-am -lsearching-for -lin-configure |
53 |
[-fPIC -shared] -o conftest -c conftest.c |
54 |
|
55 |
which leads to the false positive that the function tested in conftest.c |
56 |
gets compiled and no linker error is emitted which would normally be the |
57 |
situation when the library is not there. |
58 |
then the binary could not compile but fail later during Makefile because |
59 |
libs are not found. |
60 |
|
61 |
Jakub Jelinek then invented the -pie support which is a quick shot of |
62 |
-shared and uses library characteristics but without leaving unresolved |
63 |
symbols and functions hang around in the target binary! |
64 |
the other magic stuff i can't tell you because i would violate Redhat |
65 |
NDA's, *scnr* no, not really ;-) |
66 |
|
67 |
> > > |
68 |
> > > I have rebuilt about 50 packages (mainly development environment) with |
69 |
cool |
70 |
> |
71 |
> > > these changes, but there is some strange behaviour (it is not related |
72 |
> > > to the fact that everything is -fPIC built, I had this already defined |
73 |
> > > earlier in my CFLAGS for almost all packages) |
74 |
well, maybe the -shared bug i mentioned above? |
75 |
> > > I am also interested in an Scrt1.o version for uClibc, so a changes |
76 |
yeah go ahead and create one, take the crt1S.S from pipacs, it's great |
77 |
and maybe we could get him to contribute some comments and explaination |
78 |
too. |
79 |
> > > description between the PaX and the glibc-2.3.2 implementation would be |
80 |
> > > helpful. |
81 |
see pipacs for this too ;-) |
82 |
> > |
83 |
> > <rant> |
84 |
> > Quick rundown. Sctr1.S is a redhat knock off creation of PaX's ctr1S.S |
85 |
> > (ie somebody probably got paid to rip it off and claim it was a redhat |
86 |
> > original creation) they even fscked up the naming convention. I wont go |
87 |
> > to much in detail because I would end up ranting for hours. In short |
88 |
> > Scrt1 the way it gets built by redhat will most likely end up with text |
89 |
> > relocations from what I understand so the PaX crt1S.S should be used and |
90 |
> > preferred till such time as redhat finds a way to break that for us. |
91 |
> > </rant> |
92 |
> Why is then used Scrt1.o in hardened-gcc-3.3.2? |
93 |
forget about the rant. |
94 |
we use it for standardizing our stuff. |
95 |
> |
96 |
> > |
97 |
> > > Why was the default -fomit-frame-pointer option removed? From my |
98 |
> > > experience there are only a few packages, that are incompatible with it |
99 |
> > > (mainly libraries). |
100 |
solar already said that, the speed gain is almost useless compared to |
101 |
the problems you might encounter and bugs getting assigned to you, so |
102 |
better keep hands off that black magic ;-) |
103 |
> > |
104 |
> > You would have to ask the maintainer pappy@g.o about why this |
105 |
> > functionality was removed. However I can say from my personal testing we |
106 |
> > truly don't seem to gain any performance by trying to gain back an extra |
107 |
> > register from adding -fomit-frame-pointer when -fPIC steals away the ebx |
108 |
> > register, in fact I even get roughly exactly same number of instructions |
109 |
> > that get executed when using those flags together. Attached is a file I |
110 |
> > did this testing with. |
111 |
> > |
112 |
> > |
113 |
|
114 |
thanks for corresponding and hope i have helped, |
115 |
|
116 |
Alex |
117 |
|
118 |
|
119 |
-- |
120 |
gentoo-hardened@g.o mailing list |