Mike Frysinger posted on Thu, 20 Oct 2011 08:55:35 -0400 as excerpted:

> On Thursday 20 October 2011 04:47:14 Paweł Hajdan, Jr. wrote:

>> <http://wiki.debian.org/ReleaseGoals/SecurityHardeningBuildFlags>
>> Debian is starting to make more and more hardening features default

> random thoughts:
> - we've long defaulted to linking with relro
> - defaulting to bindnow is pretty much a no go for USE=-hardened
> - PIC/PIE comes with performance penalty for (e.g. x86),
> and is often the source of build issues with the hardened port
> - we've long defaulted to building with _FORTIFY_SOURCE

Thanks on relro and fortify_source.

Magnus G suggests possibly adding PIE to amd64, which is already PIC,
with the big issue there being the packages doing assembly where the
upstreams aren't interested in PIC compliance so Gentoo has to maintain
the patches. He says ~30 packages. Obviously hardened already has quite
some experience here, and making PIE the amd64 default would certainly
broaden the base and should thus make it easier than just hardened caring
now, but at a bit more trouble for mainline ~amd64, I'd imagine.

Still, speaking as an ~amd64 user myself, that's certainly an acceptable
tradeoff from the user-side, particularly as most users will only have
perhaps a handful of those 30 packages installed. If the gentoo/amd64
folks and the maintainers of those 30 packages don't mind too much, I
believe it does make sense.

Then, as legacy x86 gradually dies off and those who haven't already done
so gradually switch to amd64 (or possibly arm, but I don't know enough
about that to comment in this context), they'd get the security upgrade
as a part of the package. =:^)

What about x32, though? Does it get PIC by default too, or not, and if not,
given that it's a new arch, would enabling both PIC and PIE and taking
whatever hit it brings with it be acceptable? What /are/ the costs
there, more like x86 or amd64?

And for bindnow, do you mean the "-Wl,-z,now" that's part of my LDFLAGS?
If so, I've been running it for years on amd64 at least, no hardened
here. And for less time but similarly system-wide, I'm running it on my
early 32-bit-atom-based netbook (acer aspire one, AOA150L). AFAIK
there's some initial-load-time and arguably some memory cost, but less
post-load run-time latency and issues than when those libs would otherwise
be lazy-loaded, and I decided that tradeoff was one I could live with!
=:^)

Years ago there were some issues with the xf86-video-ati driver due to
circular load-time dependency issues so I had to disable it for that
package (and possibly for a couple other X-related packages) for a while,
but any remaining issues in the packages I run, at least, have been long
dealt with in the ebuilds using stripflags or whatever, and I've not had
any LDFLAG changes in my /etc/portage/env/*/* files for quite some time.

So while Frysinger's certainly the expert that I'm not, and assuming
we're talking about the same thing, at least on my kde-based systems both
amd64 and x86, my bindnow experience has actually been remarkably
smooth, /way/ more so than say... CFLAGS containing -combine (as mine
do), for which I've rather a number of /etc/portage/env/*/* entries.

So from my experience, bindnow would be a go as well. But I've always
been interested in why it might not be the default I thought it seemed it
should be, so if Mike or anyone else can point me at something suggesting
other than initial-load latency and quite rare circular load issues (or
for that matter, much else on that flag, since I frankly don't know as
much about it as I'd like), I'd love to read up!

--
Duncan - List replies preferred. No HTML msgs.
"Every nonfree program has a lord, a master --
and if you use the program, he is your master." Richard Stallman
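The flags debated in this thread (relro, bindnow via -Wl,-z,now, PIE) each leave a mark in the linked ELF, which is how one verifies what a package actually got built with. The following Python is an added example, not code from the thread or from Gentoo: it reads those marks from a little-endian ELF64 image, and build_sample_elf constructs a minimal synthetic ELF (not a real binary) as test input.

```python
import struct

# ELF constants (System V ABI, as in glibc's elf.h)
ET_EXEC, ET_DYN = 2, 3
PT_DYNAMIC, PT_INTERP, PT_GNU_RELRO = 2, 3, 0x6474E552
DT_NULL, DT_FLAGS, DT_FLAGS_1 = 0, 30, 0x6FFFFFFB
DF_BIND_NOW, DF_1_NOW, DF_1_PIE = 0x8, 0x1, 0x08000000

def hardening_flags(elf: bytes) -> dict:
    """Report RELRO level, BIND_NOW and PIE for a little-endian ELF64 image held in memory."""
    if elf[:6] != b"\x7fELF\x02\x01":
        raise ValueError("only little-endian ELF64 is handled here")
    _, e_type, _, _, _, e_phoff, _, _, _, e_phentsize, e_phnum = struct.unpack_from(
        "<16sHHIQQQIHHH", elf, 0)
    segs = {}                                   # p_type -> (file offset, file size)
    for i in range(e_phnum):
        p_type, _, p_off, _, _, p_filesz = struct.unpack_from(
            "<IIQQQQ", elf, e_phoff + i * e_phentsize)
        segs[p_type] = (p_off, p_filesz)
    tags = {}                                   # d_tag -> d_val from the dynamic segment
    if PT_DYNAMIC in segs:
        off, size = segs[PT_DYNAMIC]
        for pos in range(off, off + size, 16):
            tag, val = struct.unpack_from("<QQ", elf, pos)
            if tag == DT_NULL:
                break
            tags[tag] = val
    relro = PT_GNU_RELRO in segs                # -Wl,-z,relro
    bind_now = bool(tags.get(DT_FLAGS, 0) & DF_BIND_NOW or tags.get(DT_FLAGS_1, 0) & DF_1_NOW)  # -Wl,-z,now
    # ET_DYN with a PT_INTERP (or the newer DF_1_PIE bit) is a PIE executable rather than a shared library
    pie = e_type == ET_DYN and (PT_INTERP in segs or bool(tags.get(DT_FLAGS_1, 0) & DF_1_PIE))
    relro_level = "full" if relro and bind_now else "partial" if relro else "none"
    return {"relro": relro_level, "bind_now": bind_now, "pie": pie}

def build_sample_elf(*, pie: bool, relro: bool, bind_now: bool) -> bytes:
    """Constructed minimal ELF64 (headers plus a dynamic segment, no code) to exercise the parser."""
    dyn = struct.pack("<QQ", DT_FLAGS, DF_BIND_NOW if bind_now else 0)
    dyn += struct.pack("<QQ", DT_FLAGS_1, (DF_1_NOW if bind_now else 0) | (DF_1_PIE if pie else 0))
    dyn += struct.pack("<QQ", DT_NULL, 0)
    n_ph = 3 if relro else 2
    def phdr(p_type, off, size):
        return struct.pack("<IIQQQQQQ", p_type, 4, off, 0, 0, size, size, 8)
    phdrs = phdr(PT_INTERP, 0, 0) + phdr(PT_DYNAMIC, 64 + n_ph * 56, len(dyn))
    if relro:
        phdrs += phdr(PT_GNU_RELRO, 0, 0)
    ehdr = b"\x7fELF\x02\x01\x01" + bytes(9) + struct.pack(
        "<HHIQQQIHHHHHH", ET_DYN if pie else ET_EXEC, 62, 1, 0, 64, 0, 0, 64, 56, n_ph, 64, 0, 0)
    return ehdr + phdrs + dyn
```

On a real file call `hardening_flags(open(path, "rb").read())`; `readelf -l` and `readelf -d` show the same GNU_RELRO segment and DT_FLAGS/DT_FLAGS_1 entries for cross-checking.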