| 1 |
Mike Frysinger posted on Thu, 20 Oct 2011 08:55:35 -0400 as excerpted: |
| 2 |
|
| 3 |
> On Thursday 20 October 2011 04:47:14 Paweł Hajdan, Jr. wrote: |
| 4 |
|
| 5 |
>> <http://wiki.debian.org/ReleaseGoals/SecurityHardeningBuildFlags> |
| 6 |
>> Debian is starting to make more and more hardening features default |
| 7 |
|
| 8 |
> random thoughts: |
| 9 |
> - we've long defaulted to linking with relro |
| 10 |
> - defaulting to bindnow is pretty much a no go for USE=-hardened |
| 11 |
> - PIC/PIE comes with performance penalty for (e.g. x86), |
| 12 |
> and is often the source of build issues with the hardened port |
| 13 |
> - we've long defaulted to building with _FORTIFY_SOURCE |
| 14 |
|
| 15 |
Thanks on relro and fortify_source. |
| 16 |
|
| 17 |
Magnus G suggests possibly adding PIE to amd64, which is already PIC, |
| 18 |
with the big issue there being the packages doing assembly where the |
| 19 |
upstreams aren't interested in PIC compliance so Gentoo has to maintain |
| 20 |
the patches. He says ~30 packages. Obviously hardened already has quite |
| 21 |
some experience here, and making PIE the amd64 default would certainly |
| 22 |
broaden the base and should thus make it easier than just hardened caring |
| 23 |
now, but at a bit more trouble for mainline ~amd64, I'd imagine. |
| 24 |
|
| 25 |
Still, speaking as an ~amd64 user myself, that's certainly an acceptable |
| 26 |
tradeoff from the user-side, particularly as most users will only have |
| 27 |
perhaps a handful of those 30 packages installed. If the gentoo/amd64 |
| 28 |
folks and the maintainers of those 30 packages don't mind too much, I |
| 29 |
believe it does make sense. |
| 30 |
|
| 31 |
Then, as legacy x86 gradually dies off and those who haven't already done |
| 32 |
so gradually switch to amd64 (or possibly arm, but I don't know enough |
| 33 |
about that to comment in this context), they'd get the security upgrade |
| 34 |
as a part of the package. =:^) |
| 35 |
|
| 36 |
What about x32, tho? Does it get PIC by default too, or not, and if not, |
| 37 |
given that it's a new arch, would enabling both PIC and PIE and taking |
| 38 |
whatever hit it brings with it be acceptable? What /are/ the costs |
| 39 |
there, more like x86 or amd64? |
| 40 |
|
| 41 |
And for bindnow, do you mean the "-Wl,-z,now" that's part of my LDFLAGS? |
| 42 |
If so, I've been running it for years on amd64 at least, no hardened |
| 43 |
here. And for less time but similarly system-wide, I'm running it on my |
| 44 |
early 32-bit-atom-based netbook (acer aspire one, AOA150L). AFAIK |
| 45 |
there's some initial-load-time and arguably some memory cost, but less |
| 46 |
post-load run-time latency and issues when those libs would be otherwise |
| 47 |
be lazy-loaded, and I decided that tradeoff was one I could live with! |
| 48 |
=:^) |
| 49 |
|
| 50 |
Years ago there were some issues with the xf86-video-ati driver due to |
| 51 |
circular load-time dependency issues so I had to disable it for that |
| 52 |
package (and possibly for a couple other X-related packages) for awhile, |
| 53 |
but any remaining issues in the packages I run, at least, have been long |
| 54 |
dealt with in the ebuilds using stripflags or whatever, and I've not had |
| 55 |
any LDFLAG changes in my /etc/portage/env/*/* files for quite some time. |
| 56 |
|
| 57 |
So while Frysinger's certainly the expert that I'm not, and assuming |
| 58 |
we're talking about the same thing, at least on my kde-based systems both |
| 59 |
amd64 and x86, my bindnow experience has actually been remarkably |
| 60 |
smooth, /way/ more so than say... CFLAGS containing -combine (as mine |
| 61 |
do), for which I've rather a number of /etc/portage/env/*/* entries. |
| 62 |
|
| 63 |
So from my experience, bindnow would be a go as well. But I've always |
| 64 |
been interested in why it might not be the default I thought it seemed it |
| 65 |
should be, so if Mike or anyone else can point me at something suggesting |
| 66 |
other than initial-load latency and quite rare circular load issues (or |
| 67 |
for that matter, much else on that flag, since I frankly don't know as |
| 68 |
much about it as I'd like), I'd love to read up! |
| 69 |
|
| 70 |
-- |
| 71 |
Duncan - List replies preferred. No HTML msgs. |
| 72 |
"Every nonfree program has a lord, a master -- |
| 73 |
and if you use the program, he is your master." Richard Stallman |
Archives