| 1 |
On Mon, 18 Dec 2006, Kevin F. Quinn wrote: |
| 2 |
|
| 3 |
> On Mon, 18 Dec 2006 11:55:31 +0100 (CET) |
| 4 |
> "Peter S. Mazinger" <ps.m@×××.net> wrote: |
| 5 |
> |
| 6 |
> > On Tue, 12 Dec 2006, Alexander Gabert wrote: |
| 7 |
> > |
| 8 |
> > > Kevin: this is the build failures, i would have made them end up |
| 9 |
> > > adding into bugzilla but one of us both wasn't awake. |
| 10 |
> > > |
| 11 |
> > > PSM: if you're reading up: i don't have a clue. |
| 12 |
> > > |
| 13 |
> > > In the meantime, working with bugs.g.o. it's getting a real hassle, |
| 14 |
> > > so can someone please kick that pos in the shins so we can work on |
| 15 |
> > > bugs again? TIA |
| 16 |
> > > |
| 17 |
> > > I think we should have a talk or two and maybe a test case for |
| 18 |
> > > building that libiberty on all arches with either PIC or PIE code. |
| 19 |
> > > I honestly don't care howe we build it, i just want it to work on |
| 20 |
> > > all Gentoo supported arches for hardened. |
| 21 |
> > > |
| 22 |
> > > For those of you having issues with the file: here is the log for |
| 23 |
> > > pitr and miranda: |
| 24 |
> > > |
| 25 |
> > > http://dev.gentoo.org/~pappy/tmp/amd64-pie-libiberty-failure.txt |
| 26 |
> > |
| 27 |
> > It seems some of you are mixing up PIC and PIE. For the record, there |
| 28 |
> > are no PIE libraries and if you want to run a hardened box where each |
| 29 |
> > file is text relocation free, then you have to compile all code that |
| 30 |
> > goes to libraries (even into lib*.a) with -fPIC|-fpic. To quickly |
| 31 |
> > check this statement, compile some object with -fPIE, put into libx.a |
| 32 |
> > and compile a shared lib with -fPIC using code from libx.a. readelf |
| 33 |
> > -d shared_lib | grep TEXTREL. |
| 34 |
> |
| 35 |
> Agreed - however lib*.a are not generally used to build shared |
| 36 |
> libraries; they're mostly for building static binaries. Gcc deals |
| 37 |
> with libiberty (normally) by building a pic version (libiberty_pic.a) |
| 38 |
> for linking to shared libraries when it needs to. We do mess that up, |
| 39 |
> I think - I'm still looking into that. |
| 40 |
|
| 41 |
we do not mess it up, libiberty_pic.a is not used to compile the |
| 42 |
intermediate gen* binaries and if the build specs defaults to PIE |
| 43 |
binaries and then these binaries have text relocations, thus failing on a |
| 44 |
PaX box if the text relocations are blocked (or it is an uClibc hardened |
| 45 |
box, where libc blocks text relocations as well) |
| 46 |
|
| 47 |
> > The pie patches compile everything with -fPIE unless -fPIC was used, |
| 48 |
> > the app itself has to take care (and most apps using libtool do it by |
| 49 |
> > using -fPIC -DPIC) that code that goes into libs is -fPIC compiled. |
| 50 |
> > libtool fails only in cases where configure does not recognize |
| 51 |
> > correctly the target (thats why gnuconfig_update/libtoolize are |
| 52 |
> > needed). |
| 53 |
> > |
| 54 |
> > Some will argue, that it does not make sense to compile code in |
| 55 |
> > lib*.a with -fPIC. Those shouldn't use hardened, because they end up |
| 56 |
> > with text relocations and a hardened box should block text |
| 57 |
> > relocations either in kernel (PaX feature) or libc (possible with |
| 58 |
> > uClibc, but not glibc) |
| 59 |
> |
| 60 |
> I think it's more complicated than that. What should go into a lib*.a |
| 61 |
> archive depends on how it's going to be used. If it's going to be used |
| 62 |
> to build a shared library, then as you say the code needs to be PIC - |
| 63 |
> however this is rare (examples are libc_*nonshared.a). If it's being |
| 64 |
> used to build a non-PIE executable - which usually means building a |
| 65 |
> static executable - then the code needs to be normal (non-PIC). If |
| 66 |
> it's going to be used to build a (PIE) executable, the code needs to be |
| 67 |
> PIE - in practice this is very rare, since linking to lib*.a instead |
| 68 |
> of lib*.so means building static binaries, and that's not sensible |
| 69 |
> when building PIEs as by definition they need the dynamic loader. |
| 70 |
|
| 71 |
No, the code needs to be PIC, else the generated PIE binary has text |
| 72 |
relocation (PIE binary is more like a shared library needing though an |
| 73 |
interpreter/dynamic loader) |
| 74 |
|
| 75 |
> Strictly speaking, on a hardened system, the -vanilla and -hardenednopie |
| 76 |
> compiler cannot be guaranteed to generate working executables - indeed |
| 77 |
> it creates garbage on sparc (x86 seems to be more forgiving; you can mix |
| 78 |
> PIE objects into a non-PIE executable and they appear to work). |
| 79 |
|
| 80 |
because lib*.a has to be PIC. |
| 81 |
|
| 82 |
> I'm working on a sane solution to this problem using ABIs, but it's |
| 83 |
> quite involved, and it's quite a departure from what we currently do. |
| 84 |
> Once I have my thoughts clear, I'll post a proposal. |
| 85 |
> |
| 86 |
> For the moment, however, we can continue as we did before, but |
| 87 |
> highlight that -vanilla and -hardenednopie may not generate working |
| 88 |
> executables. Mostly this affects bootloaders, and things like |
| 89 |
> static busybox. |
| 90 |
|
| 91 |
Wondering why you mention static binaries, I have no problem on a clean |
| 92 |
hardened box with static binaries, even if the lib*.a are PIC |
| 93 |
compiled (mine are for sure, and most of you have it too, if an app is |
| 94 |
using autotools and running ./configure shows that the system supports |
| 95 |
shared libraries and for "dependant libraries" it says "pass_all"), I |
| 96 |
though agree that it is overkill for static binaries to use libraries |
| 97 |
that were PIC compiled. |
| 98 |
|
| 99 |
Peter |
| 100 |
|
| 101 |
-- |
| 102 |
Peter S. Mazinger <ps dot m at gmx dot net> ID: 0xA5F059F2 |
| 103 |
Key fingerprint = 92A4 31E1 56BC 3D5A 2D08 BB6E C389 975E A5F0 59F2 |
| 104 |
|
| 105 |
-- |
| 106 |
gentoo-hardened@g.o mailing list |
Archives