1 |
On Mon, 18 Dec 2006, Kevin F. Quinn wrote: |
2 |
|
3 |
> On Mon, 18 Dec 2006 11:55:31 +0100 (CET) |
4 |
> "Peter S. Mazinger" <ps.m@×××.net> wrote: |
5 |
> |
6 |
> > On Tue, 12 Dec 2006, Alexander Gabert wrote: |
7 |
> > |
8 |
> > > Kevin: this is the build failures, i would have made them end up |
9 |
> > > adding into bugzilla but one of us both wasn't awake. |
10 |
> > > |
11 |
> > > PSM: if you're reading up: i don't have a clue. |
12 |
> > > |
13 |
> > > In the meantime, working with bugs.g.o. it's getting a real hassle, |
14 |
> > > so can someone please kick that pos in the shins so we can work on |
15 |
> > > bugs again? TIA |
16 |
> > > |
17 |
> > > I think we should have a talk or two and maybe a test case for |
18 |
> > > building that libiberty on all arches with either PIC or PIE code. |
19 |
> > > I honestly don't care howe we build it, i just want it to work on |
20 |
> > > all Gentoo supported arches for hardened. |
21 |
> > > |
22 |
> > > For those of you having issues with the file: here is the log for |
23 |
> > > pitr and miranda: |
24 |
> > > |
25 |
> > > http://dev.gentoo.org/~pappy/tmp/amd64-pie-libiberty-failure.txt |
26 |
> > |
27 |
> > It seems some of you are mixing up PIC and PIE. For the record, there |
28 |
> > are no PIE libraries and if you want to run a hardened box where each |
29 |
> > file is text relocation free, then you have to compile all code that |
30 |
> > goes to libraries (even into lib*.a) with -fPIC|-fpic. To quickly |
31 |
> > check this statement, compile some object with -fPIE, put into libx.a |
32 |
> > and compile a shared lib with -fPIC using code from libx.a. readelf |
33 |
> > -d shared_lib | grep TEXTREL. |
34 |
> |
35 |
> Agreed - however lib*.a are not generally used to build shared |
36 |
> libraries; they're mostly for building static binaries. Gcc deals |
37 |
> with libiberty (normally) by building a pic version (libiberty_pic.a) |
38 |
> for linking to shared libraries when it needs to. We do mess that up, |
39 |
> I think - I'm still looking into that. |
40 |
|
41 |
we do not mess it up, libiberty_pic.a is not used to compile the |
42 |
intermediate gen* binaries and if the build specs defaults to PIE |
43 |
binaries and then these binaries have text relocations, thus failing on a |
44 |
PaX box if the text relocations are blocked (or it is an uClibc hardened |
45 |
box, where libc blocks text relocations as well) |
46 |
|
47 |
> > The pie patches compile everything with -fPIE unless -fPIC was used, |
48 |
> > the app itself has to take care (and most apps using libtool do it by |
49 |
> > using -fPIC -DPIC) that code that goes into libs is -fPIC compiled. |
50 |
> > libtool fails only in cases where configure does not recognize |
51 |
> > correctly the target (thats why gnuconfig_update/libtoolize are |
52 |
> > needed). |
53 |
> > |
54 |
> > Some will argue, that it does not make sense to compile code in |
55 |
> > lib*.a with -fPIC. Those shouldn't use hardened, because they end up |
56 |
> > with text relocations and a hardened box should block text |
57 |
> > relocations either in kernel (PaX feature) or libc (possible with |
58 |
> > uClibc, but not glibc) |
59 |
> |
60 |
> I think it's more complicated than that. What should go into a lib*.a |
61 |
> archive depends on how it's going to be used. If it's going to be used |
62 |
> to build a shared library, then as you say the code needs to be PIC - |
63 |
> however this is rare (examples are libc_*nonshared.a). If it's being |
64 |
> used to build a non-PIE executable - which usually means building a |
65 |
> static executable - then the code needs to be normal (non-PIC). If |
66 |
> it's going to be used to build a (PIE) executable, the code needs to be |
67 |
> PIE - in practice this is very rare, since linking to lib*.a instead |
68 |
> of lib*.so means building static binaries, and that's not sensible |
69 |
> when building PIEs as by definition they need the dynamic loader. |
70 |
|
71 |
No, the code needs to be PIC, else the generated PIE binary has text |
72 |
relocation (PIE binary is more like a shared library needing though an |
73 |
interpreter/dynamic loader) |
74 |
|
75 |
> Strictly speaking, on a hardened system, the -vanilla and -hardenednopie |
76 |
> compiler cannot be guaranteed to generate working executables - indeed |
77 |
> it creates garbage on sparc (x86 seems to be more forgiving; you can mix |
78 |
> PIE objects into a non-PIE executable and they appear to work). |
79 |
|
80 |
because lib*.a has to be PIC. |
81 |
|
82 |
> I'm working on a sane solution to this problem using ABIs, but it's |
83 |
> quite involved, and it's quite a departure from what we currently do. |
84 |
> Once I have my thoughts clear, I'll post a proposal. |
85 |
> |
86 |
> For the moment, however, we can continue as we did before, but |
87 |
> highlight that -vanilla and -hardenednopie may not generate working |
88 |
> executables. Mostly this affects bootloaders, and things like |
89 |
> static busybox. |
90 |
|
91 |
Wondering why you mention static binaries, I have no problem on a clean |
92 |
hardened box with static binaries, even if the lib*.a are PIC |
93 |
compiled (mine are for sure, and most of you have it too, if an app is |
94 |
using autotools and running ./configure shows that the system supports |
95 |
shared libraries and for "dependant libraries" it says "pass_all"), I |
96 |
though agree that it is overkill for static binaries to use libraries |
97 |
that were PIC compiled. |
98 |
|
99 |
Peter |
100 |
|
101 |
-- |
102 |
Peter S. Mazinger <ps dot m at gmx dot net> ID: 0xA5F059F2 |
103 |
Key fingerprint = 92A4 31E1 56BC 3D5A 2D08 BB6E C389 975E A5F0 59F2 |
104 |
|
105 |
-- |
106 |
gentoo-hardened@g.o mailing list |