1 |
On Mon, 15 Jan 2007 19:58:37 +0100 (CET) |
2 |
"Peter S. Mazinger" <ps.m@×××.net> wrote: |
3 |
|
4 |
> On Mon, 8 Jan 2007, Kevin F. Quinn wrote: |
5 |
> |
6 |
> > Well, building PIE doesn't find anything as such. My preference at |
7 |
> > the moment is to build gcc itself with SSP, NOW and RELRO (which |
8 |
> > don't have any conflict from one stage to the next), but not PIE. |
9 |
> > glibc I'm building with both SSP and PIE switched off. |
10 |
> |
11 |
> Why do you not add -fPIC to libiberty.a and all the PIE issues within |
12 |
> intermediate files are gone? |
13 |
|
14 |
The main reason is that forcing libiberty.a is fixing the symptom, |
15 |
rather than the cure. I think the cure is to fix the configure script |
16 |
so that it understands default -fPIE doesn't mean the platform is all |
17 |
default PIC. I'm pretty sure that's the root cause. |
18 |
|
19 |
|
20 |
> The other easy way is guarding pie with !D_INGCC:!D_LIBGCCx, where x |
21 |
> is maybe empty, maybe 2, cant recall now |
22 |
> |
23 |
> > The crt files should definitely never be built -fPIE. For the |
24 |
> > lib*.a provided by gcc and libc, it may be worth building them both |
25 |
> > PIE and no-PIE. How they would be selected on use is another |
26 |
> > problem... |
27 |
> |
28 |
> agreed that crt*.o should not be PIC/PIE |
29 |
> I dont think it is worth the trouble to have PIE versions of the |
30 |
> crt*S versions, lets have only the PIC versions as it is, Scrt1.o |
31 |
> could be though -fPIE. |
32 |
|
33 |
Yep. |
34 |
|
35 |
> libgcc.a/libgcc_eh.a/libstdc++.a/libsupc++.a are all PIC and I cant |
36 |
> think of a good way to handle them multilib-alike, so I would keep |
37 |
> them PIC. |
38 |
|
39 |
Yep. |
40 |
|
41 |
> The multilib option could be applied though for the libs |
42 |
> provided by glibc |
43 |
|
44 |
I'm going to give up on the multilib-alike - it's just too messy. So |
45 |
I'm returning to 'pieworld' but fixed to avoid -fPIE crtstuff, and have |
46 |
static PIEs working consistently everywhere. |
47 |
|
48 |
|
49 |
> > > > > [...] |
50 |
> > > > > No, the code needs to be PIC, else the generated PIE binary |
51 |
> > > > > has text relocation (PIE binary is more like a shared library |
52 |
> > > > > needing though an interpreter/dynamic loader). |
53 |
> > > > |
54 |
> > > > The only time this is an issue is when lib*.a archives are being |
55 |
> > > > used to link executables. This is rather rare - indeed the only |
56 |
> > > > places I've seen it done are in gcc and glibc. |
57 |
> > > > |
58 |
> > > > |
59 |
> > > > ok; maybe I wasn't clear: |
60 |
> > > > |
61 |
> > > > 1) Objects to be linked into shared libraries must be PIC |
62 |
> > > > |
63 |
> > > > 2) Objects to be linked into position-independent executables |
64 |
> > > > should be PIE (but PIC objects are work too, they just put more |
65 |
> > > > through the PLT than necessary) |
66 |
> > > > |
67 |
> > > > 3) Objects to be linked into normal executables (i.e. not PIEs) |
68 |
> > > > should be normal - neither PIC nor PIE. |
69 |
> > > > |
70 |
> > > > I think you'll agree those statements are true. |
71 |
> > > |
72 |
> > > not with 2) |
73 |
> > > if that would be true, then the intermediate files would not have |
74 |
> > > text relocations, libiberty.a's objects are compiled -fPIE |
75 |
> > > instead of -fPIC (-DPIC does not influence the result) |
76 |
> > |
77 |
> > |
78 |
> > If it's false, then we're in trouble - because PIEs would always |
79 |
> > have textrels. |
80 |
> > |
81 |
> > The way to build a PIE, as I understand it, is to: |
82 |
> > |
83 |
> > (1) compile all objects -fPIE |
84 |
> > (2) link with -fPIE -pie |
85 |
> |
86 |
> (2) link with -pie (-fPIE does not/should not influence linking) |
87 |
|
88 |
I would have thought so, however gcc info says: |
89 |
|
90 |
`-pie' |
91 |
Produce a position independent executable on targets which support |
92 |
it. For predictable results, you must also specify the same set |
93 |
of options that were used to generate code (`-fpie', `-fPIE', or |
94 |
model suboptions) when you specify this option. |
95 |
|
96 |
so I was just following that advice. I suspect it makes no difference |
97 |
on x86, amd64, ppc - but perhaps it does on some platforms. |
98 |
|
99 |
I think that when linking, the gcc driver also processes the cc1 spec, |
100 |
(where you've added ${pie:-fPIE}) so our default is to add '-fPIE -pie' |
101 |
anyway. |
102 |
|
103 |
|
104 |
> > If that creates executables with textrels, then we're in trouble |
105 |
> > everywhere. However I don't think that's the case - I understand we |
106 |
> > get textrels when: |
107 |
> > |
108 |
> > a) linking normal or -fPIE objects into shared libraries |
109 |
> > b) linking normal objects in to PIE executables |
110 |
> |
111 |
> due to a) we have to have lib*.a PIC, unless we do the multilib |
112 |
> approach with a separate set of static libs compiled -fPIE |
113 |
|
114 |
Why would anyone link a lib*.a into a shared library? Surely you would |
115 |
just link to the .so? |
116 |
|
117 |
|
118 |
> > and I think the textrels in the intermediate files occur when |
119 |
> > starting |
120 |
> > >from a vanilla compiler, where libiberty.a is built normally (i.e. |
121 |
> > >not |
122 |
> > PIE or PIC) in the first pass. Possibly it's also affected by |
123 |
> > configure thinking the compiler generates PIC by default. |
124 |
> |
125 |
> earlier the PIC patch for libiberty.a was ok, why is now a sed |
126 |
> expression a so big trouble adding -fPIC to libiberty.a, wont hurt |
127 |
> anyone, does not make anything bigger and so on..., I dont really |
128 |
> understand all these objections that keep us discussing and not |
129 |
> solving anything |
130 |
|
131 |
See above (top) - I think fixing configure sorts this out properly, |
132 |
because the build process then proceeds as upstream wrote it to. |
133 |
|
134 |
|
135 |
> Note: Kevin, you disabled 2 patches in hardened overlay, the |
136 |
> libstdc++_pic one is coming from uClibc, better consult vapier about |
137 |
> that if you want it removed. |
138 |
|
139 |
ok; I just disabled that to be sure I wasn't getting any forced -fPIC |
140 |
stuff, to check the configure fix. If libstdc++.a is acceptable -fPIE |
141 |
then I think we're fine - if you really need it -fPIC, then that |
142 |
implies you're linking it into shared libraries which is strange. |
143 |
|
144 |
|
145 |
> > > > So, to lib*.a archives. These are collections of object files |
146 |
> > > > - how they should be built depends on what they're going to be |
147 |
> > > > used for, and the above rules apply in the same way. In the |
148 |
> > > > vast majority of cases, whenever someone is linking lib*.a |
149 |
> > > > archives into something, it's into static binaries as the |
150 |
> > > > lib*.a is the static equivalent of lib*.so. For these cases, |
151 |
> > > > we should have normal (no-PIE) objects. |
152 |
> > > > |
153 |
> > > > The cases internal to gcc/glibc are exceptions, in that the |
154 |
> > > > archives are used to build shared libraries (which use the |
155 |
> > > > lib*_nonshared.a archives which should always be PIC anyway) and |
156 |
> > > > those executables - which if we want them to be PIE of course |
157 |
> > > > need PIE objects. I think a better way to approach this sort |
158 |
> > > > of case is to modify the build process explicitly to build PIE |
159 |
> > > > objects where needed, rather than using the altered defaults. |
160 |
> > > |
161 |
> > > there are many exceptions, but you do not see them with a |
162 |
> > > glibc/gnu system. On an uClibc hardened system, if configure |
163 |
> > > fails to detect correctly the system (needing |
164 |
> > > gnuconfig-update/libtoolize), it will probably build only lib*.a |
165 |
> > > instead of both lib*.so/lib*.a, and the next app compiled against |
166 |
> > > lib*.a will have text relocations. |
167 |
> > |
168 |
> > I was not aware of that. I would have expected embedded systems to |
169 |
> > be keen on shared libraries, as they reduce physical memory |
170 |
> > requirements. Would it be better to have autotools working properly |
171 |
> > with uclibc? How many packages are we talking about? Would it be |
172 |
> > reasonable to suggest they be modified to build shared libraries |
173 |
> > properly (perhaps by directing configure explicitly)? |
174 |
> |
175 |
> autotools works mostly correct now for uClibc and many patches were |
176 |
> added to solve all these issues if you make use of autoconfig |
177 |
> option/gnuconfig_update/(e)libtoolize, so the tools are provided by |
178 |
> gentoo, it depends only on the devs using them properly |
179 |
|
180 |
ok; great. Best thing here is to bug where devs are using autotools |
181 |
badly - that's of benefit to everyone. |
182 |
|
183 |
|
184 |
> > > > > > Strictly speaking, on a hardened system, the -vanilla and |
185 |
> > > > > > -hardenednopie compiler cannot be guaranteed to generate |
186 |
> > > > > > working executables - indeed it creates garbage on sparc |
187 |
> > > > > > (x86 seems to be more forgiving; you can mix PIE objects |
188 |
> > > > > > into a non-PIE executable and they appear to work). |
189 |
> > > > > |
190 |
> > > > > because lib*.a has to be PIC. |
191 |
> > > > |
192 |
> > > > Like I say, whether they should be normal, PIC or PIE depends on |
193 |
> > > > what they're used for - and in general you just don't know. The |
194 |
> > > > most common use for lib*.a files from the system (/usr/lib etc) |
195 |
> > > > is to build static binaries. |
196 |
> > > > |
197 |
> > > > Consider also the state of the crt*.o objects - on existing |
198 |
> > > > hardened systems crtbegin.o and friends are built -fPIE. This |
199 |
> > > > makes the |
200 |
> > > |
201 |
> > > no, crt*S.o are compiled -fPIC at least on linux, see |
202 |
> > > gcc/config/t-linux CRTSTUFF_T_CFLAGS_S, only those without S are |
203 |
> > > compiled -fPIE (if gcc defaults to hardened and ... and ..., |
204 |
> > > depending on the version of the piepatches) |
205 |
> > |
206 |
> > Yes. It was just the non-S versions I was talking about |
207 |
> > (crtbegin.o, crtend.o and friends, crt1.o from libc). |
208 |
> > |
209 |
> > > > switching of startfile/endfile in the specs achieve almost |
210 |
> > > > nothing |
211 |
> > > > - on x86, crtend.o and crtendS.o are identical, and |
212 |
> > > > crtbegin.o/crtbeginS.o are almost the same. Have we really |
213 |
> > > > analysed the source for those objects, to verify that building |
214 |
> > > > them -fPIE gives sensible results? I suspect not. |
215 |
> > > |
216 |
> > > maybe we should add -fno-PIE to crtbegin.o/crtend.o/crtbeginT.o to |
217 |
> > > guard against the above case. |
218 |
> > |
219 |
> > I did try that, also building crt1.o (libc) with -fno-PIE. The |
220 |
> > modifications to the toolchain build files got more and more |
221 |
> > involved, which I really want to avoid. In addition, I suspect |
222 |
> > that will break your "PIE/static" binaries; where perhaps it would |
223 |
> > be better to use crt*S.o/Scrt1.o. |
224 |
> |
225 |
> I wanted some time ago to add some corrections into gcc upstream due |
226 |
> to incorrect handling of HAVE_LD_PIE within the generation of specs, |
227 |
> crtbegin/crtend related (the issue was, that if binutils does not |
228 |
> support -pie, then it does not make sense to use Scrt*.o files to |
229 |
> link) The collection of the proposed patches is in |
230 |
> piepatches/upstream subdir. They were not accepted upstream, the |
231 |
> comment from Jakub Jelinek was something like: |
232 |
> it does not matter to use Scrt*.o files if no pie linking is done, it |
233 |
> adds only 1-2 cycles more. |
234 |
> so living with the 1-2 cycles performance loss, we could always use |
235 |
> Scrt* files on a hardened box. |
236 |
|
237 |
Yeah. I think I have this working; doing it an easy way by patching |
238 |
the makefiles directly when USE=hardened (instead of trying to modify |
239 |
the whole make process to do it perfectly - which is hard, and a waste |
240 |
of time, really). |
241 |
|
242 |
|
243 |
> > > > > > I'm working on a sane solution to this problem using ABIs, |
244 |
> > > > > > but it's quite involved, and it's quite a departure from |
245 |
> > > > > > what we currently do. Once I have my thoughts clear, I'll |
246 |
> > > > > > post a proposal. |
247 |
> > > > > > |
248 |
> > > > > > For the moment, however, we can continue as we did before, |
249 |
> > > > > > but highlight that -vanilla and -hardenednopie may not |
250 |
> > > > > > generate working executables. Mostly this affects |
251 |
> > > > > > bootloaders, and things like static busybox. |
252 |
> > > > > |
253 |
> > > > > Wondering why you mention static binaries, |
254 |
> > > > |
255 |
> > > > Static binaries should not be PIE - the two concepts don't |
256 |
> > > > mix. It doesn't make sense to build an ET_EXEC executable |
257 |
> > > > (which is what static executables are) with PIE code. |
258 |
> > > |
259 |
> > > sadly, when compiling we do not know if the object will go into |
260 |
> > > static/ET_EXEC/ET_DYN, else we could handle that (we handle only |
261 |
> > > the case if the final binary is compiled and linked in one step) |
262 |
> > |
263 |
> > Yep. The only way I can think of to deal with that would be a |
264 |
> > normal/PIE multilib setup. For glibc systems it is probably not |
265 |
> > worth the trouble (since we rarely use the lib*.a archives |
266 |
> > anyway). For uclibc, it would depend how much breakage there is in |
267 |
> > building shared libraries. |
268 |
> |
269 |
> well, my overlay is almost 30MB big, the most of it solves these |
270 |
> issues, -z defs/-z now problems, probably needs a cleanup, but I |
271 |
> expect about 15MB will stay... |
272 |
> but you know, I am crazy, I do use uClibc on my work/development box |
273 |
> natively, so I use probably much more of the apps, that a normal |
274 |
> gentoo-embedded box wouldnt need ;) |
275 |
> |
276 |
> > > > > I have no problem on a |
277 |
> > > > > clean hardened box with static binaries, |
278 |
> > > > |
279 |
> > > > What you have aren't really static binaries - they're ET_EXECs |
280 |
> > > > with PIE objects inside. This kinda works on x86, but on sparc |
281 |
> > > > it just segfaults on startup (due to the contents of crt*.o). |
282 |
> > > |
283 |
> > > I know ppc/arm does not have any problem with it (mips is out of |
284 |
> > > question because it is always PIC except the kernel) |
285 |
> > > |
286 |
> > > give fno-PIE a try for those, maybe it solves the issue. |
287 |
> > |
288 |
> > I did try that, I think, but without any success. |
289 |
> > |
290 |
> > |
291 |
> > > > > even if the lib*.a are PIC |
292 |
> > > > > compiled (mine are for sure, and most of you have it too, if |
293 |
> > > > > an app is using autotools and running ./configure shows that |
294 |
> > > > > the system supports shared libraries and for "dependant |
295 |
> > > > > libraries" it says "pass_all"), I though agree that it is |
296 |
> > > > > overkill for static binaries to use libraries that were PIC |
297 |
> > > > > compiled. |
298 |
> > > > |
299 |
> > > > The problem with static binaries is that they're not correct on |
300 |
> > > > all platforms, when built with PIE objects. sparc in particular |
301 |
> > > > segfaults. It does create executables that run on x86, but |
302 |
> > > > they're a bizarre PIE/ET_EXEC hybrid that makes little sense. |
303 |
> > > |
304 |
> > > sparc or sparc64 or both? have you compared assembler output? |
305 |
> > > does it make a difference if you provide -K PIC to the assembler |
306 |
> > > or not? |
307 |
> > |
308 |
> > sparc64 (sparcv9). The problem was symbols not being resolved |
309 |
> > properly, iirc. I don't remember exactly what I tried, now - I |
310 |
> > tried many things, although not -K PIC (I would assume that would |
311 |
> > be passed to the assembler when building -fPIE or -fPIC). |
312 |
> |
313 |
> I am not sure about -K PIC usage, it is true, that if you use |
314 |
> -fPIE|-fPIC on the command-line, it will add for sparc -K PIC. |
315 |
> the scenario I am thinking of: |
316 |
> a hardened-pie specs will enforce -K PIC/-fPIE on all objects with |
317 |
> some exceptions. could it be. I wonder if the assembler wouldnt |
318 |
> autoget -K PIC, but the objects are compiled with -fPIE, would the |
319 |
> object be usable on sparc in a static executable? |
320 |
> To do such a test you have to disable the autoadding -K PIC in specs |
321 |
> (asm_pie section) |
322 |
|
323 |
Haven't tested yet (getting pieworld right first). It seems '-K PIC' |
324 |
is an undocumented feature of ld on sparc - indeed it means the |
325 |
documented '-K' option fails to parse (!). I thought it was just a |
326 |
compatibility thing for the Sun 'as' (which is often used in preference |
327 |
to GNU gas on Solaris) where -K PIC is meaningful, but it looks like |
328 |
it's more than that. |
329 |
|
330 |
-- |
331 |
Kevin F. Quinn |