Gentoo Archives: gentoo-hardened

From: Grant <emailgrant@×××××.com>
To: gentoo-hardened@l.g.o
Subject: Re: [gentoo-hardened] Firefox won't compile on hardened profile
Date: Sun, 19 Feb 2012 19:19:51
Message-Id: CAN0CFw0y-WRpCcL3oQJsDzs3-yeRPVS3MQA+cfKMSXF+5Euwww@mail.gmail.com
In Reply to: Re: [gentoo-hardened] Firefox won't compile on hardened profile by "Tóth Attila"
> The email I replied to was originally posted by "Hinnerk van Bruinehsen".

Crazy, gmail is acting like it was in response to my message about
compiling firefox. Sorry about that.

- Grant


> Let's see my question in detail, that might clarify it. Here is the part
> of the ebuild I'm asking questions about:
>
> "
>        if [[ $(gcc-major-version) -lt 4 ]]; then
>                append-cxxflags -fno-stack-protector
>        elif [[ $(gcc-major-version) -gt 4 || $(gcc-minor-version) -gt 3 ]]; then
>                if use amd64 || use x86; then
>                        append-flags -mno-avx
>                fi
>        fi
> "
>
> Break it down:
>
> "
>        if [[ $(gcc-major-version) -lt 4 ]]; then
>                append-cxxflags -fno-stack-protector
> "
> The first part is a historical remnant from times before Zorry. We used
> gcc-3.4.6 for a long time. It used a different implementation for SSP.
>
> "
>        elif [[ $(gcc-major-version) -gt 4 || $(gcc-minor-version) -gt 3 ]]; then
>                if use amd64 || use x86; then
>                        append-flags -mno-avx
>                fi
>        fi
> "
>
> The second part disables avx optimisations if the gcc version is newer
> than 4.3. However avx support hasn't been around so long and it's not mature.
> Avx is an instruction set extension that is getting some attention
> lately. I'm lucky to have a system with a capable processor. The block
> disabling the optimisations resides right beside the stack-protector
> statement. That's why I thought some hardened folks put it there. And I'm
> curious about the reason.
>
> Of course it might be simply there because enabling avx optimizations can
> actually decrease performance. Like you can see it here:
> http://www.phoronix.com/scan.php?page=article&item=intel_avx_gcc&num=1
>
> Security is more important for me compared to speed. That's why I'm
> interested in any security effect of a compiler option (like creating
> textrels or so). If it's a security problem, I won't use corei7-avx, but
> rather go for simple corei7.
>
> Regards:
> Dw.
> --
> dr Tóth Attila, Radiológus, 06-20-825-8057
> Attila Toth MD, Radiologist, +36-20-825-8057
>
> On 2012 February 19 (Sunday) 19:32, Grant wrote:
>>> There's a snippet in your ebuild:
>>> "append-flags -mno-avx"
>>>
>>> What is the problem with avx? Is it an option counteracting
>>> security?
>>
>> I'm sorry but I'm not sure what you mean.  I should change the firefox
>> ebuild?
>>
>> - Grant
>>
>>
>>>>>>>>> Firefox won't compile on my system due to the issue
>>>>>>>>> described here:
>>>>>>>>>
>>>>>>>>> http://www.gossamer-threads.com/lists/gentoo/hardened/245060
>>>>>>>>
>>>>>>>> FWIW: I had no trouble compiling Firefox 9.0 on my amd64 system
>>>>>>>> using the current stable 3.2.2-r1 kernel, gcc 4.5.3,
>>>>>>>> grsec/pax enabled.
>>>>>>>
>>>>>>> To confirm, you aren't on a hardened profile?
>>>>>>
>>>>>> I am on a hardened profile, currently using
>>>>>> hardened/linux/amd64/no-multilib/selinux profile, only running
>>>>>> stable software.
>>>>>
>>>>> I don't get it then.  Does anyone know why I can't compile Firefox
>>>>> as described in the link above?  This sums it up:
>>>>>
>>>>> "firefox-9.0 ebuild stalls at the install phase while xpcshell
>>>>> command tops CPU usage for hours."
>>>>>
>>>>> Although xpcshell doesn't use any CPU for me.  It just sits there
>>>>> and the install phase doesn't proceed.
>>>>>
>>>>> - Grant
>>>>>
>>>>
>>>> I can compile Icecat with a customized ebuild. Since it's basically
>>>> the same as Firefox, maybe that helps. Basically it disables jit.
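The quoted message asks whether a compiler flag such as -mavx / -march=corei7-avx can have a security effect "like creating textrels". The way to settle that for a given build is to inspect the resulting object rather than reason about the flag: a TEXTREL object needs its text segment writable while the dynamic loader applies relocations, which is exactly what a W^X policy (PaX MPROTECT on a hardened kernel) forbids. The following checker is an added example written for this thread, not code from the firefox ebuild, from Gentoo, or from any poster. It assumes Linux <elf.h>, a little-endian ELF64 input, and builds its own constructed sample images (not real binaries) so it can be exercised offline.

```c
/* textrel-check.c: report whether an ELF64 object carries TEXTREL, i.e. its
 * dynamic section has a DT_TEXTREL entry or DT_FLAGS with DF_TEXTREL set.
 * Added example for this thread, not code from the firefox ebuild or the
 * posters. Assumes Linux <elf.h>; handles little-endian ELF64 only. */
#include <elf.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* 1 = TEXTREL present, 0 = absent,
 * -1 = not a readable little-endian ELF64 with a PT_DYNAMIC segment. */
int elf64_has_textrel(const unsigned char *buf, size_t len)
{
    Elf64_Ehdr eh;
    if (len < sizeof eh) return -1;
    memcpy(&eh, buf, sizeof eh);                   /* memcpy: buf may be unaligned */
    if (memcmp(eh.e_ident, ELFMAG, SELFMAG) != 0) return -1;
    if (eh.e_ident[EI_CLASS] != ELFCLASS64 || eh.e_ident[EI_DATA] != ELFDATA2LSB) return -1;
    if (eh.e_phentsize != sizeof(Elf64_Phdr)) return -1;
    if (eh.e_phoff > len || (size_t)eh.e_phnum * sizeof(Elf64_Phdr) > len - eh.e_phoff) return -1;

    for (unsigned i = 0; i < eh.e_phnum; i++) {
        Elf64_Phdr ph;
        memcpy(&ph, buf + eh.e_phoff + i * sizeof ph, sizeof ph);
        if (ph.p_type != PT_DYNAMIC) continue;
        if (ph.p_offset > len || ph.p_filesz > len - ph.p_offset) return -1;
        int found = 0;
        for (size_t j = 0; (j + 1) * sizeof(Elf64_Dyn) <= ph.p_filesz; j++) {
            Elf64_Dyn d;
            memcpy(&d, buf + ph.p_offset + j * sizeof d, sizeof d);
            if (d.d_tag == DT_NULL) break;                 /* end of dynamic section */
            if (d.d_tag == DT_TEXTREL) found = 1;          /* classic marker */
            if (d.d_tag == DT_FLAGS && (d.d_un.d_val & DF_TEXTREL)) found = 1; /* flag form */
        }
        return found;
    }
    return -1;                                     /* no PT_DYNAMIC: static, or not an object */
}

/* Constructed sample image (not a real binary): ELF header, one PT_DYNAMIC
 * program header and a short dynamic section. mode 0 = clean, 1 = DT_TEXTREL,
 * 2 = DT_FLAGS carrying DF_TEXTREL. Returns the number of bytes written. */
size_t build_sample(unsigned char *out, size_t cap, int mode)
{
    Elf64_Ehdr eh; Elf64_Phdr ph; Elf64_Dyn dyn[4];
    size_t n = 0;
    memset(&eh, 0, sizeof eh); memset(&ph, 0, sizeof ph); memset(dyn, 0, sizeof dyn);
    if (cap < sizeof eh + sizeof ph + sizeof dyn) return 0;

    memcpy(eh.e_ident, ELFMAG, SELFMAG);
    eh.e_ident[EI_CLASS] = ELFCLASS64;
    eh.e_ident[EI_DATA] = ELFDATA2LSB;
    eh.e_ident[EI_VERSION] = EV_CURRENT;
    eh.e_type = ET_DYN; eh.e_machine = EM_X86_64; eh.e_version = EV_CURRENT;
    eh.e_ehsize = sizeof eh; eh.e_phoff = sizeof eh;
    eh.e_phentsize = sizeof ph; eh.e_phnum = 1;

    dyn[n].d_tag = DT_STRTAB; dyn[n++].d_un.d_ptr = 0x1000;      /* filler entry */
    if (mode == 1) { dyn[n].d_tag = DT_TEXTREL; dyn[n++].d_un.d_val = 0; }
    dyn[n].d_tag = DT_FLAGS;
    dyn[n++].d_un.d_val = DF_BIND_NOW | (mode == 2 ? DF_TEXTREL : 0);
    dyn[n++].d_tag = DT_NULL;

    ph.p_type = PT_DYNAMIC;
    ph.p_offset = sizeof eh + sizeof ph;
    ph.p_filesz = ph.p_memsz = n * sizeof(Elf64_Dyn);

    memcpy(out, &eh, sizeof eh);
    memcpy(out + sizeof eh, &ph, sizeof ph);
    memcpy(out + ph.p_offset, dyn, ph.p_filesz);
    return ph.p_offset + ph.p_filesz;
}

/* Build a sample of the given mode and run the checker over it. */
int sample_has_textrel(int mode)
{
    unsigned char img[256];
    size_t n = build_sample(img, sizeof img, mode);
    return n ? elf64_has_textrel(img, n) : -1;
}

int main(int argc, char **argv)
{
    if (argc != 2) { fprintf(stderr, "usage: %s <elf-file>\n", argv[0]); return 2; }
    FILE *f = fopen(argv[1], "rb");
    if (!f) { perror(argv[1]); return 2; }
    fseek(f, 0, SEEK_END); long sz = ftell(f); rewind(f);
    if (sz <= 0) { fclose(f); return 2; }
    unsigned char *buf = malloc((size_t)sz);
    if (!buf || fread(buf, 1, (size_t)sz, f) != (size_t)sz) { fclose(f); free(buf); return 2; }
    fclose(f);
    int r = elf64_has_textrel(buf, (size_t)sz);
    free(buf);
    printf("%s: %s\n", argv[1], r == 1 ? "TEXTREL" : r == 0 ? "no TEXTREL" : "unreadable or no PT_DYNAMIC");
    return r < 0 ? 2 : r;
}
```

Run it against the installed libxul.so (or any object from a build with and without the flag in question) and compare; on Gentoo, scanelf from pax-utils reports the same property for whole directory trees. Both DT_TEXTREL and the DF_TEXTREL flag are checked because linkers have emitted either form, and a checker that looks at only one will miss objects.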