| 1 |
On Tue, Oct 01, 2013 at 11:59:33AM +0200, "Tóth Attila" wrote: |
| 2 |
> You made me curious, so I took a look at on this. |
| 3 |
> |
| 4 |
> The eclass has a single function stating: "Set up CFLAGS for a debug |
| 5 |
> build" in its description. Although it is not conditional for debug |
| 6 |
> builds, so gets applied all the time, being called from the eclass' |
| 7 |
> src_configure function. The filter flags statements are conditional and |
| 8 |
> applied only in case of a static-libs build. |
| 9 |
> Appending lazy binding is also conditional for Xorg and drivers. |
| 10 |
> |
| 11 |
> According to the Hardened/Toolchains wiki, one can find this section: |
| 12 |
> "The following packages have issues with BIND_NOW at the time of writing, |
| 13 |
> and it has to be relaxed somewhat for them: |
| 14 |
> X - some drivers consist of several libraries which are co-dependent, |
| 15 |
> and the modules frequently have references to modules that they load. |
| 16 |
> transcode - relies on lazy binding to be able to load its modules; the |
| 17 |
> issues are similar to the X issues." |
| 18 |
> |
| 19 |
> The function does not check whether the build happens on a hardened system |
| 20 |
> or not. |
| 21 |
> |
| 22 |
> If you are using a hardened toolchain, relro and now is specified by |
| 23 |
> default. I guess lazy takes precedence if present. Unless it would have no |
| 24 |
> effect. I'm not sure what you mean by adding relro and now to the filters. |
| 25 |
> Since these would be applied anyways by gcc specs. I'm also not sure what |
| 26 |
> happens if both lazy and relro+now are appended at the same time. |
| 27 |
> |
| 28 |
> If I would try to test Xorg and its drivers with relro+now, I would |
| 29 |
> comment out the append lazy line. I can give that a try if it is |
| 30 |
> reasonable, but the statement in the wiki seems pretty clear. I don't know |
| 31 |
> when those experiences described came from. |
| 32 |
> |
| 33 |
I've got an answer from Zorry via irc yesterday: |
| 34 |
It seems like full RELRO used to break some graphics drivers. There seems to be |
| 35 |
no real recent testing though. |
| 36 |
From my experience I can tell that intel seems to work fine for me (Zorry |
| 37 |
explicitely stated that radeon tend to break). |
| 38 |
I've had no time to create a hardened environment on my only nvidia machine to |
| 39 |
test nouveau and nvidia (the proprietary one). |
| 40 |
Since I have no radeon I've got no chance to test that at all (the failure |
| 41 |
happens on loading the driver, not build time sadly). |
| 42 |
|
| 43 |
Bug #339984 is a relatively old tracker bug that doesn't reflect the current |
| 44 |
state. |
| 45 |
|
| 46 |
WKR |
| 47 |
Hinnerk |
Archives