1 |
On Mon, 8 Jan 2007, Kevin F. Quinn wrote: |
2 |
|
3 |
> Well, building PIE doesn't find anything as such. My preference at the |
4 |
> moment is to build gcc itself with SSP, NOW and RELRO (which don't |
5 |
> have any conflict from one stage to the next), but not PIE. glibc I'm |
6 |
> building with both SSP and PIE switched off. |
7 |
|
8 |
Why do you not add -fPIC to libiberty.a and all the PIE issues within |
9 |
intermediate files are gone? |
10 |
The other easy way is guarding pie with !D_INGCC:!D_LIBGCCx, where x is |
11 |
maybe empty, maybe 2, cant recall now |
12 |
|
13 |
> The crt files should definitely never be built -fPIE. For the lib*.a |
14 |
> provided by gcc and libc, it may be worth building them both PIE and |
15 |
> no-PIE. How they would be selected on use is another problem... |
16 |
|
17 |
agreed that crt*.o should not be PIC/PIE |
18 |
I dont think it is worth the trouble to have PIE versions of the crt*S |
19 |
versions, lets have only the PIC versions as it is, Scrt1.o could be |
20 |
though -fPIE. |
21 |
libgcc.a/libgcc_eh.a/libstdc++.a/libsupc++.a are all PIC and I cant think |
22 |
of a good way to handle them multilib-alike, so I would keep them PIC. |
23 |
The multilib option could be applied though for the libs provided by glibc |
24 |
|
25 |
> |
26 |
> > > > [...] |
27 |
> > > > No, the code needs to be PIC, else the generated PIE binary has |
28 |
> > > > text relocation (PIE binary is more like a shared library needing |
29 |
> > > > though an interpreter/dynamic loader). |
30 |
> > > |
31 |
> > > The only time this is an issue is when lib*.a archives are being |
32 |
> > > used to link executables. This is rather rare - indeed the only |
33 |
> > > places I've seen it done are in gcc and glibc. |
34 |
> > > |
35 |
> > > |
36 |
> > > ok; maybe I wasn't clear: |
37 |
> > > |
38 |
> > > 1) Objects to be linked into shared libraries must be PIC |
39 |
> > > |
40 |
> > > 2) Objects to be linked into position-independent executables |
41 |
> > > should be PIE (but PIC objects are work too, they just put more |
42 |
> > > through the PLT than necessary) |
43 |
> > > |
44 |
> > > 3) Objects to be linked into normal executables (i.e. not PIEs) |
45 |
> > > should be normal - neither PIC nor PIE. |
46 |
> > > |
47 |
> > > I think you'll agree those statements are true. |
48 |
> > |
49 |
> > not with 2) |
50 |
> > if that would be true, then the intermediate files would not have |
51 |
> > text relocations, libiberty.a's objects are compiled -fPIE instead of |
52 |
> > -fPIC (-DPIC does not influence the result) |
53 |
> |
54 |
> |
55 |
> If it's false, then we're in trouble - because PIEs would always have |
56 |
> textrels. |
57 |
> |
58 |
> The way to build a PIE, as I understand it, is to: |
59 |
> |
60 |
> (1) compile all objects -fPIE |
61 |
> (2) link with -fPIE -pie |
62 |
|
63 |
(2) link with -pie (-fPIE does not/should not influence linking) |
64 |
|
65 |
> If that creates executables with textrels, then we're in trouble |
66 |
> everywhere. However I don't think that's the case - I understand we |
67 |
> get textrels when: |
68 |
> |
69 |
> a) linking normal or -fPIE objects into shared libraries |
70 |
> b) linking normal objects in to PIE executables |
71 |
|
72 |
due to a) we have to have lib*.a PIC, unless we do the multilib approach |
73 |
with a separate set of static libs compiled -fPIE |
74 |
|
75 |
> and I think the textrels in the intermediate files occur when starting |
76 |
> >from a vanilla compiler, where libiberty.a is built normally (i.e. not |
77 |
> PIE or PIC) in the first pass. Possibly it's also affected by |
78 |
> configure thinking the compiler generates PIC by default. |
79 |
|
80 |
earlier the PIC patch for libiberty.a was ok, why is now a sed expression |
81 |
a so big trouble adding -fPIC to libiberty.a, wont hurt anyone, does not |
82 |
make anything bigger and so on..., I dont really understand all these |
83 |
objections that keep us discussing and not solving anything |
84 |
|
85 |
Note: Kevin, you disabled 2 patches in hardened overlay, the libstdc++_pic |
86 |
one is coming from uClibc, better consult vapier about that if you want it |
87 |
removed. |
88 |
|
89 |
> > > So, to lib*.a archives. These are collections of object files - how |
90 |
> > > they should be built depends on what they're going to be used for, |
91 |
> > > and the above rules apply in the same way. In the vast majority of |
92 |
> > > cases, whenever someone is linking lib*.a archives into something, |
93 |
> > > it's into static binaries as the lib*.a is the static equivalent of |
94 |
> > > lib*.so. For these cases, we should have normal (no-PIE) objects. |
95 |
> > > |
96 |
> > > The cases internal to gcc/glibc are exceptions, in that the |
97 |
> > > archives are used to build shared libraries (which use the |
98 |
> > > lib*_nonshared.a archives which should always be PIC anyway) and |
99 |
> > > those executables - which if we want them to be PIE of course need |
100 |
> > > PIE objects. I think a better way to approach this sort of case is |
101 |
> > > to modify the build process explicitly to build PIE objects where |
102 |
> > > needed, rather than using the altered defaults. |
103 |
> > |
104 |
> > there are many exceptions, but you do not see them with a glibc/gnu |
105 |
> > system. On an uClibc hardened system, if configure fails to detect |
106 |
> > correctly the system (needing gnuconfig-update/libtoolize), it will |
107 |
> > probably build only lib*.a instead of both lib*.so/lib*.a, and the |
108 |
> > next app compiled against lib*.a will have text relocations. |
109 |
> |
110 |
> I was not aware of that. I would have expected embedded systems to be |
111 |
> keen on shared libraries, as they reduce physical memory requirements. |
112 |
> Would it be better to have autotools working properly with uclibc? How |
113 |
> many packages are we talking about? Would it be reasonable to suggest |
114 |
> they be modified to build shared libraries properly (perhaps by |
115 |
> directing configure explicitly)? |
116 |
|
117 |
autotools works mostly correct now for uClibc and many patches were added |
118 |
to solve all these issues if you make use of autoconfig |
119 |
option/gnuconfig_update/(e)libtoolize, so the tools are provided by |
120 |
gentoo, it depends only on the devs using them properly |
121 |
|
122 |
> > > > > Strictly speaking, on a hardened system, the -vanilla and |
123 |
> > > > > -hardenednopie compiler cannot be guaranteed to generate working |
124 |
> > > > > executables - indeed it creates garbage on sparc (x86 seems to |
125 |
> > > > > be more forgiving; you can mix PIE objects into a non-PIE |
126 |
> > > > > executable and they appear to work). |
127 |
> > > > |
128 |
> > > > because lib*.a has to be PIC. |
129 |
> > > |
130 |
> > > Like I say, whether they should be normal, PIC or PIE depends on |
131 |
> > > what they're used for - and in general you just don't know. The |
132 |
> > > most common use for lib*.a files from the system (/usr/lib etc) is |
133 |
> > > to build static binaries. |
134 |
> > > |
135 |
> > > Consider also the state of the crt*.o objects - on existing hardened |
136 |
> > > systems crtbegin.o and friends are built -fPIE. This makes the |
137 |
> > |
138 |
> > no, crt*S.o are compiled -fPIC at least on linux, see |
139 |
> > gcc/config/t-linux CRTSTUFF_T_CFLAGS_S, only those without S are |
140 |
> > compiled -fPIE (if gcc defaults to hardened and ... and ..., |
141 |
> > depending on the version of the piepatches) |
142 |
> |
143 |
> Yes. It was just the non-S versions I was talking about (crtbegin.o, |
144 |
> crtend.o and friends, crt1.o from libc). |
145 |
> |
146 |
> > > switching of startfile/endfile in the specs achieve almost nothing |
147 |
> > > - on x86, crtend.o and crtendS.o are identical, and |
148 |
> > > crtbegin.o/crtbeginS.o are almost the same. Have we really |
149 |
> > > analysed the source for those objects, to verify that building them |
150 |
> > > -fPIE gives sensible results? I suspect not. |
151 |
> > |
152 |
> > maybe we should add -fno-PIE to crtbegin.o/crtend.o/crtbeginT.o to |
153 |
> > guard against the above case. |
154 |
> |
155 |
> I did try that, also building crt1.o (libc) with -fno-PIE. The |
156 |
> modifications to the toolchain build files got more and more involved, |
157 |
> which I really want to avoid. In addition, I suspect that will break |
158 |
> your "PIE/static" binaries; where perhaps it would be better to use |
159 |
> crt*S.o/Scrt1.o. |
160 |
|
161 |
I wanted some time ago to add some corrections into gcc upstream due to |
162 |
incorrect handling of HAVE_LD_PIE within the generation of specs, |
163 |
crtbegin/crtend related (the issue was, that if binutils does not support |
164 |
-pie, then it does not make sense to use Scrt*.o files to link) |
165 |
The collection of the proposed patches is in piepatches/upstream subdir. |
166 |
They were not accepted upstream, the comment from Jakub Jelinek was |
167 |
something like: |
168 |
it does not matter to use Scrt*.o files if no pie linking is done, it adds |
169 |
only 1-2 cycles more. |
170 |
so living with the 1-2 cycles performance loss, we could always use Scrt* |
171 |
files on a hardened box. |
172 |
|
173 |
> > > > > I'm working on a sane solution to this problem using ABIs, but |
174 |
> > > > > it's quite involved, and it's quite a departure from what we |
175 |
> > > > > currently do. Once I have my thoughts clear, I'll post a |
176 |
> > > > > proposal. |
177 |
> > > > > |
178 |
> > > > > For the moment, however, we can continue as we did before, but |
179 |
> > > > > highlight that -vanilla and -hardenednopie may not generate |
180 |
> > > > > working executables. Mostly this affects bootloaders, and |
181 |
> > > > > things like static busybox. |
182 |
> > > > |
183 |
> > > > Wondering why you mention static binaries, |
184 |
> > > |
185 |
> > > Static binaries should not be PIE - the two concepts don't mix. It |
186 |
> > > doesn't make sense to build an ET_EXEC executable (which is what |
187 |
> > > static executables are) with PIE code. |
188 |
> > |
189 |
> > sadly, when compiling we do not know if the object will go into |
190 |
> > static/ET_EXEC/ET_DYN, else we could handle that (we handle only the |
191 |
> > case if the final binary is compiled and linked in one step) |
192 |
> |
193 |
> Yep. The only way I can think of to deal with that would be a |
194 |
> normal/PIE multilib setup. For glibc systems it is probably not worth |
195 |
> the trouble (since we rarely use the lib*.a archives anyway). For |
196 |
> uclibc, it would depend how much breakage there is in building shared |
197 |
> libraries. |
198 |
|
199 |
well, my overlay is almost 30MB big, the most of it solves these issues, |
200 |
-z defs/-z now problems, probably needs a cleanup, but I expect about |
201 |
15MB will stay... |
202 |
but you know, I am crazy, I do use uClibc on my work/development box |
203 |
natively, so I use probably much more of the apps, that a normal |
204 |
gentoo-embedded box wouldnt need ;) |
205 |
|
206 |
> > > > I have no problem on a |
207 |
> > > > clean hardened box with static binaries, |
208 |
> > > |
209 |
> > > What you have aren't really static binaries - they're ET_EXECs with |
210 |
> > > PIE objects inside. This kinda works on x86, but on sparc it just |
211 |
> > > segfaults on startup (due to the contents of crt*.o). |
212 |
> > |
213 |
> > I know ppc/arm does not have any problem with it (mips is out of |
214 |
> > question because it is always PIC except the kernel) |
215 |
> > |
216 |
> > give fno-PIE a try for those, maybe it solves the issue. |
217 |
> |
218 |
> I did try that, I think, but without any success. |
219 |
> |
220 |
> |
221 |
> > > > even if the lib*.a are PIC |
222 |
> > > > compiled (mine are for sure, and most of you have it too, if an |
223 |
> > > > app is using autotools and running ./configure shows that the |
224 |
> > > > system supports shared libraries and for "dependant libraries" it |
225 |
> > > > says "pass_all"), I though agree that it is overkill for static |
226 |
> > > > binaries to use libraries that were PIC compiled. |
227 |
> > > |
228 |
> > > The problem with static binaries is that they're not correct on all |
229 |
> > > platforms, when built with PIE objects. sparc in particular |
230 |
> > > segfaults. It does create executables that run on x86, but they're |
231 |
> > > a bizarre PIE/ET_EXEC hybrid that makes little sense. |
232 |
> > |
233 |
> > sparc or sparc64 or both? have you compared assembler output? does it |
234 |
> > make a difference if you provide -K PIC to the assembler or not? |
235 |
> |
236 |
> sparc64 (sparcv9). The problem was symbols not being resolved |
237 |
> properly, iirc. I don't remember exactly what I tried, now - I tried |
238 |
> many things, although not -K PIC (I would assume that would be passed |
239 |
> to the assembler when building -fPIE or -fPIC). |
240 |
|
241 |
I am not sure about -K PIC usage, it is true, that if you use -fPIE|-fPIC |
242 |
on the command-line, it will add for sparc -K PIC. |
243 |
the scenario I am thinking of: |
244 |
a hardened-pie specs will enforce -K PIC/-fPIE on all objects with some |
245 |
exceptions. could it be. I wonder if the assembler wouldnt autoget -K PIC, |
246 |
but the objects are compiled with -fPIE, would the object be usable on |
247 |
sparc in a static executable? |
248 |
To do such a test you have to disable the autoadding -K PIC in specs |
249 |
(asm_pie section) |
250 |
|
251 |
Peter |
252 |
|
253 |
-- |
254 |
Peter S. Mazinger <ps dot m at gmx dot net> ID: 0xA5F059F2 |
255 |
Key fingerprint = 92A4 31E1 56BC 3D5A 2D08 BB6E C389 975E A5F0 59F2 |
256 |
|
257 |
-- |
258 |
gentoo-hardened@g.o mailing list |