Subject: Re: Time to enable partial relro
From: Pedro Giffuni
To: Warner Losh
Cc: Konstantin Belousov, "freebsd-toolchain@FreeBSD.org"
Date: Fri, 26 Aug 2016 10:14:33 -0500
References: <20160826105618.GS83214@kib.kiev.ua>
List-Id: Maintenance of FreeBSD's integrated toolchain

Hello;

On 08/26/16 10:06, Warner Losh wrote:
> On Fri, Aug 26, 2016 at 9:00 AM, Pedro Giffuni wrote:
>>
>>
>> On 08/26/16 05:56, Konstantin Belousov wrote:
>>>
>>> On Thu, Aug 25, 2016 at 05:50:31PM -0500, Pedro Giffuni wrote:
>>>>
>>>> Hello;
>>>>
>>>> GNU RELRO support was committed in r230784 (2012-01-30) but we never
>>>> enabled it by default.
>>>>
>>>> There was some discussion about it on
>>>> https://reviews.freebsd.org/D3001
>>>>
>>>> By now, all Linux distributions, NetBSD and DragonFly support it and
>>>> it is the default for most systems in binutils 2.27.
>>>>
>>>> This doesn't affect performance, I ran it through an exp-run last
>>>> year, no other OS has had issues etc ... seems safe and can be
>>>> disabled if needed when linking.
>>>
>>> Exp-run does not test anything interesting about relro. If all testing
>>> that was done is basically just an exp-run, then there was no useful
>>> runtime testing done.
>>>
>>
>> The exp-run does cover Java and other VM-type thingies that bootstrap.
>> For upstream binutils this is now the default (at least for linux,
>> they never ask us if we want to follow). So the change has been tested
>> extensively but perhaps not on cases that are relevant to us.
>>
>> Note that the "fix" for any port is ultimately trivial:
>> LDFLAGS+= "-z norelro"
>>
>>>>
>>>> I think it's time to enable it by default in our base binutils. If
>>>> there are no objections, I will just commit the attached patch over
>>>> the weekend.
>>>
>>>
>>> There are objections, the change must be runtime tested on a large and
>>> representative set of real-world applications before turning the knob.
>>>
>>
>> You are not giving any hint on what would be a "representative set of
>> real-world applications". Given that you committed the initial support your
>> objection stands very high and is a blocker. :(
>>
>> As I see it committing it now would give ample time to test this in current
>> before it hits any release. If you want more extensive testing merging it in
>> -stable right after the 11-Release is guaranteed to help
>> weed out any remaining update ports may need.
>
> I'd say a minimum is 'buildworld' + a test boot on at least Intel (i386 and
> amd64), armv6 and mips (both 32-bit and 64-bit) before we proceed. How
> many of those have we done?
>

I have been running it on my desktop (amd64) for a year now.
I can test i386 in a VM but I doubt it will affect anything.

The issue, and it's probably kib's worry, are some rarely used but
important ports. Stuff like erlang, or virtualbox maybe, but as I
wrote, the fix (if needed) is trivial by adding a flag to the link
command.

FWIW, but it is largely irrelevant to us, RELRO is the default on
OpenBSD and there is no way out of it there.

Pedro.
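
When testing a default like the one discussed in this message, it helps to confirm which binaries actually carry a RELRO segment and which opted out with `-z norelro`. The following is an added example, not part of the original e-mail or of any FreeBSD tool: it reads the ELF program headers for `PT_GNU_RELRO` and the dynamic section for bind-now markers, covering 32/64-bit and both byte orders (the architectures named in the thread). The names `relro_status`, `make_sample` and `LAYOUT` are hypothetical, the sample images are constructed, and reporting RELRO plus bind-now as "full" is an assumed convention.

```python
import struct

PT_DYNAMIC, PT_GNU_RELRO = 2, 0x6474E552
DT_NULL, DT_BIND_NOW, DT_FLAGS, DT_FLAGS_1 = 0, 24, 30, 0x6FFFFFFB
DF_BIND_NOW, DF_1_NOW = 0x8, 0x1
# Per EI_CLASS: (e_phoff fmt, e_phoff pos, e_phentsize pos, phdr fmt up to
# p_filesz, index of p_offset, index of p_filesz, dynamic entry fmt)
LAYOUT = {1: ("I", 0x1C, 0x2A, "IIIII", 1, 4, "iI"),
          2: ("Q", 0x20, 0x36, "IIQQQQ", 2, 5, "qQ")}

def relro_status(elf: bytes) -> str:
    """Classify an ELF image (32/64-bit, either byte order): none/partial/full."""
    if len(elf) < 52 or elf[:4] != b"\x7fELF" or elf[4] not in LAYOUT or elf[5] not in (1, 2):
        raise ValueError("not an ELF image")
    end = "<" if elf[5] == 1 else ">"
    off_fmt, phoff_at, phent_at, ph_fmt, i_off, i_sz, dyn_fmt = LAYOUT[elf[4]]
    (e_phoff,) = struct.unpack_from(end + off_fmt, elf, phoff_at)
    e_phentsize, e_phnum = struct.unpack_from(end + "HH", elf, phent_at)
    relro = bind_now = False
    for i in range(e_phnum):
        ph = struct.unpack_from(end + ph_fmt, elf, e_phoff + i * e_phentsize)
        if ph[0] == PT_GNU_RELRO:          # segment ld emits for -z relro
            relro = True
        elif ph[0] == PT_DYNAMIC:          # look for -z now markers
            dyn = elf[ph[i_off]:ph[i_off] + ph[i_sz]]
            step = struct.calcsize(end + dyn_fmt)
            for pos in range(0, len(dyn) - step + 1, step):
                tag, val = struct.unpack_from(end + dyn_fmt, dyn, pos)
                if tag == DT_NULL:
                    break
                bind_now |= bool(tag == DT_BIND_NOW or (tag == DT_FLAGS and val & DF_BIND_NOW)
                                 or (tag == DT_FLAGS_1 and val & DF_1_NOW))
    return "none" if not relro else ("full" if bind_now else "partial")

def make_sample(relro: bool, bind_now: bool, elf_class: int = 2, end: str = "<") -> bytes:
    """Constructed header-only ELF image used as sample input (not a real binary)."""
    ehsize, phsize, word = (64, 56, "Q") if elf_class == 2 else (52, 32, "I")
    dyn = struct.pack(end + LAYOUT[elf_class][6] * 2,
                      DT_FLAGS, DF_BIND_NOW if bind_now else 0, DT_NULL, 0)
    types = [PT_DYNAMIC] + ([PT_GNU_RELRO] if relro else [])
    off, n = ehsize + phsize * len(types), len(dyn)
    ident = b"\x7fELF" + bytes([elf_class, 1 if end == "<" else 2, 1]) + bytes(9)
    hdr = struct.pack(end + "HHI" + word * 3 + "IHHHHHH",
                      3, 0, 1, 0, ehsize, 0, 0, ehsize, phsize, len(types), 0, 0, 0)
    if elf_class == 2:  # p_type, p_flags, p_offset, p_vaddr, p_paddr, p_filesz, p_memsz, p_align
        phdrs = [struct.pack(end + "IIQQQQQQ", t, 4, off, 0, 0, n, n, 8) for t in types]
    else:               # p_type, p_offset, p_vaddr, p_paddr, p_filesz, p_memsz, p_flags, p_align
        phdrs = [struct.pack(end + "IIIIIIII", t, off, 0, 0, n, n, 4, 4) for t in types]
    return ident + hdr + b"".join(phdrs) + dyn
```

On a real system, pass the bytes of an installed binary to `relro_status`; a truncated or malformed file raises `ValueError` or `struct.error` rather than being classified.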