Date: Fri, 5 Jun 2020 10:36:27 -0400 From: Ed Maste <emaste@freebsd.org> To: Dewayne Geraghty <dewayne@heuristicsystems.com.au> Cc: freebsd-security@freebsd.org Subject: Re: Improved PIE binary tooling Message-ID: <CAPyFy2DaTtiZTgiEt2oqg1v47ziqN1rG9N1Kdqq2pKPuEJc-LQ@mail.gmail.com> In-Reply-To: <41b8b5b5-9589-d9f8-3844-3a9df15d86f2@heuristicsystems.com.au> References: <CAPyFy2Cw_peC6XSvTZS8E=a5t3YtA2W6CakT=E-EQWs3qtfEJQ@mail.gmail.com> <41b8b5b5-9589-d9f8-3844-3a9df15d86f2@heuristicsystems.com.au>
next in thread | previous in thread | raw e-mail | index | archive | help
On Thu, 4 Jun 2020 at 20:15, Dewayne Geraghty <dewayne@heuristicsystems.com.au> wrote: > > Thank-you Ed. Though I have two questions: > > 1. We've recompiled all the ports I use with either -fPIC or -fPIE and > the linker flag -pie. Is there something required for ports to utilise > these changes, or are the changes only in the mk files affecting the > base system build? No additional change is needed - the linker will automatically add this flag when -pie is specified. > 2. I've also taken advantage of employing -fstack-clash-protection, > unfortunately this is currently only available via gcc (we're using gcc9 > at the moment). Does the fact that we use gcc9 and binutils 2.33.1 > influence the outcome of your changes? Mmm, good question - the LLD commit indicated that binutils should set this too, but I haven't tried. You can check `readelf -d` on one of your PIE binaries, and if the flag is not set probably submit a PR against devel/binutils. -fstack-clash-protection is in Clang now, but it landed after 10.0. The next Clang update will include it. (It was actually committed and reverted four times, but stuck on the fifth try.)
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?CAPyFy2DaTtiZTgiEt2oqg1v47ziqN1rG9N1Kdqq2pKPuEJc-LQ>