From: Shawn Webb
To: Jeremie Le Hen
Cc: hunger@hunger.hu, David Carlier, Oliver Pinter, Sean Bruno, Konstantin Belousov, freebsd-arch@freebsd.org, PaX Team, Bryan Drewery
Date: Thu, 16 Oct 2014 18:15:38 -0400
Subject: Re: PIE/PIC support on base
List-Id: Discussion related to FreeBSD architecture (freebsd-arch@freebsd.org)

On Thu, Oct 16, 2014 at 5:59 PM, Jeremie Le Hen wrote:
> On Thu, Oct 16, 2014 at 8:21 PM, David Carlier wrote:
> >
> > I chose the "atomic" approach, at the moment very few binaries are
> > concerned at the moment. So I applied INCLUDE_PIC_ARCHIVE in the needed
> > libraries plus created WITH_PIE which adds fPIE/fpie -pie flags only if
> > you include (which include ...) otherwise other
> > binaries include as usual hence does not apply. Look
> > reasonable approach ?
>
> I think I understand what you mean. But I think PIE is commonplace
> nowadays and I don't understand what you win by not enabling it for
> the whole system. Is it a performance concern? Is it to preserve
> conservative minds from too much change? :)

Looping in Kostik, Bryan Drewery, the PaX team, Hunger, and Sean Bruno.

On i386, there is a performance cost due to not having an extra register available for the relocation work that has to happen. PIE doesn't carry much of a performance penalty on amd64, though it still does carry some on first resolution of functions (due to the extra relocation step the RTLD has to worry about). On amd64, after symbol resolution has taken place, there is no further performance penalty due to amd64 having an extra register to use for PIE/PIC. I'm unsure what, if any, performance penalty PIE carries on ARM, AArch64, and sparc64.

Certain folk would prefer to see PIE enabled only in certain applications. /bin/ls can't really make much use of PIE. But sshd can. I personally would like to see all of base's applications compiled as PIEs, but that's a long ways off. It took OpenBSD several years to accomplish that. Having certain high-visibility applications (like sshd, inetd, etc) is a great start.
Providing a framework for application developers to opt their application into PIE is another great start. Those are my two cents.

Thanks,
Shawn
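An added check that is not part of this thread or of the FreeBSD build system: once WITH_PIE (or a per-application opt-in) is in place, the question becomes which binaries actually ended up position independent. The script below (hypothetical name pie_check.py) reads the ELF64 header, distinguishes a fixed-address ET_EXEC executable from an ET_DYN object, and reports the ET_DYN object as a PIE when it carries a PT_INTERP program header asking for the run-time linker; the sample images it tests itself with are constructed inline.

```python
import struct
import sys

# Constants from the ELF specification (System V ABI).
ET_EXEC, ET_DYN, PT_INTERP, EM_X86_64 = 2, 3, 3, 62


def classify_elf(data: bytes) -> str:
    """Return 'exec', 'pie', 'shared' or 'other' for an ELF64 LSB image.
    PIE = ET_DYN plus a PT_INTERP header (it asks for the run-time linker);
    ET_DYN without PT_INTERP is reported as 'shared' (a static PIE would too).
    """
    if len(data) < 64 or data[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    if data[4] != 2 or data[5] != 1:
        raise ValueError("only ELFCLASS64 little-endian images are handled")
    e_type = struct.unpack_from("<H", data, 16)[0]
    e_phoff = struct.unpack_from("<Q", data, 32)[0]
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 54)
    if e_type == ET_EXEC:
        return "exec"      # fixed load address: not position independent
    if e_type != ET_DYN:
        return "other"     # relocatable object, core file, ...
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        if off + 4 > len(data):
            raise ValueError("truncated program header table")
        if struct.unpack_from("<I", data, off)[0] == PT_INTERP:
            return "pie"
    return "shared"


def classify_file(path: str) -> str:
    with open(path, "rb") as f:
        return classify_elf(f.read())


def sample_elf(e_type: int, with_interp: bool) -> bytes:
    """Constructed minimal ELF64 image for testing only; it is not loadable."""
    phnum = 1 if with_interp else 0
    ehdr = struct.pack("<4sBBBBB7xHHIQQQIHHHHHH", b"\x7fELF", 2, 1, 1, 0, 0,
                       e_type, EM_X86_64, 1, 0, 64, 0, 0, 64, 56, phnum, 64, 0, 0)
    phdr = struct.pack("<IIQQQQQQ", PT_INTERP, 4, 0, 0, 0, 0, 0, 1) if with_interp else b""
    return ehdr + phdr


if __name__ == "__main__":   # e.g. python3 pie_check.py /usr/sbin/sshd /bin/ls
    for path in sys.argv[1:]:
        print(f"{path}: {classify_file(path)}")
```

Run it over the installed base binaries to see which ones a WITH_PIE build actually produced as PIEs; a 32-bit or big-endian image raises rather than being misclassified.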