From owner-freebsd-arch@FreeBSD.ORG Fri Oct 17 04:56:03 2014
Date: Fri, 17 Oct 2014 05:55:55 +0100
From: David Carlier
To: freebsd-arch@freebsd.org
Subject: Fwd: PIE/PIC support on base
References: <5440489F.3080602@FreeBSD.org>
Content-Type: text/plain; charset=UTF-8
List-Id: Discussion related to FreeBSD architecture

---------- Forwarded message ----------
From: David Carlier
Date: Fri, Oct 17, 2014 at 5:52 AM
Subject: Re: PIE/PIC support on base
To: Jeremie Le Hen, Baptiste Daroussin, Shawn Webb

Except Baptiste, what do you all think about USE_PIE versus WITH_PIE?

On Thu, Oct 16, 2014 at 11:37 PM, Bryan Drewery wrote:
> On 10/16/2014 5:15 PM, Shawn Webb wrote:
> >
> > On Thu, Oct 16, 2014 at 5:59 PM, Jeremie Le Hen wrote:
> >
> > On Thu, Oct 16, 2014 at 8:21 PM, David Carlier wrote:
> > > I chose the "atomic" approach, at the moment very few binaries are
> > > concerned at the moment. So I applied INCLUDE_PIC_ARCHIVE in the needed
> > > libraries plus created WITH_PIE which adds fPIE/fpie -pie flags only if you
> > > include > (which include > >...) otherwise other
> > > binaries include > as usual hence does not apply. Look
> > > reasonable approach?
> >
> > I think I understand what you mean. But I think PIE is commonplace
> > nowadays and I don't understand what you win by not enabling it for
> > the whole system. Is it a performance concern? Is it to preserve
> > conservative minds from too much change? :)
> >
> > Looping in Kostik, Bryan Drewery, the PaX team, Hunger, and Sean Bruno.
> >
> > On i386, there is a performance cost due to not having an extra register
> > available for the relocation work that has to happen. PIE doesn't carry
> > much of a performance penalty on amd64, though it still does carry some
> > on first resolution of functions (due to the extra relocation step the
> > RTLD has to worry about). On amd64, after symbol resolution has taken
> > place, there is no further performance penalty due to amd64 having an
> > extra register to use for PIE/PIC. I'm unsure what, if any, performance
> > penalty PIE carries on ARM, AArch64, and sparc64.
>
> I think if the performance impact can be well understood on all
> architectures, and that it is not more than a few % points, other people
> may be more willing to enable it on all. I can't speak for them, but if
> the impact is not significant then it is safer and simpler to enable
> everywhere and I would think that argument would win over anything else.
> What do I know though? That approach failed already.
>
> > Certain folk would prefer to see PIE enabled only in certain
> > applications. /bin/ls can't really make much use of PIE. But sshd can. I
> > personally would like to see all of base's applications compiled as
> > PIEs, but that's a long ways off. It took OpenBSD several years to
> > accomplish that. Having certain high-visibility applications (like sshd,
> > inetd, etc) is a great start. Providing a framework for application
> > developers to opt their application into PIE is another great start.
> >
> > Those are my two cents.
> >
> > Thanks,
> >
> > Shawn
>
> --
> Regards,
> Bryan Drewery