From: Shawn Webb
To: Jeremie Le Hen
Cc: hunger@hunger.hu, David Carlier, Oliver Pinter, Sean Bruno, Konstantin Belousov, freebsd-arch@freebsd.org, PaX Team, Bryan Drewery
Date: Fri, 17 Oct 2014 04:05:11 -0400
Subject: Re: PIE/PIC support on base
List-Id: Discussion related to FreeBSD architecture

On Fri, Oct 17, 2014 at 3:53 AM, Jeremie Le Hen wrote:

> On Fri, Oct 17, 2014 at 12:15 AM, Shawn Webb wrote:
> >
> > On Thu, Oct 16, 2014 at 5:59 PM, Jeremie Le Hen wrote:
> >>
> >> On Thu, Oct 16, 2014 at 8:21 PM, David Carlier wrote:
> >> >
> >> > I chose the "atomic" approach, at the moment very few binaries are
> >> > concerned at the moment. So I applied INCLUDE_PIC_ARCHIVE in the
> >> > needed libraries plus created WITH_PIE which add fPIE/fpie -pie
> >> > flags only if you include (which include ...) otherwise other
> >> > binaries include as usual hence does not apply. Look reasonable
> >> > approach ?
> >>
> >> I think I understand what you mean. But I think PIE is commonplace
> >> nowadays and I don't understand what you win by not enabling it for
> >> the whole system. Is it a performance concern? Is it to preserve
> >> conservative minds from too much change? :)
> >
> > Looping in Kostik, Bryan Drewery, the PaX team, Hunger, and Sean Bruno.
> >
> > On i386, there is a performance cost due to not having an extra
> > register available for the relocation work that has to happen. PIE
> > doesn't carry much of a performance penalty on amd64, though it still
> > does carry some on first resolution of functions (due to the extra
> > relocation step the RTLD has to worry about). On amd64, after symbol
> > resolution has taken place, there is no further performance penalty
> > due to amd64 having an extra register to use for PIE/PIC. I'm unsure
> > what, if any, performance penalty PIE carries on ARM, AArch64, and
> > sparc64.
> >
> > Certain folk would prefer to see PIE enabled only in certain
> > applications. /bin/ls can't really make much use of PIE. But sshd
> > can. I personally would like to see all of base's applications
> > compiled as PIEs, but that's a long ways off. It took OpenBSD several
> > years to accomplish that. Having certain high-visibility applications
> > (like sshd, inetd, etc) is a great start. Providing a framework for
> > application developers to opt their application into PIE is another
> > great start.
> >
> > Those are my two cents.
>
> OK. As long as i386 is still an important architecture, it can make
> sense to enable this on a per-binary basis if we don't want to have a
> discrepancy between archs. Also I buy your argument on /bin/ls but I
> was challenging to enable for the whole system because I wonder if
> there aren't some unexpected attack surfaces, besides the obvious ones
> (servers).
>
> Do you know what took so much time to OpenBSD?

In a private conversation with Theo, I realized that my recollection of
the time it took OpenBSD to compile all of base as PIEs was wrong.
Quoting him:

"It took 5 people approximately 3 months to debug it, activate it, and
start shipping it the next release. That was on amd64, for all
dynamically linked binaries, except one (a gcc bug took some time to
find). The next architectures followed about 1 or 2 per 6-month
release."

Given that only one person has worked on this in the past (me) and now
the task has been delegated to another (David Carlier), I think we're
doing okay on our end. There's a lot of moving parts, and neither of us
fully understand all of them completely. We're working on it in
HardenedBSD, in the hardened/current/pie branch.

I'm thinking we might try for a WITH_PIE knob (and *not* use USE_PIE)
and have certain high-profile applications opt-in to PIE until we work
out all the details for everything en masse. Baptiste did bring up a
good point with INTERNALLIB and I'm unsure of how we should handle that.
Any guidance is appreciated. We'll continue on the route we're currently
going unless we have guidance to suggest otherwise.

Thanks,

Shawn
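
With PIE enabled per binary, as the thread proposes, it is useful to check which installed binaries actually ended up position-independent. The following is an added example, not code from this thread, FreeBSD or HardenedBSD: it classifies an ELF image by `e_type` and the presence of a `PT_INTERP` segment. The names `classify_elf` and `make_sample` are hypothetical, and it assumes little-endian ELF64 (amd64).

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Values from the ELF specification. */
enum { PT_LOAD = 1, ET_EXEC = 2, ET_DYN = 3, PT_INTERP = 3 };
enum pie_status { UNSUPPORTED, FIXED_ADDRESS, PIE, DYN_NO_INTERP };

static uint64_t rd(const unsigned char *p, int n)  /* little-endian read */
{
    uint64_t v = 0;
    while (n-- > 0)
        v = (v << 8) | p[n];
    return v;
}

/* Classify a little-endian ELF64 image held in buf[0..len). */
enum pie_status classify_elf(const unsigned char *buf, size_t len)
{
    if (len < 64 || memcmp(buf, "\177ELF", 4) != 0 || buf[4] != 2 || buf[5] != 1)
        return UNSUPPORTED;            /* not ELF, not 64-bit, or big-endian */
    uint16_t type = (uint16_t)rd(buf + 16, 2);          /* e_type */
    if (type == ET_EXEC)
        return FIXED_ADDRESS;          /* linked at a fixed base: not a PIE */
    if (type != ET_DYN)
        return UNSUPPORTED;            /* relocatable object, core file, ... */
    uint64_t phoff = rd(buf + 32, 8), phentsize = rd(buf + 54, 2);
    uint64_t phnum = phoff <= len ? rd(buf + 56, 2) : 0; /* reject wild e_phoff */
    for (uint64_t i = 0; i < phnum; i++) {
        uint64_t off = phoff + i * phentsize;
        if (off > len || len - off < 4)  /* truncated program header table */
            break;
        if (rd(buf + off, 4) == PT_INTERP)
            return PIE;                /* ET_DYN that requests an RTLD */
    }
    return DYN_NO_INTERP;              /* shared library or static PIE */
}

/* Constructed sample: 64-byte ELF64 header plus one 56-byte program header. */
size_t make_sample(unsigned char *buf, uint16_t type, uint32_t ptype)
{
    memset(buf, 0, 120);
    memcpy(buf, "\177ELF\2\1\1", 7);   /* magic, ELFCLASS64, ELFDATA2LSB */
    buf[16] = (unsigned char)type;     /* e_type */
    buf[32] = 64;                      /* e_phoff */
    buf[54] = 56;                      /* e_phentsize */
    buf[56] = 1;                       /* e_phnum */
    buf[64] = (unsigned char)ptype;    /* p_type of the only segment */
    return 120;
}
```

An `ET_DYN` image without `PT_INTERP` is reported separately because `e_type` alone cannot tell a shared library from a statically linked PIE.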