From: Baptiste Daroussin
Date: Wed, 5 Nov 2014 13:44:26 +0100
To: Konstantin Belousov
Subject: Re: PIE/PIC support on base
Cc: PaX Team, FreeBSD Arch, Shawn Webb

On Wed, Nov 05, 2014 at 02:26:12PM +0200, Konstantin Belousov wrote:
> On Wed, Nov 05, 2014 at 12:48:55PM +0100, Baptiste Daroussin wrote:
> > On Wed, Nov 05, 2014 at 11:26:14AM +0200, Konstantin Belousov wrote:
> > > On Wed, Nov 05, 2014 at 10:02:15AM +0100, Baptiste Daroussin wrote:
> > > > On amd64 WANTS_PIE will be useless as we can easily activate PIE in every place
> > > > For i386 we would probably prefer cherry picking what we want to see built
> > > > with PIE. Don't know for other arches.
> > > >
> > > > So here is what I do propose:
> > > > if MK_PIE=no: no PIE at all
> > > > if MK_PIE=yes:
> > > > - on amd64/(platforms without performance penalty): build everything with PIE
> > > >   from libs to prog
> > > See below.
> > >
> > > > - on i386/(platforms with performance penalty): build with PIE if WANTS_PIE
> > > >   is defined.
> > > >
> > > > So the differences with the previous approach are:
> > > > - No way to opt out PIE for a single binary either totally disable or enable (I
> > > >   have encountered no binary so far in the base system which fails with PIE
> > > >   enabled - again only tested on amd64)
> > > > - Activate PIE for both binaries and libraries (no reason not to include
> > > >   libraries)
> > > What does it mean 'PIE for library' ? There is simply no such thing.
> >
> > Sorry I badly explained, I was meaning PIC for libs PIE for binaries.
> > >
> > > Also, I strongly oppose compiling everything with PIC, even on amd64.
> > > I described somewhere else that using PIC code changes symbol lookup
> > > rules for binaries. So despite not having performance impact, the
> > > thing does impact runtime behaviour in subtle ways. The most affected
> > > programs are those which support dynamic modules.
> Please do not ignore this ^^^^^^ issue.

I was not aware of issues here, I'll investigate but will not ignore for sure :)
>
> > >
> > > Also, what is the state of static binaries + PIE ? Do our binutils
> > > support this at all ? The csu is definitely not ready for 'everything
> > > PIE'.
> >
> > Only dynamic binaries will receive PIE support (and in case of using an
> > INTERNALLIB will link to the libbla_pic.a) static ones will remain non PIE.
>
> And what about libX.a libraries, required by those static binaries ?
> It is wrong to compile the .o files for those static libraries in
> pic mode.

I was not planning to build .a files with PIC, static binaries at all
>
> More, take look at things which are done with -DPIC, e.g. in the
> lib/libc/sys/stack_protector*.c. There, it is critical for correctness.
>
>

I'll have a look thanks for the pointer!

regards,
Bapt