openembedded-core.lists.openembedded.org archive mirror
* [PATCH] security_flags.inc: don't default to PIE if image-prelink is enabled
@ 2022-01-20  3:30 Kyle Russell
  2022-01-20  8:30 ` [OE-core] " Alexander Kanavin
  0 siblings, 1 reply; 5+ messages in thread
From: Kyle Russell @ 2022-01-20  3:30 UTC (permalink / raw)
  To: openembedded-core; +Cc: Kyle Russell

Since a prelinked rootfs is in conflict with PIE, don't attempt the latter
if the image enables prelink.
---
 meta/conf/distro/include/security_flags.inc | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/meta/conf/distro/include/security_flags.inc b/meta/conf/distro/include/security_flags.inc
index e469eadca1..be6feb9e5f 100644
--- a/meta/conf/distro/include/security_flags.inc
+++ b/meta/conf/distro/include/security_flags.inc
@@ -5,7 +5,7 @@
 # From a Yocto Project perspective, this file is included and tested
 # in the DISTRO="poky" configuration.
 
-GCCPIE ?= "--enable-default-pie"
+GCCPIE ?= "${@bb.utils.contains('USER_CLASSES', 'image-prelink', '--disable-default-pie', '--enable-default-pie', d)}"
 # If static PIE is known to work well, GLIBCPIE="--enable-static-pie" can be set
 
 # _FORTIFY_SOURCE requires -O1 or higher, so disable in debug builds as they use
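Review bot: the new GCCPIE expression only detects prelink when `image-prelink` is listed in USER_CLASSES, so an image or distro that pulls the class in another way (an `inherit image-prelink` or an IMAGE_CLASSES entry) would still build with --enable-default-pie and hit the same conflict the commit message describes; `bb.data.inherits_class('image-prelink', d)`, as proposed later in the thread, covers every way the class can be enabled, e.g. `GCCPIE ?= "${@'--disable-default-pie' if bb.data.inherits_class('image-prelink', d) else '--enable-default-pie'}"`. Worth a comment next to the assignment as well: because GCCPIE configures the toolchain, this switch turns off default PIE (and with it executable ASLR) for every binary the distro builds, not just the prelinked image, which is a trade-off a reader of security_flags.inc should see stated.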
-- 
2.25.1



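Because this change silently flips the toolchain default to non-PIE whenever prelink is enabled, a practitioner will want to confirm what a built rootfs actually contains rather than trust the configuration. The following Python script is an added example, not part of the patch or of OE-Core: it classifies ELF files from their header and program headers (ET_EXEC for fixed-address executables, ET_DYN plus a PT_INTERP entry for a PIE executable) and tallies a directory tree. The `make_sample_elf` helper builds synthetic headers purely so the classifier can be exercised offline; the rootfs path passed on the command line is an assumption.

```python
"""Tally PIE vs fixed-address executables in a rootfs (added example, not OE-Core code)."""
import os
import struct
import sys

ET_EXEC, ET_DYN = 2, 3
PT_INTERP = 3
ELFCLASS32, ELFCLASS64 = 1, 2


def classify_elf(data: bytes) -> str:
    """Classify an ELF image from its header and program header table.

    Returns "not-elf", "exec" (ET_EXEC, what --disable-default-pie yields),
    "pie" (ET_DYN with a PT_INTERP entry, a position-independent executable),
    "dyn-no-interp" (ET_DYN without an interpreter: a shared library, or a
    static-PIE, which cannot be told apart from the header alone) or "other".
    """
    if len(data) < 52 or data[:4] != b"\x7fELF":
        return "not-elf"
    ei_class, ei_data = data[4], data[5]
    end = "<" if ei_data == 1 else ">"
    e_type = struct.unpack_from(end + "H", data, 16)[0]
    if e_type == ET_EXEC:
        return "exec"
    if e_type != ET_DYN:
        return "other"
    # Program header table location/size live at different offsets in ELF32 and ELF64.
    if ei_class == ELFCLASS64:
        e_phoff = struct.unpack_from(end + "Q", data, 32)[0]
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 54)
    else:
        e_phoff = struct.unpack_from(end + "I", data, 28)[0]
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 42)
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        if off + 4 > len(data):
            break  # truncated input: stop scanning instead of raising
        if struct.unpack_from(end + "I", data, off)[0] == PT_INTERP:
            return "pie"
    return "dyn-no-interp"


def make_sample_elf(bits: int, e_type: int, with_interp: bool) -> bytes:
    """Constructed test data: a minimal little-endian ELF header, optionally
    followed by one PT_INTERP program header. Not a loadable binary."""
    ident = b"\x7fELF" + bytes([ELFCLASS64 if bits == 64 else ELFCLASS32, 1, 1]) + bytes(9)
    phnum = 1 if with_interp else 0
    if bits == 64:
        # e_type, e_machine, e_version, e_entry, e_phoff, e_shoff, e_flags,
        # e_ehsize, e_phentsize, e_phnum, e_shentsize, e_shnum, e_shstrndx
        hdr = ident + struct.pack("<HHIQQQIHHHHHH", e_type, 62, 1, 0, 64, 0, 0, 64, 56, phnum, 64, 0, 0)
        ph = struct.pack("<IIQQQQQQ", PT_INTERP, 4, 0, 0, 0, 0, 0, 1) if with_interp else b""
    else:
        hdr = ident + struct.pack("<HHIIIIIHHHHHH", e_type, 3, 1, 0, 52, 0, 0, 52, 32, phnum, 40, 0, 0)
        ph = struct.pack("<IIIIIIII", PT_INTERP, 0, 0, 0, 0, 0, 4, 1) if with_interp else b""
    return hdr + ph


def scan_rootfs(root: str) -> dict:
    """Walk a directory tree and count ELF kinds; non-ELF files and symlinks are skipped."""
    counts: dict = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if os.path.islink(path) or not os.path.isfile(path):
                continue
            try:
                with open(path, "rb") as f:
                    kind = classify_elf(f.read(65536))  # headers sit at the start of the file
            except OSError:
                continue
            if kind != "not-elf":
                counts[kind] = counts.get(kind, 0) + 1
    return counts


if __name__ == "__main__":
    # Assumed usage: python3 pie_check.py /path/to/rootfs  (defaults to /usr/bin)
    print(scan_rootfs(sys.argv[1] if len(sys.argv) > 1 else "/usr/bin"))
```

Run it against the extracted image before and after toggling image-prelink: an "exec" count that jumps from zero to nearly every executable is the visible cost of the new GCCPIE default, and a distro that wants prelink only for a subset of binaries can use the tally to check that its overrides took effect.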

* Re: [OE-core] [PATCH] security_flags.inc: don't default to PIE if image-prelink is enabled
  2022-01-20  3:30 [PATCH] security_flags.inc: don't default to PIE if image-prelink is enabled Kyle Russell
@ 2022-01-20  8:30 ` Alexander Kanavin
  2022-01-20 17:41   ` Kyle Russell
  0 siblings, 1 reply; 5+ messages in thread
From: Alexander Kanavin @ 2022-01-20  8:30 UTC (permalink / raw)
  To: bkylerussell; +Cc: OE-core


I think we pretty much abandoned prelink at this point. Are you using it,
and do you see the benefits?

Alex

On Thu, 20 Jan 2022 at 04:30, <bkylerussell@gmail.com> wrote:

> Since a prelinked rootfs is in conflict with PIE, don't attempt the latter
> if the image enables prelink.
> ---
>  meta/conf/distro/include/security_flags.inc | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/meta/conf/distro/include/security_flags.inc
> b/meta/conf/distro/include/security_flags.inc
> index e469eadca1..be6feb9e5f 100644
> --- a/meta/conf/distro/include/security_flags.inc
> +++ b/meta/conf/distro/include/security_flags.inc
> @@ -5,7 +5,7 @@
>  # From a Yocto Project perspective, this file is included and tested
>  # in the DISTRO="poky" configuration.
>
> -GCCPIE ?= "--enable-default-pie"
> +GCCPIE ?= "${@bb.utils.contains('USER_CLASSES', 'image-prelink',
> '--disable-default-pie', '--enable-default-pie', d)}"
>  # If static PIE is known to work well, GLIBCPIE="--enable-static-pie" can
> be set
>
>  # _FORTIFY_SOURCE requires -O1 or higher, so disable in debug builds as
> they use
> --
> 2.25.1
>
>
> -=-=-=-=-=-=-=-=-=-=-=-
> Links: You receive all messages sent to this group.
> View/Reply Online (#160749):
> https://lists.openembedded.org/g/openembedded-core/message/160749
> Mute This Topic: https://lists.openembedded.org/mt/88551948/1686489
> Group Owner: openembedded-core+owner@lists.openembedded.org
> Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [
> alex.kanavin@gmail.com]
> -=-=-=-=-=-=-=-=-=-=-=-
>
>



* Re: [OE-core] [PATCH] security_flags.inc: don't default to PIE if image-prelink is enabled
  2022-01-20  8:30 ` [OE-core] " Alexander Kanavin
@ 2022-01-20 17:41   ` Kyle Russell
  2022-01-20 20:43     ` Richard Purdie
  2022-01-20 20:51     ` Peter Kjellerstedt
  0 siblings, 2 replies; 5+ messages in thread
From: Kyle Russell @ 2022-01-20 17:41 UTC (permalink / raw)
  To: Alexander Kanavin; +Cc: OE-core


Yes, we do use prelink.  I think our use case primarily benefits from CoW
memory savings, rather than load times.  Of course, GCCPIE can be
overridden in the distro layer, but seeing as image-prelink.bbclass still
exists upstream, the default definition should support configurations that
choose to enable it.

On Thu, Jan 20, 2022 at 3:30 AM Alexander Kanavin <alex.kanavin@gmail.com>
wrote:

> I think we pretty much abandoned prelink at this point, are you using it
> and do you see the benefits?
>
> Alex
>
> On Thu, 20 Jan 2022 at 04:30, <bkylerussell@gmail.com> wrote:
>
>> Since a prelinked rootfs is in conflict with PIE, don't attempt the latter
>> if the image enables prelink.
>> ---
>>  meta/conf/distro/include/security_flags.inc | 2 +-
>>  1 file changed, 1 insertion(+), 1 deletion(-)
>>
>> diff --git a/meta/conf/distro/include/security_flags.inc
>> b/meta/conf/distro/include/security_flags.inc
>> index e469eadca1..be6feb9e5f 100644
>> --- a/meta/conf/distro/include/security_flags.inc
>> +++ b/meta/conf/distro/include/security_flags.inc
>> @@ -5,7 +5,7 @@
>>  # From a Yocto Project perspective, this file is included and tested
>>  # in the DISTRO="poky" configuration.
>>
>> -GCCPIE ?= "--enable-default-pie"
>> +GCCPIE ?= "${@bb.utils.contains('USER_CLASSES', 'image-prelink',
>> '--disable-default-pie', '--enable-default-pie', d)}"
>>  # If static PIE is known to work well, GLIBCPIE="--enable-static-pie"
>> can be set
>>
>>  # _FORTIFY_SOURCE requires -O1 or higher, so disable in debug builds as
>> they use
>> --
>> 2.25.1
>>
>>
>>
>>



* Re: [OE-core] [PATCH] security_flags.inc: don't default to PIE if image-prelink is enabled
  2022-01-20 17:41   ` Kyle Russell
@ 2022-01-20 20:43     ` Richard Purdie
  2022-01-20 20:51     ` Peter Kjellerstedt
  1 sibling, 0 replies; 5+ messages in thread
From: Richard Purdie @ 2022-01-20 20:43 UTC (permalink / raw)
  To: bkylerussell, Alexander Kanavin; +Cc: OE-core

On Thu, 2022-01-20 at 12:41 -0500, bkylerussell@gmail.com wrote:
> Yes, we do use prelink.  I think our use case primarily benefits from CoW
> memory savings, rather than load times.  Of course, GCCPIE can be overridden
> in the distro layer, but seeing as image-prelink.bbclass still exists
> upstream, the default definition should support configurations that choose to
> enable it.  

It would seem that glibc plan to remove prelink support in 2.36. If anyone wants
it to stick around they need to convince the glibc developers not to do that as
I don't think we'd be able to sustain it if it is removed there.

I'm seriously considering removing prelink from OE-Core before the LTS at this
point given the position glibc has and the lack of maintenance prelink clearly
has in OE :(.

Cheers,

Richard



* RE: [OE-core] [PATCH] security_flags.inc: don't default to PIE if image-prelink is enabled
  2022-01-20 17:41   ` Kyle Russell
  2022-01-20 20:43     ` Richard Purdie
@ 2022-01-20 20:51     ` Peter Kjellerstedt
  1 sibling, 0 replies; 5+ messages in thread
From: Peter Kjellerstedt @ 2022-01-20 20:51 UTC (permalink / raw)
  To: bkylerussell, Alexander Kanavin; +Cc: OE-core


Interesting, I thought the image-prelink class had been removed completely, but apparently it was only the references to it in local.conf.sample that were removed.

Anyway, if you are going to do that change, I believe it is better to use bb.data.inherits_class() to see if the image-prelink class is in use:

GCCPIE ?= "${@'--disable-default-pie' if bb.data.inherits_class('image-prelink', d) else '--enable-default-pie'}"

//Peter

From: openembedded-core@lists.openembedded.org <openembedded-core@lists.openembedded.org> On Behalf Of bkylerussell@gmail.com
Sent: den 20 januari 2022 18:42
To: Alexander Kanavin <alex.kanavin@gmail.com>
Cc: OE-core <openembedded-core@lists.openembedded.org>
Subject: Re: [OE-core] [PATCH] security_flags.inc: don't default to PIE if image-prelink is enabled

Yes, we do use prelink.  I think our use case primarily benefits from CoW memory savings, rather than load times.  Of course, GCCPIE can be overridden in the distro layer, but seeing as image-prelink.bbclass still exists upstream, the default definition should support configurations that choose to enable it.

On Thu, Jan 20, 2022 at 3:30 AM Alexander Kanavin <alex.kanavin@gmail.com> wrote:
I think we pretty much abandoned prelink at this point, are you using it and do you see the benefits?

Alex

On Thu, 20 Jan 2022 at 04:30, <bkylerussell@gmail.com> wrote:
Since a prelinked rootfs is in conflict with PIE, don't attempt the latter
if the image enables prelink.
---
 meta/conf/distro/include/security_flags.inc | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/meta/conf/distro/include/security_flags.inc b/meta/conf/distro/include/security_flags.inc
index e469eadca1..be6feb9e5f 100644
--- a/meta/conf/distro/include/security_flags.inc
+++ b/meta/conf/distro/include/security_flags.inc
@@ -5,7 +5,7 @@
 # From a Yocto Project perspective, this file is included and tested
 # in the DISTRO="poky" configuration.

-GCCPIE ?= "--enable-default-pie"
+GCCPIE ?= "${@bb.utils.contains('USER_CLASSES', 'image-prelink', '--disable-default-pie', '--enable-default-pie', d)}<mailto:$%7b@bb.utils.contains('USER_CLASSES',%20'image-prelink',%20'--disable-default-pie',%20'--enable-default-pie',%20d)%7d>"
 # If static PIE is known to work well, GLIBCPIE="--enable-static-pie" can be set

 # _FORTIFY_SOURCE requires -O1 or higher, so disable in debug builds as they use
--
2.25.1


