* [PATCH] security_flags.inc: don't default to PIE if image-prelink is enabled @ 2022-01-20 3:30 Kyle Russell 2022-01-20 8:30 ` [OE-core] " Alexander Kanavin 0 siblings, 1 reply; 5+ messages in thread From: Kyle Russell @ 2022-01-20 3:30 UTC (permalink / raw) To: openembedded-core; +Cc: Kyle Russell Since a prelinked rootfs is in conflict with PIE, don't attempt the latter if the image enables prelink. --- meta/conf/distro/include/security_flags.inc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/meta/conf/distro/include/security_flags.inc b/meta/conf/distro/include/security_flags.inc index e469eadca1..be6feb9e5f 100644 --- a/meta/conf/distro/include/security_flags.inc +++ b/meta/conf/distro/include/security_flags.inc @@ -5,7 +5,7 @@ # From a Yocto Project perspective, this file is included and tested # in the DISTRO="poky" configuration. -GCCPIE ?= "--enable-default-pie" +GCCPIE ?= "${@bb.utils.contains('USER_CLASSES', 'image-prelink', '--disable-default-pie', '--enable-default-pie', d)}" # If static PIE is known to work well, GLIBCPIE="--enable-static-pie" can be set # _FORTIFY_SOURCE requires -O1 or higher, so disable in debug builds as they use -- 2.25.1 ^ permalink raw reply related [flat|nested] 5+ messages in thread
* Re: [OE-core] [PATCH] security_flags.inc: don't default to PIE if image-prelink is enabled 2022-01-20 3:30 [PATCH] security_flags.inc: don't default to PIE if image-prelink is enabled Kyle Russell @ 2022-01-20 8:30 ` Alexander Kanavin 2022-01-20 17:41 ` Kyle Russell 0 siblings, 1 reply; 5+ messages in thread From: Alexander Kanavin @ 2022-01-20 8:30 UTC (permalink / raw) To: bkylerussell; +Cc: OE-core [-- Attachment #1: Type: text/plain, Size: 1567 bytes --] I think we pretty much abandoned prelink at this point, are you using it and do you see the benefits? Alex On Thu, 20 Jan 2022 at 04:30, <bkylerussell@gmail.com> wrote: > Since a prelinked rootfs is in conflict with PIE, don't attempt the latter > if the image enables prelink. > --- > meta/conf/distro/include/security_flags.inc | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/meta/conf/distro/include/security_flags.inc > b/meta/conf/distro/include/security_flags.inc > index e469eadca1..be6feb9e5f 100644 > --- a/meta/conf/distro/include/security_flags.inc > +++ b/meta/conf/distro/include/security_flags.inc > @@ -5,7 +5,7 @@ > # From a Yocto Project perspective, this file is included and tested > # in the DISTRO="poky" configuration. > > -GCCPIE ?= "--enable-default-pie" > +GCCPIE ?= "${@bb.utils.contains('USER_CLASSES', 'image-prelink', > '--disable-default-pie', '--enable-default-pie', d)}" > # If static PIE is known to work well, GLIBCPIE="--enable-static-pie" can > be set > > # _FORTIFY_SOURCE requires -O1 or higher, so disable in debug builds as > they use > -- > 2.25.1 > > > -=-=-=-=-=-=-=-=-=-=-=- > Links: You receive all messages sent to this group. > View/Reply Online (#160749): > https://lists.openembedded.org/g/openembedded-core/message/160749 > Mute This Topic: https://lists.openembedded.org/mt/88551948/1686489 > Group Owner: openembedded-core+owner@lists.openembedded.org > Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [ > alex.kanavin@gmail.com] > -=-=-=-=-=-=-=-=-=-=-=- > > [-- Attachment #2: Type: text/html, Size: 2516 bytes --] ^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [OE-core] [PATCH] security_flags.inc: don't default to PIE if image-prelink is enabled 2022-01-20 8:30 ` [OE-core] " Alexander Kanavin @ 2022-01-20 17:41 ` Kyle Russell 2022-01-20 20:43 ` Richard Purdie 2022-01-20 20:51 ` Peter Kjellerstedt 0 siblings, 2 replies; 5+ messages in thread From: Kyle Russell @ 2022-01-20 17:41 UTC (permalink / raw) To: Alexander Kanavin; +Cc: OE-core [-- Attachment #1: Type: text/plain, Size: 2010 bytes --] Yes, we do use prelink. I think our use case primarily benefits from CoW memory savings, rather than load times. Of course, GCCPIE can be overridden in the distro layer, but seeing as image-prelink.bbclass still exists upstream, the default definition should support configurations that choose to enable it. On Thu, Jan 20, 2022 at 3:30 AM Alexander Kanavin <alex.kanavin@gmail.com> wrote: > I think we pretty much abandoned prelink at this point, are you using it > and do you see the benefits? > > Alex > > On Thu, 20 Jan 2022 at 04:30, <bkylerussell@gmail.com> wrote: > >> Since a prelinked rootfs is in conflict with PIE, don't attempt the latter >> if the image enables prelink. >> --- >> meta/conf/distro/include/security_flags.inc | 2 +- >> 1 file changed, 1 insertion(+), 1 deletion(-) >> >> diff --git a/meta/conf/distro/include/security_flags.inc >> b/meta/conf/distro/include/security_flags.inc >> index e469eadca1..be6feb9e5f 100644 >> --- a/meta/conf/distro/include/security_flags.inc >> +++ b/meta/conf/distro/include/security_flags.inc >> @@ -5,7 +5,7 @@ >> # From a Yocto Project perspective, this file is included and tested >> # in the DISTRO="poky" configuration. >> >> -GCCPIE ?= "--enable-default-pie" >> +GCCPIE ?= "${@bb.utils.contains('USER_CLASSES', 'image-prelink', >> '--disable-default-pie', '--enable-default-pie', d)}" >> # If static PIE is known to work well, GLIBCPIE="--enable-static-pie" >> can be set >> >> # _FORTIFY_SOURCE requires -O1 or higher, so disable in debug builds as >> they use >> -- >> 2.25.1 >> >> >> -=-=-=-=-=-=-=-=-=-=-=- >> Links: You receive all messages sent to this group. >> View/Reply Online (#160749): >> https://lists.openembedded.org/g/openembedded-core/message/160749 >> Mute This Topic: https://lists.openembedded.org/mt/88551948/1686489 >> Group Owner: openembedded-core+owner@lists.openembedded.org >> Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [ >> alex.kanavin@gmail.com] >> -=-=-=-=-=-=-=-=-=-=-=- >> >> [-- Attachment #2: Type: text/html, Size: 3217 bytes --] ^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [OE-core] [PATCH] security_flags.inc: don't default to PIE if image-prelink is enabled 2022-01-20 17:41 ` Kyle Russell @ 2022-01-20 20:43 ` Richard Purdie 2022-01-20 20:51 ` Peter Kjellerstedt 1 sibling, 0 replies; 5+ messages in thread From: Richard Purdie @ 2022-01-20 20:43 UTC (permalink / raw) To: bkylerussell, Alexander Kanavin; +Cc: OE-core On Thu, 2022-01-20 at 12:41 -0500, bkylerussell@gmail.com wrote: > Yes, we do use prelink. I think our use case primarily benefits from CoW > memory savings, rather than load times. Of course, GCCPIE can be overridden > in the distro layer, but seeing as image-prelink.bbclass still exists > upstream, the default definition should support configurations that choose to > enable it. It would seem that glibc plan to remove prelink support in 2.36. If anyone wants it to stick around they need to convince the glibc developers not to do that as I don't think we'd be able to sustain it if it is removed there. I'm seriously considering removing prelink from OE-Core before the LTS at this point given the position glibc has and the lack of maintenance prelink clearly has in OE :(. Cheers, Richard ^ permalink raw reply [flat|nested] 5+ messages in thread
* RE: [OE-core] [PATCH] security_flags.inc: don't default to PIE if image-prelink is enabled 2022-01-20 17:41 ` Kyle Russell 2022-01-20 20:43 ` Richard Purdie @ 2022-01-20 20:51 ` Peter Kjellerstedt 1 sibling, 0 replies; 5+ messages in thread From: Peter Kjellerstedt @ 2022-01-20 20:51 UTC (permalink / raw) To: bkylerussell, Alexander Kanavin; +Cc: OE-core [-- Attachment #1: Type: text/plain, Size: 2493 bytes --] Interesting, I thought the image-prelink class had been removed completely, but apparently it was only the references to it in local.conf.sample that was removed. Anyway, if you are going to do that change, I believe it is better to use bb.data.inherits_class() to see if the image-prelink class is in use: GCCPIE ?= "${@'--disable-default-pie' if bb.data.inherits_class('image-prelink', d) else '--enable-default-pie'}" //Peter From: openembedded-core@lists.openembedded.org <openembedded-core@lists.openembedded.org> On Behalf Of bkylerussell@gmail.com Sent: den 20 januari 2022 18:42 To: Alexander Kanavin <alex.kanavin@gmail.com> Cc: OE-core <openembedded-core@lists.openembedded.org> Subject: Re: [OE-core] [PATCH] security_flags.inc: don't default to PIE if image-prelink is enabled Yes, we do use prelink. I think our use case primarily benefits from CoW memory savings, rather than load times. Of course, GCCPIE can be overridden in the distro layer, but seeing as image-prelink.bbclass still exists upstream, the default definition should support configurations that choose to enable it. On Thu, Jan 20, 2022 at 3:30 AM Alexander Kanavin <alex.kanavin@gmail.com<mailto:alex.kanavin@gmail.com>> wrote: I think we pretty much abandoned prelink at this point, are you using it and do you see the benefits? Alex On Thu, 20 Jan 2022 at 04:30, <bkylerussell@gmail.com<mailto:bkylerussell@gmail.com>> wrote: Since a prelinked rootfs is in conflict with PIE, don't attempt the latter if the image enables prelink. --- meta/conf/distro/include/security_flags.inc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/meta/conf/distro/include/security_flags.inc b/meta/conf/distro/include/security_flags.inc index e469eadca1..be6feb9e5f 100644 --- a/meta/conf/distro/include/security_flags.inc +++ b/meta/conf/distro/include/security_flags.inc @@ -5,7 +5,7 @@ # From a Yocto Project perspective, this file is included and tested # in the DISTRO="poky" configuration. -GCCPIE ?= "--enable-default-pie" +GCCPIE ?= "${@bb.utils.contains('USER_CLASSES', 'image-prelink', '--disable-default-pie', '--enable-default-pie', d)}<mailto:$%7b@bb.utils.contains('USER_CLASSES',%20'image-prelink',%20'--disable-default-pie',%20'--enable-default-pie',%20d)%7d>" # If static PIE is known to work well, GLIBCPIE="--enable-static-pie" can be set # _FORTIFY_SOURCE requires -O1 or higher, so disable in debug builds as they use -- 2.25.1 [-- Attachment #2: Type: text/html, Size: 6539 bytes --] ^ permalink raw reply related [flat|nested] 5+ messages in thread
end of thread, other threads:[~2022-01-20 20:51 UTC | newest] Thread overview: 5+ messages (download: mbox.gz / follow: Atom feed) -- links below jump to the message on this page -- 2022-01-20 3:30 [PATCH] security_flags.inc: don't default to PIE if image-prelink is enabled Kyle Russell 2022-01-20 8:30 ` [OE-core] " Alexander Kanavin 2022-01-20 17:41 ` Kyle Russell 2022-01-20 20:43 ` Richard Purdie 2022-01-20 20:51 ` Peter Kjellerstedt
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox; as well as URLs for NNTP newsgroup(s).