This is the mail archive of the libc-alpha@sourceware.org mailing list for the glibc project.

Index Nav:	[Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav:	[Date Prev] [Date Next]	[Thread Prev] [Thread Next]
Other format:	[Raw text]

Re: RFC: Add --enable-static-pie to build static executables as PIE

From: "H.J. Lu" <hjl dot tools at gmail dot com>
To: "Carlos O'Donell" <carlos at redhat dot com>
Cc: Alan Modra <amodra at gmail dot com>, Rich Felker <dalias at libc dot org>, GNU C Library <libc-alpha at sourceware dot org>
Date: Tue, 18 Jul 2017 06:21:45 -0700
Subject: Re: RFC: Add --enable-static-pie to build static executables as PIE
Authentication-results: sourceware.org; auth=none
References: <CAMe9rOpAVyDYwe5o3S+0T96Ryeug=qHwgbQguGL4kaqJOrKViw@mail.gmail.com> <20170717222937.GQ1627@brightrain.aerifal.cx> <CAMe9rOozp6T25FzpP41S+PaWmANa955=K8hZcFagmFfoaQKgSA@mail.gmail.com> <20170718042500.GI14520@bubble.grove.modra.org> <CAMe9rOq3h1mvrLUn7CQ9vJ=NmERhr=Hb1KHu7-zkA6aKKT7WHA@mail.gmail.com> <c4629cca-3000-d7d3-28c8-d2142fcc4cfd@redhat.com> <CAMe9rOpkqOLqXCZQDVSd0xKWEJFZLCaDXpQw5hdtx_Hhs74aiQ@mail.gmail.com> <12b75a8d-68de-8559-5538-3926213307de@redhat.com>

On Tue, Jul 18, 2017 at 6:14 AM, Carlos O'Donell <carlos@redhat.com> wrote:
> On 07/18/2017 09:10 AM, H.J. Lu wrote:
>> On Tue, Jul 18, 2017 at 6:08 AM, Carlos O'Donell <carlos@redhat.com> wrote:
>>> On 07/18/2017 08:30 AM, H.J. Lu wrote:
>>>>> - What practical benefit do you get with a "static PIE"?
>>>>
>>>> A static PIE can be loaded at random address without
>>>> dynamic linker.
>>>
>>> This is just a restating of what it does, Alan asked what practical
>>> benefit it would have. What use cases do you see? Do you see us
>>> completely replacing non-PIE static binaries with PIE static binaries
>>> and then randomizing their load address to improve security?
>>>
>>
>> Yes.  That is the main use of PIE, isn't it?
>
> Yes, distributions use PIE for security hardening.
>
> Do you forsee any other uses?

I am not aware of it.

> What problems would we face in adopting PIE static binaries at the
> distribution level?

Nothing I can see.

> How much bigger/slower are the code sequences for PIE static
> binaries? I assume it is just the normal difference between non-PIC
> vs. PIC?

It is just PIE vs non-PIE.  For size

Non-PIE;

[hjl@gnu-tools-1 build-x86_64-linux]$ size elf/sln
   text   data    bss    dec    hex filename
 603214   8268   5488 616970  96a0a elf/sln
[hjl@gnu-tools-1 build-x86_64-linux]$

PIE:

[hjl@gnu-tools-1 build-x86_64-linux]$ size elf/sln
   text   data    bss    dec    hex filename
 629171  20620   5424 655215  9ff6f elf/sln
[hjl@gnu-tools-1 build-x86_64-linux]$


-- 
H.J.

References:
- RFC: Add --enable-static-pie to build static executables as PIE
  - From: H.J. Lu
- Re: RFC: Add --enable-static-pie to build static executables as PIE
  - From: Rich Felker
- Re: RFC: Add --enable-static-pie to build static executables as PIE
  - From: H.J. Lu
- Re: RFC: Add --enable-static-pie to build static executables as PIE
  - From: Alan Modra
- Re: RFC: Add --enable-static-pie to build static executables as PIE
  - From: H.J. Lu
- Re: RFC: Add --enable-static-pie to build static executables as PIE
  - From: Carlos O'Donell
- Re: RFC: Add --enable-static-pie to build static executables as PIE
  - From: H.J. Lu
- Re: RFC: Add --enable-static-pie to build static executables as PIE
  - From: Carlos O'Donell

Index Nav:	[Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav:	[Date Prev] [Date Next]	[Thread Prev] [Thread Next]