This is the mail archive of the
mailing list for the glibc project.
Re: PING^N: [PATCH] Add --enable-static-pie to build static PIE [BZ #19574]
- From: Carlos O'Donell <carlos at redhat dot com>
- To: "H.J. Lu" <hjl dot tools at gmail dot com>, Joseph Myers <joseph at codesourcery dot com>
- Cc: Szabolcs Nagy <szabolcs dot nagy at arm dot com>, nd <nd at arm dot com>, GNU C Library <libc-alpha at sourceware dot org>
- Date: Fri, 15 Dec 2017 19:05:53 -0800
- Subject: Re: PING^N: [PATCH] Add --enable-static-pie to build static PIE [BZ #19574]
- Authentication-results: sourceware.org; auth=none
- References: <CAMe9rOoyPf-77=cqmEW5Vg2KHwq48g6giW38qpA=oDUsnHaxCA@mail.gmail.com> <alpine.DEB.firstname.lastname@example.org> <CAMe9rOrWi1W+F6K3TRL-2ipz-K4e0aP0ywsVg0XWgdCU1FV7OQ@mail.gmail.com> <CAMe9rOrTW7-JBtfOWjQrqMtS6Kp8efsAAbouFwQOnaAzh=sNpA@mail.gmail.com> <CAMe9rOr5qR-MnP+bEY_3OPdPK1qTnn_7JLi3Xn688E9JWKr1Zw@mail.gmail.com> <5A12C781.email@example.com> <CAMe9rOohYeS4BJFp=TB4Zz26V4K2n8ZXSJX9kYqgEa=eW+w1xQ@mail.gmail.com> <5A18196C.firstname.lastname@example.org> <CAMe9rOqFfabivUDke1_ZxyEtV+L9T7VwKKdsdnR9M418L2TQBg@mail.gmail.com> <CAMe9rOpNdwd52vEnAUzOkmwkJXUWZz9-=dc9xfeZ96CYVM=8gQ@mail.gmail.com> <email@example.com> <CAMe9rOpehZgqn6AXyRf8e99eTO8_Vw2+GVgcEyie0cW3fwwefirstname.lastname@example.org> <email@example.com> <CAMe9rOqaWBNa6S5YoMLgOVK4dizSpE+GGOeeWYRROTUUCjfKXA@mail.gmail.com>
On 12/15/2017 06:03 PM, H.J. Lu wrote:
> On Fri, Dec 15, 2017 at 1:19 PM, Carlos O'Donell <firstname.lastname@example.org> wrote:
>> On 12/01/2017 10:24 AM, H.J. Lu wrote:
>>> On Thu, Nov 30, 2017 at 1:44 PM, Carlos O'Donell <email@example.com> wrote:
>>>> High Level:
>>>> At a high level I have no objection with the idea of static PIE executables,
>>>> it makes sense to support such things.
>>> Thanks for your feedbacks.
>> Thank you for putting together a v2, sorry it took me a while to review.
>> This version looks good to me, it cleans up the outstanding issues with the
>> implementation, and you have answered my questions about testing in the design.
>> The firstword hack is removed in the implementation and that was the only thing
>> that needed cleanup.
>> Looks good to me. Please feel free to commit.
> Thanks for your time. I checked it in with the updated commit log.
> I also updated
> for static PIE status. Should build-many-glibcs.py be updated to also
> build static
> PIE for i386, x86_64 and x32? We can't build it by default since the
> recent linker
> is needed.
It couldn't hurt to enable an extra build for i386, x86_64, and x32 with
static PIE, that way we get better coverage.
However, I defer this decision to Joseph Myers, if he thinks this would
add value without adding too much cost to the build, then I'm happy to see
Personally I think static PIE should *always* be used since it hardens
static executables in ways which are useful. Static executables should be
special tools which are always present on the system, and hardening them
from attack is important.