| Message ID | 20220120033045.1098738-1-bkylerussell@gmail.com |
|---|---|
| State | New |
| Headers | show |
| Series | security_flags.inc: don't default to PIE if image-prelink is enabled | expand |
I think we pretty much abandoned prelink at this point, are you using it and do you see the benefits? Alex On Thu, 20 Jan 2022 at 04:30, <bkylerussell@gmail.com> wrote: > Since a prelinked rootfs is in conflict with PIE, don't attempt the latter > if the image enables prelink. > --- > meta/conf/distro/include/security_flags.inc | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/meta/conf/distro/include/security_flags.inc > b/meta/conf/distro/include/security_flags.inc > index e469eadca1..be6feb9e5f 100644 > --- a/meta/conf/distro/include/security_flags.inc > +++ b/meta/conf/distro/include/security_flags.inc > @@ -5,7 +5,7 @@ > # From a Yocto Project perspective, this file is included and tested > # in the DISTRO="poky" configuration. > > -GCCPIE ?= "--enable-default-pie" > +GCCPIE ?= "${@bb.utils.contains('USER_CLASSES', 'image-prelink', > '--disable-default-pie', '--enable-default-pie', d)}" > # If static PIE is known to work well, GLIBCPIE="--enable-static-pie" can > be set > > # _FORTIFY_SOURCE requires -O1 or higher, so disable in debug builds as > they use > -- > 2.25.1 > > > -=-=-=-=-=-=-=-=-=-=-=- > Links: You receive all messages sent to this group. > View/Reply Online (#160749): > https://lists.openembedded.org/g/openembedded-core/message/160749 > Mute This Topic: https://lists.openembedded.org/mt/88551948/1686489 > Group Owner: openembedded-core+owner@lists.openembedded.org > Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [ > alex.kanavin@gmail.com] > -=-=-=-=-=-=-=-=-=-=-=- > >
Yes, we do use prelink. I think our use case primarily benefits from CoW memory savings, rather than load times. Of course, GCCPIE can be overridden in the distro layer, but seeing as image-prelink.bbclass still exists upstream, the default definition should support configurations that choose to enable it. On Thu, Jan 20, 2022 at 3:30 AM Alexander Kanavin <alex.kanavin@gmail.com> wrote: > I think we pretty much abandoned prelink at this point, are you using it > and do you see the benefits? > > Alex > > On Thu, 20 Jan 2022 at 04:30, <bkylerussell@gmail.com> wrote: > >> Since a prelinked rootfs is in conflict with PIE, don't attempt the latter >> if the image enables prelink. >> --- >> meta/conf/distro/include/security_flags.inc | 2 +- >> 1 file changed, 1 insertion(+), 1 deletion(-) >> >> diff --git a/meta/conf/distro/include/security_flags.inc >> b/meta/conf/distro/include/security_flags.inc >> index e469eadca1..be6feb9e5f 100644 >> --- a/meta/conf/distro/include/security_flags.inc >> +++ b/meta/conf/distro/include/security_flags.inc >> @@ -5,7 +5,7 @@ >> # From a Yocto Project perspective, this file is included and tested >> # in the DISTRO="poky" configuration. >> >> -GCCPIE ?= "--enable-default-pie" >> +GCCPIE ?= "${@bb.utils.contains('USER_CLASSES', 'image-prelink', >> '--disable-default-pie', '--enable-default-pie', d)}" >> # If static PIE is known to work well, GLIBCPIE="--enable-static-pie" >> can be set >> >> # _FORTIFY_SOURCE requires -O1 or higher, so disable in debug builds as >> they use >> -- >> 2.25.1 >> >> >> -=-=-=-=-=-=-=-=-=-=-=- >> Links: You receive all messages sent to this group. >> View/Reply Online (#160749): >> https://lists.openembedded.org/g/openembedded-core/message/160749 >> Mute This Topic: https://lists.openembedded.org/mt/88551948/1686489 >> Group Owner: openembedded-core+owner@lists.openembedded.org >> Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [ >> alex.kanavin@gmail.com] >> -=-=-=-=-=-=-=-=-=-=-=- >> >>
On Thu, 2022-01-20 at 12:41 -0500, bkylerussell@gmail.com wrote: > Yes, we do use prelink. I think our use case primarily benefits from CoW > memory savings, rather than load times. Of course, GCCPIE can be overridden > in the distro layer, but seeing as image-prelink.bbclass still exists > upstream, the default definition should support configurations that choose to > enable it. It would seem that glibc plan to remove prelink support in 2.36. If anyone wants it to stick around they need to convince the glibc developers not to do that as I don't think we'd be able to sustain it if it is removed there. I'm seriously considering removing prelink from OE-Core before the LTS at this point given the position glibc has and the lack of maintenance prelink clearly has in OE :(. Cheers, Richard
Interesting, I thought the image-prelink class had been removed completely, but apparently it was only the references to it in local.conf.sample that was removed.
Anyway, if you are going to do that change, I believe it is better to use bb.data.inherits_class() to see if the image-prelink class is in use:
GCCPIE ?= "${@'--disable-default-pie' if bb.data.inherits_class('image-prelink', d) else '--enable-default-pie'}"
//Peter
From: openembedded-core@lists.openembedded.org <openembedded-core@lists.openembedded.org> On Behalf Of bkylerussell@gmail.com
Sent: den 20 januari 2022 18:42
To: Alexander Kanavin <alex.kanavin@gmail.com>
Cc: OE-core <openembedded-core@lists.openembedded.org>
Subject: Re: [OE-core] [PATCH] security_flags.inc: don't default to PIE if image-prelink is enabled
Yes, we do use prelink. I think our use case primarily benefits from CoW memory savings, rather than load times. Of course, GCCPIE can be overridden in the distro layer, but seeing as image-prelink.bbclass still exists upstream, the default definition should support configurations that choose to enable it.
On Thu, Jan 20, 2022 at 3:30 AM Alexander Kanavin <alex.kanavin@gmail.com<mailto:alex.kanavin@gmail.com>> wrote:
I think we pretty much abandoned prelink at this point, are you using it and do you see the benefits?
Alex
On Thu, 20 Jan 2022 at 04:30, <bkylerussell@gmail.com<mailto:bkylerussell@gmail.com>> wrote:
Since a prelinked rootfs is in conflict with PIE, don't attempt the latter
if the image enables prelink.
---
meta/conf/distro/include/security_flags.inc | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/meta/conf/distro/include/security_flags.inc b/meta/conf/distro/include/security_flags.inc
index e469eadca1..be6feb9e5f 100644
--- a/meta/conf/distro/include/security_flags.inc
+++ b/meta/conf/distro/include/security_flags.inc
@@ -5,7 +5,7 @@
# From a Yocto Project perspective, this file is included and tested
# in the DISTRO="poky" configuration.
-GCCPIE ?= "--enable-default-pie"
+GCCPIE ?= "${@bb.utils.contains('USER_CLASSES', 'image-prelink', '--disable-default-pie', '--enable-default-pie', d)}<mailto:$%7b@bb.utils.contains('USER_CLASSES',%20'image-prelink',%20'--disable-default-pie',%20'--enable-default-pie',%20d)%7d>"
# If static PIE is known to work well, GLIBCPIE="--enable-static-pie" can be set
# _FORTIFY_SOURCE requires -O1 or higher, so disable in debug builds as they use
--
2.25.1
diff --git a/meta/conf/distro/include/security_flags.inc b/meta/conf/distro/include/security_flags.inc index e469eadca1..be6feb9e5f 100644 --- a/meta/conf/distro/include/security_flags.inc +++ b/meta/conf/distro/include/security_flags.inc @@ -5,7 +5,7 @@ # From a Yocto Project perspective, this file is included and tested # in the DISTRO="poky" configuration. -GCCPIE ?= "--enable-default-pie" +GCCPIE ?= "${@bb.utils.contains('USER_CLASSES', 'image-prelink', '--disable-default-pie', '--enable-default-pie', d)}" # If static PIE is known to work well, GLIBCPIE="--enable-static-pie" can be set # _FORTIFY_SOURCE requires -O1 or higher, so disable in debug builds as they use