Improved PIE binary tooling
Ed Maste
emaste at freebsd.org
Fri Jun 5 14:36:41 UTC 2020
On Thu, 4 Jun 2020 at 20:15, Dewayne Geraghty
<dewayne at heuristicsystems.com.au> wrote:
>
> Thank-you Ed. Though I have two questions:
>
> 1. We've recompiled all the ports I use with either -fPIC or -fPIE and
> the linker flag -pie. Is there something required for ports to utilise
> these changes, or are the changes only in the mk files affecting the
> base system build?
No additional change is needed - the linker will automatically add
this flag when -pie is specified.
> 2. I've also taken advantage of employing -fstack-clash-protection,
> unfortunately this is currently only available via gcc (we're using gcc9
> at the moment). Does the fact that we use gcc9 and binutils 2.33.1
> influence the outcome of your changes?
Mmm, good question - the LLD commit indicated that binutils should set
this too, but I haven't tried. You can check `readelf -d` on one of
your PIE binaries, and if the flag is not set probably submit a PR
against devel/binutils.
-fstack-clash-protection is in Clang now, but it landed after 10.0.
The next Clang update will include it. (It was actually committed and
reverted four times, but stuck on the fifth try.)
More information about the freebsd-security
mailing list