On 01/27/2012 02:39 PM, "Paweł Hajdan, Jr." wrote:
> On 1/27/12 8:02 PM, Jason A. Donenfeld wrote:
>> I've just been informed that RHEL does not allow non-PIE executables. We
>> really should follow suit here.
> I'm generally in favor of enabling more hardening features by default
> (i.e. reversing the default, so that people who want to disable PIE can
> still do it). Note that the hardened profile uses PIE by default iirc.

Exactly. Jason, if you want PIE across the board (with a few exceptions), switch to hardened.


> The most common argument against it is performance loss I think, and
> there are probably less than 10 packages that have some compilation
> issues with PIE. In my opinion we can deal with that, and security
> benefits are much more important.
>
> If the discussion on this doesn't get conclusive, how about adding the
> question to the Council's agenda?


I'm trying to measure the perf difference on amd64 even as I type this. With nbench I'm only seeing about a 4% hit with PIE. I'm going to try to narrow it down to some POC code that you can play with. Mostly the hit comes on setting up call stacks because of the extra machinery in PIE. When I've investigated further I'll let the list know.

--
Anthony G. Basile, Ph.D.
Gentoo Linux Developer [Hardened]
E-Mail    : bluen...@gentoo.org
GnuPG FP  : 8040 5A4D 8709 21B1 1A88  33CE 979C AF40 D045 5535
GnuPG ID  : D0455535
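An added example, not part of the thread above and not Gentoo's or Anthony's own measurement code: a small POSIX shell script that (a) checks whether a built binary actually came out as PIE by reading the ELF `e_type` field, and (b) builds the same constructed call-heavy C loop with `-fno-pie -no-pie` and with `-fPIE -pie` so the two can be timed side by side, the kind of comparison the last message describes. The function names, the workload, and the `RUN_PIE_TIMING` switch are my own; the timing part assumes a C compiler is on `PATH` as `cc` and a `time -p` that the shell provides. Note that a PIE and a shared library are both `ET_DYN`, so the type check alone only tells executables apart from non-PIE builds; for a library you would look at `PT_INTERP` or use `file`.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread). Assumes: od, dd, mktemp,
# and, for pie_timing only, a C compiler reachable as `cc`.

# elf_type FILE: print EXEC, DYN, OTHER or NOTELF based on the 16-bit e_type
# field at byte offset 16 of the ELF header. EI_DATA (offset 5) gives the
# byte order: 01 = little-endian, 02 = big-endian.
elf_type() {
    f=$1
    magic=$(od -An -tx1 -N4 "$f" | tr -d ' \n')
    if [ "$magic" != "7f454c46" ]; then echo NOTELF; return 0; fi
    data=$(od -An -tx1 -j5 -N1 "$f" | tr -d ' \n')
    set -- $(od -An -tx1 -j16 -N2 "$f")
    if [ "$data" = "01" ]; then t="$2$1"; else t="$1$2"; fi
    case $t in
        0003) echo DYN ;;    # PIE executables (and shared objects) are ET_DYN
        0002) echo EXEC ;;   # non-PIE executables are ET_EXEC
        *)    echo OTHER ;;
    esac
}

# make_fake_elf FILE TYPE: write a constructed 18-byte little-endian ELF64
# header prefix whose e_type is TYPE (2 = ET_EXEC, 3 = ET_DYN). Used only to
# exercise elf_type without needing a compiler.
make_fake_elf() {
    {
        printf '\177ELF\002\001\001'            # magic, class=64-bit, data=LE, version
        dd if=/dev/zero bs=1 count=9 2>/dev/null  # EI_OSABI, ABI version, padding
        printf "\\$(printf '%03o' "$2")"         # low byte of e_type
        dd if=/dev/zero bs=1 count=1 2>/dev/null  # high byte of e_type
    } > "$1"
}

# pie_timing: build one constructed CPU-bound program with and without PIE,
# confirm each binary's e_type, and print `time -p` output for both. The
# workload is many small non-inlined calls, which the message above names as
# the main source of PIE overhead. Run by hand; numbers depend on the machine.
pie_timing() {
    d=$(mktemp -d)
    cat > "$d/bench.c" <<'EOF'
#include <stdio.h>
/* constructed workload: a tight loop of non-inlined calls */
__attribute__((noinline)) static unsigned mix(unsigned x) { return x * 2654435761u ^ (x >> 13); }
int main(void) {
    unsigned acc = 0;
    for (unsigned i = 0; i < 400000000u; i++) acc = mix(acc + i);
    printf("%u\n", acc);
    return 0;
}
EOF
    cc -O2 -fno-pie -no-pie -o "$d/nopie" "$d/bench.c"
    cc -O2 -fPIE -pie -o "$d/pie" "$d/bench.c"
    for b in nopie pie; do
        echo "$b: e_type=$(elf_type "$d/$b")"
        time -p "$d/$b" > /dev/null
    done
    rm -rf "$d"
}

# Stand-alone demo: classify two constructed headers, then optionally time
# real builds (export RUN_PIE_TIMING=1 and have a C compiler on PATH).
demo_dir=$(mktemp -d)
make_fake_elf "$demo_dir/dyn_sample" 3
make_fake_elf "$demo_dir/exec_sample" 2
for s in dyn_sample exec_sample; do
    echo "$s: $(elf_type "$demo_dir/$s")"
done
rm -rf "$demo_dir"
if [ "${RUN_PIE_TIMING:-0}" = 1 ]; then pie_timing; fi
```

To check an installed binary rather than a constructed header, call `elf_type /path/to/binary`; a `DYN` result on an executable means the toolchain honoured `-fPIE -pie`, while `EXEC` means it did not.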

