Re: [OE-core] [PATCH] security_flags.inc: don't default to PIE if image-prelink is enabled

Thu, 20 Jan 2022 12:51:56 -0800 

Interesting, I thought the image-prelink class had been removed completely, but 
apparently it was only the references to it in local.conf.sample that was 
removed.

Anyway, if you are going to do that change, I believe it is better to use 
bb.data.inherits_class() to see if the image-prelink class is in use:

GCCPIE ?= "${@'--disable-default-pie' if 
bb.data.inherits_class('image-prelink', d) else '--enable-default-pie'}"

//Peter

From: [email protected] 
<[email protected]> On Behalf Of [email protected]
Sent: den 20 januari 2022 18:42
To: Alexander Kanavin <[email protected]>
Cc: OE-core <[email protected]>
Subject: Re: [OE-core] [PATCH] security_flags.inc: don't default to PIE if 
image-prelink is enabled

Yes, we do use prelink.  I think our use case primarily benefits from CoW 
memory savings, rather than load times.  Of course, GCCPIE can be overridden in 
the distro layer, but seeing as image-prelink.bbclass still exists upstream, 
the default definition should support configurations that choose to enable it.

On Thu, Jan 20, 2022 at 3:30 AM Alexander Kanavin 
<[email protected]<mailto:[email protected]>> wrote:
I think we pretty much abandoned prelink at this point, are you using it and do 
you see the benefits?

Alex

On Thu, 20 Jan 2022 at 04:30, 
<[email protected]<mailto:[email protected]>> wrote:
Since a prelinked rootfs is in conflict with PIE, don't attempt the latter
if the image enables prelink.
---
 meta/conf/distro/include/security_flags.inc | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/meta/conf/distro/include/security_flags.inc 
b/meta/conf/distro/include/security_flags.inc
index e469eadca1..be6feb9e5f 100644
--- a/meta/conf/distro/include/security_flags.inc
+++ b/meta/conf/distro/include/security_flags.inc
@@ -5,7 +5,7 @@
 # From a Yocto Project perspective, this file is included and tested
 # in the DISTRO="poky" configuration.

-GCCPIE ?= "--enable-default-pie"
+GCCPIE ?= "${@bb.utils.contains('USER_CLASSES', 'image-prelink', 
'--disable-default-pie', '--enable-default-pie', 
d)}<mailto:$%[email protected]('USER_CLASSES',%20'image-prelink',%20'--disable-default-pie',%20'--enable-default-pie',%20d)%7d>"
 # If static PIE is known to work well, GLIBCPIE="--enable-static-pie" can be 
set

 # _FORTIFY_SOURCE requires -O1 or higher, so disable in debug builds as they 
use
--
2.25.1

-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#160789): 
https://lists.openembedded.org/g/openembedded-core/message/160789
Mute This Topic: https://lists.openembedded.org/mt/88551948/21656
Group Owner: [email protected]
Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub 
[[email protected]]
-=-=-=-=-=-=-=-=-=-=-=-

Reply via email to