On 22/07/2021 22:05, Alexander Kanavin wrote:
> PIE is nowadays more or less the only available option and is expected for improved security; Yocto does not even test non-PIE builds or provide an off the shelf way to turn it off.

I am worried about those libraries which are non-PIE libraries by default. My theory is that they are non-PIE, since prelink is able to operate on them. So prelink can "at least" be used as a PIE detector.

They are:

lib/libdl-2.33.so is prelinked
lib/ld-2.33.so is prelinked
lib/libpthread-2.33.so is prelinked
lib/libc-2.33.so is prelinked

Is there a rational explanation why they are not compiled in PIE mode and/or, if they are compiled in PIE mode, how cross-prelink can operate on them? If cross-prelink can operate on them, why not on the others?


> I also have to note that prelink does show higher RAM consumption in your tests as well (MemFree column). On the constrained systems which would benefit most from improved prelink timings that might be a bigger loss than not prelinking.

I guess we agree that MemFree shows free physical memory (user and kernel space).

My experiments show that non-PIE and no prelink leaves the biggest amount of free physical memory.

They also show that non-PIE and prelink leave the smallest amount of free physical memory ;)

The difference is significant:
prelinked-no-pie/no-prelink-no-pie:             4552 (kB)

If we leave things as they are:
prelinked-no-pie/prelinked-with-pie:            3972 (kB)

If we disable prelink (as you suggest - and I tend to agree, since it does not make sense as it is right now):
prelinked-no-pie/no-prelink-with-pie:           4120 (kB)

...

but

if you look at the next line, MemAvailable kB, things look a bit different.

My interpretation of MemAvailable is that it is an estimate of virtual memory available after reclaimable parts of memory (caches, buffers, slab, ...) have been reclaimed without getting swap involved.

I see this:

MemAvailable kB

prelinked-with-pie      939412
no-prelink-with-pie     939696
prelinked-no-pie        940344
no-prelink-no-pie       941216

Which means that our current default setting is the worst possible solution ;)

no-prelink-no-pie would (theoretically) be the best.

I will try to update my second article and try to explain a bit more my interpretation of the results and maybe also try to see what bootchart says to all this.

Don't get me wrong. I am neither pro nor con prelink. I just would like to understand what it does, if it does something ;)

I spent quite some time on this - also discussing with most of you offline.
If you ask me, we should use your patch, since people didn't even notice that prelink can not prelink on PIE binaries for a couple of years.

So there does not seem to be much demand for it ;)

We can keep a "placebo" in for the homeopaths who think they use prelink in their images since PIE was enabled ;)


But yes, there is a timing benefit visible in the tests: 0.01s vs 0.1s.

Also less CPU usage can be seen. I hope I'll find time to run some tests with bootchart. Maybe then we can also see boot time, memory, CPU, ...

Regards,

Robert


Alex

On Mon, 19 Jul 2021 at 22:58, Robert [email protected] <[email protected]> wrote:

    Hi Alex, RP, Mark,

    I did some research on the subject in order to try to figure out
    what is going on.

    1) I came to a similar conclusion to what you found, but tried to look a
    bit deeper for the reason.

    1.1) The reason that cross-prelink is not prelinking is that for
    quite some time everything has been built in PIE mode by default,
    and cross-prelink does not seem to be able to work on exe/libs compiled
    in PIE mode. So seeing the same behavior with and without prelinking
    is what I would expect as long as everything is compiled in PIE mode.

    A more detailed analysis of my tests can be found on my not yet
    officially published site:

    https://rlbl.me/prelink-1

    https://rlbl.me/prelink-2

    Alex:

    Can you please rebuild your test images without PIE mode and re-run the
    tests?

    Then we should have the 4 test cases:

    prelinked-with-pie
    no-prelink-with-pie
    prelink-no-pie
    no-prelink-no-pie

    I guess then we can discuss what are the next steps.

    In my opinion the current default settings, which compile close to
    everything in PIE mode but also invoke cross-prelink, do not make much
    sense.

    The question is: "Do we want to drop cross-prelink, or do we want to
    drag it along and come up with more fine-grained configuration options?"

    We could e.g. exclude certain files from pre-linking.

    IMHO cross-prelink still works, but not on exe/libs which were compiled
    in PIE mode.

    Regards,

    Robert


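As an added example (not code from this thread, from prelink or from Yocto), the classifier below reads the ELF header and the `DT_FLAGS_1` dynamic entry to tell a non-PIE executable (`ET_EXEC`), a PIE executable (`ET_DYN` with `DF_1_PIE`) and a plain shared object (`ET_DYN` without it) apart, which answers the "which files are non-PIE" question directly instead of inferring it from what cross-prelink accepts. `fake_elf64` is an assumed helper that constructs a minimal ELF64 image so the block runs without a real sysroot; in practice you would feed it the bytes of files under `lib/`.

```python
import struct

ET_EXEC, ET_DYN, PT_DYNAMIC = 2, 3, 2
DT_NULL, DT_FLAGS_1, DF_1_PIE = 0, 0x6FFFFFFB, 0x08000000

def classify_elf(data: bytes) -> str:
    """Return 'exec' (non-PIE executable), 'pie', 'shared' (non-PIE .so) or 'other'."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    is64, end = data[4] == 2, ("<" if data[5] == 1 else ">")
    (e_type,) = struct.unpack_from(end + "H", data, 16)
    if is64:
        (e_phoff,) = struct.unpack_from(end + "Q", data, 32)
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 54)
    else:
        (e_phoff,) = struct.unpack_from(end + "I", data, 28)
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 42)
    if e_type != ET_DYN:
        return "exec" if e_type == ET_EXEC else "other"
    # ET_DYN covers both shared libraries and PIE executables; the linker marks
    # a PIE by setting DF_1_PIE in the DT_FLAGS_1 entry of the PT_DYNAMIC segment.
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        if is64:
            p_type, _, p_offset, _, _, p_filesz = struct.unpack_from(end + "IIQQQQ", data, off)
        else:
            p_type, p_offset, _, _, p_filesz = struct.unpack_from(end + "IIIII", data, off)
        if p_type != PT_DYNAMIC:
            continue
        fmt, size = (end + "qQ", 16) if is64 else (end + "iI", 8)
        for pos in range(p_offset, p_offset + p_filesz, size):
            d_tag, d_val = struct.unpack_from(fmt, data, pos)
            if d_tag == DT_NULL:
                break
            if d_tag == DT_FLAGS_1 and d_val & DF_1_PIE:
                return "pie"
    return "shared"

def fake_elf64(e_type: int, flags1=None) -> bytes:
    """Constructed minimal little-endian x86-64 ELF image (demo input, not a real binary)."""
    ehdr = bytearray(64)
    ehdr[:7] = b"\x7fELF\x02\x01\x01"                      # magic, ELFCLASS64, LSB, EV_CURRENT
    struct.pack_into("<HHI", ehdr, 16, e_type, 62, 1)      # e_type, EM_X86_64, e_version
    dyn = struct.pack("<qQqQ", DT_FLAGS_1, flags1, DT_NULL, 0) if flags1 is not None else b""
    phnum = 1 if dyn else 0
    struct.pack_into("<Q", ehdr, 32, 64 * phnum)           # e_phoff: right after the header
    struct.pack_into("<HHH", ehdr, 52, 64, 56, phnum)      # e_ehsize, e_phentsize, e_phnum
    phdr = struct.pack("<IIQQQQQQ", PT_DYNAMIC, 6, 120, 0, 0, len(dyn), len(dyn), 8) if phnum else b""
    return bytes(ehdr) + phdr + dyn
```

Files classified as `exec` or `shared` are the only ones a prelinker of the kind discussed above has anything to do with; a `pie` result explains the identical timings with and without prelink.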