[arch-dev-public] Changing compilation flags
Allan McRae
allan at archlinux.org
Tue Dec 13 09:37:20 UTC 2016
On 13/12/16 19:23, Jan Alexander Steffens via arch-dev-public wrote:
> On Mon, Oct 24, 2016 at 5:56 AM Allan McRae <allan at archlinux.org> wrote:
>
>> Hi all,
>>
>> The results from the test-sec-flags [1] suite are in. Many thanks to
>> those that wrote this and those that submitted results. I'm not going
>> to list the summaries here, but the results show that at worst enabling
>> a bunch of security flags in our packages will have a <1% impact on
>> performance (and more likely a fraction of a percent).
>>
>> That means we will add all of these to our default CFLAGS/LDFLAGS etc.
>> The changes are:
>>
>> 1) building gcc to enable PIE by default
>> 2) add -z,now to LDFLAGS
>> 3) and -fno-plt and -fstack-check to our CFLAGS
>>
>> Adding PIE means that programs get loaded at a random address,
>> preventing an attacker from manipulating global data or hijacking
>> control by reusing code. Without this, ASLR is ineffective. Enabling
>> this by default in our compiler (there is a configure flag) means we
>> will need to rebuild all packages with static libraries (which should be
>> a fairly limited set).
>>
>> Adding -z,now to LDFLAGS disables lazy loading. This means all function
>> symbols are loaded at startup (with minor performance hit), but that
>> means our RELRO support will make everything ro instead of some of the
>> things. Doing this enables us to use -fno-plt in our CFLAGS, which is a
>> run-time optimisation allowing faster use of libraries.
>>
>> Adding -fstack-check to our CFLAGS guarantees stack overflows aren't
>> exploitable.
>>
>> Note that any of these flags can be disabled in a PKGBUILD if really
>> needed... But if that is the case, bug reports should be filed.
>>
>>
>> Given an assumed lack of objection, I will enable the build flags in our
>> pacman.conf and rebuild gcc to enable pie and put them in [staging] at
>> the end of this week (what better way to celebrate Halloween). We will
>> need a new devtools release then too. Then the packages with static
>> libraries will need rebuilt.
>>
>> After that, I would like to see [core] completely rebuilt, and audited
>> to ensure our CFLAGS/LDFLAGS are actually being used in the build.
>>
>> Cheers,
>> Allan
>>
>
> Will this affect i686 as well? According to this commit (
> https://github.com/zen-kernel/zen-kernel/commit/cc701dc61a7187e9dfc300ad6ec3b7a677dc4717)
> at least Ubuntu seems to have skipped that for now.
That commit shows they disabled it for one package.
It will affect both.
A
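The audit Allan asks for at the end (checking that the new flags actually reached the built binaries) can be done from the ELF headers alone. The following is an added example, not code from this thread or from Arch's devtools: it reports PIE (ET_DYN plus DF_1_PIE or DT_DEBUG, a heuristic that tells a PIE apart from a plain shared object), BIND_NOW from -z,now, and the PT_GNU_RELRO segment, and builds a constructed, non-loadable ELF64 stub as offline sample input.

```python
import struct

# ELF constants (values from the ELF ABI / elf.h)
ET_DYN, PT_DYNAMIC, PT_GNU_RELRO = 3, 2, 0x6474E552
DT_NULL, DT_DEBUG, DT_BIND_NOW, DT_FLAGS, DT_FLAGS_1 = 0, 21, 24, 0x6FFFFFFB, 0x6FFFFFFF
DF_BIND_NOW, DF_1_NOW, DF_1_PIE = 0x8, 0x1, 0x08000000

def audit_elf64(data: bytes) -> dict:
    """Report whether a little-endian ELF64 image shows the effects of PIE,
    -z,now (BIND_NOW) and RELRO.  Pure header parsing, no binutils needed."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("not a little-endian ELF64 image")
    e_type, = struct.unpack_from("<H", data, 16)
    e_phoff, = struct.unpack_from("<Q", data, 32)
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 54)
    relro, dyn = False, None
    for i in range(e_phnum):                      # walk the program headers
        p_type, _, p_off, _, _, p_filesz = struct.unpack_from(
            "<IIQQQQ", data, e_phoff + i * e_phentsize)
        relro |= p_type == PT_GNU_RELRO           # ld emits this for -z relro
        if p_type == PT_DYNAMIC:
            dyn = (p_off, p_filesz)
    tags = {}
    if dyn:                                       # collect the dynamic tags
        for off in range(dyn[0], dyn[0] + dyn[1], 16):
            d_tag, d_val = struct.unpack_from("<qQ", data, off)
            if d_tag == DT_NULL:
                break
            tags[d_tag] = d_val
    bind_now = (DT_BIND_NOW in tags or bool(tags.get(DT_FLAGS, 0) & DF_BIND_NOW)
                or bool(tags.get(DT_FLAGS_1, 0) & DF_1_NOW))
    # ET_DYN alone also matches shared objects; DF_1_PIE (newer ld) or
    # DT_DEBUG (executables only) tells a PIE apart from a plain .so (heuristic)
    pie = e_type == ET_DYN and (bool(tags.get(DT_FLAGS_1, 0) & DF_1_PIE) or DT_DEBUG in tags)
    return {"pie": pie, "bind_now": bind_now, "relro": relro,
            "full_relro": relro and bind_now}     # full RELRO needs both

def build_sample(bind_now: bool, relro: bool) -> bytes:
    """Constructed, non-loadable ELF64 stub (header + 2 phdrs + dynamic table)
    used as offline sample input; on a real file use audit_elf64(open(path,'rb').read())."""
    phoff, phnum, dyn_off = 64, 2, 64 + 2 * 56
    dyn = b"".join(struct.pack("<qQ", t, v) for t, v in [
        (DT_DEBUG, 0), (DT_FLAGS, DF_BIND_NOW if bind_now else 0),
        (DT_FLAGS_1, DF_1_PIE | (DF_1_NOW if bind_now else 0)), (DT_NULL, 0)])
    ehdr = b"\x7fELF" + bytes([2, 1, 1]) + bytes(9) + struct.pack(
        "<HHIQQQIHHHHHH", ET_DYN, 62, 1, 0, phoff, 0, 0, 64, 56, phnum, 64, 0, 0)
    phdr = lambda t, size: struct.pack("<IIQQQQQQ", t, 6, dyn_off, dyn_off, dyn_off, size, size, 8)
    return ehdr + phdr(PT_DYNAMIC, len(dyn)) + phdr(PT_GNU_RELRO if relro else 0, len(dyn)) + dyn
```

A package whose build ignored LDFLAGS shows up here as relro without bind_now (partial RELRO only), which is exactly the case the -z,now change is meant to remove.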