Re: HEADS-UP: PIE enabled by default on main

From: Konstantin Belousov <kostikbel_at_gmail.com>
Date: Fri, 26 Feb 2021 20:57:55 +0200
On Fri, Feb 26, 2021 at 07:34:03PM +0100, Gordon Bergling wrote:
> On Thu, Feb 25, 2021 at 03:58:07PM -0500, Ed Maste wrote:
> > As of 9a227a2fd642 (main-n245052) base system binaries are now built
> > as position-independent executable (PIE) by default, for 64-bit
> > architectures. PIE executables are used in conjunction with address
> > randomization as a mitigation for certain types of security
> > vulnerabilities.
> > 
> > If you track -CURRENT and normally build WITHOUT_CLEAN you'll need to
> > do one initial clean build -- either run `make cleanworld` or set
> > WITH_CLEAN=yes.
> > 
> > No significant user-facing changes are expected from this change, but
> > there are some minor ones. For example, `file` will indicate that
> > binaries are PIE by reporting something like `ELF 64-bit LSB pie
> > executable` rather than `ELF 64-bit LSB executable`. Also, for most
> > workloads no notable performance impact is expected.
> > 
> > For almost all ports this should result in no change. There are a
> > small number of ports that use base system /usr/share/mk
> > infrastructure and thus inherit the base system default, and some of
> > those initially failed to build. Those found during an exp-run in
> > PR253275 have been addressed or have patches waiting.
> > 
> > Please watch out for any new issues after you next update the base
> > system and/or ports, and report issues via a Bugzilla PR or in reply
> > here.
> 
> Thats a huge step forward in terms on security.
Can you explain why?

Thanks.

> Thanks for the efforts and anyone involved.
> 
> --Gordon
Received on Fri Feb 26 2021 - 17:58:11 UTC

This archive was generated by hypermail 2.4.0 : Wed May 19 2021 - 11:41:27 UTC