Date: Sat, 17 Jun 2017 14:43:24 +0300
From: Andrew Savchenko
To: gentoo-dev@lists.gentoo.org
Subject: Re: [gentoo-dev] Hardening a default profile
Message-Id: <20170617144324.d814f5c31189c785bafc72bc@gentoo.org>
In-Reply-To: <874lvgoitk.fsf@kestrel.kyomu.43-1.org>
References: <878tktnupm.fsf@kestrel.kyomu.43-1.org> <60680dd3-b243-cfe7-43ce-50361cd4c65e@gentoo.org> <874lvgoitk.fsf@kestrel.kyomu.43-1.org>
X-Mailer: Sylpheed 3.5.1 (GTK+ 2.24.30; i686-pc-linux-gnu)
List-Id: Gentoo Linux mail
Reply-to: gentoo-dev@lists.gentoo.org
On Thu, 15 Jun 2017 19:52:07 -0500 Matthias Maier wrote:
> > there should be a way of turning these off systematically. the
> > advantage of the current hardened gcc specs is that one can switch
> > between them using gcc-config. if these are forced on for the default
> > profile then there will be no easy way to systematically turn them off.
>
> No - there won't be an easy way for systematically turning off
> SSP and PIE in 17.0 profiles [1,2].
>
> The hardened toolchain with its different gcc profiles came from a time
> where SSP and PIE were relatively new security features and a certain
> amount of fine-grained control was needed. Further, at that time we were
> talking about external patches against gcc. Nowadays everything is
> upstreamed and (almost) no patches to gcc for hardened profiles are
> applied any more.
>
> Given the fact that all major linux distributions are following the path
> of improved default hardening features (see for example [1]) and that we
> have been using ssp/pie in hardened profiles for years now the purpose
> of fine-grained control over ssp/pie is also highly questionable.
>
> The consensus at the moment is that PIE and SSP (as well as stricter
> linker flags) will soon be standard (or, actually *are* already
> standard) compilation options. A per-package override (if absolutely
> needed) is fine - and, in fact, already in place everywhere where
> needed.

Gentoo is all about choice, remember? :)

It is really good to have them by default; it is bad to force them on
everyone. Security is not always of paramount importance compared to
other factors; sometimes performance matters more, e.g. in an isolated
and restricted non-public HPC environment. PIE and SSP may lead to up
to 8% performance loss [1].
The stack-protector (especially stack-protector-all or -strong) may
cause even more damage. For compute nodes this may be equivalent to
millions of USD in losses (depending on the system scale, of course).

[1] https://bugs.archlinux.org/task/18864

Best regards,
Andrew Savchenko
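Added example, not part of Andrew's mail and not Gentoo's own tooling: a small Python checker, in the spirit of checksec, that reports whether a given ELF64 binary actually carries the features this thread argues about (PIE, SSP canary, non-executable stack, RELRO). That is the check one wants after switching profiles or applying a per-package override, since the flags in make.conf say what was requested, not what the linker produced. `check_elf64` parses the real ELF header and program headers; `build_sample` is a helper that constructs a synthetic ELF image (header plus program headers, no code) purely so the checker can be demonstrated offline. Canary detection is only a scan for the `__stack_chk_fail` symbol name, which is an approximation: a binary with -fstack-protector on a few functions matches, and so does libc itself, which defines that symbol.

```python
"""Report PIE / SSP / NX / RELRO status of an ELF64 image (added example)."""
import struct
import sys

ET_EXEC, ET_DYN = 2, 3
PT_INTERP = 3
PT_GNU_STACK, PT_GNU_RELRO = 0x6474E551, 0x6474E552
PF_X, PF_W, PF_R = 0x1, 0x2, 0x4

# Elf64_Ehdr after e_ident: e_type, e_machine, e_version, e_entry, e_phoff,
# e_shoff, e_flags, e_ehsize, e_phentsize, e_phnum, e_shentsize, e_shnum, e_shstrndx
EHDR_FMT = "HHIQQQIHHHHHH"
# Elf64_Phdr: p_type, p_flags, p_offset, p_vaddr, p_paddr, p_filesz, p_memsz, p_align
PHDR_FMT = "IIQQQQQQ"


def check_elf64(data: bytes) -> dict:
    """Return which hardening features the ELF64 image in `data` carries."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    if data[4] != 2:  # EI_CLASS: 1 = ELF32, 2 = ELF64
        raise ValueError("only ELF64 is handled here")
    end = "<" if data[5] == 1 else ">"  # EI_DATA: 1 = little-endian, 2 = big-endian
    (e_type, _, _, _, e_phoff, _, _, _,
     e_phentsize, e_phnum, _, _, _) = struct.unpack_from(end + EHDR_FMT, data, 16)
    if e_type not in (ET_EXEC, ET_DYN):
        raise ValueError("not an executable or shared object")

    gnu_stack = None
    relro = False
    interp = False
    for i in range(e_phnum):
        p_type, p_flags = struct.unpack_from(end + "II", data, e_phoff + i * e_phentsize)
        if p_type == PT_GNU_STACK:
            gnu_stack = p_flags
        elif p_type == PT_GNU_RELRO:
            relro = True
        elif p_type == PT_INTERP:
            interp = True

    return {
        # ET_DYN is what -pie produces; a plain shared library is ET_DYN too,
        # so `interp` tells the two apart (a .so normally has no PT_INTERP).
        "pie": e_type == ET_DYN,
        "interp": interp,
        # No PT_GNU_STACK at all means the loader falls back to an executable
        # stack on most architectures, so treat "absent" as not NX.
        "nx": gnu_stack is not None and not (gnu_stack & PF_X),
        # PT_GNU_RELRO present: partial RELRO at least (full needs DT_BIND_NOW).
        "relro": relro,
        # Crude: -fstack-protector* emits a reference to __stack_chk_fail.
        "canary": b"__stack_chk_fail" in data,
    }


def build_sample(e_type: int, stack_flags: int, relro: bool, canary: bool) -> bytes:
    """Constructed ELF64 image for demonstration: valid header + phdrs, no code."""
    phdrs = [(PT_INTERP, PF_R), (PT_GNU_STACK, stack_flags)]
    if relro:
        phdrs.append((PT_GNU_RELRO, PF_R))
    # e_ident: magic, ELF64, little-endian, version 1, SYSV ABI, padding
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\x00" * 8
    ehdr = ident + struct.pack("<" + EHDR_FMT, e_type, 62, 1, 0, 64, 0, 0,
                               64, 56, len(phdrs), 64, 0, 0)
    body = b"".join(struct.pack("<" + PHDR_FMT, t, f, 0, 0, 0, 0, 0, 8)
                    for t, f in phdrs)
    tail = b"__stack_chk_fail\x00" if canary else b"main\x00"
    return ehdr + body + tail


if __name__ == "__main__":
    if len(sys.argv) == 2:
        with open(sys.argv[1], "rb") as f:
            print(check_elf64(f.read()))
    else:
        # No path given: show the constructed hardened vs. non-hardened samples.
        print("hardened:", check_elf64(build_sample(ET_DYN, PF_R | PF_W, True, True)))
        print("plain:   ", check_elf64(build_sample(ET_EXEC, PF_R | PF_W | PF_X, False, False)))
```

Run it as `python3 elfcheck.py /usr/bin/some-binary` on a box built with the 17.0 profiles and on one with a per-package override (on Gentoo that override is normally expressed through /etc/portage/package.env pointing at an env file that adjusts CFLAGS and LDFLAGS); the `pie` and `canary` fields should flip between the two. For a definitive canary verdict, read the dynamic symbol table (`readelf --dyn-syms`) rather than relying on the byte scan.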