


RFC: enable PAX aslr/mprotected and MKPIE=yes for ppc

From Martin Husemann <martin@duskware.de>
Newsgroups muc.lists.netbsd.port.powerpc
Subject RFC: enable PAX aslr/mprotected and MKPIE=yes for ppc
Date 2025-05-28 16:59 +0200
Organization Newsgate at muc.de e.V.
Message-ID <20250528145948.GA3679@mail.duskware.de> (permalink)
References <20250527174930.GD5399@mail.duskware.de>



As Greg pointed out we should take a more global view, so I added a bit more
data and did more testing...

I noticed we do not have PAX enabled in GENERIC, so I added these two lines
to my kernel config:

options         PAX_MPROTECT=1          # PaX mprotect(2) restrictions
options         PAX_ASLR=1              # PaX Address Space Layout Randomization

The resulting kernel works and "sysctl security.pax" confirms that aslr and
mprotect are enabled.

To make aslr more efficient we need to have relocatable binaries, so I also
enabled MKPIE=yes. This causes the binaries to grow slightly. I compared
totals (size -t) over all binaries in /bin:

   text	   data	    bss	    dec	    hex
1380714	  40580	 197387	1618681	 18b2f9	/bin/* current
1551487	  84968	 188399	1824854	 1bd856	/bin/* pic

			+12.7%

Overall the size of the sets does not grow that much, and strangely the
debug set shrinks seriously (I am not quite sure why). This comparison
is slightly unfair, I used my locally built sets and the latest build
from the releng auto builds and extracted the uncompressed tar size. My
local builds are NOT reproducible (build.sh -P), so there is some minor
variation in stored paths (the releng sets are reproducible), but it
certainly does not explain this huge debug difference.

I left out all unchanged sets (etc, fonts, ...). First results are:

size of		PIC		current		difference %
base.tgz:	244561920	231342080	5.71
comp.tgz:	481413120	459796480	4.70
debug.tgz:	418058240	566272000	-26.17
games.tgz:	9072640		8704000		4.24
misc.tgz:	15165440	15165440	0.00
rescue.tgz:	9994240		9564160		4.50
tests.tgz:	85032960	78100480	8.88
text.tgz:	12328960	11417600	7.98
xbase.tgz:	31959040	30935040	3.31
xcomp.tgz:	53063680	52090880	1.87
xdebug.tgz:	81643520	81582080	0.08
xserver.tgz:	28928000	27904000	3.67

total:		1471221760	1572874240	-6.46

So for my own machines (where I always install debug sets) this is a net
win. Leaving out the debug sets this becomes:

size of		PIC		current		difference %
base.tgz:	244561920	231342080	5.71
comp.tgz:	481413120	459796480	4.70
games.tgz:	9072640		8704000		4.24
misc.tgz:	15165440	15165440	0.00
rescue.tgz:	9994240		9564160		4.50
tests.tgz:	85032960	78100480	8.88
text.tgz:	12328960	11417600	7.98
xbase.tgz:	31959040	30935040	3.31
xcomp.tgz:	53063680	52090880	1.87
xserver.tgz:	28928000	27904000	3.67

total:		971520000	925020160	5.03

(all sizes in bytes and uncompressed, basically what the .tgz would extract
to as a .tar)

Not too bad overall IMHO.

I did a full atf test run with the PIE-updated system and there were no
regressions (https://www.netbsd.org/~martin/macppc-atf/). Besides
spurious differences one (most likely slightly broken) test program did not
fail for the PIE version, so fewer failures overall in this run.


I propose to:

 a) add aslr and mprotect options to the macppc GENERIC (and maybe other
    ppc kernels), see above for the exact config lines.
 b) enable MKPIE=yes by default for all ppc architectures

And do all this soonish (like in a week or so) before we branch for netbsd-11.

Martin

--
Posted automagically by a mail2news gateway at muc.de e.V.
Please direct questions, flames, donations, etc. to news-admin@muc.de



Thread

Turn on MKPIE for ppc? Martin Husemann <martin@duskware.de> - 2025-05-27 19:49 +0200
  Re: Turn on MKPIE for ppc? Greg Troxel <gdt@lexort.com> - 2025-05-27 15:42 -0400
    Re: Turn on MKPIE for ppc? Greg Troxel <gdt@lexort.com> - 2025-05-27 16:37 -0400
  RFC: enable PAX aslr/mprotected and MKPIE=yes for ppc Martin Husemann <martin@duskware.de> - 2025-05-28 16:59 +0200
    re: RFC: enable PAX aslr/mprotected and MKPIE=yes for ppc matthew green <mrg@eterna23.net> - 2025-05-30 06:02 +1000
      Re: RFC: enable PAX aslr/mprotected and MKPIE=yes for ppc Martin Husemann <martin@duskware.de> - 2025-05-30 11:40 +0200
    Re: RFC: enable PAX aslr/mprotected and MKPIE=yes for ppc "Frank Wille" <frank@phoenix.owl.de> - 2025-06-02 11:49 +0200
