Document that --enable-static-pie implies PIE
Commit Message
To build static PIE, all .o files are compiled with -fPIE. Since
--enable-static-pie is designed to provide additional security hardening
benefits, it also implies that dynamic PIE is created by default for
better security hardening.
OK for master?
H.J.
---
* manual/install.texi: Document that --enable-static-pie
implies PIE.
* INSTALL: Regenerated.
---
INSTALL | 3 ++-
manual/install.texi | 3 ++-
2 files changed, 4 insertions(+), 2 deletions(-)
Comments
Hi,
H.J. Lu wrote:
> --- a/manual/install.texi
> +++ b/manual/install.texi
> @@ -123,7 +123,8 @@ address without help from a dynamic linker. All static programs as
> well as static tests are built as static PIE, except for those marked
> with no-pie. The resulting glibc can be used with the GCC option,
> -static-pie, which is available with GCC 8 or above, to create static
> -PIE.
> +PIE. This option also implies that dynamic position independent
> +executable (PIE) is created by default.
>
> @item --disable-profile
> Don't build libraries with profiling information. You may want to use
When the new text says that dynamic PIE is created by default, what does
that mean? Does it mean that my executables will automatically act as
though I passed -fPIE by default when I link them or that support for
-fPIE will be included in glibc? If the latter, is it saying that such
support will be included in the glibc distribution by default but that I
can turn it off? i.e. what is the option to unset this default, or what
would be the option to turn it on if I don't --enable-static-pie?
Unrelated: while I'm reading this text
> Static PIE is similar to static executable,
This is missing an article. Perhaps it means something like
A static position independent executable is similar to a static
executable
(adding "a" twice). But that also feels strange --- isn't a static PIE
a kind of static executable? Maybe:
A static PIE is similar to a traditional static executable but
can be loaded at any address without help from a dynamic linker.
(adding "a" twice and adding "traditional")
Thanks and hope that helps,
Jonathan
On Tue, Dec 19, 2017 at 11:35 AM, Jonathan Nieder <jrnieder@gmail.com> wrote:
> Hi,
>
> H.J. Lu wrote:
>
>> --- a/manual/install.texi
>> +++ b/manual/install.texi
>> @@ -123,7 +123,8 @@ address without help from a dynamic linker. All static programs as
>> well as static tests are built as static PIE, except for those marked
>> with no-pie. The resulting glibc can be used with the GCC option,
>> -static-pie, which is available with GCC 8 or above, to create static
>> -PIE.
>> +PIE. This option also implies that dynamic position independent
>> +executable (PIE) is created by default.
>>
>> @item --disable-profile
>> Don't build libraries with profiling information. You may want to use
>
> When the new text says that dynamic PIE is created by default, what does
> that mean? Does it mean that my executables will automatically act as
> though I passed -fPIE by default when I link them or that support for
> -fPIE will be included in glibc? If the latter, is it saying that such
> support will be included in the glibc distribution by default but that I
> can turn it off? i.e. what is the option to unset this default, or what
> would be the option to turn it on if I don't --enable-static-pie?
How about
This option also implies that glibc programs and tests are created as
dynamic position independent executable (PIE) by default.
> Unrelated: while I'm reading this text
>
>> Static PIE is similar to static executable,
>
> This is missing an article. Perhaps it means something like
>
> A static position independent executable is similar to a static
> executable
>
> (adding "a" twice). But that also feels strange --- isn't a static PIE
> a kind of static executable? Maybe:
>
> A static PIE is similar to a traditional static executable but
> can be loaded at any address without help from a dynamic linker.
>
> (adding "a" twice and adding "traditional")
>
Can you submit a separate patch?
H.J. Lu wrote:
> On Tue, Dec 19, 2017 at 11:35 AM, Jonathan Nieder <jrnieder@gmail.com> wrote:
>> When the new text says that dynamic PIE is created by default, what does
>> that mean? Does it mean that my executables will automatically act as
>> though I passed -fPIE by default when I link them or that support for
>> -fPIE will be included in glibc? If the latter, is it saying that such
>> support will be included in the glibc distribution by default but that I
>> can turn it off? i.e. what is the option to unset this default, or what
>> would be the option to turn it on if I don't --enable-static-pie?
>
> How about
>
> This option also implies that glibc programs and tests are created as
> dynamic position independent executable (PIE) by default.
With s/executable/executables/, LGTM.
>> Unrelated: while I'm reading this text
>>
>>> Static PIE is similar to static executable,
>>
>> This is missing an article.
[...]
> Can you submit a separate patch?
Sure thing. Will try to find time to send one tonight.
Thanks,
Jonathan
@@ -93,7 +93,8 @@ will be used, and CFLAGS sets optimization options for the compiler.
programs as well as static tests are built as static PIE, except
for those marked with no-pie. The resulting glibc can be used with
the GCC option, -static-pie, which is available with GCC 8 or
- above, to create static PIE.
+ above, to create static PIE. This option also implies that dynamic
+ position independent executable (PIE) is created by default.
'--disable-profile'
Don't build libraries with profiling information. You may want to
@@ -123,7 +123,8 @@ address without help from a dynamic linker. All static programs as
well as static tests are built as static PIE, except for those marked
with no-pie. The resulting glibc can be used with the GCC option,
-static-pie, which is available with GCC 8 or above, to create static
-PIE.
+PIE. This option also implies that dynamic position independent
+executable (PIE) is created by default.
@item --disable-profile
Don't build libraries with profiling information. You may want to use