
Document that --enable-static-pie implies PIE

Message ID 20171219185156.GA25849@gmail.com
State New, archived

Commit Message

H.J. Lu Dec. 19, 2017, 6:51 p.m. UTC
To build static PIE, all .o files are compiled with -fPIE.  Since
--enable-static-pie is designed to provide additional security hardening
benefits, it also implies that dynamic PIE is created by default for
better security hardening.

OK for master?

H.J.
---
	* manual/install.texi: Document that --enable-static-pie
	implies PIE.
	* INSTALL: Regenerated.
---
 INSTALL             | 3 ++-
 manual/install.texi | 3 ++-
 2 files changed, 4 insertions(+), 2 deletions(-)

Comments

Jonathan Nieder Dec. 19, 2017, 7:35 p.m. UTC | #1
Hi,

H.J. Lu wrote:

> --- a/manual/install.texi
> +++ b/manual/install.texi
> @@ -123,7 +123,8 @@ address without help from a dynamic linker.  All static programs as
>  well as static tests are built as static PIE, except for those marked
>  with no-pie.  The resulting glibc can be used with the GCC option,
>  -static-pie, which is available with GCC 8 or above, to create static
> -PIE.
> +PIE.  This option also implies that dynamic position independent
> +executable (PIE) is created by default.
>  
>  @item --disable-profile
>  Don't build libraries with profiling information.  You may want to use

When the new text says that dynamic PIE is created by default, what does
that mean?  Does it mean that my executables will automatically act as
though I passed -fPIE by default when I link them or that support for
-fPIE will be included in glibc?  If the latter, is it saying that such
support will be included in the glibc distribution by default but that I
can turn it off?  i.e. what is the option to unset this default, or what
would be the option to turn it on if I don't --enable-static-pie?

Unrelated: while I'm reading this text

>  Static PIE is similar to static executable,

This is missing an article.  Perhaps it means something like

	A static position independent executable is similar to a static
	executable

(adding "a" twice).  But that also feels strange --- isn't a static PIE
a kind of static executable?  Maybe:

	A static PIE is similar to a traditional static executable but
	can be loaded at any address without help from a dynamic linker.

(adding "a" twice and adding "traditional")

Thanks and hope that helps,
Jonathan
H.J. Lu Dec. 19, 2017, 8:31 p.m. UTC | #2
On Tue, Dec 19, 2017 at 11:35 AM, Jonathan Nieder <jrnieder@gmail.com> wrote:
> Hi,
>
> H.J. Lu wrote:
>
>> --- a/manual/install.texi
>> +++ b/manual/install.texi
>> @@ -123,7 +123,8 @@ address without help from a dynamic linker.  All static programs as
>>  well as static tests are built as static PIE, except for those marked
>>  with no-pie.  The resulting glibc can be used with the GCC option,
>>  -static-pie, which is available with GCC 8 or above, to create static
>> -PIE.
>> +PIE.  This option also implies that dynamic position independent
>> +executable (PIE) is created by default.
>>
>>  @item --disable-profile
>>  Don't build libraries with profiling information.  You may want to use
>
> When the new text says that dynamic PIE is created by default, what does
> that mean?  Does it mean that my executables will automatically act as
> though I passed -fPIE by default when I link them or that support for
> -fPIE will be included in glibc?  If the latter, is it saying that such
> support will be included in the glibc distribution by default but that I
> can turn it off?  i.e. what is the option to unset this default, or what
> would be the option to turn it on if I don't --enable-static-pie?

How about

This option also implies that glibc programs and tests are created as
dynamic position independent executable (PIE) by default.

> Unrelated: while I'm reading this text
>
>>  Static PIE is similar to static executable,
>
> This is missing an article.  Perhaps it means something like
>
>         A static position independent executable is similar to a static
>         executable
>
> (adding "a" twice).  But that also feels strange --- isn't a static PIE
> a kind of static executable?  Maybe:
>
>         A static PIE is similar to a traditional static executable but
>         can be loaded at any address without help from a dynamic linker.
>
> (adding "a" twice and adding "traditional")
>

Can you submit a separate patch?
Jonathan Nieder Dec. 19, 2017, 8:46 p.m. UTC | #3
H.J. Lu wrote:
> On Tue, Dec 19, 2017 at 11:35 AM, Jonathan Nieder <jrnieder@gmail.com> wrote:

>> When the new text says that dynamic PIE is created by default, what does
>> that mean?  Does it mean that my executables will automatically act as
>> though I passed -fPIE by default when I link them or that support for
>> -fPIE will be included in glibc?  If the latter, is it saying that such
>> support will be included in the glibc distribution by default but that I
>> can turn it off?  i.e. what is the option to unset this default, or what
>> would be the option to turn it on if I don't --enable-static-pie?
>
> How about
>
> This option also implies that glibc programs and tests are created as
> dynamic position independent executable (PIE) by default.

With s/executable/executables/, LGTM.

>> Unrelated: while I'm reading this text
>>
>>>  Static PIE is similar to static executable,
>>
>> This is missing an article.
[...]
> Can you submit a separate patch?

Sure thing.  Will try to find time to send one tonight.

Thanks,
Jonathan

Patch

diff --git a/INSTALL b/INSTALL
index 9a1404bd3c..cae574e5e3 100644
--- a/INSTALL
+++ b/INSTALL
@@ -93,7 +93,8 @@  will be used, and CFLAGS sets optimization options for the compiler.
      programs as well as static tests are built as static PIE, except
      for those marked with no-pie.  The resulting glibc can be used with
      the GCC option, -static-pie, which is available with GCC 8 or
-     above, to create static PIE.
+     above, to create static PIE. This option also implies that dynamic
+     position independent executable (PIE) is created by default.
 
 '--disable-profile'
      Don't build libraries with profiling information.  You may want to
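Review bot: INSTALL is generated from manual/install.texi (the ChangeLog entry lists it as "Regenerated"), so the wording fix agreed in the thread ("glibc programs and tests are created as dynamic position independent executables (PIE) by default") should go into the .texi and reach this file by regenerating it, not by editing here. Note also the single space in "static PIE. This option" against the two-space sentence spacing of the surrounding lines: makeinfo treats a period after a capital letter as an abbreviation, so the .texi sentence should end with "PIE@." for the regenerated text to be consistent.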
diff --git a/manual/install.texi b/manual/install.texi
index fb956b5d6a..95eea19459 100644
--- a/manual/install.texi
+++ b/manual/install.texi
@@ -123,7 +123,8 @@  address without help from a dynamic linker.  All static programs as
 well as static tests are built as static PIE, except for those marked
 with no-pie.  The resulting glibc can be used with the GCC option,
 -static-pie, which is available with GCC 8 or above, to create static
-PIE.
+PIE.  This option also implies that dynamic position independent
+executable (PIE) is created by default.
 
 @item --disable-profile
 Don't build libraries with profiling information.  You may want to use
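Review bot: the added sentence "dynamic position independent executable (PIE) is created by default" does not say whose executables it refers to (glibc's own programs and tests, or programs a user links against the installed glibc), which is the question raised in comment #1, and "executable" should be plural. Suggest the wording settled on in comments #2 and #3 for the two added lines: "PIE.  This option also implies that glibc programs and tests are created as dynamic position independent executables (PIE) by default." Since the option is documented as implying the dynamic PIE default, the entry should also tell the reader whether and how that default can be switched off when --enable-static-pie is given.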