[OpenWrt-Devel,1/6] buildsystem: Make PIE ASLR option tristate
diff mbox series

Message ID 20191027174438.25795-2-hauke@hauke-m.de
State Under Review
Delegated to: Hauke Mehrtens
Headers show
Series
  • buildsystem: Activate PIE ASLR for some packages
Related show

Commit Message

Hauke Mehrtens Oct. 27, 2019, 5:44 p.m. UTC
This tristate choose allows to select to build only some applications
with PIE enabled. On MIPS binaries are getting about 30% bigger when PIE
is activated for the, which is a huge increase.

Network exposed applications like dnsmasq should then be build with PIE
enabled, but some applications which are normally not parsing data from
the network do not have it activated. The regular option should give a
good trade off between extra flash and RAM memory usage and security.

This changes the default from building no applications with PIE to build
some specifically marked applications with PIE enabled. This option is
only activated for targets with bigger flash and RAM to not consume
extra memory on the very small targets. On SDK builds the Regular option
should always be selected, because some tiny targets share the
applications with big targets and only the images for the tiny targets
should contain the none PIE applications, but the images for the normal
targets should use PIE. The shared packages should always use PIE when
it should be normally activated.

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
---

I hope this !SDK option works. I haven't fully tested this.
I want to make sure this is activated on the targets which are not 
small, but not activate it in the tiny images. For extra installed 
packages it should be activated.


 config/Config-build.in | 22 ++++++++++++++++++----
 include/hardening.mk   |  9 ++++++++-
 2 files changed, 26 insertions(+), 5 deletions(-)

Comments

Rosen Penev Oct. 27, 2019, 7:05 p.m. UTC | #1
On Sun, Oct 27, 2019 at 10:46 AM Hauke Mehrtens <hauke@hauke-m.de> wrote:
>
> This tristate choose allows to select to build only some applications
> with PIE enabled. On MIPS binaries are getting about 30% bigger when PIE
> is activated for the, which is a huge increase.
Some of the size increase can be mitigated with extra compile-time options:

TARGET_CFLAGS += -ffunction-sections -fdata-sections -flto
TARGET_LDFLAGS += -Wl,--gc-sections,--as-needed

LTO sometimes causes problems but the others should be safe.

PKG_ASLR_PIE applies $(FPIC) to both C and LDFLAGS. I've noticed that
applying it only to the former increases the size but not as much as
with both. No idea why.
>
> Network exposed applications like dnsmasq should then be build with PIE
> enabled, but some applications which are normally not parsing data from
> the network do not have it activated. The regular option should give a
> good trade off between extra flash and RAM memory usage and security.
>
> This changes the default from building no applications with PIE to build
> some specifically marked applications with PIE enabled. This option is
> only activated for targets with bigger flash and RAM to not consume
> extra memory on the very small targets. On SDK builds the Regular option
> should always be selected, because some tiny targets share the
> applications with big targets and only the images for the tiny targets
> should contain the none PIE applications, but the images for the normal
> targets should use PIE. The shared packages should always use PIE when
> it should be normally activated.
>
> Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
> ---
>
> I hope this !SDK option works. I haven't fully tested this.
> I want to make sure this is activated on the targets which are not
> small, but not activate it in the tiny images. For extra installed
> packages it should be activated.
>
>
>  config/Config-build.in | 22 ++++++++++++++++++----
>  include/hardening.mk   |  9 ++++++++-
>  2 files changed, 26 insertions(+), 5 deletions(-)
>
> diff --git a/config/Config-build.in b/config/Config-build.in
> index 872e5c12ab..aa05e34f56 100644
> --- a/config/Config-build.in
> +++ b/config/Config-build.in
> @@ -212,11 +212,10 @@ menu "Global build settings"
>                   this per package by adding PKG_CHECK_FORMAT_SECURITY:=0 in the package
>                   Makefile.
>
> -       config PKG_ASLR_PIE
> -               bool
> +       choice
>                 prompt "User space ASLR PIE compilation"
> -               select BUSYBOX_DEFAULT_PIE
> -               default n
> +               default PKG_ASLR_PIE_NONE if ((SMALL_FLASH || LOW_MEMORY_FOOTPRINT) && !SDK)
> +               default PKG_ASLR_PIE_REGULAR
>                 help
>                   Add -fPIC to CFLAGS and -specs=hardened-build-ld to LDFLAGS.
>                   This enables package build as Position Independent Executables (PIE)
> @@ -227,6 +226,21 @@ menu "Global build settings"
>                   to predict when an attacker is attempting a memory-corruption exploit.
>                   You can disable this per package by adding PKG_ASLR_PIE:=0 in the package
>                   Makefile.
> +                 Be ware that ASLR increases the binary size.
> +               config PKG_ASLR_PIE_NONE
> +                       bool "None"
> +                       help
> +                         PIE is deactivated for all applications
> +               config PKG_ASLR_PIE_REGULAR
> +                       bool "Regular"
> +                       help
> +                         PIE is activated for some binaries, mostly network exposed applications
> +               config PKG_ASLR_PIE_ALL
> +                       bool "All"
> +                       select BUSYBOX_DEFAULT_PIE
> +                       help
> +                         PIE is activated for all applications
> +       endchoice
>
>         choice
>                 prompt "User space Stack-Smashing Protection"
> diff --git a/include/hardening.mk b/include/hardening.mk
> index 60f39428e8..4e49e6b1b9 100644
> --- a/include/hardening.mk
> +++ b/include/hardening.mk
> @@ -7,6 +7,7 @@
>
>  PKG_CHECK_FORMAT_SECURITY ?= 1
>  PKG_ASLR_PIE ?= 1
> +PKG_ASLR_PIE_REGULAR ?= 0
>  PKG_SSP ?= 1
>  PKG_FORTIFY_SOURCE ?= 1
>  PKG_RELRO ?= 1
> @@ -16,12 +17,18 @@ ifdef CONFIG_PKG_CHECK_FORMAT_SECURITY
>      TARGET_CFLAGS += -Wformat -Werror=format-security
>    endif
>  endif
> -ifdef CONFIG_PKG_ASLR_PIE
> +ifdef CONFIG_PKG_ASLR_PIE_ALL
>    ifeq ($(strip $(PKG_ASLR_PIE)),1)
>      TARGET_CFLAGS += $(FPIC)
>      TARGET_LDFLAGS += $(FPIC) -specs=$(INCLUDE_DIR)/hardened-ld-pie.specs
>    endif
>  endif
> +ifdef CONFIG_PKG_ASLR_PIE_REGULAR
> +  ifeq ($(strip $(PKG_ASLR_PIE_REGULAR)),1)
> +    TARGET_CFLAGS += $(FPIC)
> +    TARGET_LDFLAGS += $(FPIC) -specs=$(INCLUDE_DIR)/hardened-ld-pie.specs
> +  endif
> +endif
>  ifdef CONFIG_PKG_CC_STACKPROTECTOR_REGULAR
>    ifeq ($(strip $(PKG_SSP)),1)
>      TARGET_CFLAGS += -fstack-protector
> --
> 2.20.1
>
>
> _______________________________________________
> openwrt-devel mailing list
> openwrt-devel@lists.openwrt.org
> https://lists.openwrt.org/mailman/listinfo/openwrt-devel
Hauke Mehrtens Oct. 27, 2019, 8:32 p.m. UTC | #2
On 10/27/19 8:05 PM, Rosen Penev wrote:
> On Sun, Oct 27, 2019 at 10:46 AM Hauke Mehrtens <hauke@hauke-m.de> wrote:
>>
>> This tristate choose allows to select to build only some applications
>> with PIE enabled. On MIPS binaries are getting about 30% bigger when PIE
>> is activated for the, which is a huge increase.
> Some of the size increase can be mitigated with extra compile-time options:
> 
> TARGET_CFLAGS += -ffunction-sections -fdata-sections -flto
> TARGET_LDFLAGS += -Wl,--gc-sections,--as-needed
> 
> LTO sometimes causes problems but the others should be safe.
> 
> PKG_ASLR_PIE applies $(FPIC) to both C and LDFLAGS. I've noticed that
> applying it only to the former increases the size but not as much as
> with both. No idea why.

Hi Rosen,

Thank you for the hints.

I activated -flto for dnsmasq and the size was decreased by 8% which is
nice. I will test this a little bit and then send a patch to the mailing
list.

The GCC documentation says the following about -pie:
---------------------------------------------------------------------
-pie
    Produce a dynamically linked position independent executable on
targets that support it. For predictable results, you must also specify
the same set of options used for compilation (-fpie, -fPIE, or model
suboptions) when you specify this linker option.
---------------------------------------------------------------------
https://gcc.gnu.org/onlinedocs/gcc/Link-Options.html#Link-Options

So we should set it for compiling and linking.

GCC can activate -flto also when only some of the compile units used
LTO, but it should also be set for both steps.

Hauke
Rosen Penev Oct. 27, 2019, 8:43 p.m. UTC | #3
On Sun, Oct 27, 2019 at 1:32 PM Hauke Mehrtens <hauke@hauke-m.de> wrote:
>
> On 10/27/19 8:05 PM, Rosen Penev wrote:
> > On Sun, Oct 27, 2019 at 10:46 AM Hauke Mehrtens <hauke@hauke-m.de> wrote:
> >>
> >> This tristate choose allows to select to build only some applications
> >> with PIE enabled. On MIPS binaries are getting about 30% bigger when PIE
> >> is activated for the, which is a huge increase.
> > Some of the size increase can be mitigated with extra compile-time options:
> >
> > TARGET_CFLAGS += -ffunction-sections -fdata-sections -flto
> > TARGET_LDFLAGS += -Wl,--gc-sections,--as-needed
> >
> > LTO sometimes causes problems but the others should be safe.
> >
> > PKG_ASLR_PIE applies $(FPIC) to both C and LDFLAGS. I've noticed that
> > applying it only to the former increases the size but not as much as
> > with both. No idea why.
>
> Hi Rosen,
>
> Thank you for the hints.
>
> I activated -flto for dnsmasq and the size was decreased by 8% which is
> nice. I will test this a little bit and then send a patch to the mailing
> list.
>
> The GCC documentation says the following about -pie:
> ---------------------------------------------------------------------
> -pie
>     Produce a dynamically linked position independent executable on
> targets that support it. For predictable results, you must also specify
> the same set of options used for compilation (-fpie, -fPIE, or model
> suboptions) when you specify this linker option.
> ---------------------------------------------------------------------
> https://gcc.gnu.org/onlinedocs/gcc/Link-Options.html#Link-Options
>
> So we should set it for compiling and linking.
>
> GCC can activate -flto also when only some of the compile units used
> LTO, but it should also be set for both steps.]
In my experience, setting -flto is LDFLAGS usually does nothing.
CFLAGS is where it makes the difference. But yes, I agree.
>
> Hauke
>

Patch
diff mbox series

diff --git a/config/Config-build.in b/config/Config-build.in
index 872e5c12ab..aa05e34f56 100644
--- a/config/Config-build.in
+++ b/config/Config-build.in
@@ -212,11 +212,10 @@  menu "Global build settings"
 		  this per package by adding PKG_CHECK_FORMAT_SECURITY:=0 in the package
 		  Makefile.
 
-	config PKG_ASLR_PIE
-		bool
+	choice
 		prompt "User space ASLR PIE compilation"
-		select BUSYBOX_DEFAULT_PIE
-		default n
+		default PKG_ASLR_PIE_NONE if ((SMALL_FLASH || LOW_MEMORY_FOOTPRINT) && !SDK)
+		default PKG_ASLR_PIE_REGULAR
 		help
 		  Add -fPIC to CFLAGS and -specs=hardened-build-ld to LDFLAGS.
 		  This enables package build as Position Independent Executables (PIE)
@@ -227,6 +226,21 @@  menu "Global build settings"
 		  to predict when an attacker is attempting a memory-corruption exploit.
 		  You can disable this per package by adding PKG_ASLR_PIE:=0 in the package
 		  Makefile.
+		  Be ware that ASLR increases the binary size.
+		config PKG_ASLR_PIE_NONE
+			bool "None"
+			help
+			  PIE is deactivated for all applications
+		config PKG_ASLR_PIE_REGULAR
+			bool "Regular"
+			help
+			  PIE is activated for some binaries, mostly network exposed applications
+		config PKG_ASLR_PIE_ALL
+			bool "All"
+			select BUSYBOX_DEFAULT_PIE
+			help
+			  PIE is activated for all applications
+	endchoice
 
 	choice
 		prompt "User space Stack-Smashing Protection"
diff --git a/include/hardening.mk b/include/hardening.mk
index 60f39428e8..4e49e6b1b9 100644
--- a/include/hardening.mk
+++ b/include/hardening.mk
@@ -7,6 +7,7 @@ 
 
 PKG_CHECK_FORMAT_SECURITY ?= 1
 PKG_ASLR_PIE ?= 1
+PKG_ASLR_PIE_REGULAR ?= 0
 PKG_SSP ?= 1
 PKG_FORTIFY_SOURCE ?= 1
 PKG_RELRO ?= 1
@@ -16,12 +17,18 @@  ifdef CONFIG_PKG_CHECK_FORMAT_SECURITY
     TARGET_CFLAGS += -Wformat -Werror=format-security
   endif
 endif
-ifdef CONFIG_PKG_ASLR_PIE
+ifdef CONFIG_PKG_ASLR_PIE_ALL
   ifeq ($(strip $(PKG_ASLR_PIE)),1)
     TARGET_CFLAGS += $(FPIC)
     TARGET_LDFLAGS += $(FPIC) -specs=$(INCLUDE_DIR)/hardened-ld-pie.specs
   endif
 endif
+ifdef CONFIG_PKG_ASLR_PIE_REGULAR
+  ifeq ($(strip $(PKG_ASLR_PIE_REGULAR)),1)
+    TARGET_CFLAGS += $(FPIC)
+    TARGET_LDFLAGS += $(FPIC) -specs=$(INCLUDE_DIR)/hardened-ld-pie.specs
+  endif
+endif
 ifdef CONFIG_PKG_CC_STACKPROTECTOR_REGULAR
   ifeq ($(strip $(PKG_SSP)),1)
     TARGET_CFLAGS += -fstack-protector