| View previous topic :: View next topic |
| Author |
Message |
CaptainBlood
Advocate
Joined: 24 Jan 2010
Posts: 3641
|
 Posted: Sat May 04, 2024 10:37 pm Post subject: sys-devel/gcc-13.2.1_p20240503: not defaulted 2 forced USEs |
 |
|
| Code: | mrgp -v sys-devel/gcc
These are the packages that would be merged, in reverse order:
Calculating dependencies ... done!
Dependency resolution took 26.55 s (backtrack: 0/20).
[ebuild R ~] sys-devel/gcc-13.2.1_p20240503:13::gentoo USE="-ada -cet (-custom-cflags) (cxx) -d -debug -default-stack-clash-protection* -default-znow* -doc (-fixed-point) fortran -go graphite -hardened (-ieee-long-double) jit (-libssp) lto -modula2 (multilib) -nls -objc -objc++ -objc-gc openmp (-pch) pgo (pie) sanitize -ssp -systemtap -test -valgrind -vanilla vtv zstd" 82 485 KiB |
Plz note new USE="default-stack-clash-protection default-znow"
Let's bisect them a little: | Code: | - + default-stack-clash-protection : Build packages with stack clash protection on by default as a
hardening measure. This enables -fstack-clash-protection by default
which protects against large memory allocations allowing stack
smashing. May cause slightly increased codesize, but modern compilers
have been adapted to optimize well for this case, as this mitigation
is now quite common. See https://developers.redhat.com/blog/2020/05/2
2/stack-clash-mitigation-in-gcc-part-3 and
https://www.qualys.com/2017/06/19/stack-clash/stack-clash.txt. |
This is clear: This will impact code size if no counter measure is taken.
| Code: | - + default-znow : Request full relocation on start from ld.so by default. This sets the
-z,now (BIND_NOW) flag by default on all linker invocations. By
resolving all dynamic symbols at application startup, parts of the
program can be made read-only as a hardening measure. This is closely
related to RELRO which is also separately enabled by default. In some
applications with many unresolved symbols (heavily plugin based, for
example), startup time may be impacted. |
My understanding is that this affects generated code too. Unsure how code size is affected.
We also learn that RELRO feature seems already activated by default. I'm glad to be aware.
I may have missed its initial notification.
Thks 4 ur attention, interest & support.
_________________
USE="-* ..." in /etc/portage/make.conf here, i.e. a countermeasure to portage implicit braces, belt & diaper paradigm
LT: "I've been doing a passable imitation of the Fontana di Trevi, except my medium is mucus. Sooo much mucus. "
Last edited by CaptainBlood on Sat May 04, 2024 11:57 pm; edited 1 time in total |
|
| Back to top |
|
 |
Hu
Administrator
Joined: 06 Mar 2007
Posts: 21752
|
| Posted: Sat May 04, 2024 11:12 pm Post subject: |
|
|
Stack clash may impact code size, depending on whether the compiler is forced to emit special instructions just to implement the protection versus whether it can use the instructions it already needed for other purposes to get clash protection for free.
BIND_NOW does not affect code generation. It is a linker option, which affects how the dynamic loader handles loading programs with the flag set. The Gentoo hardened profiles have set this option for many years. It may only be a recent addition to the non-hardened profiles.
These flags are not forced via package.use.force, probably because they do not affect correctness of the code, only its relative security posture. Your compiler will build fine with or without these options, and the programs it builds will in turn run fine with or without them. |
|
| Back to top |
|
|
CaptainBlood
Advocate
Joined: 24 Jan 2010
Posts: 3641
|
| Posted: Sun May 05, 2024 12:13 am Post subject: |
|
|
| Hu wrote: | | These flags are not forced via package.use.force, probably because they do not affect correctness of the code, only its relative security posture. Your compiler will build fine with or without these options, and the programs it builds will in turn run fine with or without them. |
 | Code: | grep -r default-stack-clash-protection /var/db/repos/gentoo
/var/db/repos/gentoo/dev-lang/gnat-gpl/metadata.xml: <flag name="default-stack-clash-protection">Build packages with stack clash protection on by default</flag>
/var/db/repos/gentoo/eclass/toolchain.eclass: tc_version_is_at_least 12.2.1_p20221203 ${PV} && IUSE+=" default-stack-clash-protection"
/var/db/repos/gentoo/eclass/toolchain.eclass: if _tc_use_if_iuse default-stack-clash-protection ; then
/var/db/repos/gentoo/profiles/use.local.desc:dev-lang/gnat-gpl:default-stack-clash-protection - Build packages with stack clash protection on by default
/var/db/repos/gentoo/profiles/use.local.desc:sys-devel/gcc:default-stack-clash-protection - Build packages with stack clash protection on by default as a hardening measure. This enables -fstack-clash-protection by default which protects against large memory allocations allowing stack smashing. May cause slightly increased codesize, but modern compilers have been adapted to optimize well for this case, as this mitigation is now quite common. See https://developers.redhat.com/blog/2020/05/22/stack-clash-mitigation-in-gcc-part-3 and https://www.qualys.com/2017/06/19/stack-clash/stack-clash.txt.
/var/db/repos/gentoo/profiles/arch/hppa/package.use.force:sys-devel/gcc -default-stack-clash-protection
/var/db/repos/gentoo/profiles/arch/hppa/package.use.mask:sys-devel/gcc default-stack-clash-protection
/var/db/repos/gentoo/profiles/features/hardened/package.use.force:>=sys-devel/gcc-12.2 default-znow default-stack-clash-protection
/var/db/repos/gentoo/profiles/releases/23.0/package.use.force:>=sys-devel/gcc-12.2 default-znow default-stack-clash-protection <=============================================
/var/db/repos/gentoo/metadata/md5-cache/dev-lang/gnat-gpl-2021-r5:IUSE=+ada +bootstrap test vanilla +nls debug +cxx +fortran doc hardened multilib objc pgo objc-gc libssp objc++ +openmp fixed-point go +sanitize graphite ada vtv jit +pie +ssp pch systemtap d lto cet zstd default-znow default-stack-clash-protection modula2 rust
/var/db/repos/gentoo/metadata/md5-cache/sys-devel/gcc-14.0.1_pre20240430:IUSE=test vanilla +nls debug +cxx +fortran doc hardened multilib objc pgo objc-gc libssp objc++ openmp fixed-point go +sanitize graphite ada vtv jit +pie +ssp pch systemtap d lto cet zstd valgrind custom-cflags ieee-long-double default-znow default-stack-clash-protection modula2 rust
/var/db/repos/gentoo/metadata/md5-cache/sys-devel/gcc-13.3.9999:IUSE=test vanilla +nls debug +cxx +fortran doc hardened multilib objc pgo objc-gc libssp objc++ openmp fixed-point go +sanitize graphite ada vtv jit +pie +ssp pch systemtap d lto cet zstd valgrind custom-cflags ieee-long-double default-znow default-stack-clash-protection modula2
/var/db/repos/gentoo/metadata/md5-cache/sys-devel/gcc-12.4.9999:IUSE=test vanilla +nls debug +cxx +fortran doc hardened multilib objc pgo objc-gc libssp objc++ +openmp fixed-point go +sanitize graphite ada vtv jit +pie +ssp pch systemtap d lto cet zstd valgrind custom-cflags ieee-long-double default-znow default-stack-clash-protection
/var/db/repos/gentoo/metadata/md5-cache/sys-devel/gcc-13.2.1_p20240426:IUSE=test vanilla +nls debug +cxx +fortran doc hardened multilib objc pgo objc-gc libssp objc++ openmp fixed-point go +sanitize graphite ada vtv jit +pie +ssp pch systemtap d lto cet zstd valgrind custom-cflags ieee-long-double default-znow default-stack-clash-protection modula2
/var/db/repos/gentoo/metadata/md5-cache/sys-devel/gcc-13.2.1_p20240210:IUSE=test vanilla +nls debug +cxx +fortran doc hardened multilib objc pgo objc-gc libssp objc++ openmp fixed-point go +sanitize graphite ada vtv jit +pie +ssp pch systemtap d lto cet zstd valgrind custom-cflags ieee-long-double default-znow default-stack-clash-protection modula2
/var/db/repos/gentoo/metadata/md5-cache/sys-devel/gcc-14.0.9999:IUSE=test vanilla +nls debug +cxx +fortran doc hardened multilib objc pgo objc-gc libssp objc++ openmp fixed-point go +sanitize graphite ada vtv jit +pie +ssp pch systemtap d lto cet zstd valgrind custom-cflags ieee-long-double default-znow default-stack-clash-protection modula2 rust
/var/db/repos/gentoo/metadata/md5-cache/sys-devel/gcc-13.2.1_p20240503:IUSE=test vanilla +nls debug +cxx +fortran doc hardened multilib objc pgo objc-gc libssp objc++ openmp fixed-point go +sanitize graphite ada vtv jit +pie +ssp pch systemtap d lto cet zstd valgrind custom-cflags ieee-long-double default-znow default-stack-clash-protection modula2
/var/db/repos/gentoo/metadata/md5-cache/sys-devel/gcc-12.3.1_p20240209:IUSE=test vanilla +nls debug +cxx +fortran doc hardened multilib objc pgo objc-gc libssp objc++ +openmp fixed-point go +sanitize graphite ada vtv jit +pie +ssp pch systemtap d lto cet zstd valgrind custom-cflags ieee-long-double default-znow default-stack-clash-protection
/var/db/repos/gentoo/metadata/md5-cache/sys-devel/gcc-12.3.1_p20240502:IUSE=test vanilla +nls debug +cxx +fortran doc hardened multilib objc pgo objc-gc libssp objc++ +openmp fixed-point go +sanitize graphite ada vtv jit +pie +ssp pch systemtap d lto cet zstd valgrind custom-cflags ieee-long-double default-znow default-stack-clash-protection
/var/db/repos/gentoo/metadata/md5-cache/sys-devel/gcc-15.0.0_pre20240428:IUSE=test vanilla +nls debug +cxx +fortran doc hardened multilib objc pgo objc-gc libssp objc++ openmp fixed-point go +sanitize graphite ada vtv jit +pie +ssp pch systemtap d lto cet zstd valgrind custom-cflags ieee-long-double default-znow default-stack-clash-protection modula2 rust
/var/db/repos/gentoo/metadata/md5-cache/sys-devel/gcc-14.0.1_pre20240503:IUSE=test vanilla +nls debug +cxx +fortran doc hardened multilib objc pgo objc-gc libssp objc++ openmp fixed-point go +sanitize graphite ada vtv jit +pie +ssp pch systemtap d lto cet zstd valgrind custom-cflags ieee-long-double default-znow default-stack-clash-protection modula2 rust
/var/db/repos/gentoo/metadata/md5-cache/sys-devel/gcc-15.0.9999:IUSE=test vanilla +nls debug +cxx +fortran doc hardened multilib objc pgo objc-gc libssp objc++ openmp fixed-point go +sanitize graphite ada vtv jit +pie +ssp pch systemtap d lto cet zstd valgrind custom-cflags ieee-long-double default-znow default-stack-clash-protection modula2 rust
/var/db/repos/gentoo/sys-devel/gcc/metadata.xml: <flag name="default-stack-clash-protection"> |
I'd rather decide by myself instead of someone else's secret agenda.
Thks 4 ur attention, interest & support.
_________________
USE="-* ..." in /etc/portage/make.conf here, i.e. a countermeasure to portage implicit braces, belt & diaper paradigm
LT: "I've been doing a passable imitation of the Fontana di Trevi, except my medium is mucus. Sooo much mucus. " |
|
| Back to top |
|
|
Hu
Administrator
Joined: 06 Mar 2007
Posts: 21752
|
| Posted: Sun May 05, 2024 3:02 am Post subject: |
|
|
This is not secret. It's right there in the Portage output, and its behavior is documented in the package metadata. There was a Wiki page about the change, and the news item for profile 23.0 pointed people to the Wiki page. What more needs to be done to make this known?
Your output shows the flags as not forced on your system. Is that because you are on a pre-23.0 profile or because you reversed the force locally? |
|
| Back to top |
|
|
sam_
Developer
Joined: 14 Aug 2020
Posts: 1693
|
| Posted: Wed May 15, 2024 2:14 pm Post subject: |
|
|
Unfortunately, apologies and clarification are rarely forthcoming from OP. Unlimited slander.
I should add that not only are these flags not specified in package.use.force, if they were, they wouldn't show up as +x in IUSE...
I would be much happier to answer these questions if you just asked where a default is being set, rather than suggesting anything nefarious. Especially given the change was very much publicised and the "agenda" is also obvious - to make users safer. |
|
| Back to top |
|
|
asturm
Developer
Joined: 05 Apr 2007
Posts: 8938
|
| Posted: Wed May 15, 2024 5:30 pm Post subject: |
|
|
| What a waste of time even opening this thread... |
|
| Back to top |
|
|
Zucca
Moderator
Joined: 14 Jun 2007
Posts: 3373
Location: Rasi, Finland
|
| Posted: Wed May 15, 2024 7:38 pm Post subject: |
|
|
@asturm: You reply seems to have only the purpose of provoking OP.
Let's be civil.
_________________
..: Zucca :..
Gentoo IRC channels reside on Libera.Chat.
--
| Quote: | | I am NaN! I am a man! |
|
|
| Back to top |
|
|
asturm
Developer
Joined: 05 Apr 2007
Posts: 8938
|
| Posted: Wed May 15, 2024 8:10 pm Post subject: |
|
|
| Look at their posting history and say that again. |
|
| Back to top |
|
|
Zucca
Moderator
Joined: 14 Jun 2007
Posts: 3373
Location: Rasi, Finland
|
| Posted: Wed May 15, 2024 8:50 pm Post subject: |
|
|
| asturm wrote: | | Look at their posting history and say that again. |
Yes, I'm aware of that. And Sam is on point.
I refrain commenting any more in hope not to derail this topic.
_________________
..: Zucca :..
Gentoo IRC channels reside on Libera.Chat.
--
| Quote: | | I am NaN! I am a man! |
|
|
| Back to top |
|
|
Hu
Administrator
Joined: 06 Mar 2007
Posts: 21752
|
| Posted: Wed May 15, 2024 8:54 pm Post subject: |
|
|
In the hope of diverting this thread to a more productive path, I have a question about sam_'s comment: | sam_ wrote: | | I should add that not only are these flags not specified in package.use.force, if they were, they wouldn't show up as +x in IUSE... |
As I read git grep default-stack-clash-protect in the Gentoo repository, these are in package.use.force (albeit only in some profiles, not in the base profile), and are not default-enabled via IUSE: | Code: | eclass/toolchain.eclass:318: tc_version_is_at_least 12.2.1_p20221203 ${PV} && IUSE+=" default-stack-clash-protection"
profiles/features/hardened/package.use.force:6:>=sys-devel/gcc-12.2 default-znow default-stack-clash-protection
profiles/releases/23.0/package.use.force:4:>=sys-devel/gcc-12.2 default-znow default-stack-clash-protection |
As a longtime user of hardened, these flags have been force-enabled for me since their introduction there in 2022, and I have no objection to that. However, I am puzzled by sam_'s post, since I interpret that post to disagree with what I see in gentoo.git. Am I missing something? |
|
| Back to top |
|
|
sam_
Developer
Joined: 14 Aug 2020
Posts: 1693
|
| Posted: Wed May 15, 2024 9:23 pm Post subject: |
|
|
No, you're right, I didn't put them there and I assumed they were in package.use instead.
I don't think it's wrong for them to be, but I also don't think they need to be either. It's different from PIE where you get this weird "semi-ABI" issue with static libraries w/ PIC - I suspect it was done because PIE used to be in there.
(That said, I still don't think there's anything wrong with it, of course - just that as a matter of sort of philosophy, I think stuff should generally only be in force if the negation of it breaks stuff.) |
|
| Back to top |
|
|
Hu
Administrator
Joined: 06 Mar 2007
Posts: 21752
|
| Posted: Wed May 15, 2024 9:37 pm Post subject: |
|
|
| I see. That makes sense. |
|
| Back to top |
|
|
|
Other Things Gentoo
