Gentoo Forums
Gentoo Forums
Gentoo Forums
Quick Search: in
RELRO and bindnow support [SOLVED]
View unanswered posts
View posts from last 24 hours

 
Reply to topic    Gentoo Forums Forum Index Networking & Security
View previous topic :: View next topic  
Author Message
Tom_
Guru
Guru


Joined: 20 May 2004
Posts: 384
Location: France

PostPosted: Fri Nov 10, 2017 10:12 am    Post subject: RELRO and bindnow support [SOLVED] Reply with quote

Hello,

I've looking for information on relro and bindnow mecanisms.

As i use a ~amd64 toolchain with the hardened useflag, I ran sudo /usr/bin/checksec --proc-all to get an overview of the procs running on my system. See the results : https://paste.pound-python.org/show/Qxghpyou8bK9wC5t7lET/

It seems that I have a partial RELRO support by default and a full RELRO support for a few others (Chromium, Firefox ...).

How are RELRO and bindnow enabled on my system? Is it a default setting?

I read this link (https://wiki.gentoo.org/wiki/Hardened/Toolchain#RELRO) but as i don't have an hardened profile, i don't know if it applies here.

For firefox, I noticed that the full relro support is enabled thanks to the hardened flags :
Code:
# Add full relro support for hardened
    if use hardened; then
        append-ldflags "-Wl,-z,relro,-z,now"
        mozconfig_use_enable hardened hardening
    fi


By the way, do you have systems with full relro support ? Have you noticed anything particular?

Thank you


Last edited by Tom_ on Wed Nov 15, 2017 4:19 pm; edited 1 time in total
Back to top
View user's profile Send private message
Tom_
Guru
Guru


Joined: 20 May 2004
Posts: 384
Location: France

PostPosted: Sat Nov 11, 2017 10:50 am    Post subject: Reply with quote

Actually partial relro has been enabled in gentoo for quite a while! It is done through Binutils!
Reference : https://sourceware.org/ml/binutils/2015-09/msg00295.html
Back to top
View user's profile Send private message
mv
Watchman
Watchman


Joined: 20 Apr 2005
Posts: 6276

PostPosted: Sat Nov 11, 2017 11:11 am    Post subject: Reply with quote

I am using -relro and -now since ages. The only package which does not like the latter is xorg: xorg-server, mesa, x11-drivers/xf86-* need exceptions for -now.
(Maybe this is is fixed meanwhile in xorg; I haven't checked since ages... but I am afraid that this won't be fixed ever. It is one of the arguments why wayland should be used.)
Back to top
View user's profile Send private message
Tom_
Guru
Guru


Joined: 20 May 2004
Posts: 384
Location: France

PostPosted: Sat Nov 11, 2017 4:00 pm    Post subject: Reply with quote

Thank you for your reply.

You are right. -now seems to filtered in xorg but also Apache:
Code:
thomas@gentoo ~ % grep 'z,now' /usr/portage/eclass/*.eclass
/usr/portage/eclass/apache-2.eclass:    # 03_all_gentoo-apache-tools.patch injects -Wl,-z,now, which is not a good
/usr/portage/eclass/apache-2.eclass:                    sed -i -e 's/-Wl,-z,now/-Wl,-bind_at_load/g' \
/usr/portage/eclass/apache-2.eclass:                    sed -i -e 's/-Wl,-z,now//g' \
/usr/portage/eclass/x-modular.eclass:           filter-ldflags -Wl,-z,now


Even if partial relro seems to be the default behaviour, do you have both "Wl,-z,relro,-z,now" in your ldflags ?

Have you notice any performance issue with -now ? It seemed to have an impact on application loading times but i don't know if it is still accurate today with the SSD and fast CPU.
Back to top
View user's profile Send private message
Hu
Moderator
Moderator


Joined: 06 Mar 2007
Posts: 13509

PostPosted: Sat Nov 11, 2017 5:23 pm    Post subject: Reply with quote

As I understand it, -z,now will always have at least a small impact on startup performance because it requests that work be done at startup rather than deferred until when (or if) it is needed. Applications with -z,now will always do at least as much at-startup work as -z,lazy and likely much more. This can be a detriment for applications which link in large numbers of references, but frequently manage to exit without using them. For an absurd case, consider a program that depends on all the Qt libraries, but the most common use case is running program --help, and the program exits after printing the help message, without ever using any Qt functionality. With -z,now, you still pay the price of resolving the Qt references because the loader cannot prove you won't need them. With -z,lazy, you don't, because they were never needed.

On the other hand, once the application is loaded, -z,now ensures that it has resolved its references so you need not worry that it will stall later on when it runs code that needs those references resolved. In the lazy case, it would stall (briefly - possibly even immeasurably on modern systems) at that point to resolve the references just in time for their use.

The intended benefit of -z,now is that it makes -z,relro far more effective as a security feature. Deterministic resolution times is a side effect.
Back to top
View user's profile Send private message
Ant P.
Watchman
Watchman


Joined: 18 Apr 2009
Posts: 5593

PostPosted: Sat Nov 11, 2017 7:49 pm    Post subject: Reply with quote

I've had this line in my make.conf for a few years now:
Code:
LDFLAGS="-Wl,-O1,--sort-common,--hash-style=gnu,--as-needed,-z,combreloc,-z,relro,-z,now"

99.9% of software builds and runs fine with it (with one exception), but the hardening flags cause a bit of extra disk thrashing at startup.
Back to top
View user's profile Send private message
mv
Watchman
Watchman


Joined: 20 Apr 2005
Posts: 6276

PostPosted: Sat Nov 11, 2017 8:56 pm    Post subject: Reply with quote

Tom_ wrote:
do you have both "Wl,-z,relro,-z,now" in your ldflags?

Yes. I never had any issues with relro.
Quote:
Have you notice any performance issue with -now?

No. I know that in theory startup might be slightly slower, but I never realized anything in practice even on slow machines. In fact, I am not even sure whether after loading the execution is perhaps even slightly faster with $LD_BIND_NOW (which BTW I also set in the environment), because there never has to be any checking whether symbols might still need to be resolved. However, both (startup delays and the mentioned effect) are probably only theoretical numbers which can perhaps be measured with tricky benchmarks but not observed in practice.
Quote:
with the SSD and fast CPU.

Pentium (first generation) and the first amd64 CPUs were already fast enough that I could not observe any difference. Maybe on 386, it was different; I did not use gentoo at that time.
Back to top
View user's profile Send private message
Tom_
Guru
Guru


Joined: 20 May 2004
Posts: 384
Location: France

PostPosted: Mon Nov 13, 2017 10:20 am    Post subject: Reply with quote

Thank you very much for your replies!

As partial relro is enabled by default in binutils, i suppose that this is no need to force it in /etc/portage/make.conf, isn't ? Is adding "-z,now" to my ldflags enough ?

I still haven't found how "bindnow" is enabled in hardened :(

Thomas
Back to top
View user's profile Send private message
mv
Watchman
Watchman


Joined: 20 Apr 2005
Posts: 6276

PostPosted: Wed Nov 15, 2017 6:08 am    Post subject: Reply with quote

Tom_ wrote:
Is adding "-z,now" to my ldflags enough?

I suppose so. I have it in my *FLAGS long before it was auto-enabled and never cared to remove it.
Quote:
I still haven't found how "bindnow" is enabled in hardened :(

The same way. Many of hardened patches were essentially just taken upstream (or in this case at least upstream gentoo).
Back to top
View user's profile Send private message
Tom_
Guru
Guru


Joined: 20 May 2004
Posts: 384
Location: France

PostPosted: Wed Nov 15, 2017 4:11 pm    Post subject: Reply with quote

Thank you mv ;)

I've just added bindnow to my make.conf. Full recompilation will be done later!
Back to top
View user's profile Send private message
Display posts from previous:   
Reply to topic    Gentoo Forums Forum Index Networking & Security All times are GMT
Page 1 of 1

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum