InBetweenNames / gentooLTO

A Gentoo Portage configuration for building with -O3, Graphite, and LTO optimizations
GNU General Public License v2.0
570 stars, 96 forks

Disable PIE and SSP? #261

Status: Open. OpenSourceAnarchist opened this issue 5 years ago

OpenSourceAnarchist commented 5 years ago

This is a question and not specifically related to this overlay, but I saw in the readme that @InBetweenNames disables PIE and SSP on their system.

I was wondering why this is (I have heard of performance penalties with SSP but not PIE), and how I could disable building packages with these features.

The last time I tried to convert my gentoo install over to non-pie and non-ssp, I pretty much borked it and ended up installing Arch.

Thanks for any info!

Bfgeshka commented 5 years ago

The best idea would be aiming for a non-PIE system from the start. Changing it post factum makes your system way too fragile, even if it happens to look successful.

Here's an example of benchmarking PIE: http://nebelwelt.net/publications/files/12TRpie.pdf

In my opinion, the Gentoo team is cranking default hardening up to way too inadequate levels.

OpenSourceAnarchist commented 5 years ago

Thank you for the example, I did not believe PIE caused any performance penalties!

When you say to make it non-PIE from the start, I agree. How do I make sure gcc has SSP and PIE disabled before installing? I'm pretty sure changing CFLAGS in makepkg.conf is not enough. And if it is, what CFLAGS do I use?

ionenwks commented 5 years ago

If you want to get rid of default PIE on gcc, on Gentoo you'll have to modify the profile files: the pie flag is forced and even a normal -pie won't work. But if you add sys-devel/gcc -pie to /etc/portage/profile/package.use.force, it should do the trick (Edit: this doesn't disable it but rather allows you to, so add -pie to package.use or something too).

There are a few packages that enable it anyway (don't use -fno-PIE, because it also implies -fno-PIC, which is a problem with libraries), so if you really want a 100% non-PIE system you will have to patch a few things. There are also a handful that may fail without default PIE, a side effect of many distributions enabling it by default: in cases where -fPIC needs to be used it just gets forgotten because it's redundant with PIE.

As for SSP, Gentoo recently added a -ssp USE flag to disable it on glibc 2.29, which is handy. Disable it on gcc as well and "most" packages won't be using it. No harm in using -fno-stack-protector. Some packages still need some hoops, like explicitly passing --disable-hardened on firefox (which now makes this the default and passes the flag after yours).

On a related note, Gentoo has a gcc patch which forces -D_FORTIFY_SOURCE=2 on every single package; while not big, it's still extra overhead (I disabled that patch with a reverse user patch).

Update: this is an old post and I generally don't recommend doing this; I don't do it anywhere either.

Kokokokoka commented 5 years ago

Can you share your patches for D_FORTIFY_SOURCE and the edited profile, please?

ionenwks commented 5 years ago

Can you share your patches for D_FORTIFY_SOURCE and the edited profile, please?

Sure, it's just a reverse patch, and the profile override file is just one line as stated. But anyway (if you're not used to this, and assuming normal paths), the package.use.force goes in /etc/portage/profile/ and the patch in /etc/portage/patches/sys-devel/gcc/.

Again, this just "allows" you to use -pie on gcc, so also add it to your package.use like normal.

no-default-pie-fortify.zip

javashin commented 5 years ago

I did this on a new nomultilib install and now gcc compiles in 80 minutes, compared with 4 hours 16 minutes on my Gentoo multilib PIE+SSP system. This is great, thank you!

javashin commented 5 years ago

One question: when gcc doesn't have pie, does this mean nothing from now on is going to be compiled with PIE? And what about glibc? On Arch they enable static PIE; what about Gentoo, do they use --enable-static-pie too?

javashin commented 5 years ago

Is there any other distro that doesn't use PIE? All major distros do...

ionenwks commented 5 years ago

@javashin A few things will still use PIE/SSP/fortify, given that a few packages enable it manually even if it's not a GCC default ("usually" packages with bigger security concerns: openssh, browsers, etc.). I'd say it's not worth the trouble of tracking them down (you can check binaries with the file command to know whether they're PIE). As mentioned before, if you really want to be 100% PIE-less you may need to patch a few things or set extra flags for configure scripts (again, using -fno-PIE would break building shared libraries since it implies -fno-PIC, so use that with caution).

As far as I can see static-pie isn't used on Gentoo in any situation, or at least not right now. No reason to enable it if you're not going to use the feature.

That time difference on gcc is odd though; did you change anything else, like removing PGO? (Using it doubles build time, but it's a good thing to use it to speed up building everything else.)

And no idea about distros; can't say I check many (I "think" Clear Linux isn't, but is planning to enable it later). Again, the gains from not using PIE shouldn't be "that" big, because shared libraries still (and generally have to) use position independent code (Edit: and of course also because it doesn't have a big impact in the first place either; the choice to make it default isn't so strange). But when using many security features at the same time, it does start to add up.
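After the profile/package.use changes described in the earlier comments, a practitioner will want to see which binaries still ended up PIE, stack-protected or fortified, rather than trust the build flags. The script below is an added example for this thread (not code from the issue or from gentooLTO): it classifies ELF files the same way `file` does, by reading the raw header, and uses readelf from binutils only for the symbol check. Paths and the script name are assumptions.

```shell
#!/bin/sh
# Audit helper (added for this thread, not from the issue or gentooLTO): classify an ELF
# file as `file` does (ET_EXEC = non-PIE exe, ET_DYN + PT_INTERP = PIE exe, ET_DYN alone =
# shared object) from the raw header via POSIX od, then look for the symbols that SSP
# (__stack_chk_fail) and FORTIFY_SOURCE (__*_chk) leave behind. Little-endian ELF only.
# Little-endian unsigned integer made of $3 bytes at byte offset $2 of file $1.
le_uint() {
    val=0; shift_n=0
    for b in $(od -An -tu1 -j"$2" -N"$3" "$1"); do
        val=$(( val + (b << shift_n) )); shift_n=$(( shift_n + 8 ))
    done
    echo "$val"
}

elf_kind() {
    f=$1
    set -- $(od -An -tu1 -N6 "$f")              # magic, EI_CLASS, EI_DATA
    [ "$1.$2.$3.$4" = "127.69.76.70" ] || { echo "not an ELF file"; return 1; }
    [ "$6" = 1 ] || { echo "big-endian ELF not handled"; return 1; }
    if [ "$5" = 1 ]; then                       # ELF32 header offsets
        phoff=$(le_uint "$f" 28 4); phentsize=$(le_uint "$f" 42 2); phnum=$(le_uint "$f" 44 2)
    else                                        # ELF64 header offsets
        phoff=$(le_uint "$f" 32 8); phentsize=$(le_uint "$f" 54 2); phnum=$(le_uint "$f" 56 2)
    fi
    case $(le_uint "$f" 16 2) in                # e_type
        2) echo "executable (non-PIE)"; return 0 ;;
        3) ;;
        *) echo "neither executable nor shared object"; return 0 ;;
    esac
    i=0
    while [ "$i" -lt "$phnum" ]; do             # any PT_INTERP (type 3) program header?
        [ "$(le_uint "$f" $((phoff + i * phentsize)) 4)" = 3 ] && { echo "PIE executable"; return 0; }
        i=$((i + 1))
    done
    echo "shared object"                        # a static-pie has no PT_INTERP and lands here too
}

# Does a dynamically linked binary import the SSP canary check or fortified glibc calls?
hardening_imports() {
    command -v readelf >/dev/null 2>&1 || { echo "readelf not available"; return 1; }
    syms=$(readelf -W --dyn-syms "$1" 2>/dev/null | awk '{ print $NF }')
    ssp=no; fortify=no
    printf '%s\n' "$syms" | grep -q '^__stack_chk_fail' && ssp=yes
    printf '%s\n' "$syms" | grep -Eq '^__[a-z0-9_]+_chk(@|$)' && fortify=yes
    echo "ssp=$ssp fortify=$fortify"
}
for f in "$@"; do                               # e.g. sh elf-hardening-check.sh /usr/bin/*
    printf '%s: %s; %s\n' "$f" "$(elf_kind "$f")" "$(hardening_imports "$f")"
done
```

Binaries built with --enable-static-pie carry no PT_INTERP, so this header-only check reports them as shared objects; newer versions of `file` tell them apart via the DT_FLAGS_1 PIE flag.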

javashin commented 5 years ago

@ionenwks thanks for the reply. I see; no, I do not compile gcc without PGO, I always compile it with PGO. Maybe I'm setting something wrong on my Gentoo multilib PIE+SSP system, like my CFLAGS. Look, these are the flags used on my multilib system for gcc; the last build took 4 hours and 16 minutes:

sys-devel/gcc-8.3.0-r1::gentoo was built with the following: USE="cxx fortran graphite (multilib) nls nptl openmp pch pgo (pie) sanitize ssp vtv (-altivec) -debug -doc (-fixed-point) -go (-hardened) (-jit) (-libssp) -mpx -objc -objc++ -objc-gc -systemtap -test -vanilla" ABI_X86="(64)" CFLAGS="-march=native -mfpmath=both -funroll-loops -floop-block -floop-interchange -floop-strip-mine -falign-functions=32 -O3 -fgraphite-identity -floop-nest-optimize -fno-semantic-interposition -fuse-linker-plugin -pipe -Wl,-O2 -Wl,--as-needed -Wl,--hash-style=gnu" CXXFLAGS="-march=native -mfpmath=both -funroll-loops -floop-block -floop-interchange -floop-strip-mine -falign-functions=32 -O3 -fgraphite-identity -floop-nest-optimize -fno-semantic-interposition -fuse-linker-plugin -pipe -Wl,-O2 -Wl,--as-needed -Wl,--hash-style=gnu"

And these are the ones I used to compile gcc on the Gentoo nomultilib system. Note this was the first build; I enabled graphite for it because the nomultilib stage3 doesn't come compiled with graphite... In 80 minutes:

sys-devel/gcc-8.3.0-r1::gentoo was built with the following: USE="cxx fortran graphite nls nptl openmp pch pgo sanitize vtv (-altivec) -debug -doc (-fixed-point) -go (-hardened) (-jit) (-libssp) -mpx (-multilib) -objc -objc++ -objc-gc (-pie) (-ssp) -systemtap -test -vanilla" ABI_X86="(64)" CFLAGS="-O3 -march=haswell -mtune=haswell -mfpmath=both -funroll-loops -falign-functions=32 -fno-semantic-interposition -fno-stack-protector -pipe -Wl,-O2 -Wl,--as-needed -Wl,--hash-style=gnu" CXXFLAGS="-O3 -march=haswell -mtune=haswell -mfpmath=both -funroll-loops -falign-functions=32 -fno-semantic-interposition -fno-stack-protector -pipe -Wl,-O2 -Wl,--as-needed -Wl,--hash-style=gnu"

javashin commented 5 years ago

ATM: now I'm compiling gcc for the second time as part of emerge -e @system with these CFLAGS on my new nomultilib install:

CFLAGS="-O3 -march=native -mfpmath=both -funroll-loops -floop-block -floop-interchange -floop-strip-mine -falign-functions=32 -fgraphite-identity -floop-nest-optimize -fno-semantic-interposition -malign-data=cacheline -mtls-dialect=gnu2 -fno-stack-protector -pipe" CXXFLAGS="-O3 -march=native -mfpmath=both -funroll-loops -floop-block -floop-interchange -floop-strip-mine -falign-functions=32 -fgraphite-identity -floop-nest-optimize -fno-semantic-interposition -malign-data=cacheline -mtls-dialect=gnu2 -fno-stack-protector -pipe"

Note that I added the graphite optimizations now; let's see how much time enabling graphite costs.

javashin commented 5 years ago

For some reason gcc failed with those flags. gcc cannot compile itself if I use these flags:

cat /etc/portage/env/gcc-no-lto
CFLAGS="-O3 -march=native -mfpmath=both -funroll-loops -floop-block -floop-interchange -floop-strip-mine -falign-functions=32 -fgraphite-identity -floop-nest-optimize -fno-semantic-interposition -malign-data=cacheline -mtls-dialect=gnu2 -fno-stack-protector -pipe"
CXXFLAGS="-O3 -march=native -mfpmath=both -funroll-loops -floop-block -floop-interchange -floop-strip-mine -falign-functions=32 -fgraphite-identity -floop-nest-optimize -fno-semantic-interposition -malign-data=cacheline -mtls-dialect=gnu2 -fno-stack-protector -pipe"
CPPFLAGS="-O3 -march=native -mfpmath=both -funroll-loops -floop-block -floop-interchange -floop-strip-mine -falign-functions=32 -fgraphite-identity -floop-nest-optimize -fno-semantic-interposition -malign-data=cacheline -mtls-dialect=gnu2 -fno-stack-protector -pipe"
FFLAGS="-O3 -march=native -mfpmath=both -funroll-loops -floop-block -floop-interchange -floop-strip-mine -falign-functions=32 -fgraphite-identity -floop-nest-optimize -fno-semantic-interposition -malign-data=cacheline -mtls-dialect=gnu2 -fno-stack-protector -pipe"
FCFLAGS="-O3 -march=native -mfpmath=both -funroll-loops -floop-block -floop-interchange -floop-strip-mine -falign-functions=32 -fgraphite-identity -floop-nest-optimize -fno-semantic-interposition -malign-data=cacheline -mtls-dialect=gnu2 -fno-stack-protector -pipe"
F77FLAGS="-O3 -march=native -mfpmath=both -funroll-loops -floop-block -floop-interchange -floop-strip-mine -falign-functions=32 -fgraphite-identity -floop-nest-optimize -fno-semantic-interposition -malign-data=cacheline -mtls-dialect=gnu2 -fno-stack-protector -pipe"
LDFLAGS="-Wl,-O2 -Wl,--as-needed -Wl,--hash-style=gnu"

checking for C compiler default output file name... configure: error: in `/var/tmp/portage/sys-devel/gcc-8.3.0-r1/work/build/lto-plugin':
configure: error: C compiler cannot create executables
See `config.log' for more details.
make[2]: *** [Makefile:13218: configure-stageprofile-lto-plugin] Error 77
make[2]: Leaving directory '/var/tmp/portage/sys-devel/gcc-8.3.0-r1/work/build'
make[1]: *** [Makefile:23737: stageprofile-bubble] Error 2
make[1]: Leaving directory '/var/tmp/portage/sys-devel/gcc-8.3.0-r1/work/build'
make: *** [Makefile:23991: profiledbootstrap] Error 2

I'm removing -malign-data=cacheline -mtls-dialect=gnu2 to test.

javashin commented 5 years ago

Good read:
https://flameeyes.blog/2008/12/07/again-pic-and-executables-this-time/
https://flameeyes.blog/2009/11/02/the-pie-is-not-exactly-a-lie/

javashin commented 5 years ago

Removing -malign-data=cacheline -mtls-dialect=gnu2 works :)

javashin commented 5 years ago

1 hour 26 minutes with -j2 and graphite CFLAGS for the gcc compilation.

javashin commented 5 years ago

Well, after using this, audacious-plugins refuses to install because for some reason -fPIC was not passed, and I had to emerge it with: LDFLAGS=-fPIC emerge -av1 media-plugins/audacious-plugins

javashin commented 5 years ago

Spotify doesn't work.

ionenwks commented 5 years ago

Yeah, this is what I meant in an earlier post: since so many distributions are making PIE the default now, many stopped specifying -fPIC when they should, and there are possibly other issues when it comes to asm code. I haven't tracked every package that needs attention myself. And since it's an enforced profile default on Gentoo, it won't even be recognized as bugs that need fixing.

Not having default PIE may become more and more of an annoyance over time.

javashin commented 5 years ago

This new system is slower than the other one I have with PIE+SSP. For me it's a placebo effect; I don't really see a huge performance boost at all, for real.

javashin commented 5 years ago

All the apps take longer to start and the MATE desktop takes ages to start from LightDM. I can't say it is faster, but I'm sure it is slower. No real benefit.

javashin commented 5 years ago

Does prelink make any sense now, with PIE as default?

I prelinked my no-PIE system and it is still working. I tried to prelink Arch Linux and ended up borking it. So prelink is working on Gentoo no-PIE.

javashin commented 5 years ago

Time to do another try!!!!!!!! With no PIE, no SSP.

nivedita76 commented 5 years ago

@ionenwks

Edit: About PIE, it may be worth noting that given so many things are driven by shared libraries, position independent code is still what will be primarily used either way. Which I believe is what drives the decision to leave it default. There should still be gains to get, though, but I'm no expert on the subject.

Also, the overhead is much less on 64-bit compared to 32-bit systems.

javashin commented 5 years ago

Anything else to do to disable PIE and SSP after this? Open issue? This is good information for anyone who wants to disable PIE and SSP.

javashin commented 5 years ago

Hello, I'm back over here since this is an issue about no-PIE etc...

I found out that my kernel is compiled with:

CONFIG_FORTIFY_SOURCE=y
CONFIG_HARDENED_USERCOPY_FALLBACK=y
CONFIG_HARDENED_USERCOPY=y
CONFIG_STACKPROTECTOR_STRONG=y
CONFIG_STACKPROTECTOR=y
CONFIG_PAGE_TABLE_ISOLATION=y
CONFIG_RETPOLINE=y

A lot of mitigations. What else do I need to disable in the kernel to not have mitigations of any kind in my system?

Kokokokoka commented 5 years ago

There is a mitigations=off option now.

barolo commented 5 years ago

@Kokokokoka *from kernel ver. 5.2 onward

Kokokokoka commented 5 years ago

@barolo Sorry, but you're wrong (and I'm assuming that you cite Phoronix). As far as I know this patch was ported to LTS kernels and to 5.1; 5.1.14 has this patch, as in /usr/src/linux-5.1.14-gentoo/Documentation/admin-guide/kernel-parameters.txt there is a mitigations=off line.

barolo commented 5 years ago

@Kokokokoka Thank you for letting me know then, I should've checked the patches

InBetweenNames commented 5 years ago

Thank you for the heads up!

javashin commented 5 years ago

I've been using mitigations=off for a long time now, but I want my kernel free of pests too.

[ 0.000000] Linux version 5.1.16-zen1 (root@igloo-l440) (gcc version 9.1.0 (Gentoo 9.1.0-r1 p1.1)) #3 ZEN SMP PREEMPT Thu Jul 4 03:22:03 AST 2019
[ 0.000000] Command line: BOOT_IMAGE=/GENTOO/boot/vmlinuz-5.1.16-zen1 root=UUID=d4204da5-2f6c-4377-802b-9617e3607d0b resume=UUID=88fb0f40-003e-4d36-a7cf-4d68126afd05 rw dobtrfs rootflags=rw,noatime,compress-force=zstd,autodefrag,space_cache=v2,subvolid=257,subvol=/GENTOO rootfstype=btrfs psmouse.synaptics_intertouch=0 scsi_mod.use_blk_mq=0 libahci.ignore_sss=1 mitigations=off net.ifnames=0 ipv6.disable=1 audit=0 loglevel=2 zswap.enabled=1 zswap.compressor=lz4 zswap.max_pool_percent=20 zswap.zpool=z3fold zram.num_devices=4 zram_num.devices=4 i915.fastboot=1 init=/lib/systemd/systemd

javashin commented 5 years ago

I have the kernel with mitigations=off and compiled without any of these options:

CONFIG_FORTIFY_SOURCE=y
CONFIG_HARDENED_USERCOPY_FALLBACK=y
CONFIG_HARDENED_USERCOPY=y
CONFIG_STACKPROTECTOR_STRONG=y
CONFIG_STACKPROTECTOR=y
CONFIG_PAGE_TABLE_ISOLATION=y
CONFIG_RETPOLINE=y

https://gist.github.com/javashin/528b8713d20fcd436b8d9bc643a90457

And spectre-meltdown-checker still shows some mitigations on.

elsandosgrande commented 5 years ago

Also, the overhead is much less on 64-bit compared to 32-bit systems.

Yeah, that paper was talking about Ubuntu 11.10, so I would say that it might be somewhat out of date. Sure, PIE still probably does incur a performance penalty, but considering that the paper talks about registers being the bottleneck, I would say that it is not worth the effort to modify things if you are running Gentoo on a 64-bit processor.

Also, @javashin , what sorcery did you use to trim 4+ hours down to less than one and a half?

javashin commented 5 years ago

4+ hours on multilib gcc, compiled twice (32-bit + 64-bit), and less than 1 and a half hours on no-multilib, compiled once (64-bit only).

InBetweenNames commented 5 years ago

@elsandosgrande the paper is still relevant as the x86-64 ABI hasn't changed really. The difference in performance is likely within a percent or two when comparing PIE-on and PIE-off. However, for those of us who prelink, having PIE offers no benefit in the first place (full ASLR is disabled or performed weekly with prelink -ar), so there's no reason for us to pay the cost.

javashin commented 5 years ago

Don't eat pie.

elsandosgrande commented 5 years ago

@InBetweenNames Good point. I do not use Prelink, so I had no idea about that, sorry.

@javashin Try doing that last test, but with multilib. My guess would be that multilib (a requirement of Steam) makes up most of the compilation time in that test, though I do not understand what you compiled in the first place (pardon my ignorance if it is mentioned somewhere above, but I only gave half of the comments anything more than a cursory glance).