authorMarcin Wojtas <mw@FreeBSD.org>2021-01-22 12:13:03 +0000
committerMarcin Wojtas <mw@FreeBSD.org>2021-02-24 23:26:11 +0000
commit9a227a2fd642ec057a0ec70d67d5699d65553294 (patch)
tree75a2faa11f6b60ebd43366f5f75d5d256bc379be
parent3aa023643e9db78f4da314ff9bfb1643533c004f (diff)
Enable PIE by default on 64-bit architectures
This patch adds Position Independent Executable (PIE) flags for building the OS. It allows the ASLR feature to be enabled using only the sysctl knobs, without the need to rebuild the image. Tests showed no stability problems or performance degradation when using PIEs with ASLR disabled. The change is limited to 64-bit architectures. Use bsd.opts.mk instead of src.opts.mk in order to satisfy all build dependencies related to MK_PIE. Reviewed by: emaste, imp Obtained from: Semihalf Sponsored by: Stormshield Differential Revision: https://reviews.freebsd.org/D28328
-rw-r--r--share/mk/bsd.opts.mk16
1 files changed, 15 insertions, 1 deletions
diff --git a/share/mk/bsd.opts.mk b/share/mk/bsd.opts.mk
index 88c73cc6bfe4..9f9889d0a0f0 100644
--- a/share/mk/bsd.opts.mk
+++ b/share/mk/bsd.opts.mk
@@ -75,7 +75,6 @@ __DEFAULT_NO_OPTIONS = \
INIT_ALL_PATTERN \
INIT_ALL_ZERO \
INSTALL_AS_USER \
- PIE \
RETPOLINE \
STALE_STAGED
@@ -85,6 +84,21 @@ __DEFAULT_DEPENDENT_OPTIONS = \
STAGING_PROG/STAGING \
STALE_STAGED/STAGING \
+#
+# Default to disabling PIE on 32-bit architectures. The small address space
+# means that ASLR is of limited effectiveness, and it may cause issues with
+# some memory-hungry workloads.
+#
+.if ${MACHINE_ARCH} == "armv6" || ${MACHINE_ARCH} == "armv7" \
+ || ${MACHINE_ARCH} == "i386" || ${MACHINE_ARCH} == "mips" \
+ || ${MACHINE_ARCH} == "mipsel" || ${MACHINE_ARCH} == "mipselhf" \
+ || ${MACHINE_ARCH} == "mipshf" || ${MACHINE_ARCH} == "mipsn32" \
+ || ${MACHINE_ARCH} == "mipsn32el" || ${MACHINE_ARCH} == "powerpc" \
+ || ${MACHINE_ARCH} == "powerpcspe"
+__DEFAULT_NO_OPTIONS+= PIE
+.else
+__DEFAULT_YES_OPTIONS+=PIE
+.endif
.include <bsd.mkopt.mk>
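Review bot: The added `.if` tests a hand-maintained list of 32-bit `MACHINE_ARCH` values, so any 32-bit target missing from that list falls into the `.else` branch and gets PIE by default, which is not what the comment above it promises. I would state that in the comment, for example `# Any MACHINE_ARCH not listed below defaults to PIE; extend the list when adding a 32-bit target.` The comment also justifies the default purely through ASLR, while this option only changes how binaries are built; going by the commit description, randomisation is still governed by the sysctl knobs, so a line such as `# PIE only makes executables relocatable; ASLR itself remains under sysctl control.` would stop readers from assuming the build default alone turns it on. The two assignments are also spaced differently (`+= PIE` versus `+=PIE`) and should use one form.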