Port-powerpc archive
RFC: enable PAX aslr/mprotected and MKPIE=yes for ppc
As Greg pointed out we should take a more global view, so I added a bit more
data and did more testing...
I noticed we do not have PAX enabled in GENERIC, so I added these two lines
to my kernel config:
options PAX_MPROTECT=1 # PaX mprotect(2) restrictions
options PAX_ASLR=1 # PaX Address Space Layout Randomization
The resulting kernel works and "sysctl security.pax" confirms that aslr and
mprotect are enabled.
To make aslr more efficient we need to have relocatable binaries, so I also
enabled MKPIE=yes. This causes the binaries to grow slightly. I compared
totals (size -t) over all binaries in /bin:
   text    data     bss      dec     hex
1380714   40580  197387  1618681  18b2f9  /bin/* current
1551487   84968  188399  1824854  1bd856  /bin/* pic
+12.7%
Overall the size of the sets does not grow that much, and strangely the
debug set shrinks seriously (I am not quite sure why). This comparison
is slightly unfair, I used my locally built sets and the latest build
from the releng auto builds and extracted the uncompressed tar size. My
local builds are NOT reproducible (build.sh -P), so there is some minor
variation in stored paths (the releng sets are reproducible), but it
certainly does not explain this huge debug difference.
I left out all unchanged sets (etc, fonts, ...). First results are:
size of              PIC      current  difference %
base.tgz:      244561920    231342080          5.71
comp.tgz:      481413120    459796480          4.70
debug.tgz:     418058240    566272000        -26.17
games.tgz:       9072640      8704000          4.24
misc.tgz:       15165440     15165440          0.00
rescue.tgz:      9994240      9564160          4.50
tests.tgz:      85032960     78100480          8.88
text.tgz:       12328960     11417600          7.98
xbase.tgz:      31959040     30935040          3.31
xcomp.tgz:      53063680     52090880          1.87
xdebug.tgz:     81643520     81582080          0.08
xserver.tgz:    28928000     27904000          3.67
total:        1471221760   1572874240         -6.46
So for my own machines (where I always install debug sets) this is a net
win. Leaving out the debug sets this becomes:
size of              PIC      current  difference %
base.tgz:      244561920    231342080          5.71
comp.tgz:      481413120    459796480          4.70
games.tgz:       9072640      8704000          4.24
misc.tgz:       15165440     15165440          0.00
rescue.tgz:      9994240      9564160          4.50
tests.tgz:      85032960     78100480          8.88
text.tgz:       12328960     11417600          7.98
xbase.tgz:      31959040     30935040          3.31
xcomp.tgz:      53063680     52090880          1.87
xserver.tgz:    28928000     27904000          3.67
total:         971520000    925020160          5.03
(all sizes in bytes and uncompressed, basically what the .tgz would extract
to as a .tar)
Not too bad overall IMHO.
I did a full atf test run with the PIE-updated system and there were no
regressions (https://www.netbsd.org/~martin/macppc-atf/). Besides
spurious differences one (most likely slightly broken) test program did not
fail for the PIE version, so fewer failures overall in this run.
I propose to:
a) add aslr and mprotect options to the macppc GENERIC (and maybe other
ppc kernels), see above for the exact config lines.
b) enable MKPIE=yes by default for all ppc architectures
And do all this soonish (like in a week or so) before we branch for netbsd-11.
Martin