PIENotes

Differences between revisions 5 and 6
Revision 5 as of 2015-11-20 18:58:30
Size: 6883
Editor: sbeattie
Comment:
Revision 6 as of 2015-11-20 19:17:33
Size: 8025
Editor: sbeattie
Comment: finish list of build failures
Line 45: Line 45:
 * golang (both, https://github.com/golang/go/issues/13114)  * golang (both)
   *
https://github.com/golang/go/issues/13114
Line 55: Line 56:
 * hardening-wrapper ([[https://launchpad.net/~sbeattie/+archive/ubuntu/gcc-pie-amd64/+build/8317371 | amd64]], needs to know about pie by default and no-pie)  * hardening-wrapper ([[https://launchpad.net/~sbeattie/+archive/ubuntu/gcc-pie-amd64/+build/8317371 | amd64]])
   * fails in no-hardening testcase
, needs to know about pie by default and no-pie
Line 89: Line 91:
 * qtbase-opensource-src ([[https://launchpad.net/~sbeattie/+archive/ubuntu/gcc-pie-amd64/+build/8315122 | amd64]], Fails in mimetype test because it's looking for an executable type, but the pie binaries look like shared libraries)  * qtbase-opensource-src ([[https://launchpad.net/~sbeattie/+archive/ubuntu/gcc-pie-amd64/+build/8315122 | amd64]])
   * Fails in mimetype test because it's looking for an executable type
, but the pie binaries look like shared libraries
Line 91: Line 94:
 * qtsensors-opensource-src ([[https://launchpad.net/~sbeattie/+archive/ubuntu/gcc-pie-amd64/+build/8320715 | amd64]])
 * qtsvg-opensource-src (both)
 * rpm ([[https://launchpad.net/~sbeattie/+archive/ubuntu/gcc-pie-amd64/+build/8321414 | amd64]])
 * sendmail (both)
 * shadow ([[https://launchpad.net/~sbeattie/+archive/ubuntu/gcc-pie-amd64/+build/8308281 | amd64]])
 * shim ([[https://launchpad.net/~sbeattie/+archive/ubuntu/gcc-pie-amd64/+build/8312005 | amd64]])
 * sosreport (both)
 * subversion (both)
 * swedish ([[https://launchpad.net/~sbeattie/+archive/ubuntu/gcc-pie-amd64/+build/8317810 | amd64]])
 * syslinux (both)
 * systemtap ([[https://launchpad.net/~sbeattie/+archive/ubuntu/gcc-pie-amd64/+build/8321058 | amd64]])
 * telepathy-glib (i386)
 * totem (i386)
 * ubuntu-app-launch (both)
 * ubuntu-drivers-common (both)
 * unity (i386)
 * util-linux ([[https://launchpad.net/~sbeattie/+archive/ubuntu/gcc-pie-amd64/+build/8323813 | amd64]])
 * whois (both)
 * xfsprogs ([[https://launchpad.net/~sbeattie/+archive/ubuntu/gcc-pie-amd64/+build/8320607 | amd64]])

Notes about enabling PIE by default in gcc for amd64

The following are my notes about landing PIE in 16.04.

In gcc-5, two additional patches were added to enable this. The first applies the patch H.J. Lu landed in gcc trunk (https://gcc.gnu.org/viewcvs/gcc?view=revision&revision=223796), which allows gcc to be configured with -pie on by default (and adds the disabling option -no-pie). The second changes the arguments passed to the linker (ld) to enable -z now (aka Immediate Binding) when -pie is enabled on amd64.

Build Testing

A first round of build testing was done in the gcc-pie-amd64 PPA, attempting to build most of main that has architecture-specific components (i.e. build architecture 'all' or 'amd64'). The vast majority of packages built successfully.

(I also enabled the PPA in a xenial desktop VM, and basic testing showed no problems.)

I'll capture the failures I see and the solutions to them.

raw list of build failures (w/arches)

  • aalib (amd64)
  • camlp5 (amd64)
  • cdebconf-terminal (amd64)
  • checkbox (both)
  • click (both)
  • cloog-ppl (amd64)
  • cmake (amd64)
  • corosync (i386)
  • cwidget (amd64)
  • dbus-c++ (amd64)
  • ecryptfs-utils (amd64)
  • elfutils (amd64)
  • emacs24 (amd64)
  • erlang (amd64)
  • evolution (i386, dependency issue)
  • evolution-data-server (amd64)
  • fcitx-qt5 (both)
  • findlib (amd64)
  • firefox (amd64)
  • git (amd64)
  • glade (amd64)
  • gnome-control-center (i386, dependency issue on libgnome-desktop-3-dev)
  • gnome-desktop3 (amd64)
  • gnome-settings-daemon (i386)
  • gnome-vfs (amd64)
  • golang (both)
  • golang-race-detector-runtime (amd64)
  • gparted (both)
  • grantlee (both)
  • graphviz (amd64)
  • grep (i386)
  • grub2 (amd64)
  • gtk+2.0 (amd64)
  • gtkmm2.4 (amd64)
  • gtkspell (amd64)
  • hardening-wrapper (amd64)
    • fails in no-hardening testcase, needs to know about pie by default and no-pie
  • ibus (both)
  • icu (amd64)
  • indent (amd64)
  • jack-audio-connection-kit (amd64)
  • keyutils (amd64)
  • libbit-vector-perl (amd64)
  • libcmis (both)
  • libhybris (amd64)
  • liblangtag (amd64)
  • libmnl (amd64)
  • libprelude (both)
  • libreoffice (both)
  • librevenge (amd64)
  • libunwind (amd64)
  • libvigraimpex (both)
  • libxdmcp (both)
  • libxfont (both)
  • libxi (both)
  • libxml-libxml-perl (amd64)
  • lxd (amd64)
  • mir (i386)
  • mono (amd64)
  • nautilus (i386)
  • netcfg (amd64)
  • nmap (amd64)
  • openipmi (amd64)
  • oxide-qt (i386)
  • p11-kit (amd64)
  • phonon-backend-gstreamer (both)
  • pidgin (amd64)
  • procps (both)
  • python-cryptography (amd64)
  • qemu (amd64)
  • qtbase-opensource-src (amd64)
    • Fails in mimetype test because it's looking for an executable type, but the pie binaries look like shared libraries
  • qtgraphicaleffects-opensource-src (amd64)
  • qtsensors-opensource-src (amd64)
  • qtsvg-opensource-src (both)
  • rpm (amd64)
  • sendmail (both)
  • shadow (amd64)
  • shim (amd64)
  • sosreport (both)
  • subversion (both)
  • swedish (amd64)
  • syslinux (both)
  • systemtap (amd64)
  • telepathy-glib (i386)
  • totem (i386)
  • ubuntu-app-launch (both)
  • ubuntu-drivers-common (both)
  • unity (i386)
  • util-linux (amd64)
  • whois (both)
  • xfsprogs (amd64)
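
The qtbase mimetype failure noted in the list comes from PIE binaries and shared libraries sharing the ELF type ET_DYN, and the second gcc patch described earlier adds -z now. The following Python code is an added example, not part of the original notes: it classifies a little-endian ELF64 image and reports whether immediate binding was requested. The names classify_elf and build_sample are hypothetical, and the ELF images are constructed in memory rather than taken from a real build.

```python
import struct

ET_EXEC, ET_DYN = 2, 3
PT_DYNAMIC, PT_INTERP = 2, 3
DT_NULL, DT_BIND_NOW, DT_FLAGS, DT_FLAGS_1 = 0, 24, 30, 0x6FFFFFFB
DF_BIND_NOW, DF_1_NOW, DF_1_PIE = 0x8, 0x1, 0x08000000

def classify_elf(data):
    """Return (kind, bind_now) for a little-endian ELF64 image."""
    if data[:4] != b"\x7fELF" or data[4:6] != b"\x02\x01":
        raise ValueError("not a little-endian ELF64 image")
    e_type, = struct.unpack_from("<H", data, 16)
    e_phoff, = struct.unpack_from("<Q", data, 32)
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 54)
    interp = pie_flag = bind_now = False
    for i in range(e_phnum):
        p_type, _, p_offset, _, _, p_filesz = struct.unpack_from(
            "<IIQQQQ", data, e_phoff + i * e_phentsize)
        if p_type == PT_INTERP:
            interp = True
        elif p_type == PT_DYNAMIC:
            # Walk the 16-byte Elf64_Dyn entries until DT_NULL.
            for off in range(p_offset, p_offset + p_filesz, 16):
                tag, val = struct.unpack_from("<qQ", data, off)
                if tag == DT_NULL:
                    break
                bind_now |= (tag == DT_BIND_NOW
                             or (tag == DT_FLAGS and bool(val & DF_BIND_NOW))
                             or (tag == DT_FLAGS_1 and bool(val & DF_1_NOW)))
                pie_flag |= tag == DT_FLAGS_1 and bool(val & DF_1_PIE)
    if e_type == ET_EXEC:
        return "non-PIE executable", bind_now
    if e_type == ET_DYN:
        # Heuristic: e_type cannot separate these; some libraries also carry PT_INTERP.
        return ("PIE executable" if interp or pie_flag else "shared library"), bind_now
    return "other", bind_now

def build_sample(e_type, with_interp, dyn):
    """Constructed minimal ELF64 image: header, program headers, dynamic entries."""
    dyn_bytes = b"".join(struct.pack("<qQ", t, v) for t, v in dyn + [(DT_NULL, 0)])
    phnum = 1 + with_interp
    dyn_off = 64 + 56 * phnum
    ehdr = struct.pack("<4sBBBB8xHHIQQQIHHHHHH", b"\x7fELF", 2, 1, 1, 0,
                       e_type, 62, 1, 0, 64, 0, 0, 64, 56, phnum, 0, 0, 0)
    phdrs = struct.pack("<IIQQQQQQ", PT_DYNAMIC, 6, dyn_off, dyn_off, dyn_off,
                        len(dyn_bytes), len(dyn_bytes), 8)
    if with_interp:
        phdrs += struct.pack("<IIQQQQQQ", PT_INTERP, 4, 0, 0, 0, 0, 0, 1)
    return ehdr + phdrs + dyn_bytes
```

A test that only looks at e_type would report the first and second constructed samples in the same way, which is the behaviour the qtbase note describes.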

SteveBeattie/PIENotes (last edited 2015-12-03 09:15:31 by sbeattie)