[pkg-golang-devel] Bug#821454: [pkg-go] Bug#821454: dh-golang: Position-independent executables (PIE)
michael.hudson at canonical.com
Fri Apr 29 01:17:51 UTC 2016
On 29 April 2016 at 12:40, Peter Colberg <peter at colberg.org> wrote:
> Hi Michael,
> On Wed, Apr 27, 2016 at 01:35:30PM +1200, Michael Hudson-Doyle wrote:
>> I think only pie, bindnow and relro make sense for Go.
> I figured out how to link with BINDNOW and RELRO using -extldflags:
> # Pass hardening flags to linker
> GO_LDFLAGS += -extldflags=-Wl,-z,now,-z,relro
Ah yes, makes sense. TBH, I wonder about changing Go to always pass
> # hardening-check acmetool
> Position Independent Executable: yes
> Stack protected: no, not found!
> Fortify Source functions: no, only unprotected functions found!
> Read-only relocations: yes
> Immediate binding: yes
>> If you use -pkgdir, the standard library is rebuilt whatever you do.
> I think -pkgdir is not needed at all for building with -buildmode=pie.
So long as we add the golang-std-pie-dev flag, yeah.
> I suggest the following path going forward:
> * Ship the -buildmode=pie std library in a separate package
> golang-std-pie-dev as part of the golang source package.
> * Extend dh-golang to translate the dpkg hardening flags into
> -buildmode=pie and -extldflags=-Wl,-z,now,-z,relro as needed.
> I am filing a separate bug to implement the first change.
> The second change need not happen right away; since it only affects
> packages that build executables, which are very few among the many
> golang packages, this can also be implemented on a case-by-case
> basis for now.
So we'll leave this bug for that bit?
>> The performance and binary size hit of PIE on i386 in particular is
>> likely to be large. Do you care at all about that?
> I noticed for amd64 that the size of the stripped acmetool executable
> increases from 10 to 15 MB, which is significant but not dramatic
> compared to the overall bloat of Go executables. The size of the
> compressed Debian package increases from 2.2 to 2.7 MB. (That is
> a compression ratio of 5:1 in both cases.)
That's not too bad. It will be better in Go 1.7!
> Is this not a general issue that affects all Debian packages compiled
> with hardening flags? Or do you potentially see Go-specific size and
> performance issues?
Well, I mentioned i386 for a reason: the PIE code gen for Go on 386 is
extremely stupid (I should know, I wrote it). For other architectures
it should not be nearly so bad. So if you care about performance at
all on 386, you might not want to build PIE there. But I'm not sure
anyone does any more?
More information about the pkg-golang-devel