Ubuntu Wiki

This page notes the results of testing building the archive on amd64 and perhaps other architectures with -fPIE and hardening-wrapper used on building the archive.

Rational

Position independent code and executables make stack smash attacks extremely difficult since PIE binaries can be loaded freely within a randomized address space, at the cost of speed. Kees: Feel free to extend this

Setup

1. Configure schroot with hardening-wrapper properly installed in place, with -fPIE set on be default.
2. Configure buildd and wanna-build so the building can be load distributed. In addition, with buildd running, signing packages can be done via email, and build failure logs are clearly visible.
3. Configure dak (or some other repo software), to accept the binaries, and then attempt to install it from debootstrap and measure performance differences and various other issues. It may be desirable to allow general user to use and test software for more reasonable use cases, so a server with good bandwidth should be used to host the dak server.

Progress

Glibc with a PIE hard-on compiler results in the following (note that glibc must be built with -nopie, and -fPIC enabled) during test suite regressions.

*************** Encountered regressions that don't match expected failures: bug-atexit3-lib.os, Error 127 c++-types-check.out, Error 1 # fixing these! They are listed here for the purpose of # regression testing during builds. # Testsuite failures, someone should be working towards tst-cancel24.o, Error 127 tst-chk4.o, Error 127 tst-chk5.o, Error 127 tst-chk6.o, Error 127 tst-lfschk4.o, Error 127 tst-lfschk5.o, Error 127 tst-lfschk6.o, Error 127