From mboxrd@z Thu Jan  1 00:00:00 1970
Received: from eggs.gnu.org ([140.186.70.92]:47771)
	by lists.gnu.org with esmtp (Exim 4.71)
	(envelope-from <anthony@codemonkey.ws>) id 1RQKSU-0001Ar-3b
	for qemu-devel@nongnu.org; Tue, 15 Nov 2011 09:58:05 -0500
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
	(envelope-from <anthony@codemonkey.ws>) id 1RQKSP-00063b-W7
	for qemu-devel@nongnu.org; Tue, 15 Nov 2011 09:57:57 -0500
Received: from mail-vx0-f173.google.com ([209.85.220.173]:57314)
	by eggs.gnu.org with esmtp (Exim 4.71)
	(envelope-from <anthony@codemonkey.ws>) id 1RQKSP-00063T-R4
	for qemu-devel@nongnu.org; Tue, 15 Nov 2011 09:57:53 -0500
Received: by vcbfo13 with SMTP id fo13so4754028vcb.4
	for <qemu-devel@nongnu.org>; Tue, 15 Nov 2011 06:57:53 -0800 (PST)
Message-ID: <4EC27DEE.1020206@redhat.com>
Date: Tue, 15 Nov 2011 08:57:50 -0600
From: Anthony Liguori <anthony@codemonkey.ws>
MIME-Version: 1.0
References: <1321349691-19099-1-git-send-email-avi@redhat.com>
	<CAFEAcA_faLFJ3AtdC-4F99gn6YMqQLt1ZsyKadc3Ve8HAgCACg@mail.gmail.com>
In-Reply-To: <CAFEAcA_faLFJ3AtdC-4F99gn6YMqQLt1ZsyKadc3Ve8HAgCACg@mail.gmail.com>
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 7bit
Subject: Re: [Qemu-devel] [PATCH v7 1.0] configure: build position
 independent executables on x86 hosts
List-Id: <qemu-devel.nongnu.org>
List-Unsubscribe: <https://lists.nongnu.org/mailman/options/qemu-devel>,
	<mailto:qemu-devel-request@nongnu.org?subject=unsubscribe>
List-Archive: <http://lists.nongnu.org/archive/html/qemu-devel>
List-Post: <mailto:qemu-devel@nongnu.org>
List-Help: <mailto:qemu-devel-request@nongnu.org?subject=help>
List-Subscribe: <https://lists.nongnu.org/mailman/listinfo/qemu-devel>,
	<mailto:qemu-devel-request@nongnu.org?subject=subscribe>
To: Peter Maydell <peter.maydell@linaro.org>
Cc: Blue Swirl <blauwirbel@gmail.com>, Paul Moore <pmoore@redhat.com>, Avi Kivity <avi@redhat.com>, qemu-devel@nongnu.org

On 11/15/2011 05:25 AM, Peter Maydell wrote:
> On 15 November 2011 09:34, Avi Kivity<avi@redhat.com>  wrote:
>> Change the default on x86 hosts to building PIE (position independent
>> executables); instead of restricting the option to user-only targets,
>> apply it to all targets.
>>
>> In addition, set the relocation sections to read-only (relro) when available;
>> this reduces the attack surface by disallowing changes to relocation tables
>> at runtime.
>>
>> While PIE reduces performance and relro increases load time, it greatly
>> improves security, with the potential to reduce a code execution vulnerability
>> to a self denial of service.
>>
>> Non-x86 are not changed, as they require TCG changes.
>>
>> Signed-off-by: Avi Kivity<avi@redhat.com>
>
> Reviewed-by: Peter Maydell<peter.maydell@linaro.org>
>
> ...as far as the technical content of the patch is concerned.
> I'm still rather dubious about the merits of putting this patch
> in this late in the release cycle.

How about we limit this to be enabled by default on x86 Linux hosts?

That would make me a lot more comfortable for 1.0 since I expect we can test 
that exhaustively.

Regards,

Anthony Liguori

>
> -- PMM
>
>