02-16-2012, 06:42 AM
Pavel Labushev

Firefox won't compile on hardened profile

16.02.2012 04:38, Radek Madej wrote:

> 2) As suggested, disabling JIT will do the trick and it seems like recent
> versions of Firefox can actually have it disabled properly. So the ebuild for
> icecat/firefox will work for you, you just need this in src_configure() :
>
> if use pax_kernel; then
>     mozconfig_annotate '' --disable-methodjit
>     mozconfig_annotate '' --disable-tracejit
> fi

Here's the hack I use not to modify the ebuilds:

# cat /etc/portage/bashrc
LC_ALL="C"

# Only act inside an ebuild phase. First source a per-package hook, trying the
# most specific name first: ${PF} (name-version-revision), ${P} (name-version),
# then ${PN} (name).
if [ X"$EBUILD_PHASE" != "X" ]; then
    if [ -f "/etc/portage/bashrc.d/${CATEGORY}/${PF}" ]; then
        source "/etc/portage/bashrc.d/${CATEGORY}/${PF}"
    elif [ -f "/etc/portage/bashrc.d/${CATEGORY}/${P}" ]; then
        source "/etc/portage/bashrc.d/${CATEGORY}/${P}"
    elif [ -f "/etc/portage/bashrc.d/${CATEGORY}/${PN}" ]; then
        source "/etc/portage/bashrc.d/${CATEGORY}/${PN}"
    fi

    # Then a phase-specific hook, e.g. www-client/firefox.compile runs only in
    # the compile phase of www-client/firefox.
    if [ -f "/etc/portage/bashrc.d/${CATEGORY}/${PF}.${EBUILD_PHASE}" ]; then
        source "/etc/portage/bashrc.d/${CATEGORY}/${PF}.${EBUILD_PHASE}"
    elif [ -f "/etc/portage/bashrc.d/${CATEGORY}/${P}.${EBUILD_PHASE}" ]; then
        source "/etc/portage/bashrc.d/${CATEGORY}/${P}.${EBUILD_PHASE}"
    elif [ -f "/etc/portage/bashrc.d/${CATEGORY}/${PN}.${EBUILD_PHASE}" ]; then
        source "/etc/portage/bashrc.d/${CATEGORY}/${PN}.${EBUILD_PHASE}"
    fi
fi

# cat /etc/portage/bashrc.d/www-client/firefox.compile
disable_unsafe_options() {
    # By the compile phase src_configure has already written $S/.mozconfig.
    [ -f "$S"/.mozconfig ] || die "no .mozconfig in $S"
    # Drop every ac_add_options line that enables a JIT or jemalloc...
    sed -i 's/ac_add_options.*--enable-.*jit.*//' "$S"/.mozconfig
    sed -i 's/ac_add_options.*--enable-jemalloc.*//' "$S"/.mozconfig
    echo >> "$S"/.mozconfig
    # ...and append the corresponding --disable options instead.
    local OPTIONS
    OPTIONS="$OPTIONS --disable-jemalloc"
    OPTIONS="$OPTIONS --disable-ctypes"
    OPTIONS="$OPTIONS --disable-tracejit"
    OPTIONS="$OPTIONS --disable-methodjit"
    OPTIONS="$OPTIONS --disable-jit"
    local O
    for O in $OPTIONS ; do
        echo "ac_add_options $O # fortify" >> "$S"/.mozconfig
    done
}

disable_unsafe_options
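The hook above rewrites $S/.mozconfig with two sed calls and never checks the result. The script below is an added example, not Pavel's hook and not code from the firefox ebuild: it does the same sanitising in a form that can be run and verified outside portage, is safe to run twice, and refuses to continue if a JIT or jemalloc --enable line survived. The sample .mozconfig, the option regex and the temporary directory are constructed for the demonstration; in a real hook the target would be $S/.mozconfig.

```shell
#!/bin/sh
# Added example (not from the thread): sanitise a Firefox .mozconfig for a
# PaX/MPROTECT kernel and verify the outcome before the build proceeds.
set -u

# --enable- options that must not survive under MPROTECT (constructed list,
# matching the options the thread's hook removes and disables).
UNSAFE_ENABLE_RE='^ac_add_options[[:space:]]+--enable-(methodjit|tracejit|jit|jemalloc|ctypes)'
# --disable- options to append, same set as the thread's hook.
HARDENED_OPTS="--disable-jemalloc --disable-ctypes --disable-tracejit --disable-methodjit --disable-jit"

# sanitize_mozconfig FILE: drop conflicting --enable- lines, append each
# --disable- option only if it is not already present (idempotent).
sanitize_mozconfig() {
    cfg=$1
    [ -f "$cfg" ] || { echo "no mozconfig at $cfg" >&2; return 1; }
    tmp="$cfg.tmp"
    # grep -v exits 1 when no line is left; that is not an error here.
    grep -Ev "$UNSAFE_ENABLE_RE" "$cfg" > "$tmp" || true
    mv "$tmp" "$cfg"
    for o in $HARDENED_OPTS; do
        grep -Eq -- "^ac_add_options $o( |$)" "$cfg" \
            || echo "ac_add_options $o # fortify" >> "$cfg"
    done
}

# check_mozconfig FILE: returns 0 only if no unsafe --enable- option remains
# and every hardened --disable- option is present.
check_mozconfig() {
    cfg=$1
    if grep -Eq "$UNSAFE_ENABLE_RE" "$cfg"; then
        echo "unsafe --enable option still present in $cfg" >&2
        return 1
    fi
    for o in $HARDENED_OPTS; do
        grep -Eq -- "^ac_add_options $o( |$)" "$cfg" \
            || { echo "missing $o in $cfg" >&2; return 1; }
    done
    return 0
}

# Constructed sample resembling what the ebuild's src_configure writes.
write_sample_mozconfig() {
    cat > "$1" <<'EOF'
. $topsrcdir/browser/config/mozconfig
ac_add_options --enable-optimize
ac_add_options --enable-methodjit
ac_add_options --enable-tracejit
ac_add_options --enable-jemalloc
ac_add_options --with-system-nspr
EOF
}

# demo: run the hook twice on the sample; succeeds only if the result passes
# the check, unrelated options were kept, and the second run added no duplicates.
demo() {
    dir=$(mktemp -d) || return 1
    cfg="$dir/.mozconfig"
    write_sample_mozconfig "$cfg"
    sanitize_mozconfig "$cfg" && check_mozconfig "$cfg" || { rm -rf "$dir"; return 1; }
    sanitize_mozconfig "$cfg"
    n=$(grep -c -- '--disable-methodjit' "$cfg")
    kept=$(grep -c -- '--enable-optimize' "$cfg")
    rm -rf "$dir"
    [ "$n" -eq 1 ] && [ "$kept" -eq 1 ]
}

demo && echo "mozconfig sanitised and verified"
```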
 
02-16-2012, 03:51 PM
Grant

Firefox won't compile on hardened profile

>> > I don't get it then. Does anyone know why I can't compile Firefox
>> > as described in the link above? This sums it up:
>> >
>> > "firefox-9.0 ebuild stalls at the install phase while xpcshell
>> > command tops CPU usage for hours."
>> >
>> > Although xpcshell doesn't use any CPU for me. It just sits there
>> > and the install phase doesn't proceed.
>> >
>> > - Grant
>>
>> I can compile Icecat with a customized ebuild. Since it's basically
>> the same as Firefox, maybe that helps. Basically it disables jit.
>>
>
> You can't compile it on a grsec kernel because of this bug:
> https://bugs.gentoo.org/show_bug.cgi?id=396275
>
> It's odd that it hangs at xpcshell for you as it's already paxmarked in the
> ebuild...
>
> Anyway, I'd suggest:
>
> 1) keyword firefox so you can get the latest one, which currently is the
> 10.0.1. I'm not sure if the security patches between 9.0.1 and 10.0.1 have
> been backported. AFAIK, Firefox-10.0.1 from the ebuild in portage tree will
> compile just fine on hardened.

9.0.1 and 10.0 have both failed to emerge on my system, but I haven't
tried 10.0.1. I'll do that right away.

> 2) As suggested, disabling JIT will do the trick and it seems like recent
> versions of Firefox can actually have it disabled properly. So the ebuild for
> icecat/firefox will work for you, you just need this in src_configure() :
>
>     if use pax_kernel; then
>         mozconfig_annotate '' --disable-methodjit
>         mozconfig_annotate '' --disable-tracejit
>     fi
>
> 3) the other benefit of disabling jit completely is that you can now disable
> the paxmarking turning MPROTECT off and benefit from properly enforced W^X pages.
> Unless you want to use FF for flash or java, that is...

So I need to use paxctl -m if I want to use flash or java?

- Grant
 
02-17-2012, 01:53 PM
Grant

Firefox won't compile on hardened profile

>> > I don't get it then. Does anyone know why I can't compile Firefox
>> > as described in the link above? This sums it up:
>> >
>> > "firefox-9.0 ebuild stalls at the install phase while xpcshell
>> > command tops CPU usage for hours."
>> >
>> > Although xpcshell doesn't use any CPU for me. It just sits there
>> > and the install phase doesn't proceed.
>> >
>> > - Grant
>>
>> I can compile Icecat with a customized ebuild. Since it's basically
>> the same as Firefox, maybe that helps. Basically it disables jit.
>>
>
> You can't compile it on a grsec kernel because of this bug:
> https://bugs.gentoo.org/show_bug.cgi?id=396275
>
> It's odd that it hangs at xpcshell for you as it's already paxmarked in the
> ebuild...
>
> Anyway, I'd suggest:
>
> 1) keyword firefox so you can get the latest one, which currently is the
> 10.0.1. I'm not sure if the security patches between 9.0.1 and 10.0.1 have
> been backported. AFAIK, Firefox-10.0.1 from the ebuild in portage tree will
> compile just fine on hardened.

10.0.1 fails the same way unfortunately.

- Grant


> 2) As suggested, disabling JIT will do the trick and it seems like recent
> versions of Firefox can actually have it disabled properly. So the ebuild for
> icecat/firefox will work for you, you just need this in src_configure() :
>
>     if use pax_kernel; then
>         mozconfig_annotate '' --disable-methodjit
>         mozconfig_annotate '' --disable-tracejit
>     fi
>
> 3) the other benefit of disabling jit completely is that you can now disable
> the paxmarking turning MPROTECT off and benefit from properly enforced W^X pages.
> Unless you want to use FF for flash or java, that is...
 
02-19-2012, 05:01 PM
Tóth Attila

Firefox won't compile on hardened profile

There's a snippet in your ebuild:
"append-flags -mno-avx"

What is the problem with AVX? Is it an option that counteracts security?

Regards:
Dw.
--
dr Tóth Attila, Radiológus, 06-20-825-8057
Attila Toth MD, Radiologist, +36-20-825-8057

On 15 February 2012 (Wed) 18:10, Hinnerk van Bruinehsen wrote:
> On 15.02.2012 17:39, Grant wrote:
>>>>>> Firefox won't compile on my system due to the issue
>>>>>> described here:
>>>>>>
>>>>>> http://www.gossamer-threads.com/lists/gentoo/hardened/245060
>>>>>
>>>>>
>>>>>>
> FWIW: I had no trouble compiling Firefox 9.0 on my amd64 system
>>>>> using the current stable 3.2.2-r1 kernel, gcc 4.5.3,
>>>>> grsec/pax enabled.
>>>>
>>>> To confirm, you aren't on a hardened profile?
>>>
>>> I am on a hardened profile, currently using
>>> hardened/linux/amd64/no-multilib/selinux profile, only running
>>> stable software.
>>
>> I don't get it then. Does anyone know why I can't compile Firefox
>> as described in the link above? This sums it up:
>>
>> "firefox-9.0 ebuild stalls at the install phase while xpcshell
>> command tops CPU usage for hours."
>>
>> Although xpcshell doesn't use any CPU for me. It just sits there
>> and the install phase doesn't proceed.
>>
>> - Grant
>>
>
> I can compile Icecat with a customized ebuild. since it's basically
> the same as Firefox, maybe that helps. Basically it disables jit.
 
02-19-2012, 05:32 PM
Grant

Firefox won't compile on hardened profile

> There's a snippet in your ebuild:
> "append-flags -mno-avx"
>
> What is the problem with AVX? Is it an option that counteracts security?

I'm sorry but I'm not sure what you mean. I should change the firefox ebuild?

- Grant


>>>>>>> Firefox won't compile on my system due to the issue
>>>>>>> described here:
>>>>>>>
>>>>>>> http://www.gossamer-threads.com/lists/gentoo/hardened/245060
>>>>>>
>>>>>>
>>>>>>>
>> FWIW: I had no trouble compiling Firefox 9.0 on my amd64 system
>>>>>> using the current stable 3.2.2-r1 kernel, gcc 4.5.3,
>>>>>> grsec/pax enabled.
>>>>>
>>>>> To confirm, you aren't on a hardened profile?
>>>>
>>>> I am on a hardened profile, currently using
>>>> hardened/linux/amd64/no-multilib/selinux profile, only running
>>>> stable software.
>>>
>>> I don't get it then. Does anyone know why I can't compile Firefox
>>> as described in the link above? This sums it up:
>>>
>>> "firefox-9.0 ebuild stalls at the install phase while xpcshell
>>> command tops CPU usage for hours."
>>>
>>> Although xpcshell doesn't use any CPU for me. It just sits there
>>> and the install phase doesn't proceed.
>>>
>>> - Grant
>>>
>>
>> I can compile Icecat with a customized ebuild. since it's basically
>> the same as Firefox, maybe that helps. Basically it disables jit.
 
02-19-2012, 06:06 PM
Tóth Attila

Firefox won't compile on hardened profile

The email I replied to was originally posted by "Hinnerk van Bruinehsen".

Let me explain my question in detail; that might clarify it. Here is the part
of the ebuild I'm asking about:

"
if [[ $(gcc-major-version) -lt 4 ]]; then
    append-cxxflags -fno-stack-protector
elif [[ $(gcc-major-version) -gt 4 || $(gcc-minor-version) -gt 3 ]]; then
    if use amd64 || use x86; then
        append-flags -mno-avx
    fi
fi
"

Break it down:

"
if [[ $(gcc-major-version) -lt 4 ]]; then
    append-cxxflags -fno-stack-protector
"
The first part is a historical remnant from the times before Zorry. We used
gcc-3.4.6 for a long time. It used a different implementation of SSP.

"
elif [[ $(gcc-major-version) -gt 4 || $(gcc-minor-version) -gt 3 ]]; then
    if use amd64 || use x86; then
        append-flags -mno-avx
    fi
fi
"

The second part disables AVX optimisations if the gcc version is newer
than 4.3. However, AVX support hasn't been around for long and it's not mature.
AVX is an instruction set extension that is getting some attention
lately. I'm lucky to have a system with a capable processor. The block
disabling the optimisations sits right beside the stack-protector
statement. That's why I thought some hardened folks put it there. And I'm
curious about the reason.

Of course it might simply be there because enabling AVX optimizations can
actually decrease performance, as you can see here:
http://www.phoronix.com/scan.php?page=article&item=intel_avx_gcc&num=1

Security is more important to me than speed. That's why I'm
interested in any security effect of a compiler option (like creating
textrels or so). If it's a security problem, I won't use corei7-avx, but
rather go for simple corei7.

Regards:
Dw.
--
dr Tóth Attila, Radiológus, 06-20-825-8057
Attila Toth MD, Radiologist, +36-20-825-8057

On 19 February 2012 (Sun) 19:32, Grant wrote:
>> There's a snippet in your ebuild:
>> "append-flags -mno-avx"
>>
>> What is the problem with AVX? Is it an option that counteracts
>> security?
>
> I'm sorry but I'm not sure what you mean. I should change the firefox
> ebuild?
>
> - Grant
>
>
>>>>>>>> Firefox won't compile on my system due to the issue
>>>>>>>> described here:
>>>>>>>>
>>>>>>>> http://www.gossamer-threads.com/lists/gentoo/hardened/245060
>>>>>>>
>>>>>>>
>>>>>>>>
>>> FWIW: I had no trouble compiling Firefox 9.0 on my amd64 system
>>>>>>> using the current stable 3.2.2-r1 kernel, gcc 4.5.3,
>>>>>>> grsec/pax enabled.
>>>>>>
>>>>>> To confirm, you aren't on a hardened profile?
>>>>>
>>>>> I am on a hardened profile, currently using
>>>>> hardened/linux/amd64/no-multilib/selinux profile, only running
>>>>> stable software.
>>>>
>>>> I don't get it then. Does anyone know why I can't compile Firefox
>>>> as described in the link above? This sums it up:
>>>>
>>>> "firefox-9.0 ebuild stalls at the install phase while xpcshell
>>>> command tops CPU usage for hours."
>>>>
>>>> Although xpcshell doesn't use any CPU for me. It just sits there
>>>> and the install phase doesn't proceed.
>>>>
>>>> - Grant
>>>>
>>>
>>> I can compile Icecat with a customized ebuild. since it's basically
>>> the same as Firefox, maybe that helps. Basically it disables jit.
>
>
 
02-19-2012, 06:19 PM
Grant

Firefox won't compile on hardened profile

> The email I replied to was originally posted by "Hinnerk van Bruinehsen".

Crazy, gmail is acting like it was in response to my message about
compiling firefox. Sorry about that.

- Grant


> Let me explain my question in detail; that might clarify it. Here is the part
> of the ebuild I'm asking about:
>
> "
> if [[ $(gcc-major-version) -lt 4 ]]; then
>     append-cxxflags -fno-stack-protector
> elif [[ $(gcc-major-version) -gt 4 || $(gcc-minor-version) -gt 3 ]]; then
>     if use amd64 || use x86; then
>         append-flags -mno-avx
>     fi
> fi
> "
>
> Break it down:
>
> "
> if [[ $(gcc-major-version) -lt 4 ]]; then
>     append-cxxflags -fno-stack-protector
> "
> The first part is a historical remnant from the times before Zorry. We used
> gcc-3.4.6 for a long time. It used a different implementation of SSP.
>
> "
> elif [[ $(gcc-major-version) -gt 4 || $(gcc-minor-version) -gt 3 ]]; then
>     if use amd64 || use x86; then
>         append-flags -mno-avx
>     fi
> fi
> "
>
> The second part disables AVX optimisations if the gcc version is newer
> than 4.3. However, AVX support hasn't been around for long and it's not mature.
> AVX is an instruction set extension that is getting some attention
> lately. I'm lucky to have a system with a capable processor. The block
> disabling the optimisations sits right beside the stack-protector
> statement. That's why I thought some hardened folks put it there. And I'm
> curious about the reason.
>
> Of course it might simply be there because enabling AVX optimizations can
> actually decrease performance, as you can see here:
> http://www.phoronix.com/scan.php?page=article&item=intel_avx_gcc&num=1
>
> Security is more important to me than speed. That's why I'm
> interested in any security effect of a compiler option (like creating
> textrels or so). If it's a security problem, I won't use corei7-avx, but
> rather go for simple corei7.
>
> Regards:
> Dw.
> --
> dr Tóth Attila, Radiológus, 06-20-825-8057
> Attila Toth MD, Radiologist, +36-20-825-8057
>
> On 19 February 2012 (Sun) 19:32, Grant wrote:
>>> There's a snippet in your ebuild:
>>> "append-flags -mno-avx"
>>>
>>> What is the problem with AVX? Is it an option that counteracts
>>> security?
>>
>> I'm sorry but I'm not sure what you mean. I should change the firefox
>> ebuild?
>>
>> - Grant
>>
>>
>>>>>>>>> Firefox won't compile on my system due to the issue
>>>>>>>>> described here:
>>>>>>>>>
>>>>>>>>> http://www.gossamer-threads.com/lists/gentoo/hardened/245060
>>>>>>>>
>>>>>>>>
>>>>>>>>>
>>>> FWIW: I had no trouble compiling Firefox 9.0 on my amd64 system
>>>>>>>> using the current stable 3.2.2-r1 kernel, gcc 4.5.3,
>>>>>>>> grsec/pax enabled.
>>>>>>>
>>>>>>> To confirm, you aren't on a hardened profile?
>>>>>>
>>>>>> I am on a hardened profile, currently using
>>>>>> hardened/linux/amd64/no-multilib/selinux profile, only running
>>>>>> stable software.
>>>>>
>>>>> I don't get it then. Does anyone know why I can't compile Firefox
>>>>> as described in the link above? This sums it up:
>>>>>
>>>>> "firefox-9.0 ebuild stalls at the install phase while xpcshell
>>>>> command tops CPU usage for hours."
>>>>>
>>>>> Although xpcshell doesn't use any CPU for me. It just sits there
>>>>> and the install phase doesn't proceed.
>>>>>
>>>>> - Grant
>>>>>
>>>>
>>>> I can compile Icecat with a customized ebuild. since it's basically
>>>> the same as Firefox, maybe that helps. Basically it disables jit.
 
02-19-2012, 08:22 PM
Hinnerk van Bruinehsen

Firefox won't compile on hardened profile

On 19.02.2012 20:06, "Tóth Attila" wrote:
> The email I replied to was originally posted by "Hinnerk van
> Bruinehsen".
>
> Let's see my question in details, that might clarify it. Here is
> the part of the ebuild I'm asking questions about:
>
> " if [[ $(gcc-major-version) -lt 4 ]]; then append-cxxflags
> -fno-stack-protector elif [[ $(gcc-major-version) -gt 4 ||
> $(gcc-minor-version) -gt 3 ]]; then if use amd64 || use x86; then
> append-flags -mno-avx fi fi "
>
> Break it down:
>
> " if [[ $(gcc-major-version) -lt 4 ]]; then append-cxxflags
> -fno-stack-protector " The first part is a historical remnant from
> times before Zorry. We used gcc-3.4.6 for a long time. It used a
> different implementation for SSP.
>
> " elif [[ $(gcc-major-version) -gt 4 || $(gcc-minor-version) -gt 3
> ]]; then if use amd64 || use x86; then append-flags -mno-avx fi fi
> "
>
> The second part disables avx optimisations if the gcc version is
> newer than 4.3. However avx support isn't around so long and it's
> not mature. Avx is an instruction set extension, that is getting
> some attention lately. I'm lucky to have a system, with a capable
> processor. The block disabling the optimisations resides right
> besides the stack-protector statement. That's why I thought some
> hardened folks put it there. And I'm curious about the reason.
>
> Of course it might be simply there, because enabling avx
> optimizations can actually decrease performance. Like you can see
> it here:
> http://www.phoronix.com/scan.php?page=article&item=intel_avx_gcc&num=1
>
> Security is more important for me compared to speed. That's why
> I'm interested in any security effect of a compiler option (like
> creating textrels or so). If it's a security problem, I won't use
> corei7-avx, but rather go for simple corei7.
>
> Regards: Dw.

Hi,

That part is in the normal icecat ebuild in the tree. It's also within
the firefox ebuild.
I don't know if it's needed, but the mozilla herd, as maintainers, may be
the right people to ask.

Regards,

Hinnerk

 
02-19-2012, 09:01 PM
Hinnerk van Bruinehsen

Firefox won't compile on hardened profile

On 19.02.2012 20:06, "Tóth Attila" wrote:
> The email I replied to was originally posted by "Hinnerk van
> Bruinehsen".
>
> Let's see my question in details, that might clarify it. Here is
> the part of the ebuild I'm asking questions about:
>
> " if [[ $(gcc-major-version) -lt 4 ]]; then append-cxxflags
> -fno-stack-protector elif [[ $(gcc-major-version) -gt 4 ||
> $(gcc-minor-version) -gt 3 ]]; then if use amd64 || use x86; then
> append-flags -mno-avx fi fi "
>
> Break it down:
>
> " if [[ $(gcc-major-version) -lt 4 ]]; then append-cxxflags
> -fno-stack-protector " The first part is a historical remnant from
> times before Zorry. We used gcc-3.4.6 for a long time. It used a
> different implementation for SSP.
>
> " elif [[ $(gcc-major-version) -gt 4 || $(gcc-minor-version) -gt 3
> ]]; then if use amd64 || use x86; then append-flags -mno-avx fi fi
> "
>
> The second part disables avx optimisations if the gcc version is
> newer than 4.3. However avx support isn't around so long and it's
> not mature. Avx is an instruction set extension, that is getting
> some attention lately. I'm lucky to have a system, with a capable
> processor. The block disabling the optimisations resides right
> besides the stack-protector statement. That's why I thought some
> hardened folks put it there. And I'm curious about the reason.
>
> Of course it might be simply there, because enabling avx
> optimizations can actually decrease performance. Like you can see
> it here:
> http://www.phoronix.com/scan.php?page=article&item=intel_avx_gcc&num=1
>
> Security is more important for me compared to speed. That's why
> I'm interested in any security effect of a compiler option (like
> creating textrels or so). If it's a security problem, I won't use
> corei7-avx, but rather go for simple corei7.
>
> Regards: Dw.

Update: according to [1] it's not security related, but a bug with
mozilla and the avx-extensions. It simply doesn't work together. Since
I have no Sandy Bridge CPU I'm not able to test anything else...




[1] http://forums.gentoo.org/viewtopic-t-893300-start-0.html

 
02-19-2012, 10:24 PM
Tóth Attila

Firefox won't compile on hardened profile

Thanks for the link! It's clear now. You need a recent CPU and a recent
gcc to trigger this.
--
dr Tóth Attila, Radiológus, 06-20-825-8057
Attila Toth MD, Radiologist, +36-20-825-8057

On 19 February 2012 (Sun) 23:01, Hinnerk van Bruinehsen wrote:
> On 19.02.2012 20:06, "Tóth Attila" wrote:
>> The email I replied to was originally posted by "Hinnerk van
>> Bruinehsen".
>>
>> Let's see my question in details, that might clarify it. Here is
>> the part of the ebuild I'm asking questions about:
>>
>> " if [[ $(gcc-major-version) -lt 4 ]]; then append-cxxflags
>> -fno-stack-protector elif [[ $(gcc-major-version) -gt 4 ||
>> $(gcc-minor-version) -gt 3 ]]; then if use amd64 || use x86; then
>> append-flags -mno-avx fi fi "
>>
>> Break it down:
>>
>> " if [[ $(gcc-major-version) -lt 4 ]]; then append-cxxflags
>> -fno-stack-protector " The first part is a historical remnant from
>> times before Zorry. We used gcc-3.4.6 for a long time. It used a
>> different implementation for SSP.
>>
>> " elif [[ $(gcc-major-version) -gt 4 || $(gcc-minor-version) -gt 3
>> ]]; then if use amd64 || use x86; then append-flags -mno-avx fi fi
>> "
>>
>> The second part disables avx optimisations if the gcc version is
>> newer than 4.3. However avx support isn't around so long and it's
>> not mature. Avx is an instruction set extension, that is getting
>> some attention lately. I'm lucky to have a system, with a capable
>> processor. The block disabling the optimisations resides right
>> besides the stack-protector statement. That's why I thought some
>> hardened folks put it there. And I'm curious about the reason.
>>
>> Of course it might be simply there, because enabling avx
>> optimizations can actually decrease performance. Like you can see
>> it here:
>> http://www.phoronix.com/scan.php?page=article&item=intel_avx_gcc&num=1
>>
>> Security is more important for me compared to speed. That's why
>> I'm interested in any security effect of a compiler option (like
>> creating textrels or so). If it's a security problem, I won't use
>> corei7-avx, but rather go for simple corei7.
>>
>> Regards: Dw.
>
> Update: according to [1] it's not security related, but a bug with
> mozilla and the avx-extensions. It simply doesn't work together. Since
> I have no Sandy Bridge CPU I'm not able to test anything else...
>
>
>
>
> [1] http://forums.gentoo.org/viewtopic-t-893300-start-0.html
 
