[OpenWrt-Devel] [PATCH 0/6] buildsystem: Activate PIE ASLR for some packages

Daniel Engberg daniel.engberg.lists at pyret.net
Mon Oct 28 05:14:38 EDT 2019


On 2019-10-27 18:44, Hauke Mehrtens wrote:
> This is a follow up patch on this discussion on the mailing list:
> https://patchwork.ozlabs.org/patch/1041647/
> 
> This allows to activate PIE only for some packages where we think it is
> necessary and not only globally for all of them.
> 
> Hauke Mehrtens (6):
>   buildsystem: Make PIE ASLR option tristate
>   dnsmasq: Activate PIE by default
>   dropbear: Activate PIE by default
>   hostapd: Activate PIE by default
>   uhttpd: Activate PIE by default
>   lantiq: Allow PKG_ASLR_PIE for DSL and voice drivers
> 
>  config/Config-build.in                       | 22 ++++++++++++++++----
>  include/hardening.mk                         |  9 +++++++-
>  package/kernel/lantiq/ltq-adsl/Makefile      |  1 -
>  package/kernel/lantiq/ltq-ifxos/Makefile     |  1 -
>  package/kernel/lantiq/ltq-tapi/Makefile      |  1 -
>  package/kernel/lantiq/ltq-vdsl-mei/Makefile  |  2 --
>  package/kernel/lantiq/ltq-vdsl/Makefile      |  1 -
>  package/kernel/lantiq/ltq-vmmc/Makefile      |  1 -
>  package/network/config/ltq-vdsl-app/Makefile |  1 -
>  package/network/services/dnsmasq/Makefile    |  1 +
>  package/network/services/dropbear/Makefile   |  1 +
>  package/network/services/hostapd/Makefile    |  1 +
>  package/network/services/uhttpd/Makefile     |  1 +
>  13 files changed, 30 insertions(+), 13 deletions(-)

I think ASLR's value needs to be evaluated especially due to the 
performance penalty (hostapd mainly in that regard) and not to forget 
size increase depending on for how long OpenWrt intends to keep 8Mbyte 
devices around as 4Mbyte devices are more or less unsupported by now. 
It's probably a better idea to only enable it on aarch64 and x86-64 
where size isn't as much of a concern and where it probably(?) receives 
most exposure to avoid unnecessary breakage.

http://intx0x80.blogspot.com/2018/04/bypass-aslrnx-part-1.html
https://svnweb.freebsd.org/base?view=revision&revision=343964
Might also be worth taking into consideration.

Best regards,
Daniel
