Re: [poky] [PATCH] local.conf.sample: disable prelink
On 22/07/2021 22:05, Alexander Kanavin wrote:
> PIE is nowadays more or less the only available option and is expected for improved security; Yocto does not even test non-PIE builds or provide an off-the-shelf way to turn it off.

I am worried about those libraries, which are non-PIE libraries by default. My theory is that they are non-PIE since prelink is able to operate on them. So prelink can "at least" be used as a PIE detector. They are:

    lib/libdl-2.33.so is prelinked
    lib/ld-2.33.so is prelinked
    lib/libpthread-2.33.so is prelinked
    lib/libc-2.33.so is prelinked

Is there a rational explanation why they are not compiled in PIE mode and/or, if they are compiled in PIE mode, how cross-prelink can operate on them? If cross-prelink can operate on them, why not on the others?

> I also have to note that prelink does show higher RAM consumption in your tests as well (MemFree column). On the constrained systems which would benefit most from improved prelink timings that might be a bigger loss than not prelinking.

I guess we agree that MemFree shows free physical memory (user and kernel space). My experiments show that non-PIE and no prelink leaves the biggest amount of free physical memory. They also show that non-PIE and prelink leave the smallest amount of free physical memory ;)

The difference is significant:

    prelinked-no-pie/no-prelink-no-pie: 4552 (kB)

If we leave things as they are:

    prelinked-no-pie/prelinked-with-pie: 3972 (kB)

If we disable prelink (as you suggest - and I tend to agree since it does not make sense as it is right now):

    prelinked-no-pie/no-prelink-with-pie: 4120 (kB)

... but if you look at the next line, MemAvailable kB, things look a bit different. My interpretation of MemAvailable is that it is an estimate of virtual memory available after reclaimable parts of memory (caches, buffer, slab,...) have been reclaimed without getting swap involved.

I see this:

    MemAvailable            kB
    prelinked-with-pie      939412
    no-prelink-with-pie     939696
    prelinked-no-pie        940344
    no-prelink-no-pie       941216

Which means that our current default setting is the worst possible solution ;) no-prelink-no-pie would (theoretically) be the best.

I will try to update my second article and try to explain a bit more my interpretation of the results and maybe also try to see what bootchart says to all this.

Don't get me wrong. I am neither pro nor con prelink. I just would like to understand what it does, if it does something ;) I spent quite some time on this - also discussing with most of you offline.

If you ask me, we should use your patch, since people didn't even notice that prelink cannot prelink PIE binaries for a couple of years. So there does not seem to be much demand for it ;) We can keep a "placebo" in for the homeopaths who think they use prelink in their images since PIE was enabled ;)

> But yes, there is a timing benefit visible in the tests: 0.01s vs 0.1s.

Also less CPU usage can be seen. I hope I'll find time to run some tests with bootchart. Maybe then we can also see boot time, memory, CPU,...

Regards,

Robert

> Alex