pie and full relro for tboot

The following website mentions that all packages are built with PIE and full RELRO; however, I found that some packages do not have these features, such as tboot (/usr/sbin/acminfo). I want to confirm whether Fedora found that, or had other problems, if we add PIE and RELRO for tboot.

I get the package from https://kojipkgs.fedoraproject.org//packages/tboot/1.9.8/2.fc28/x86_64/tboot-1.9.8-2.fc28.x86_64.rpm

https://fedoraproject.org/wiki/Security_Features_Matrix#Built_as_PIE

Built as PIE

All programs built as Position Independent Executables (PIE) with "-fPIE -pie" can take advantage of the exec ASLR. This protects against "return-to-text" and generally frustrates memory corruption attacks. This requires centralized changes to the compiler options when building the entire archive. PIE has a large (5-10%) performance penalty on architectures with small numbers of general registers (e.g. x86), so it should only be used for a select number of security-critical packages. PIE on x86_64 does not have the same penalties, and will eventually be made the default, but more testing is required. See this paper and this FESCo ticket for more information.

In Fedora 23 and later, all packages are built with PIE and Full RELRO. See this page for details.