
pie and full relro for tboot

asked 2019-04-16 22:31:43 -0500

The following website mentions that all packages are built with PIE and full RELRO; however, I found that some packages do not have these features, such as tboot (/usr/sbin/acminfo). I want to confirm whether Fedora found that, or had some other problem, when adding PIE and RELRO to tboot.

I get the package from

Built as PIE: All programs built as Position Independent Executables (PIE) with "-fPIE -pie" can take advantage of the exec ASLR. This protects against "return-to-text" and generally frustrates memory corruption attacks. This requires centralized changes to the compiler options when building the entire archive. PIE has a large (5-10%) performance penalty on architectures with small numbers of general registers (e.g. x86), so it should only be used for a select number of security-critical packages. PIE on x86_64 does not have the same penalties, and will eventually be made the default, but more testing is required. See this paper and this FESCo ticket for more information.

In Fedora 23 and later, all packages are built with PIE and Full RELRO. See this page for details.
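The quickest way to settle "is this binary PIE and full RELRO?" is to look at the ELF itself rather than at the spec. The script below is an added example (not from this thread, the Fedora wiki, or the tboot project): it reads the ELF header, program headers and dynamic section directly, so it works without readelf or checksec, and it applies the same three tests an auditor would run by hand. PIE is ET_DYN plus either DF_1_PIE in DT_FLAGS_1 or a PT_INTERP (a plain shared library is also ET_DYN, so the type alone is not enough); partial RELRO is a PT_GNU_RELRO segment; full RELRO additionally needs BIND_NOW (DT_BIND_NOW, DF_BIND_NOW or DF_1_NOW) so the GOT is resolved before it is mapped read-only. The `build_sample_elf` helper constructs a minimal, non-loadable ELF64 image purely so the check can be exercised offline; it is a constructed sample, not a real Fedora binary.

```python
"""Audit ELF binaries for PIE and RELRO (added example; parses ELF32/ELF64 directly)."""
import struct
import sys

ET_EXEC, ET_DYN = 2, 3
PT_INTERP, PT_DYNAMIC, PT_GNU_RELRO = 3, 2, 0x6474E552
DT_NULL, DT_BIND_NOW, DT_FLAGS, DT_FLAGS_1 = 0, 24, 30, 0x6FFFFFFB
DF_BIND_NOW, DF_1_NOW, DF_1_PIE = 0x8, 0x1, 0x08000000

# EI_CLASS -> (Ehdr format, Phdr format, Phdr field order, Dyn format); note that
# ELF32 and ELF64 program headers place p_flags at different positions.
_LAYOUT = {
    2: ("16sHHIQQQIHHHHHH", "IIQQQQQQ",
        ("type", "flags", "off", "vaddr", "paddr", "filesz", "memsz", "align"), "qQ"),
    1: ("16sHHIIIIIHHHHHH", "IIIIIIII",
        ("type", "off", "vaddr", "paddr", "filesz", "memsz", "flags", "align"), "iI"),
}


def check_hardening(data: bytes) -> dict:
    """Return {'pie': bool, 'relro': 'none'|'partial'|'full', 'bind_now': bool}."""
    if data[:4] != b"\x7fELF" or data[4] not in _LAYOUT:
        raise ValueError("not a 32/64-bit ELF file")
    end = "<" if data[5] == 1 else ">"          # EI_DATA: 1 = little, 2 = big endian
    ehdr_fmt, phdr_fmt, fields, dyn_fmt = _LAYOUT[data[4]]
    ehdr = struct.unpack_from(end + ehdr_fmt, data, 0)
    e_type, e_phoff, e_phentsize, e_phnum = ehdr[1], ehdr[5], ehdr[9], ehdr[10]

    phdrs = [dict(zip(fields, struct.unpack_from(end + phdr_fmt, data, e_phoff + i * e_phentsize)))
             for i in range(e_phnum)]
    has_interp = any(p["type"] == PT_INTERP for p in phdrs)
    has_relro = any(p["type"] == PT_GNU_RELRO for p in phdrs)

    # Walk the dynamic section (located via PT_DYNAMIC) for the bind-now and PIE flags.
    flags = flags_1 = 0
    bind_now_tag = False
    dyn_size = struct.calcsize(end + dyn_fmt)
    for p in (p for p in phdrs if p["type"] == PT_DYNAMIC):
        for pos in range(p["off"], p["off"] + p["filesz"], dyn_size):
            tag, val = struct.unpack_from(end + dyn_fmt, data, pos)
            if tag == DT_NULL:
                break
            if tag == DT_FLAGS:
                flags = val
            elif tag == DT_FLAGS_1:
                flags_1 = val
            elif tag == DT_BIND_NOW:
                bind_now_tag = True

    bind_now = bind_now_tag or bool(flags & DF_BIND_NOW) or bool(flags_1 & DF_1_NOW)
    pie = e_type == ET_DYN and (bool(flags_1 & DF_1_PIE) or has_interp)
    relro = "full" if has_relro and bind_now else "partial" if has_relro else "none"
    return {"pie": pie, "relro": relro, "bind_now": bind_now}


def build_sample_elf(pie: bool, relro: bool, bind_now: bool) -> bytes:
    """Constructed minimal ELF64 image: just enough headers for the audit, not runnable."""
    dyn = []
    if bind_now:
        dyn += [(DT_FLAGS, DF_BIND_NOW), (DT_FLAGS_1, DF_1_NOW | (DF_1_PIE if pie else 0))]
    elif pie:
        dyn += [(DT_FLAGS_1, DF_1_PIE)]
    dyn.append((DT_NULL, 0))
    dyn_bytes = b"".join(struct.pack("<qQ", t, v) for t, v in dyn)
    interp = b"/lib64/ld-linux-x86-64.so.2\0"
    seg_types = [PT_INTERP, PT_DYNAMIC] + ([PT_GNU_RELRO] if relro else [])
    dyn_off = 64 + 56 * len(seg_types)           # program headers follow the 64-byte Ehdr
    interp_off = dyn_off + len(dyn_bytes)
    phdrs = b""
    for t in seg_types:
        off, size = (interp_off, len(interp)) if t == PT_INTERP else (dyn_off, len(dyn_bytes))
        phdrs += struct.pack("<IIQQQQQQ", t, 4, off, off, off, size, size, 8)
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)   # ELF64, little-endian, SysV
    ehdr = struct.pack("<16sHHIQQQIHHHHHH", ident, ET_DYN if pie else ET_EXEC, 62, 1,
                       0x1000, 64, 0, 0, 64, 56, len(seg_types), 64, 0, 0)
    return ehdr + phdrs + dyn_bytes + interp


def audit(paths):
    """Print a checksec-style line per file and return the results keyed by path."""
    results = {}
    for path in paths:
        with open(path, "rb") as f:
            results[path] = check_hardening(f.read())
        r = results[path]
        print(f"{path}: PIE={'yes' if r['pie'] else 'no'} RELRO={r['relro']}")
    return results


if __name__ == "__main__":
    if len(sys.argv) > 1:
        audit(sys.argv[1:])                      # e.g. python3 elf_hardening.py /usr/sbin/acminfo
    else:
        print("constructed sample:", check_hardening(build_sample_elf(True, True, True)))
```

Run it as `python3 elf_hardening.py /usr/sbin/*` to get the list the question asks for on a given system. A binary reported as PIE=no and RELRO=partial is exactly the "built without these hardening features" case the Fedora page describes; RELRO=partial with BIND_NOW absent is the lazy-binding case it mentions.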


1 Answer


answered 2019-04-17 05:33:06 -0500

fcomida


I found this in your link: "However, some ELF binaries are still built and linked without these hardening features. Sometimes, this is due to package maintainer preferences. Sometimes, there are technical reasons which preclude the use of BIND_NOW because the way the application is written, it relies on lazy binding."

I wonder whether you have the exact package lists for both types.

For example, I can change the cflags in tboot.spec to add full RELRO and PIE, but I don't know which of these reasons explains why Fedora didn't add these two security compile options. Could you please explain this?

fireshen (2019-04-17 09:16:20 -0500)

I am not aware that such a list exists. The accepted proposal is in fact for adding additional hardening for those packages that do not enable PIE for some reason. You'd better discuss the issue with the relevant package maintainer.

fcomida (2019-04-24 12:22:32 -0500)
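For anyone who does take this to the package maintainer, the fragment below is an added example of where the hardening knobs live in a Fedora spec file. It is not tboot.spec and does not show tboot's build system; it assumes a package whose Makefile honors CFLAGS and LDFLAGS passed on the make command line, and it uses the redhat-rpm-config macros (`_hardened_build`, `%set_build_flags`, `%{build_cflags}`, `%{build_ldflags}`) that carry the PIE and RELRO flags. The only binary path referenced, /usr/sbin/acminfo, is the one named in the question.

```spec
# Fedora 23+ hardens by default; a spec that contains "%undefine _hardened_build"
# is the "package maintainer preference" way of opting out. Set it explicitly here.
%global _hardened_build 1

%build
# Exports CFLAGS/CXXFLAGS/LDFLAGS from redhat-rpm-config. With _hardened_build
# set these include -fPIE/-pie and -Wl,-z,relro -Wl,-z,now.
%set_build_flags
# A build system that hard-codes its own CFLAGS/LDFLAGS silently drops the
# exported ones (assumption about this package's Makefile), so pass them
# explicitly on the command line as well.
%make_build CFLAGS="%{build_cflags}" LDFLAGS="%{build_ldflags}"

%install
%make_install

%check
# Fail the build if the installed binary did not pick the flags up:
# ET_DYN (PIE), a GNU_RELRO segment, and BIND_NOW / DF_1_NOW in the dynamic section.
readelf -h %{buildroot}%{_sbindir}/acminfo | grep -q 'Type:.*DYN'
readelf -l %{buildroot}%{_sbindir}/acminfo | grep -q 'GNU_RELRO'
readelf -d %{buildroot}%{_sbindir}/acminfo | grep -q -E 'BIND_NOW|Flags:.*NOW'
```

The %check step is the part worth keeping even if the rest is already in place: it turns "we think this package is hardened" into a build failure when the Makefile or a later patch quietly drops the flags, which is how binaries like the one in the question end up shipping without PIE and full RELRO unnoticed.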


Last updated: Apr 17 '19