test-sec-flags is a small collection of scripts intended to automate testing the
performance impact of various security-oriented compilation and linking flags. The goal
is to determine if the performance impact is small enough to allow for using these
flags as the default flags for all Arch Linux packages.
A huge thank you to everyone who contributed to this effort. As per Allan's post on the mailing list, we will be implementing these flags in Arch.
Please follow the mailing list for news on future developments.
For the xz and unixbench test suites:
Please take a look at the usage section
- ffmpeg requires all of the deps and makedeps as outlined in the ffmpeg PKGBUILD
Make sure that your $PATH does not contain any gcc wrappers like ccache or colorgcc before executing the test suites, as it may result in problems like unbounded loops. We highly recommend to use this test suite inside a clean chroot or a clean virtual machine image to avoid interfering setups.
git clone https://github.com/pid1/test-sec-flags.git --recursive
- cd into the project directory:
- Setup everything that is needed:
- Run the script:
Run a specific test case:
- Pass the test case number to the script:
- Invoke all tests of all suites:
- Invoke all test cases of a suite:
- Invoke specific test cases of a suite:
Raw results from each test are output to
results in a timestamped file. Summary results for other users can be viewed at https://github.com/pid1/test-sec-flags/wiki. Please add your results to the wiki as well, preferably maintaining the same format as the results already there.
To plot your results, compile the system summaries as per the formats in
datasets/<user>[_<device].txt and run
python plot.py <results file>.
If you encounter bugs, please open an issue on the bugtracker. Ensure that you have installed all of the necessary dependencies and makedeps, and that you are running this in a clean chroot or virtual machine.
Feature Requests and Enhancements
Feature requests and suggested enhancements should be added to https://github.com/pid1/test-sec-flags/wiki/Feature-Requests
On an firstname.lastname@example.orgGHz, about 30-45 minutes per test, 4-6 hours total
On an Atom N450, about 1 hour per test, 8 hours total
On an email@example.comGHz, about 5 minutes per run, 40 minutes total
On an Atom N450, about 22 minutes per test, 3 hours total
On an firstname.lastname@example.orgGHz, about 3 minutes per run, 20 minutes total
On an Atom N450, about 1 hour per run, 8 hours total