Verify security hardening features are turned on #1064
Conversation
|
ACK, but see #915 (comment) . |
|
I just did a rebuild with --disable-hardening, and the test catches the basic stuff but it still said FORTIFY_SOURCE was on. I think that's because it didn't completely rebuild everything, so the symbols it looks for to check that were still in there. I'm trying again with a full rebuild (after |
| if "${REPOROOT}/qa/zcash/checksec.sh" --fortify-file "$1" | grep -q "FORTIFY_SOURCE support available.*Yes" && | ||
| "${REPOROOT}/qa/zcash/checksec.sh" --fortify-file "$1" | grep -q "Binary compiled with FORTIFY_SOURCE support.*Yes"; then | ||
| if { "${REPOROOT}/qa/zcash/checksec.sh" --fortify-file "$1" | grep -q "FORTIFY_SOURCE support available.*Yes"; } && | ||
| { "${REPOROOT}/qa/zcash/checksec.sh" --fortify-file "$1" | grep -q "Binary compiled with FORTIFY_SOURCE support.*Yes"; } then |
There was a problem hiding this comment.
I think this line should strictly speaking end in }; then. } then is accepted and apparently works, but I can find no documentation guaranteeing that it will work.
|
ACK. |
|
Still concerned about #915 (comment) though. |
|
Is this still WIP or can it be reviewed? |
|
I pulled in upstream's stuff, here's a TODO list:
|
defuse
force-pushed
the
t915-enable-security-hardening
branch
from
ef0f257
to
a8cdc16
Compare
|
force pushed |
| test_fortify_source "${REPOROOT}/src/zcash-gtest" | ||
| test_fortify_source "${REPOROOT}/src/bitcoin-tx" | ||
| test_fortify_source "${REPOROOT}/src/test/test_bitcoin" | ||
| test_fortify_source "${REPOROOT}/src/zcash/GenerateParams" |
There was a problem hiding this comment.
I'm a bit worried if we add another binary we'll forget to put it here, but I don't know of a better practical alternative.
|
What's the story with the CXXFLAGS we give libzcash? |
|
@ebfull haven't got to that yet |
|
Something is really wrong with our build system, here's a command from the output showing a build in libzcash: Notice there's |
| @@ -415,7 +415,7 @@ libzcash_a_SOURCES = \ | |||
| zcash/prf.cpp \ | |||
| zcash/util.cpp | |||
|
|
|||
| libzcash_a_CPPFLAGS = -DMULTICORE -fopenmp -fPIC -DBINARY_OUTPUT -DCURVE_ALT_BN128 -DBOOST_SPIRIT_THREADSAFE -DHAVE_BUILD_INFO -D__STDC_FORMAT_MACROS $(HARDENED_CPPFLAGS) -pipe -O2 -O0 -g -Wstack-protector -fstack-protector-all -fPIE -fvisibility=hidden -DSTATIC $(BITCOIN_INCLUDES) | |||
| libzcash_a_CPPFLAGS = -DMULTICORE -fopenmp -fPIC -DBINARY_OUTPUT -DCURVE_ALT_BN128 -DBOOST_SPIRIT_THREADSAFE -DHAVE_BUILD_INFO -D__STDC_FORMAT_MACROS $(HARDENED_CPPFLAGS) $(HARDENED_CXXFLAGS) $(HARDENED_LDFLAGS) -pipe -O2 -O0 -g -Wstack-protector -fstack-protector-all -fPIE -fvisibility=hidden -DSTATIC $(BITCOIN_INCLUDES) | |||
There was a problem hiding this comment.
Not related to this change: How did we end up with -O2 -O0 right beside each other?!?
There was a problem hiding this comment.
Also I don't even know if CXXFLAGS will be effective when given to CPPFLAGS... if I add a libzcash_a_CXXFLAGS = ... will it magically put that in the appropriate build commands? What about LDFLAGS?
There was a problem hiding this comment.
How did we end up with -O2 -O0 right beside each other?!?
Not sure, we should get rid of it.
will it magically put that in the appropriate build commands
Yes.
What about LDFLAGS?
Yes. And we should.
There was a problem hiding this comment.
How did we end up with -O2 -O0 right beside each other?!?
Not sure, we should get rid of it.
Hypothesis: Someone cut and pasted flags from a command executed by Make that appeared in their build output.
I've seen -O2 -O0 -g before in the commands issued by Make due to different variable expansions, but I've never seen those flags defined next to eachother (which is nonsensical). It may be that someone cut and pasted a command?
(BTW: g++ documents that it always uses the last occurring -O value.)
defuse
force-pushed
the
t915-enable-security-hardening
branch
from
2d04fae
to
be0d1e1
Compare
|
force pushed again, doing some cleanup |
defuse
force-pushed
the
t915-enable-security-hardening
branch
from
be0d1e1
to
73537eb
Compare
defuse
changed the title
|
Ok, this is ready for review. Rant: But even though I've read more than the first half of a whole book about it, I don't understand the configure/autoconf/magic-variable-name-interpretation crap so I don't have much confidence that the security stuff is really enabled for everything. #1064 (comment) demonstrates there is at least something wrong with our build (prior to the work in this PR). |
defuse
added
the
S-waiting-on-review
|
On Thu, Jul 21, 2016 at 12:45:14PM -0700, Taylor Hornby wrote:
I probably missed earlier discussion somewhere, but why do you prefer -O1? I think going with -O1 may actually hurt security, not to mention performance. How about "-O2 -fno-strict-aliasing -fwrapv"? That's for production builds; for development, we should also test with pure -O2 or even -O3, and ensure we receive no strict aliasing violation warnings, etc. (which are not printed in the -fno-strict-aliasing mode). |
|
I prefer |
|
ACK but my complaints on #1064 (comment) may be relevant. |
|
This can be merged I believe! Let's merge it soon so we can see the performance impact! |
nathan-at-least
modified the milestones:
z8 release - core (excl. RPC) audit freeze, functional PoW,
z9 Release - RPC, Audit tasks, Testing improvements
|
There might be an issue. I just performed a build and I can see both -O1 and -O2 flags are being used: -DBOOST_SPIRIT_THREADSAFE -DHAVE_BUILD_INFO -D__STDC_FORMAT_MACROS -U_FORTIFY_SOURCE -D_FORTIFY_SOURCE=2 -std=c++11 -pipe -O2 -Wno-deprecated-declarations -Wno-placement-new -Wno-terminate -Werror -O1 -g -Wstack-protector |
|
@defuse I think we just need a one line change. Here's the diff: https://gist.github.com/bitcartel/436ae915ce7873e374b55e158f04fa47 |
|
That change replaces Why do we have these options specified in so many different places? |
|
Optimization flags affect performance measurements, but are they a roadblock for this PR to satisfy "Verify security hardening features are turned on"? I think we can and should merge but will wait for feedback before doing so. In the meantime, I've opened #1168 as a reminder to review and fix optimization flags for the next release, z9. |
|
ACK after dicussion with @nathan-at-least. |
|
@zkbot r+ |
|
📌 Commit 73537eb has been approved by |
…ecurity-hardening, r=bitcartel Verify security hardening features are turned on
|
☀️ Test successful - zcash |
Continuation of zcash#1064 and related to zcash#1168.
No description provided.