New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Verify security hardening features are turned on #1064
Verify security hardening features are turned on #1064
Conversation
ACK, but see #915 (comment) . |
I just did a rebuild with --disable-hardening, and the test catches the basic stuff but it still said FORTIFY_SOURCE was on. I think that's because it didn't completely rebuild everything, so the symbols it looks for to check that were still in there. I'm trying again with a full rebuild (after |
if "${REPOROOT}/qa/zcash/checksec.sh" --fortify-file "$1" | grep -q "FORTIFY_SOURCE support available.*Yes" && | ||
"${REPOROOT}/qa/zcash/checksec.sh" --fortify-file "$1" | grep -q "Binary compiled with FORTIFY_SOURCE support.*Yes"; then | ||
if { "${REPOROOT}/qa/zcash/checksec.sh" --fortify-file "$1" | grep -q "FORTIFY_SOURCE support available.*Yes"; } && | ||
{ "${REPOROOT}/qa/zcash/checksec.sh" --fortify-file "$1" | grep -q "Binary compiled with FORTIFY_SOURCE support.*Yes"; } then |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think this line should strictly speaking end in }; then
. } then
is accepted and apparently works, but I can find no documentation guaranteeing that it will work.
ACK. |
Still concerned about #915 (comment) though. |
Is this still WIP or can it be reviewed? |
I pulled in upstream's stuff, here's a TODO list:
|
ef0f257
to
a8cdc16
Compare
force pushed |
test_fortify_source "${REPOROOT}/src/zcash-gtest" | ||
test_fortify_source "${REPOROOT}/src/bitcoin-tx" | ||
test_fortify_source "${REPOROOT}/src/test/test_bitcoin" | ||
test_fortify_source "${REPOROOT}/src/zcash/GenerateParams" |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'm a bit worried if we add another binary we'll forget to put it here, but I don't know of a better practical alternative.
What's the story with the CXXFLAGS we give libzcash? |
@ebfull haven't got to that yet |
Something is really wrong with our build system, here's a command from the output showing a build in libzcash:
Notice there's |
@@ -415,7 +415,7 @@ libzcash_a_SOURCES = \ | |||
zcash/prf.cpp \ | |||
zcash/util.cpp | |||
|
|||
libzcash_a_CPPFLAGS = -DMULTICORE -fopenmp -fPIC -DBINARY_OUTPUT -DCURVE_ALT_BN128 -DBOOST_SPIRIT_THREADSAFE -DHAVE_BUILD_INFO -D__STDC_FORMAT_MACROS $(HARDENED_CPPFLAGS) -pipe -O2 -O0 -g -Wstack-protector -fstack-protector-all -fPIE -fvisibility=hidden -DSTATIC $(BITCOIN_INCLUDES) | |||
libzcash_a_CPPFLAGS = -DMULTICORE -fopenmp -fPIC -DBINARY_OUTPUT -DCURVE_ALT_BN128 -DBOOST_SPIRIT_THREADSAFE -DHAVE_BUILD_INFO -D__STDC_FORMAT_MACROS $(HARDENED_CPPFLAGS) $(HARDENED_CXXFLAGS) $(HARDENED_LDFLAGS) -pipe -O2 -O0 -g -Wstack-protector -fstack-protector-all -fPIE -fvisibility=hidden -DSTATIC $(BITCOIN_INCLUDES) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Not related to this change: How did we end up with -O2 -O0
right beside each other?!?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Also I don't even know if CXXFLAGS will be effective when given to CPPFLAGS... if I add a libzcash_a_CXXFLAGS = ...
will it magically put that in the appropriate build commands? What about LDFLAGS?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
How did we end up with -O2 -O0 right beside each other?!?
Not sure, we should get rid of it.
will it magically put that in the appropriate build commands
Yes.
What about LDFLAGS?
Yes. And we should.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
How did we end up with -O2 -O0 right beside each other?!?
Not sure, we should get rid of it.
Hypothesis: Someone cut and pasted flags from a command executed by Make that appeared in their build output.
I've seen -O2 -O0 -g
before in the commands issued by Make due to different variable expansions, but I've never seen those flags defined next to eachother (which is nonsensical). It may be that someone cut and pasted a command?
(BTW: g++ documents that it always uses the last occurring -O
value.)
2d04fae
to
be0d1e1
Compare
force pushed again, doing some cleanup |
be0d1e1
to
73537eb
Compare
Ok, this is ready for review. Rant: But even though I've read more than the first half of a whole book about it, I don't understand the configure/autoconf/magic-variable-name-interpretation crap so I don't have much confidence that the security stuff is really enabled for everything. #1064 (comment) demonstrates there is at least something wrong with our build (prior to the work in this PR). |
On Thu, Jul 21, 2016 at 12:45:14PM -0700, Taylor Hornby wrote:
I probably missed earlier discussion somewhere, but why do you prefer -O1? I think going with -O1 may actually hurt security, not to mention performance. How about "-O2 -fno-strict-aliasing -fwrapv"? That's for production builds; for development, we should also test with pure -O2 or even -O3, and ensure we receive no strict aliasing violation warnings, etc. (which are not printed in the -fno-strict-aliasing mode). |
I prefer |
ACK but my complaints on #1064 (comment) may be relevant. |
This can be merged I believe! Let's merge it soon so we can see the performance impact! |
There might be an issue. I just performed a build and I can see both -O1 and -O2 flags are being used: -DBOOST_SPIRIT_THREADSAFE -DHAVE_BUILD_INFO -D__STDC_FORMAT_MACROS -U_FORTIFY_SOURCE -D_FORTIFY_SOURCE=2 -std=c++11 -pipe -O2 -Wno-deprecated-declarations -Wno-placement-new -Wno-terminate -Werror -O1 -g -Wstack-protector |
@defuse I think we just need a one line change. Here's the diff: https://gist.github.com/bitcartel/436ae915ce7873e374b55e158f04fa47 |
That change replaces Why do we have these options specified in so many different places? |
Optimization flags affect performance measurements, but are they a roadblock for this PR to satisfy "Verify security hardening features are turned on"? I think we can and should merge but will wait for feedback before doing so. In the meantime, I've opened #1168 as a reminder to review and fix optimization flags for the next release, z9. |
ACK after dicussion with @nathan-at-least. |
@zkbot r+ |
📌 Commit 73537eb has been approved by |
…ecurity-hardening, r=bitcartel Verify security hardening features are turned on
☀️ Test successful - zcash |
Continuation of zcash#1064 and related to zcash#1168.
No description provided.