[RFC] Merging Cross-DSO CFI work into HardenedBSD -CURRENT


Shawn Webb

Aug 16, 2023, 2:46:33 PM
to HardenedBSD Users
Hey all,

I want full Cross-DSO CFI support in HardenedBSD 15-STABLE. FreeBSD
14-CURRENT is about to become 14-STABLE soon-ish, thus flipping the
main development branch to 15-CURRENT.

I think I want to merge my current Cross-DSO CFI work into 15-CURRENT
shortly after FreeBSD promotes -CURRENT to 15.

So, we would have Cross-DSO CFI enabled in base in 15-CURRENT.
14-STABLE and 13-STABLE would follow the current limit of applying CFI
to applications only.

Problem: Ports and packages. Of the 34,000+ packages, less than a few
thousand build with a Cross-DSO CFI world. The 15-CURRENT package
repo would be (mostly) useless until a significant number of ports are
fixed.

Does the community have any thoughts? Should we push the envelope and
enable Cross-DSO CFI for 15-CURRENT? Or should we be conservative and
only merge Cross-DSO CFI when a sufficient number of ports
successfully build into packages?

Perhaps pushing the envelope will encourage more community
contributions?

I value your input. If you have any thoughts to share, please do.

Thanks,

--
Shawn Webb
Cofounder / Security Engineer
HardenedBSD

https://git.hardenedbsd.org/hardenedbsd/pubkeys/-/raw/master/Shawn_Webb/03A4CBEBB82EA5A67D9F3853FF2E67A277F8E1FA.pub.asc