Enable PIE by default on 64-bit architectures

This patch adds Position Independent Executables (PIE) flags for building OS. It allows to enable the ASLR feature based only on the sysctl knobs, without need to rebuild the image. Tests showed that no problems with stability / performance degradation were seen when using PIEs with ASLR disabled. The change is limited only for 64-bit architectures. Use bsd.opts.mk instead of the src.opts.mk in order to satisfy all build dependencies related to MK_PIE. Reviewed by: emaste, imp Obtained from: Semihalf Sponsored by: Stormshield Differential Revision: https://reviews.freebsd.org/D28328 (cherry picked from commit 9a227a2fd6)
2026-06-09 08:43:19 -04:00 · 2021-01-22 13:13:03 +01:00 · 2021-01-22 13:13:03 +01:00 · 396e9f259d
commit 396e9f259d
parent 408c698b13
1 changed files with 15 additions and 1 deletions
--- a/share/mk/bsd.opts.mk
+++ b/share/mk/bsd.opts.mk
@ -75,7 +75,6 @@ __DEFAULT_NO_OPTIONS = \
    INIT_ALL_PATTERN \
    INIT_ALL_ZERO \
    INSTALL_AS_USER \
-    PIE \
    MANSPLITPKG \
    RETPOLINE \
    STALE_STAGED
@ -86,6 +85,21 @@ __DEFAULT_DEPENDENT_OPTIONS = \
    STAGING_PROG/STAGING \
    STALE_STAGED/STAGING \

+#
+# Default to disabling PIE on 32-bit architectures. The small address space
+# means that ASLR is of limited effectiveness, and it may cause issues with
+# some memory-hungry workloads.
+#
+.if ${MACHINE_ARCH} == "armv6" || ${MACHINE_ARCH} == "armv7" \
+    || ${MACHINE_ARCH} == "i386" || ${MACHINE_ARCH} == "mips" \
+    || ${MACHINE_ARCH} == "mipsel" || ${MACHINE_ARCH} == "mipselhf" \
+    || ${MACHINE_ARCH} == "mipshf" || ${MACHINE_ARCH} == "mipsn32" \
+    || ${MACHINE_ARCH} == "mipsn32el" || ${MACHINE_ARCH} == "powerpc" \
+    || ${MACHINE_ARCH} == "powerpcspe"
+__DEFAULT_NO_OPTIONS+= PIE
+.else
+__DEFAULT_YES_OPTIONS+=PIE
+.endif

 .include <bsd.mkopt.mk>