The email I replied to was originally posted by "Hinnerk van Bruinehsen".
Let's see my question in detail, that might clarify it. Here is the part of the ebuild I'm asking questions about:

"
    if [[ $(gcc-major-version) -lt 4 ]]; then
        append-cxxflags -fno-stack-protector
    elif [[ $(gcc-major-version) -gt 4 || $(gcc-minor-version) -gt 3 ]]; then
        if use amd64 || use x86; then
            append-flags -mno-avx
        fi
    fi
"

Break it down:

"
    if [[ $(gcc-major-version) -lt 4 ]]; then
        append-cxxflags -fno-stack-protector
"

The first part is a historical remnant from times before Zorry. We used gcc-3.4.6 for a long time. It used a different implementation for SSP.

"
    elif [[ $(gcc-major-version) -gt 4 || $(gcc-minor-version) -gt 3 ]]; then
        if use amd64 || use x86; then
            append-flags -mno-avx
        fi
    fi
"

The second part disables avx optimisations if the gcc version is newer than 4.3. However, avx support hasn't been around for long and it's not mature.

Avx is an instruction set extension that is getting some attention lately. I'm lucky to have a system with a capable processor.

The block disabling the optimisations resides right beside the stack-protector statement. That's why I thought some hardened folks put it there. And I'm curious about the reason. Of course it might simply be there because enabling avx optimizations can actually decrease performance, as you can see here:
http://www.phoronix.com/scan.php?page=article&item=intel_avx_gcc&num=1

Security is more important for me compared to speed. That's why I'm interested in any security effect of a compiler option (like creating textrels or so). If it's a security problem, I won't use corei7-avx, but rather go for simple corei7.

Regards:
Dw.
--
dr Tóth Attila, Radiológus, 06-20-825-8057
Attila Toth MD, Radiologist, +36-20-825-8057

On 19 February 2012 (Sun) at 19:32, Grant wrote:
>> There's a snippet in your ebuild:
>> "append-flags -mno-avx"
>>
>> What is the problem with avx? Is it an option counteracting with
>> security?
>
> I'm sorry but I'm not sure what you mean. I should change the firefox
> ebuild?
>
> - Grant
>
>
>>>>>>>> Firefox won't compile on my system due to the issue
>>>>>>>> described here:
>>>>>>>>
>>>>>>>> http://www.gossamer-threads.com/lists/gentoo/hardened/245060
>>>>>>>
>>>>>>>
>>>>>>> FWIW: I had no trouble compiling Firefox 9.0 on my amd64 system
>>>>>>> using the current stable 3.2.2-r1 kernel, gcc 4.5.3,
>>>>>>> grsec/pax enabled.
>>>>>>
>>>>>> To confirm, you aren't on a hardened profile?
>>>>>
>>>>> I am on a hardened profile, currently using
>>>>> hardened/linux/amd64/no-multilib/selinux profile, only running
>>>>> stable software.
>>>>
>>>> I don't get it then. Does anyone know why I can't compile Firefox
>>>> as described in the link above? This sums it up:
>>>>
>>>> "firefox-9.0 ebuild stalls at the install phase while xpcshell
>>>> command tops CPU usage for hours."
>>>>
>>>> Although xpcshell doesn't use any CPU for me. It just sits there
>>>> and the install phase doesn't proceed.
>>>>
>>>> - Grant
>>>>
>>>
>>> I can compile Icecat with a customized ebuild. Since it's basically
>>> the same as Firefox, maybe that helps. Basically it disables jit.