On 15 November 2011 09:34, Avi Kivity <a...@redhat.com> wrote: > Change the default on x86 hosts to building PIE (position independent > executables); instead of restricting the option to user-only targets, > apply it to all targets. > > In addition, set the relocation sections to read-only (relro) when available; > this reduces the attack surface by disallowing changes to relocation tables > at runtime. > > While PIE reduces performance and relro increases load time, it greatly > improves security, with the potential to reduce a code execution vulnerability > to a self denial of service. > > Non-x86 are not changed, as they require TCG changes. > > Signed-off-by: Avi Kivity <a...@redhat.com>
Reviewed-by: Peter Maydell <peter.mayd...@linaro.org> ...as far as the technical content of the patch is concerned. I'm still rather dubious about the merits of putting this patch in this late in the release cycle. -- PMM
