Static Library guideline changes

Summary

Add the following as the second bullet point under Packaging:Guidelines#Packaging_Static_Libraries_2:

• Static libraries (.a files) must be built as PIC objects.

Add the following section before Packaging:Guidelines#Staticly_Linking_Executables:

Building Static Libraries

Typically all that's needed to build a library PIC is to add -fPIC to CFLAGS, and checking that -fPIC is present on the compiler command lines is sufficient to determine that a library is PIC. If a library contains assembly code, adding -fPIC won't make the assembly magically become PIC; code changes will be necessary in this case.

Autotools-based projects can usually force PIC static libraries by configuring with --with-pic.

The remainder of this document is rationale and explanation, which are probably not appropriate for inclusion in the main guidelines but may be useful in a separate page linked from the above sections.

Definitions

PIC

Position-independent code (PIC) is machine instruction code that executes properly regardless of where in memory it resides. PIC is commonly used for shared libraries, so that the same library code can be loaded in a location in each program address space where it won't overlap any other uses of memory (for example, other shared libraries). Position-independent code can be copied to any memory location and executed without modification. This differs from relocatable code, which requires special processing by a link editor or program loader to make it suitable for execution at a given location. Position independent code must adhere to a specific set of semantics in the source code, and compiler support is required. Instructions that refer to specific memory addresses, such as absolute branches, must be replaced with equivalent program counter relative instructions.

PIE

Position-independent executables (PIE) are executable binaries made entirely from position-independent code. PIE binaries are used in Fedora to allow Exec Shield to use address space layout randomization to prevent attackers from knowing where existing executable code is during an exploit that relies on knowing the offset of the executable code in the binary, such as return-to-libc attacks.

Rationale

Some architectures (including i386, but not including x86_64) permit non-position-independent code. A static library may, through subsequent linking, be included in any of another static library, an application, or a shared library.

On architectures that permit it, non-PIC code comes with a tradeoff. Since the load address is assumed, the compiler has an additional register to use, which can be a - usually small - performance benefit. However, any otherwise relocatable object (shared library or PIE executable) that the non-PIC code is linked into will require text relocations. Text relocations impose a performance penalty on executable startup, and effectively make the code unshareable, thus negating the benefits of making the code into a shared library in the first place.

In general, it is preferable to err on the side of PIC. Text relocations are incompatible with some of the security measures in Fedora, and the performance benefit of actually being able to share your shared library code in memory outweighs any performance benefit from the additional register. Static libraries in particular should be built PIC, since if not their non-PIC-ness effectively poisons any shared libraries in which they are included.