Upcoming changes to the OpenBSD kernel will prevent system calls from being made unless they are coming from libc.so (with some exceptions, for example, a static binary). There are also likely to be changes to the APIs used for system calls. As such, the Go runtime (and other packages) need to stop using direct syscalls, rather calling into libc functions instead (as has always been done for Solaris and now also for macOS). This will avoid these issues and allow Go to continue to function correctly on OpenBSD.
A version of Go with openbsd/amd64 being modified to perform all calls via libc is available at:
https://github.com/4a6f656c/go/tree/openbsd-syscall
Further work is still required to convert openbsd/386, openbsd/arm and openbsd/arm64.
> with some exceptions, for example, a static binary
But Go fits squarely within that exception. Or are you worried about nonstandard build modes?
That exception exists specifically for Go. https://lwn.net/Articles/806863/
I think this move to make kernels callable only through a blessed C library is a bad idea, in particular for all users of programming languages that are not C-like. It introduces a performance overhead for every kernel call that could be avoided by direct kernel calls. The security benefits are debatable, fix the kernel, not hide the flaws and incompatibilities behind a C library.
Kernels should do like Linux does, and provide a safe, stable, kernel API, and not try to shift the interface to C libraries. And even then, graphics on Linux is a disaster because they exactly did that, provide most functionality in a C library, not in the kernel itself. We should protest at least once to Mr. De Raadt against this debatable decision.
@randall77 - in many cases Go on OpenBSD will generate a dynamically linked executable, unless cgo is disabled:
    $ cat n.go
    package main

    import (
    	"fmt"
    	"net"
    )

    func main() {
    	fmt.Println(net.IPv4len)
    }
    $ go build -o n n.go
    $ ldd n
    n:
            Start            End              Type  Open Ref GrpRef Name
            0000000000010000 00000000001d3000 exe   2    0   0      n
            0000000453cfd000 0000000453d3e000 rlib  0    1   0      /usr/lib/libpthread.so.26.1
            000000048614c000 000000048624c000 rlib  0    1   0      /usr/lib/libc.so.95.1
            0000000497c90000 0000000497c90000 ld.so 0    1   0      /usr/libexec/ld.so
    $ CGO_ENABLED=0 go build -o n n.go
    ldd n
    $ ldd n
    n:
            not a dynamic executable
This would mean that we'd have to drop cgo support and only support statically compiled Go executables.
@FiloSottile you're correct in that there is currently an exception for dynamically linked executables to allow syscalls from both libc.so and the main text segment, so that Go continues to work. However, in addition to this there will always likely be an exception for static binaries, since in that case there is no libc.so and parts of libc.a have likely been linked into the main text segment (otherwise a static binary could not make syscalls).
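The static versus dynamic distinction shown with ldd above can also be checked programmatically. This is an added example, not code from the thread or from the Go project: it reads the PT_INTERP program header with debug/elf, and an image with no PT_INTERP is treated as statically linked, so it loads no libc.so through ld.so. The names interpreter and fakeELF are hypothetical, and the ELF images are constructed sample input rather than real binaries.

```go
package main

import (
	"bytes"
	"debug/elf"
	"encoding/binary"
	"fmt"
	"io"
)

// interpreter returns the run-time loader named by PT_INTERP, or "" when the
// image has none, i.e. it is statically linked and loads no libc.so.
func interpreter(image []byte) (string, error) {
	f, err := elf.NewFile(bytes.NewReader(image))
	if err != nil {
		return "", err
	}
	for _, p := range f.Progs {
		if p.Type == elf.PT_INTERP {
			b, err := io.ReadAll(p.Open())
			return string(bytes.TrimRight(b, "\x00")), err
		}
	}
	return "", nil
}

// fakeELF builds constructed sample input: a sectionless ELF64 image with a
// PT_LOAD header and, when interp is non-empty, a PT_INTERP header.
func fakeELF(interp string) []byte {
	progs := []elf.Prog64{{Type: uint32(elf.PT_LOAD)}}
	if interp != "" {
		progs = append(progs, elf.Prog64{Type: uint32(elf.PT_INTERP),
			Off: 64 + 2*56, Filesz: uint64(len(interp) + 1)})
	}
	hdr := elf.Header64{Type: uint16(elf.ET_EXEC), Machine: uint16(elf.EM_X86_64),
		Version: uint32(elf.EV_CURRENT), Phoff: 64, Ehsize: 64, Phentsize: 56,
		Phnum: uint16(len(progs))}
	copy(hdr.Ident[:], []byte{0x7f, 'E', 'L', 'F', byte(elf.ELFCLASS64),
		byte(elf.ELFDATA2LSB), byte(elf.EV_CURRENT)})
	var buf bytes.Buffer
	binary.Write(&buf, binary.LittleEndian, &hdr)  // 64-byte file header
	binary.Write(&buf, binary.LittleEndian, progs) // 56 bytes per program header
	buf.WriteString(interp + "\x00")               // PT_INTERP payload, NUL-terminated
	return buf.Bytes()
}

func main() {
	fmt.Println(interpreter(fakeELF("/usr/libexec/ld.so"))) // dynamic image
	fmt.Println(interpreter(fakeELF("")))                   // static image
}
```

To inspect a real binary, pass the bytes from os.ReadFile to interpreter instead of a constructed image.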
@4a6f656c why does it generate dynamically linked executable in the first place?
Change https://golang.org/cl/234381 mentions this issue: runtime, syscall: correct openbsd/arm and openbsd/arm64 syscalls for OpenBSD 6.7
Moving to backlog milestone.
I would like to work on this. After a brief look, Solaris seems to be a good role model for OpenBSD. What would be the best strategy here? OpenBSD seems to share definitions with the other BSD platforms, which result in conflicting definitions when I try to hook it into mksyscall_libc.pl.
Or should I try to do things more like MacOS? Is that an easier way? How should I proceed?
I don't think there is any fundamental difference between the Solaris approach and the macOS approach. Following the Solaris approach seems fine if that is easier.
Yes, you will undoubtedly have to shuffle the build tags to separate openbsd from the other BSD systems in some cases.
Well, I started. My WIP commits will be pushed here, if anyone is interested in them: https://github.com/bw-86/go
Currently, nothing is building, of course. I am chasing from one linking error to the next one while imitating what Solaris does. I will notify you when I'm getting somewhere (or when I have questions I cannot answer myself).
EDIT: I changed the default branch of my fork to 4a6f656c's work. My branch is openbsd-syscalls (plural), if anyone wants to see what I tried myself.
Does that mean Go will always use dynamic linking or raw syscalls will still be used when linking statically?
I agree with @beoran and iirc OpenBSD will not enforce libc.so stubs if you won't play their security theater, so you don't have to sacrifice both efficiency and actual security.
> I would like to work on this. After a brief look, Solaris seems to be a good role model for OpenBSD. What would be the best strategy here? OpenBSD seems to share definitions with the other BSD platforms, which result in conflicting definitions when I try to hook it into mksyscall_libc.pl.
> Or should I try to do things more like MacOS? Is that an easier way? How should I proceed?
@bw-86, the git repo referenced in the first comment contains a full implementation for openbsd/amd64:
https://github.com/4a6f656c/go/tree/openbsd-syscall
I've since rebased and cleaned some aspects of this up, but need to push a new branch.
As noted, there is still work required to complete the migration for openbsd/386, openbsd/arm and openbsd/arm64. There are also some issues relating to the linker that impact this work (see https://github.com/golang/go/issues/39257 and https://github.com/golang/go/issues/39256). Aside from the remaining architectures, most of the remaining work is around being able to split this up to merge upstream and I have some concerns about cross-compiling and bootstrapping that I've not yet had time to investigate.
> Does that mean Go will always use dynamic linking or raw syscalls will still be used when linking statically?
Go will always use dynamic linking (and possibly always external linking) - it would be a significant amount of effort to maintain both libc based syscalls and raw syscalls and switch between the two. Any Go binary on OpenBSD that pulls in the net package is already going to result in a dynamic cgo-based binary (unless cgo is explicitly disabled - see https://github.com/golang/go/issues/36435#issuecomment-572138195).
> I agree with @beoran and iirc OpenBSD will not enforce libc.so stubs if you won't play their security theater, so you don't have to sacrifice both efficiency and actual security.
If you do not want OpenBSD's "security theater" then I would suggest not using OpenBSD. Additionally, have you actually measured the performance difference? Both Solaris and macOS already both use libc-style syscalls and IIRC the switch on macOS resulted in a minimal performance impact.
Heh, how could I miss that? Well, at least I learned something by trying to do it myself.
@4a6f656c: Can I do something to accelerate this? Should I try to adapt your work to i386? I have a system here where I could develop and test it.
@4a6f656c it's not only about performance, it's also about usability and general efficiency which includes security, but what you overengineers do is simply making stuff overcomplicated and that's really bad for security you care about so much. Go is not a C-like language, so please don't mix it with C when possible.
I don't remember the article so I can't find it, but it states that on Solaris just because of libc stubs Go can't manage the stack sanely, it even has to allocate much larger stack than it would without libc stubs just to avoid crashes because it's become hard to scale, so security has actually lowered.
Also dynamic linking itself is a great mistake, it's bad for both security, performance and stability, again it's an overengineered virus.
> Heh, how could I miss that? Well, at least I learned something by trying to do it myself.
That's always a good thing :)
> @4a6f656c: Can I do something to accelerate this? Should I try to adapt your work to i386? I have a system here where I could develop and test it.
Getting it working on openbsd/386 would be great!
I've just pushed an update to that repo that is based on Go -tip.
> > Does that mean Go will always use dynamic linking or raw syscalls will still be used when linking statically?
> Go will always use dynamic linking (and possibly always external linking) - it would be a significant amount of effort to maintain both libc based syscalls and raw syscalls and switch between the two. Any Go binary on OpenBSD that pulls in the net package is already going to result in a dynamic cgo-based binary (unless cgo is explicitly disabled - see #36435 (comment)).
Actually, there is another thing that I need to investigate - in many cases we should be able to statically link against libc.a, which would actually allow us to produce static Go binaries in more cases than we currently do on OpenBSD.
I can chime in as both an OpenBSD user and someone who works on a project that builds releases for OpenBSD. I am happy with this change but hope that cross compiling to OpenBSD and reproducible builds remain possible. This probably negates requiring the external linker and having libc.a available.
The current behavior for macOS is ideal in this case. When cross compiling, it is still able to create a dynamically linked executable, and does so reproducibly, without depending on the external macOS linker.
    $ uname
    OpenBSD
    $ cat importnet.go
    package main

    import _ "net"

    func main() {}
    $ CGO_ENABLED=0 GOOS=darwin GOARCH=amd64 go build importnet.go
    $ echo put importnet | sftp machost
    Connected to machost.
    sftp> put importnet
    Uploading importnet to /Users/jrick/importnet
    importnet                                100% 2047KB   2.6MB/s   00:00
    $ ssh machost './importnet && otool -L importnet'
    importnet:
            /usr/lib/libSystem.B.dylib (compatibility version 0.0.0, current version 0.0.0)
            /System/Library/Frameworks/Security.framework/Versions/A/Security (compatibility version 0.0.0, current version 0.0.0)
            /System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation (compatibility version 0.0.0, current version 0.0.0)
I have to admit defeat for the moment. I pushed some minor work to my repository; feel free to take it.
I will have to learn some more assembly and more about the calling conventions of Go and OpenBSD before I can tackle this. To be precise, I don't know how to write the syscall functions (syscall6, syscall9, ...).
So, can someone help me with this one? If I had just one of them, I might adapt it for the other use cases.
Change https://golang.org/cl/250180 mentions this issue: cmd/dist,cmd/link,runtime: switch openbsd/amd64 to pthreads
Change https://golang.org/cl/250181 mentions this issue: cmd/link/internal/arm64: handle calls to SDYNIMPORT with internal linking
Change https://golang.org/cl/250182 mentions this issue: runtime: switch openbsd/arm64 to pthreads
Change https://golang.org/cl/250577 mentions this issue: runtime: switch openbsd/386 to pthreads
@4a6f656c please read this: https://utcc.utoronto.ca/~cks/space/blog/programming/GoCLibraryAPIIssues
and this: https://utcc.utoronto.ca/~cks/space/blog/unix/CLibraryAPIRequiresC
@randall77 @ianlancetaylor - I've been informed that OpenBSD will be removing the direct syscall exception for Go binaries in March 2021, prior to the OpenBSD 6.9 release in May 2021. Unfortunately, this means that as things currently stand, Go 1.16 (released February 2021) will not work on OpenBSD 6.9 (released May 2021). Presuming patches land, Go 1.17 would resume working on OpenBSD 6.9, but this would not be released until August 2021. I'm not sure if a freeze exception would be considered to avoid this situation.
Here, I agree with @iceiceleo that OpenBSD (as well as Solaris, Windows, etc) are in the wrong. A kernel should have a stable programming language-neutral direct syscall interface. It's unfortunate that we have to hurry a patch for Go for this.
I think it would be reasonable to have a freeze-exception for changes specific to OpenBSD code and build tags. But the code would need to get it quite soon. I see that some CLs were already sent above; are more CLs needed? Is anybody reviewing those CLs?
> I think it would be reasonable to have a freeze-exception for changes specific to OpenBSD code and build tags. But the code would need to get it quite soon.
The bulk of it is OpenBSD specific code in runtime and syscall - there may be a few additional linker related parts, but they likely fall under the bug fix category.
> I see that some CLs were already sent above; are more CLs needed?
Yes - I had sent the first set and was avoiding flooding the rest of the CLs. I can get things prepped and mailed out.
> Is anybody reviewing those CLs?
With the exception of the library version deduplication CL, not as far as I am aware.
Change https://golang.org/cl/249978 mentions this issue: cmd/link/internal/ld: dedup shared libraries on openbsd
@4a6f656c also please read this https://en.wikipedia.org/wiki/Return-to-libc_attack and ask theo: "this syscalls through libc enforcements lowered security. what are you trying to protect against?"
Folks, please keep it on-topic. This is not the forum to debate the decisions and security of the OpenBSD project, but only Go's compatibility with current and upcoming OpenBSD versions. Thank you.
Change https://golang.org/cl/270377 mentions this issue: cmd/link: emit export for SDYNIMPORT with external linking
Change https://golang.org/cl/270378 mentions this issue: runtime: convert openbsd/amd64 locking to pthreads
Change https://golang.org/cl/270380 mentions this issue: runtime,syscall: convert syscall on openbsd/amd64 to libc
Change https://golang.org/cl/270379 mentions this issue: runtime: switch runtime to libc for openbsd/amd64
@ianlancetaylor I've mailed out the full set of changes needed to convert openbsd/amd64 to libc based syscalls - I'll mail changes for the remaining architectures, however they will be somewhat smaller due to code shared with openbsd/amd64.
There are two outstanding linker issues that I do not yet have fixes for - one is https://github.com/golang/go/issues/41121 (arm), the other is what appears to be an incorrect 4 byte offset in 386 PLTs (I'll try to find a reproducer for this).
> one is #41121 (arm)
This only affects linking very large binaries. It is probably fine to do it later.
> > one is #41121 (arm)
> This only affects linking very large binaries. It is probably fine to do it later.
Agreed, although we'll have to disable some tests in the interim.
@FiloSottile then there is no need for double standards, you (google) should simply drop openbsd compatibility like you already don't care in chromium about compatibility with anything besides mainstream platforms, it's openbsd's responsibility to maintain working ports, not yours, and they are doing it great on their own