Index: share/mk/bsd.opts.mk
===================================================================
--- share/mk/bsd.opts.mk
+++ share/mk/bsd.opts.mk
@@ -61,6 +61,7 @@
 NIS \
 NLS \
 OPENSSH \
+ PIE \
 PROFILE \
 SSP \
 TESTS \
@@ -74,7 +75,6 @@
 INIT_ALL_PATTERN \
 INIT_ALL_ZERO \
 INSTALL_AS_USER \
- PIE \
 RETPOLINE \
 STALE_STAGED

Index: sys/kern/imgact_elf.c
===================================================================
--- sys/kern/imgact_elf.c
+++ sys/kern/imgact_elf.c
@@ -162,19 +162,43 @@
 "");
 #define ASLR_NODE_OID __CONCAT(__CONCAT(_kern_elf, __ELF_WORD_SIZE), _aslr)

+/*
+ * While for 64 bit machines ASLR is working properly, there are
+ * still some problems when using 32 bit architectures. For this
+ * reason ASLR is only enabled by default when running native
+ * 64 bit programs.
+ */
+#if __ELF_WORD_SIZE == 64
+static int __elfN(aslr_enabled) = 1;
+#else
 static int __elfN(aslr_enabled) = 0;
+#endif
 SYSCTL_INT(ASLR_NODE_OID, OID_AUTO, enable, CTLFLAG_RWTUN,
 &__elfN(aslr_enabled), 0,
 __XSTRING(__CONCAT(ELF, __ELF_WORD_SIZE))
 ": enable address map randomization");

+#if __ELF_WORD_SIZE == 64
+static int __elfN(pie_aslr_enabled) = 1;
+#else
 static int __elfN(pie_aslr_enabled) = 0;
+#endif
 SYSCTL_INT(ASLR_NODE_OID, OID_AUTO, pie_enable, CTLFLAG_RWTUN,
 &__elfN(pie_aslr_enabled), 0,
 __XSTRING(__CONCAT(ELF, __ELF_WORD_SIZE))
 ": enable address map randomization for PIE binaries");

+/*
+ * With this disabled the bss grow region can also be used for ASLR.
+ *
+ * Sbrk is now deprecated and it can be assumed, that in most
+ * cases it will not be used anyway.
+ */
+#if __ELF_WORD_SIZE == 64
+static int __elfN(aslr_honor_sbrk) = 0;
+#else
 static int __elfN(aslr_honor_sbrk) = 1;
+#endif
 SYSCTL_INT(ASLR_NODE_OID, OID_AUTO, honor_sbrk, CTLFLAG_RW,
 &__elfN(aslr_honor_sbrk), 0,
 __XSTRING(__CONCAT(ELF, __ELF_WORD_SIZE)) ": assume sbrk is used");
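Review bot: Moving `PIE` into the list that also holds `OPENSSH` and `SSP` (presumably the default-on options; the list header is outside the hunk) switches it on with no per-architecture condition visible here, while the kernel half of this patch keeps `aslr_enabled` and `pie_aslr_enabled` at 0 for 32-bit ELF. On those targets binaries would then be built position-independent but not randomized by default, so the build change buys no hardening there. If that is intended, record it in a comment above the list, for example `# PIE defaults to on for all targets; 32-bit ASLR remains off by default (kern.elf32.aslr.*)`; otherwise keep the default per architecture. The second hunk (-74,7) is only the matching removal from the other list.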
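Review bot: The new 64-bit default `aslr_honor_sbrk = 0` cannot be overridden from the loader, because the `honor_sbrk` node in the trailing context is declared with `CTLFLAG_RW` while `enable` and `pie_enable` both use `CTLFLAG_RWTUN`. Any program that still calls sbrk() and starts before a sysctl.conf setting is applied would run with the bss grow region open to randomized mappings, which the added comment only assumes is harmless. Changing that flag to `CTLFLAG_RWTUN` would give administrators a boot-time way back to the old behaviour. The comment could also name the consequence, e.g. `* With this set to 0, mappings may be placed in the bss grow region, so a later sbrk() may fail.`; that wording is inferred from the comment itself, since the code that consumes the flag is outside this hunk.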