[gentoo-dev] Making the hardened toolchain the default

[gentoo-dev] Making the hardened toolchain the default

[Travis Tilley]

...ok, once again not really, but i cant use that trick to get people's 
attention after today so i figured i might as well use it twice. :)

recent gcc ebuilds have been patched to recognise an environment 
variable, GCC_SPECS, that sets which specs-file should be used. the gcc 
3.4.2-r2 ebuild also builds both hardened and non-hardened specs files 
for all users (though it doesnt make hardened the default specs file for 
non-hardened users).

so, what does this mean? it means that everyone can now assist in fixing 
hardened toolchain related bugs in the packages they maintain without 
having to recompile gcc to get a hardened toolchain up. good stuff, eh? :)


ayanami root # gcc main.c -o main ; file main
main: ELF 64-bit LSB executable, AMD x86-64, version 1 (SYSV), for 
GNU/Linux 2.4.1, dynamically linked (uses shared libs), not stripped

ayanami root # export 
GCC_SPECS=/usr/lib/gcc/x86_64-pc-linux-gnu/3.4.2/hardened.specs

ayanami root # gcc main.c -o main ; file main
main: ELF 64-bit LSB shared object, AMD x86-64, version 1 (SYSV), not 
stripped


so now, for anyone interested, helping with hardened now requires the 
absolute minimum effort possible and shouldnt be a pain for devs who 
dont want to have a full hardened install. go team! *high-fives Rob 
Holland for writing the patch*

patched ebuilds:
gcc-3.3.4-r2
gcc-3.4.1-r3
gcc-3.4.2-r2


Travis Tilley
Gentoo/AMD64

--
gentoo-dev@gentoo.org mailing list

Re: [gentoo-dev] Making the hardened toolchain the default

[Doug Goldstein]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Travis Tilley wrote:
| ...ok, once again not really, but i cant use that trick to get people's
| attention after today so i figured i might as well use it twice. :)
|
| recent gcc ebuilds have been patched to recognise an environment
| variable, GCC_SPECS, that sets which specs-file should be used. the gcc
| 3.4.2-r2 ebuild also builds both hardened and non-hardened specs files
| for all users (though it doesnt make hardened the default specs file for
| non-hardened users).
|
| so, what does this mean? it means that everyone can now assist in fixing
| hardened toolchain related bugs in the packages they maintain without
| having to recompile gcc to get a hardened toolchain up. good stuff, eh? :)
|
|
| ayanami root # gcc main.c -o main ; file main
| main: ELF 64-bit LSB executable, AMD x86-64, version 1 (SYSV), for
| GNU/Linux 2.4.1, dynamically linked (uses shared libs), not stripped
|
| ayanami root # export
| GCC_SPECS=/usr/lib/gcc/x86_64-pc-linux-gnu/3.4.2/hardened.specs
|
| ayanami root # gcc main.c -o main ; file main
| main: ELF 64-bit LSB shared object, AMD x86-64, version 1 (SYSV), not
| stripped
|
|
| so now, for anyone interested, helping with hardened now requires the
| absolute minimum effort possible and shouldnt be a pain for devs who
| dont want to have a full hardened install. go team! *high-fives Rob
| Holland for writing the patch*
|
| patched ebuilds:
| gcc-3.3.4-r2
| gcc-3.4.1-r3
| gcc-3.4.2-r2
|
|
| Travis Tilley
| Gentoo/AMD64
|
| --
| gentoo-dev@gentoo.org mailing list
|
|
|
let's add support for this switching into gcc-config and that way people
won't have to remember the full path to the spec file... it'd know it
based on the profile info.

- --
Doug Goldstein
http://dev.gentoo.org/~cardoe

Public Key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x179106D0
Key fingerprint = 7001 5FBF BACE 9E66 3A1C  55E0 161C FF5C 1791 06D0

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.6 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

iD8DBQFBXgveFhz/XBeRBtARAjn0AJ4wj1dH4XN23npP8BmsRMSfpJiPtgCfe4Pt
cqzx5S4OwwR87Rh6FI0BAbc=
=AE8D
-----END PGP SIGNATURE-----

--
gentoo-dev@gentoo.org mailing list

Re: [gentoo-dev] Making the hardened toolchain the default

[Travis Tilley]

Doug Goldstein wrote:
> let's add support for this switching into gcc-config and that way people
> won't have to remember the full path to the spec file... it'd know it
> based on the profile info.

i have some black magic in the amd64 cascading profile that lets you do 
USE_SPECS=hardened emerge blah, but that isnt quite how it should be 
done. ^^;

i think tigger was working on the gcc-config integration thing, so 
you'll have to poke at him a few times. :)


Travis Tilley
Gentoo/AMD64

--
gentoo-dev@gentoo.org mailing list

Re: [gentoo-dev] Making the hardened toolchain the default

[Ned Ludd]

[-- Attachment #1: Type: text/plain, Size: 396 bytes --]

On Fri, 2004-10-01 at 22:01, Doug Goldstein wrote:

[stuff]

> let's add support for this switching into gcc-config and that way people
> won't have to remember the full path to the spec file... it'd know it
> based on the profile info.

Sounds good. Where is your patch? :)



-- 
Ned Ludd <solar@gentoo.org>
Gentoo (hardened,security,infrastructure,embedded,toolchain) Developer

[-- Attachment #2: This is a digitally signed message part --]
[-- Type: application/pgp-signature, Size: 189 bytes --]

Re: [gentoo-dev] Making the hardened toolchain the default

[Travis Tilley]

Doug Goldstein wrote:
> let's add support for this switching into gcc-config and that way people
> won't have to remember the full path to the spec file... it'd know it
> based on the profile info.

ask.. and ye -shall- receive! BEHOLD!

ayanami gcc # gcc-config -l
[1] x86_64-pc-linux-gnu-3.4.2
[2] x86_64-pc-linux-gnu-3.4.2-hardenednossp
[3] x86_64-pc-linux-gnu-3.4.2-vanilla

^_^
this is with a USE=hardened gcc. if you're not installing with 
USE=hardened, replace that vanilla option with a hardened option. and 
bam... the promise in the subject of this e-mail is fulfilled.

hardened specs file logic is now installed by default for all gcc 
3.4.2-r2 installs, it's just not enabled by default unless hardened is 
in USE. next step... world domination. oh yeah. :)

at some point we need to see if upstream would even consider integrating 
some of our less invasive gentoo-specific patches, like the GCC_SPECS 
support and some of the pie logic cleanups.


Travis Tilley
Gentoo/AMD64/toolchain/hardened?/other

--
gentoo-dev@gentoo.org mailing list

Re: [gentoo-dev] Making the hardened toolchain the default

[Ned Ludd]

[-- Attachment #1: Type: text/plain, Size: 1568 bytes --]

On Mon, 2004-10-04 at 00:36, Travis Tilley wrote:
> Doug Goldstein wrote:
> > let's add support for this switching into gcc-config and that way people
> > won't have to remember the full path to the spec file... it'd know it
> > based on the profile info.
> 
> ask.. and ye -shall- receive! BEHOLD!
> 
> ayanami gcc # gcc-config -l
> [1] x86_64-pc-linux-gnu-3.4.2
> [2] x86_64-pc-linux-gnu-3.4.2-hardenednossp
> [3] x86_64-pc-linux-gnu-3.4.2-vanilla
> 
> ^_^
> this is with a USE=hardened gcc. if you're not installing with 
> USE=hardened, replace that vanilla option with a hardened option. and 
> bam... the promise in the subject of this e-mail is fulfilled.
> 
> hardened specs file logic is now installed by default for all gcc 
> 3.4.2-r2 installs, it's just not enabled by default unless hardened is 
> in USE. next step... world domination. oh yeah. :)
> 
> at some point we need to see if upstream would even consider integrating 
> some of our less invasive gentoo-specific patches, like the GCC_SPECS 
> support and some of the pie logic cleanups.

I have an aversion with dealing with redhat myself for just about
anything these days. But I can think of a few things that would be nice
to unload to avoid the patching nightmares. If your game or find out
somebody else that is then please let me know.

> 
> 
> Travis Tilley
> Gentoo/AMD64/toolchain/hardened?/other
> 
> --
> gentoo-dev@gentoo.org mailing list
-- 
Ned Ludd <solar@gentoo.org>
Gentoo (hardened,security,infrastructure,embedded,toolchain) Developer

[-- Attachment #2: This is a digitally signed message part --]
[-- Type: application/pgp-signature, Size: 189 bytes --]