From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from lists.gentoo.org (pigeon.gentoo.org [208.92.234.80]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by finch.gentoo.org (Postfix) with ESMTPS id 15503139694 for ; Fri, 16 Jun 2017 00:05:24 +0000 (UTC) Received: from pigeon.gentoo.org (localhost [127.0.0.1]) by pigeon.gentoo.org (Postfix) with SMTP id D1F5221C1BE; Fri, 16 Jun 2017 00:05:16 +0000 (UTC) Received: from smtp.gentoo.org (smtp.gentoo.org [140.211.166.183]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by pigeon.gentoo.org (Postfix) with ESMTPS id 85BE621C1AC for ; Fri, 16 Jun 2017 00:05:16 +0000 (UTC) Received: from Anthonys-MacBook-Pro.local (cpe-67-247-195-186.buffalo.res.rr.com [67.247.195.186]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) (Authenticated sender: blueness) by smtp.gentoo.org (Postfix) with ESMTPSA id 07AE933BF43 for ; Fri, 16 Jun 2017 00:05:14 +0000 (UTC) Subject: Re: [gentoo-dev] Hardening a default profile To: gentoo-dev@lists.gentoo.org References: <878tktnupm.fsf@kestrel.kyomu.43-1.org> From: "Anthony G. Basile" Message-ID: <60680dd3-b243-cfe7-43ce-50361cd4c65e@gentoo.org> Date: Thu, 15 Jun 2017 20:05:11 -0400 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:52.0) Gecko/20100101 Thunderbird/52.2.0 Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-Id: Gentoo Linux mail X-BeenThere: gentoo-dev@lists.gentoo.org Reply-to: gentoo-dev@lists.gentoo.org MIME-Version: 1.0 In-Reply-To: <878tktnupm.fsf@kestrel.kyomu.43-1.org> Content-Type: text/plain; charset=utf-8 Content-Language: en-US Content-Transfer-Encoding: 8bit X-Archives-Salt: 77c976cb-6d13-40ba-b419-625ce17bcb9d X-Archives-Hash: d6c456cf97a706733ea7ef946ec744f1 On 6/15/17 11:20 AM, Matthias Maier wrote: > Hi Michael, > > On Sun, Jun 11, 2017, at 16:39 CDT, Michael Brinkman wrote: > >> So I was just wondering if ~arch is ready for more secure defaults on >> the 17.0 profiles in the linker flags. There are several >> distributions which ship RELRO by default and I am not aware of any >> performance issues regarding this. > > We (i.e. toolchain) are in the process of enabling quite a number of > security hardening features on default profiles. In particular > > - (force) +pie +ssp for gcc-6 onwards in 17.0 profiles > there should be a way of turning these off systematically. the advantage of the current hardened gcc specs is that one can switch between them using gcc-config. if these are forced on for the default profile then there will be no easy way to systematically turn them off. for those who don't used hardened, gcc-config -l on hardened profile gives: [1] x86_64-pc-linux-gnu-5.4.0 * [2] x86_64-pc-linux-gnu-5.4.0-hardenednopie [3] x86_64-pc-linux-gnu-5.4.0-hardenednopiessp [4] x86_64-pc-linux-gnu-5.4.0-hardenednossp [5] x86_64-pc-linux-gnu-5.4.0-vanilla while on the default profiles it gives: [1] x86_64-pc-linux-gnu-5.4.0 * [5] on the hardened profile is equivalent to [1] on the vanilla. maybe we should consider merging the hardened and default profiles? -- Anthony G. Basile, Ph.D. Gentoo Linux Developer [Hardened] E-Mail : blueness@gentoo.org GnuPG FP : 1FED FAD9 D82C 52A5 3BAB DC79 9384 FA6E F52D 4BBA GnuPG ID : F52D4BBA