public inbox for gentoo-hardened@lists.gentoo.org
* [gentoo-hardened] GCC4 (again...)
@ 2009-06-25 11:02 Ed W
  2009-06-25 11:19 ` Marcel Kummerow
  2009-06-25 18:58 ` klondike
From: Ed W @ 2009-06-25 11:02 UTC
  To: gentoo-hardened

Hi, I can find various posts on blogs referring to hardened working in 
at least a limited capacity with GCC4 right now?  There is even a 
(fairly old) note in the gentoo documentation about upgrading to 
GCC4.1.  However, I don't see any recent status updates on the list 
here, or any other official kind of notices?

Can someone please perhaps post a summary of where we are with regards 
to GCC4?  I think a lot of folks want hardened as a "nice to have", so 
even a partial implementation would be nice to have, although also it's 
important to understand exactly what you are getting

Anyone able to provide such a summary please?

FWIW: I'm largely interested in GCC4+hardened+uclibc, which may be 
better supported?

Thanks

Ed W




* Re: [gentoo-hardened] GCC4 (again...)
  2009-06-25 11:02 [gentoo-hardened] GCC4 (again...) Ed W
@ 2009-06-25 11:19 ` Marcel Kummerow
  2009-06-25 13:18   ` Marcel Meyer
  2009-06-25 18:58 ` klondike
From: Marcel Kummerow @ 2009-06-25 11:19 UTC
  To: gentoo-hardened


2009/6/25 Ed W <lists@wildgooses.com>

> [..]
>
> Can someone please perhaps post a summary of where we are with regards to
> GCC4?  I think a lot of folks want hardened as a "nice to have", so even a
> partial implementation would be nice to have, although also it's important
> to understand exactly what you are getting
>
> Anyone able to provide such a summary please?
>
>
> Thanks
>
> Ed W
>


Hi, this Thread may be interesting for you:

http://forums.gentoo.org/viewtopic-t-705939.html



* Re: [gentoo-hardened] GCC4 (again...)
  2009-06-25 11:19 ` Marcel Kummerow
@ 2009-06-25 13:18   ` Marcel Meyer
  2009-06-25 13:39     ` Kerin Millar
From: Marcel Meyer @ 2009-06-25 13:18 UTC
  To: gentoo-hardened


Hi,

Am Donnerstag, 25. Juni 2009 schrieb Marcel Kummerow:
> 2009/6/25 Ed W <lists@wildgooses.com>
>
> > [..] hardened GCC4
> >
> > Anyone able to provide such a summary please?
>
> http://forums.gentoo.org/viewtopic-t-705939.html

What happens in the future when this overlay is no longer provided? 
Will we be able to easily switch to "normal" hardened without the overlay 
(in case it has caught up with the overlay), or will this result in 
laborious package cleaning and re-emerging by hand?

Thank you,
Marcel



* Re: [gentoo-hardened] GCC4 (again...)
  2009-06-25 13:18   ` Marcel Meyer
@ 2009-06-25 13:39     ` Kerin Millar
From: Kerin Millar @ 2009-06-25 13:39 UTC
  To: gentoo-hardened

2009/6/25 Marcel Meyer <meyerm@fs.tum.de>:
> Hi,
>
> Am Donnerstag, 25. Juni 2009 schrieb Marcel Kummerow:
>> 2009/6/25 Ed W <lists@wildgooses.com>
>>
>> > [..] hardened GCC4
>> >
>> > Anyone able to provide such a summary please?
>>
>> http://forums.gentoo.org/viewtopic-t-705939.html
>
> what happens in the future when this overlay will no longer be provided?

If you're just looking for PIE support, you don't need any overlays.
Just unmask gcc-4.3.3-r2:

echo "=sys-devel/gcc-4.3.3-r2" >> /etc/portage/package.keywords

Upon installing/upgrading the ebuild in question, you'll find that a
set of hardened specs are provided:

 [1] x86_64-pc-linux-gnu-4.3.3 *
 [2] x86_64-pc-linux-gnu-4.3.3-hardenednopie
 [3] x86_64-pc-linux-gnu-4.3.3-vanilla

If you're installing a system from scratch then, in my opinion, it is
a lot easier to rebuild a system seeded with a recent (vanilla)
autobuild stage than it is to use the hardened stages (which are still
based on gcc-3.4.6-r2 and usually stale in other respects).

Cheers,

--Kerin



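Kerin's recipe selects a spec, but Ed's request to "understand exactly what you are getting" is best answered by looking at the binaries the toolchain actually produced. What follows is an added example written for this page (editor's code, not from the thread, the Gentoo tree or any overlay): a small pure-Python ELF inspector that reports whether a file is a PIE executable (ET_DYN carrying a PT_INTERP), whether any string table names __stack_chk_fail (gcc emits that reference for every function it gave a canary, so it is absent when SSP was off), and whether PT_GNU_STACK asks for a non-executable stack. It needs no readelf, so it also works on a uclibc box. The build_sample_elf() helper constructs a synthetic ELF64 image so the checks can be exercised offline; that sample is not a real program, and the script name elfcheck.py in the usage note is an assumption.

```python
"""Added example (not from the thread): report the hardening properties of an
ELF binary without readelf, so you can see what a given gcc spec produced.

  pie      - ET_DYN object that also carries a PT_INTERP (a dynamically linked
             PIE executable; plain shared libraries and static-PIE report False)
  ssp      - a string table references __stack_chk_fail, which gcc emits for
             every function it gave a stack canary (-fstack-protector[-all]);
             a stripped, statically linked binary may lose this evidence
  nx_stack - PT_GNU_STACK present and not executable (PF_X clear)
"""
import struct
import sys

ET_EXEC, ET_DYN = 2, 3
PT_INTERP, PT_GNU_STACK = 3, 0x6474E551
PF_X = 1
SHT_STRTAB = 3
SSP_MARKER = b"__stack_chk_fail\x00"


def _formats(data):
    """Pick struct formats for the file's class/endianness (after the 16-byte e_ident)."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    ei_class, ei_data = data[4], data[5]
    end = "<" if ei_data == 1 else ">"
    if ei_class == 2:    # ELF64: Ehdr, Phdr, Shdr
        return ei_class, end + "HHIQQQIHHHHHH", end + "IIQQQQQQ", end + "IIQQQQIIQQ"
    if ei_class == 1:    # ELF32
        return ei_class, end + "HHIIIIIHHHHHH", end + "IIIIIIII", end + "IIIIIIIIII"
    raise ValueError("unknown ELF class %d" % ei_class)


def inspect_elf(data):
    """Return {'pie': bool, 'ssp': bool, 'nx_stack': bool} for an ELF image in memory."""
    ei_class, ehdr_fmt, phdr_fmt, shdr_fmt = _formats(data)
    e = struct.unpack_from(ehdr_fmt, data, 16)
    e_type, e_phoff, e_shoff = e[0], e[4], e[5]
    e_phentsize, e_phnum, e_shentsize, e_shnum = e[8], e[9], e[10], e[11]

    has_interp, gnu_stack_flags = False, None
    for i in range(e_phnum):
        p = struct.unpack_from(phdr_fmt, data, e_phoff + i * e_phentsize)
        p_flags = p[1] if ei_class == 2 else p[6]     # p_flags sits at a different index per class
        if p[0] == PT_INTERP:
            has_interp = True
        elif p[0] == PT_GNU_STACK:
            gnu_stack_flags = p_flags

    ssp = False
    for i in range(e_shnum):
        s = struct.unpack_from(shdr_fmt, data, e_shoff + i * e_shentsize)
        sh_type, sh_offset, sh_size = s[1], s[4], s[5]
        if sh_type == SHT_STRTAB and SSP_MARKER in data[sh_offset:sh_offset + sh_size]:
            ssp = True      # .dynstr (or .strtab on unstripped binaries) names the canary handler
            break

    return {
        "pie": e_type == ET_DYN and has_interp,
        "ssp": ssp,
        "nx_stack": gnu_stack_flags is not None and not (gnu_stack_flags & PF_X),
    }


def inspect_file(path):
    with open(path, "rb") as f:
        return inspect_elf(f.read())


def build_sample_elf(pie=True, ssp=True, nx_stack=True):
    """Constructed minimal ELF64 (x86-64, little-endian) image for offline testing.
    It is not a runnable program: just enough headers to exercise inspect_elf()."""
    interp = b"/lib64/ld-linux-x86-64.so.2\x00"
    strtab = b"\x00" + (SSP_MARKER if ssp else b"") + b"main\x00"
    ehsz, phsz, shsz, phnum, shnum = 64, 56, 64, 2, 2
    phoff = ehsz
    interp_off = phoff + phnum * phsz
    strtab_off = interp_off + len(interp)
    shoff = strtab_off + len(strtab)
    ehdr = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\x00" * 8          # 64-bit, LE, version 1
    ehdr += struct.pack("<HHIQQQIHHHHHH", ET_DYN if pie else ET_EXEC, 62, 1, 0x1000,
                        phoff, shoff, 0, ehsz, phsz, phnum, shsz, shnum, 0)
    phdrs = struct.pack("<IIQQQQQQ", PT_INTERP, 4, interp_off, 0, 0, len(interp), len(interp), 1)
    phdrs += struct.pack("<IIQQQQQQ", PT_GNU_STACK, 6 if nx_stack else 7, 0, 0, 0, 0, 0, 16)
    shdrs = b"\x00" * shsz                                           # index 0 is always SHN_UNDEF
    shdrs += struct.pack("<IIQQQQIIQQ", 1, SHT_STRTAB, 0, 0, strtab_off, len(strtab), 0, 0, 1, 0)
    return ehdr + phdrs + interp + strtab + shdrs


if __name__ == "__main__":
    for path in sys.argv[1:]:
        print(path, inspect_file(path))
    print("constructed sample:", inspect_elf(build_sample_elf()))
```

Save it as, say, elfcheck.py and run python elfcheck.py /usr/bin/somebinary after rebuilding with each spec. A binary built with the mainline gcc-4.3.3-r2 hardened spec should come back pie True and ssp False, which is what the thread reports for that spec; ssp True with -fstack-protector only proves that some function got a canary, not that every one did, so it cannot tell -fstack-protector from -fstack-protector-all.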

* Re: [gentoo-hardened] GCC4 (again...)
  2009-06-25 11:02 [gentoo-hardened] GCC4 (again...) Ed W
  2009-06-25 11:19 ` Marcel Kummerow
@ 2009-06-25 18:58 ` klondike
  2009-06-26  1:11   ` Ed W
From: klondike @ 2009-06-25 18:58 UTC
  To: gentoo-hardened

2009/6/25 Ed W <lists@wildgooses.com>:
> Hi, I can find various posts on blogs referring to hardened working in at
> least a limited capacity with GCC4 right now?  There is even a (fairly old)
> note in the gentoo documentation about upgrading to GCC4.1.  However, I
> don't see any recent status updates on the list here, or any other official
> kind of notices?
>
> Can someone please perhaps post a summary of where we are with regards to
> GCC4?  I think a lot of folks want hardened as a "nice to have", so even a
> partial implementation would be nice to have, although also it's important
> to understand exactly what you are getting
>
> Anyone able to provide such a summary please?
>
> FWIW: I'm largely interested in GCC4+hardened+uclibc, which may be better
> supported?
I wrote on my blog on that some time ago:
http://klondike.xiscosoft.es/klog/2009/03/07/gentoo-hardened-and-gcc-4x-i-installation/

For now I keep using gcc-4.x for desktop and server use without
major problems, except for a few packages that didn't detect the gcc
version well (and which seem to have been fixed).




* Re: [gentoo-hardened] GCC4 (again...)
  2009-06-25 18:58 ` klondike
@ 2009-06-26  1:11   ` Ed W
  2009-06-26  1:43     ` Kerin Millar
From: Ed W @ 2009-06-26  1:11 UTC
  To: gentoo-hardened


klondike wrote:
> 2009/6/25 Ed W <lists@wildgooses.com>:
>   
>> Hi, I can find various posts on blogs referring to hardened working in at
>> least a limited capacity with GCC4 right now?  There is even a (fairly old)
>> note in the gentoo documentation about upgrading to GCC4.1.  However, I
>> don't see any recent status updates on the list here, or any other official
>> kind of notices?
>>
>> Can someone please perhaps post a summary of where we are with regards to
>> GCC4?  I think a lot of folks want hardened as a "nice to have", so even a
>> partial implementation would be nice to have, although also it's important
>> to understand exactly what you are getting
>>
>> Anyone able to provide such a summary please?
>>
>> FWIW: I'm largely interested in GCC4+hardened+uclibc, which may be better
>> supported?
>>     
> I wrote on my blog on that some time ago:
> http://klondike.xiscosoft.es/klog/2009/03/07/gentoo-hardened-and-gcc-4x-i-installation/
>
> For now I keep using gcc-4.x for desktop and server use without
> major problems, except for a few packages that didn't detect the gcc
> version well (and which seem to have been fixed).
>
>   

Actually this was one of the posts I found already!

However, to be clear I think this achieves a PIE install with no SSP?  
Can anyone confirm this is correct?

Seems like SSP is desirable, but not really sure why it's not so 
straightforward to turn on?

Ed W



* Re: [gentoo-hardened] GCC4 (again...)
  2009-06-26  1:11   ` Ed W
@ 2009-06-26  1:43     ` Kerin Millar
  2009-06-26  1:48       ` Kerin Millar
  2009-06-26  5:00       ` atoth
From: Kerin Millar @ 2009-06-26  1:43 UTC
  To: gentoo-hardened

2009/6/26 Ed W <lists@wildgooses.com>:

[snip]

> However, to be clear I think this achieves a PIE install with no SSP?  Can
> anyone confirm this is correct?

That's correct.

> Seems like SSP is desirable, but not really sure why it's not so
> straightforward to turn on?

The SSP implementation you are familiar with is largely the work of Dr
Hiroaki Etoh of IBM, Japan. As I understand it, the patch simply isn't
being maintained any more and, consequently, others (Red Hat?) have
picked up the baton and produced an implementation that is somewhat
different. By mere virtue of being different, there are unique
issues/bugs to be resolved before it can be enabled by default in the
gcc-4.x hardened specs without causing undue breakage and inducing
headaches throughout the hardened populace.

Cheers,

--Kerin




* Re: [gentoo-hardened] GCC4 (again...)
  2009-06-26  1:43     ` Kerin Millar
@ 2009-06-26  1:48       ` Kerin Millar
  2009-06-26  7:08         ` klondike
  2009-06-26  5:00       ` atoth
From: Kerin Millar @ 2009-06-26  1:48 UTC
  To: gentoo-hardened

2009/6/26 Kerin Millar <kerframil@gmail.com>:
> 2009/6/26 Ed W <lists@wildgooses.com>:
>
> [snip]
>
>> However, to be clear I think this achieves a PIE install with no SSP?  Can
>> anyone confirm this is correct?
>
> That's correct.

Apologies for replying to my own post, but I just realised that you
were posing the question in the context of klondike's blog post. I do
not know what the status of SSP is in the overlays and/or experimental
toolchains so I'll bow out and leave it to one of the toolchain gurus
to provide a credible response. My answer applies to the gcc ebuild in
the mainline tree.

Cheers,

--Kerin




* Re: [gentoo-hardened] GCC4 (again...)
  2009-06-26  1:43     ` Kerin Millar
  2009-06-26  1:48       ` Kerin Millar
@ 2009-06-26  5:00       ` atoth
From: atoth @ 2009-06-26  5:00 UTC
  To: gentoo-hardened

The new implementation is better than the original by Hiroaki Etoh, IMHO.

Regards:
Dw.
-- 
dr Tóth Attila, Radiológus, 06-20-825-8057, 06-30-5962-962
Attila Toth MD, Radiologist, +36-20-825-8057, +36-30-5962-962

On Pén, Június 26, 2009 03:43, Kerin Millar wrote:
> 2009/6/26 Ed W <lists@wildgooses.com>:
>
> [snip]
>
>> However, to be clear I think this achieves a PIE install with no SSP? 
>> Can
>> anyone confirm this is correct?
>
> That's correct.
>
>> Seems like SSP is desirable, but not really sure why it's not so
>> straightforward to turn on?
>
> The SSP implementation you are familiar with is largely the work of Dr
> Hiroaki Etoh of IBM, Japan. As I understand it, the patch simply isn't
> being maintained any more and, consequently, others (Red Hat?) have
> picked up the baton and produced an implementation that is somewhat
> different. By mere virtue of being different, there are unique
> issues/bugs to be resolved before it can be enabled by default in the
> gcc-4.x hardened specs without causing undue breakage and inducing
> headaches throughout the hardened populace.
>
> Cheers,
>
> --Kerin
>






* Re: [gentoo-hardened] GCC4 (again...)
  2009-06-26  1:48       ` Kerin Millar
@ 2009-06-26  7:08         ` klondike
  2009-06-26  9:51           ` Ed W
From: klondike @ 2009-06-26  7:08 UTC
  To: gentoo-hardened




2009/6/26 Kerin Millar <kerframil@gmail.com>:
> 2009/6/26 Kerin Millar <kerframil@gmail.com>:
>> 2009/6/26 Ed W <lists@wildgooses.com>:
>>
>> [snip]
>>
>>> However, to be clear I think this achieves a PIE install with no SSP?  Can
>>> anyone confirm this is correct?
>>
>> That's correct.
>
> Apologies for replying to my own post, but I just realised that you
> were posing the question in the context of klondike's blog post. I do
> not know what the status of SSP is in the overlays and/or experimental
> toolchains so I'll bow out and leave it to one of the toolchain gurus
> to provide a credible response. My answer applies to the gcc ebuild in
> the mainline tree.
Although I may be wrong, AFAIK SSP works nicely with almost anything
except libstdc++; also, packages which need it to be disabled (i.e.
thunderbird) usually do so without a problem, or after patching the
ebuild a bit. Anyway, I think the best ones to answer are Zorry or Xake,
as they maintain it.

Anyway, at least on the overlay uclibc is still not supported :( http://github.com/Xake/toolchain-overlay/blob/54581c25b74be5a5dc3d8c1de61dba55db7c639f/README



* Re: [gentoo-hardened] GCC4 (again...)
  2009-06-26  7:08         ` klondike
@ 2009-06-26  9:51           ` Ed W
  2009-06-26 12:36             ` klondike
From: Ed W @ 2009-06-26  9:51 UTC
  To: gentoo-hardened

klondike wrote:
>
>> Apologies for replying to my own post, but I just realised that you
>> were posing the question in the context of klondike's blog post. I do
>> not know what the status of SSP is in the overlays and/or experimental
>> toolchains so I'll bow out and leave it to one of the toolchain gurus
>> to provide a credible response. My answer applies to the gcc ebuild in
>> the mainline tree.
> Although I may be wrong, AFAIK SSP works nicely with almost anything 
> except libstdc++; also, packages which need it to be disabled (i.e. 
> thunderbird) usually do so without a problem, or after patching the 
> ebuild a bit. Anyway, I think the best ones to answer are Zorry or Xake, 
> as they maintain it.

So the Xake overlay is GCC 4.3.2 with the GCC 4 SSP enabled?

My limited understanding is that the GCC 4 (new) SSP implementation 
should be relatively benign and supported already by a modern toolchain 
with no further patches?  I would naively assume that since Redhat (and 
others) seem to be building their distros with it turned on that most 
packages would already be largely patched upstream to cope with it?  
(certainly I am more interested in server packages than desktop packages)

> Anyway, at least on the overlay uclibc is still not supported :( 
> http://github.com/Xake/toolchain-overlay/blob/54581c25b74be5a5dc3d8c1de61dba55db7c639f/README 
>

Does Xake hang out here?  Curious as to what the issues will be found in 
uclibc.  I'm not specially tied to uclibc, just that it seems to work 
nicely so far and I'm not desperately tight on drive space...

Ed W




* Re: [gentoo-hardened] GCC4 (again...)
  2009-06-26  9:51           ` Ed W
@ 2009-06-26 12:36             ` klondike
  2009-06-26 14:39               ` atoth
  2009-06-26 15:09               ` Magnus Grenberg
From: klondike @ 2009-06-26 12:36 UTC
  To: gentoo-hardened

2009/6/26 Ed W <lists@wildgooses.com>:
> klondike wrote:
>>
>>> Apologies for replying to my own post, but I just realised that you
>>> were posing the question in the context of klondike's blog post. I do
>>> not know what the status of SSP is in the overlays and/or experimental
>>> toolchains so I'll bow out and leave it to one of the toolchain gurus
>>> to provide a credible response. My answer applies to the gcc ebuild in
>>> the mainline tree.
>>
>> Although I may be wrong, AFAIK SSP works nicely with almost anything except
>> libstdc++; also, packages which need it to be disabled (i.e. thunderbird)
>> usually do so without a problem, or after patching the ebuild a bit. Anyway,
>> I think the best ones to answer are Zorry or Xake, as they maintain it.
>
> So the Xake overlay is GCC 4.3.2 with the GCC 4 SSP enabled?
Mainly I could say it is.

> My limited understanding is that the GCC 4 (new) SSP implementation should
> be relatively benign and supported already by a modern toolchain with no
> further patches?  I would naively assume that since Redhat (and others) seem
> to be building their distros with it turned on that most packages would
> already be largely patched upstream to cope with it?  (certainly I am more
> interested in server packages than desktop packages)
I think Ubuntu has enabled it too. But I don't know how well or badly
packages are usually supported upstream. I have run an apache2 server
and a verlihub server with the toolchain without issues, but I can't
guarantee you anything as the server still hasn't had heavy load.

>> Anyway, at least on the overlay uclibc is still not supported :(
>> http://github.com/Xake/toolchain-overlay/blob/54581c25b74be5a5dc3d8c1de61dba55db7c639f/README
>
> Does Xake hang out here?  Curious as to what the issues will be found in
> uclibc.  I'm not specially tied to uclibc, just that it seems to work nicely
> so far and I'm not desperately tight on drive space...
I don't know the reasons for uclibc being not supported, but I think
it was because of some compilation problems. (Can't find the tickets,
sorry).




* Re: [gentoo-hardened] GCC4 (again...)
  2009-06-26 12:36             ` klondike
@ 2009-06-26 14:39               ` atoth
  2009-06-26 15:09               ` Magnus Grenberg
From: atoth @ 2009-06-26 14:39 UTC
  To: gentoo-hardened

> Mainly I could say it is.

gcc-4.3.3-r3 and SSP enabled.
New SSP works pretty well.

> I think Ubuntu has enabled it too. But I don't know how well or badly
> packages are usually supported upstream. I have run an apache2 server
> and a verlihub server with the toolchain without issues, but I can't
> guarantee you anything as the server still hasn't had heavy load.
https://wiki.ubuntu.com/HardenedUbuntu/Doc
https://wiki.ubuntu.com/GccSsp

Regards:
Dw.
-- 
dr Tóth Attila, Radiológus, 06-20-825-8057, 06-30-5962-962
Attila Toth MD, Radiologist, +36-20-825-8057, +36-30-5962-962





* Re: [gentoo-hardened] GCC4 (again...)
  2009-06-26 12:36             ` klondike
  2009-06-26 14:39               ` atoth
@ 2009-06-26 15:09               ` Magnus Grenberg
From: Magnus Grenberg @ 2009-06-26 15:09 UTC
  To: gentoo-hardened

On Friday 26 June 2009 14.36.04 klondike wrote:
> 2009/6/26 Ed W <lists@wildgooses.com>:
> > klondike wrote:
> >>> Apologies for replying to my own post, but I just realised that you
> >>> were posing the question in the context of klondike's blog post. I do
> >>> not know what the status of SSP is in the overlays and/or experimental
> >>> toolchains so I'll bow out and leave it to one of the toolchain gurus
> >>> to provide a credible response. My answer applies to the gcc ebuild in
> >>> the mainline tree.
> >>
> >> Although I may be wrong, AFAIK SSP works nicely with almost anything
> >> except libstdc++; also, packages which need it to be disabled (i.e.
> >> thunderbird) usually do so without a problem, or after patching the
> >> ebuild a bit. Anyway, I think the best ones to answer are Zorry or Xake,
> >> as they maintain it.
> >
> > So the Xake overlay is GCC 4.3.2 with the GCC 4 SSP enabled?
>
> Mainly I could say it is.
>
> > My limited understanding is that the GCC 4 (new) SSP implementation
> > should be relatively benign and supported already by a modern toolchain
> > with no further patches?  I would naively assume that since Redhat (and
> > others) seem to be building their distros with it turned on that most
> > packages would already be largely patched upstream to cope with it?
> >  (certainly I am more interested in server packages than desktop
> > packages)
>
> I think Ubuntu has enabled it too. But I don't know how well or badly
> packages are usually supported upstream. I have run an apache2 server
> and a verlihub server with the toolchain without issues, but I can't
> guarantee you anything as the server still hasn't had heavy load.
>
> >> Anyway, at least on the overlay uclibc is still not supported :(
> >> http://github.com/Xake/toolchain-overlay/blob/54581c25b74be5a5dc3d8c1de6
> >>1dba55db7c639f/README
> >
> > Does Xake hang out here?  Curious as to what the issues will be found in
> > uclibc.  I'm not specially tied to uclibc, just that it seems to work
> > nicely so far and I'm not desperately tight on drive space...
>
> I don't know the reasons for uclibc being not supported, but I think
> it was because of some compilation problems. (Can't find the tickets,
> sorry).
The problem with uclibc is that it doesn't support TLS, and GCC > 4.1 SSP uses 
TLS. See bugs #149292 and #267335 on bugs.gentoo.org.
It may only need gcc4-stack-protector-uclibc-no-tls.patch, but I may be wrong 
too. We are working hard to get GCC 4.4.0 with Hardened enabled and passing 
the full gcc testsuite. I will try to get the patchset upstream in GCC 4.5 so 
we only need a small patch to run it on Gentoo, and it may get used by some 
more distros.
To get SSP as default without -fstack-protector in CFLAGS or CXXFLAGS, GCC 
needs patches, and some stuff in the GCC sources doesn't compile well with 
SSP on.
Gentoo's Hardened Toolchain for GCC 4.* has the SSP compile patches but 
doesn't have the needed spec and fixes in toolchain.eclass to use it as 
default, and some packages in the tree don't have GCC 4.* SSP support yet. A 
fix is to add -fstack-protector to CFLAGS and CXXFLAGS, but you can get 
problems too.
The overlay has SSP and PIE enabled by default but lacks some fixes for 
packages; we are still fixing bugs and it can be b0rked from time to time. :)

Ubuntu and Debian use SSP as default with patched GCC sources.
But only -fstack-protector is enabled, and we use -fstack-protector-all as 
default in the Hardened Toolchain, so we may hit more bugs.

Xake does hang out here when he has time.
If more info is needed, ask in the forum, on irc #gentoo-hardened @ Freenode 
or on the ml.

http://hardened.gentooexperimental.org/trac/secure/wiki
/Zorry




