public inbox for gentoo-hardened@lists.gentoo.org
* [gentoo-hardened] NOTICE: GCC 4.3.4 going stable on Hardened
From: Gordon Malm @ 2009-10-13 23:02 UTC
  To: gentoo-hardened

Hello Hardened users, this is just a quick heads up.  GCC 4.3.4 will be going 
stable on hardened profiles shortly.  Unlike Hardened GCC 3.4.6, this version 
lacks default SSP building.  However, FORTIFY_SOURCE=2 
and -fno-strict-overflow are now enabled by default.  Other Hardened compiler 
features (ex. default relro, bind now & pic/pie building) remain enabled - no 
change from 3.4.6.

It is regrettable this must be done before GCC4 is SSP-by-default enabled.  
However, more and more packages require the newer GCC.  The stable GCC on 
Hardened has been GCC 3.4.6 for a long time, but this has become an untenable 
situation.  GCC4 SSP-by-default works and will be added in a later revision - 
some GCC4+SSP bugs in grub and glibc also remain to be fixed.

Please follow '2. General Upgrade Instructions' in the 'Gentoo GCC Upgrade 
Guide' [1] when upgrading from GCC 3.4.x to GCC 4.3.x.  The upgrade should be 
relatively smooth, but if you run into upgrade troubles seek help via this 
mailing list, bugs.gentoo.org, or irc.freenode.net, #gentoo-hardened.

[1] http://www.gentoo.org/doc/en/gcc-upgrading.xml

Sincerely,
Gordon Malm (gengor)




* Re: [gentoo-hardened] NOTICE: GCC 4.3.4 going stable on Hardened
From: Michael Orlitzky @ 2009-10-13 23:52 UTC
  To: gentoo-hardened

Gordon Malm wrote:
> Hello Hardened users, this is just a quick heads up.  GCC 4.3.4 will be going 
> stable on hardened profiles shortly.  Unlike Hardened GCC 3.4.6, this version 
> lacks default SSP building.  However, FORTIFY_SOURCE=2 
> and -fno-strict-overflow are now enabled by default.  Other Hardened compiler 
> features (ex. default relro, bind now & pic/pie building) remain enabled - no 
> change from 3.4.6.

In your face, options 3, 4 and 5!

(http://forums.gentoo.org/viewtopic-t-668885-highlight-poll.html)




* Re: [gentoo-hardened] NOTICE: GCC 4.3.4 going stable on Hardened
From: Ed W @ 2009-10-14 17:23 UTC
  To: gentoo-hardened

Gordon Malm wrote:
> Hello Hardened users, this is just a quick heads up.  GCC 4.3.4 will be going 
> stable on hardened profiles shortly.  Unlike Hardened GCC 3.4.6, this version 
> lacks default SSP building.  However, FORTIFY_SOURCE=2 
> and -fno-strict-overflow are now enabled by default.  Other Hardened compiler 
> features (ex. default relro, bind now & pic/pie building) remain enabled - no 
> change from 3.4.6.
>
> It is regrettable this must be done before GCC4 is SSP-by-default enabled.  
> However, more and more packages require the newer GCC.  The stable GCC on 
> Hardened has been GCC 3.4.6 for a long time, but this has become an untenable 
> situation.  GCC4 SSP-by-default works and will be added in a later revision - 
> some GCC4+SSP bugs in grub and glibc also remain to be fixed.

Anyone got any empirical reports on upgrading a uclibc hardened system?  
Lack of TLS in uclibc appears to be a potential issue?

Natanael Copa has previously reported very widespread success using gcc 
4.4.1 + uclibc with apparently fairly minimal additional patches?
I guess gcc 4.4 isn't yet stable on any profiles, but does gcc4.4 buy 
us anything generally in terms of getting hardened+ssp stable?

Cheers

Ed W




* Re: [gentoo-hardened] NOTICE: GCC 4.3.4 going stable on Hardened
From: basile @ 2009-10-15 15:44 UTC
  To: gentoo-hardened


Ed W wrote:
> Gordon Malm wrote:
>> Hello Hardened users, this is just a quick heads up.  GCC 4.3.4 will
>> be going stable on hardened profiles shortly.  Unlike Hardened GCC
>> 3.4.6, this version lacks default SSP building.  However,
>> FORTIFY_SOURCE=2 and -fno-strict-overflow are now enabled by
>> default.  Other Hardened compiler features (ex. default relro, bind
>> now & pic/pie building) remain enabled - no change from 3.4.6.
>>
>> It is regrettable this must be done before GCC4 is SSP-by-default
>> enabled.  However, more and more packages require the newer GCC.  The
>> stable GCC on Hardened has been GCC 3.4.6 for a long time, but this
>> has become an untenable situation.  GCC4 SSP-by-default works and
>> will be added in a later revision - some GCC4+SSP bugs in grub and
>> glibc also remain to be fixed.
>>
>>   
>
> Anyone got any empirical reports on upgrading a uclibc hardened
> system?  Lack of TLS in uclibc appears to be a potential issue?
>
> Natanael Copa has previously reported very widespread success using
> gcc 4.4.1 + uclibc with apparently fairly minimal additional patches?
>  I guess gcc 4.4 isn't yet stable on any profiles, but does gcc4.4 buy
> us anything generally in terms of getting hardened+ssp stable?
>
> Cheers
>
> Ed W

Yesterday I tried compiling gcc-4.3.2-r3 on a stock gentoo hardened
uclibc system (uclibc-0.9.28.3-r7) and hit all the bugs I remembered
hitting when I was helping Magnus with testing gcc-4* on uclibc. (Like
the fenv.h issue).

The best success I've had is using the toolchain from the hardened-dev
overlay.  This includes upgrading both gcc and uclibc: gcc-4.4.1-r2,
uclibc-0.9.30.1-r1, binutils-2.18-r3.  I can emerge -e world with only
two issues, sandbox and python.  Take a look at bug 275094 for some clues
on how to deal with python.  I haven't really tackled sandbox yet.

Hope this helps.

-- 

Anthony G. Basile, Ph.D.
Chair of Information Technology
D'Youville College
Buffalo, NY 14201
USA

(716) 829-8197






* Re: [gentoo-hardened] NOTICE: GCC 4.3.4 going stable on Hardened
From: Ed W @ 2009-10-15 18:10 UTC
  To: gentoo-hardened

basile wrote:
> Yesterday I tried compiling gcc-4.3.2-r3 on a stock gentoo hardened
> uclibc system (uclibc-0.9.28.3-r7) and hit all the bugs I remembered
> hitting when I was helping Magnus with testing gcc-4* on uclibc. (Like
> the fenv.h issue).
>
> The best success I've had is using the toolchain from the hardened-dev
> overlay.  This includes upgrading both gcc and uclibc: gcc-4.4.1-r2,
> uclibc-0.9.30.1-r1, binutils-2.18-r3.  I can emerge -e world with only
> two issues, sandbox and python.  Take a look at bug 275094 for some clues
> on how to deal with python.  I haven't really tackled sandbox yet.

Yeah, Natanael Copa wrote to me:
> I have a hardened 4.4.1 working for x86 using the gentoo espf patches. I
> needed 3 more patches:
>
> 1. work around the TLS issue (patch from PSM i think)
> 2. work around the always-link-to-libgcc problem.
> 3. hack to fool the configure script that we don't have
> _Unwind_getIPInfo

I'm not actually sure which patches he is referencing, but it's at least 
one other confirmation that 4.4.1 is the best way ahead.

Given we need to bump from 3.4.6, is it perhaps sensible to give a push 
towards 4.4.1 instead?  The logic being whether it actually breaks less 
stuff on average than going to 4.3?

Cheers

Ed W





* Re: [gentoo-hardened] NOTICE: GCC 4.3.4 going stable on Hardened
From: Gordon Malm @ 2009-10-15 19:06 UTC
  To: gentoo-hardened

On Thursday, October 15, 2009 11:10:42 Ed W wrote:
> I'm not actually sure which patches he is referencing, but it's at least
> one other confirmation that 4.4.1 is the best way ahead.
>
> Given we need to bump from 3.4.6, is it perhaps sensible to give a push
> towards 4.4.1 instead?  The logic being whether it actually breaks less
> stuff on average than going to 4.3?
>
> Cheers
>
> Ed W

GCC 4.4.x & hardened gcc + uclibc issues are being worked on by Magnus and a 
crew of helpful people (tinhat folks have some representation too ;).  Feel 
free to come by #gentoo-hardened on irc.freenode.net and help hardened/uclibc 
along if you are able to contribute.

I must object to the "instead" terminology.  GCC 4.3.x is current stable with the 
rest of Gentoo as well; many other packages still require porting to GCC 4.4.x.  

It comes down to perspectives and goals.  Hardened has been active, but 
on "life support" for almost 2 years now.  Due to time+manpower constraints, 
the project has been forced to concentrate on our core which is the more 
mainstream/traditional x86-32 & x86-64 installations.  If you are very 
uclibc/embedded oriented then yeah, it's broke (so come help :).

Gordon Malm (gengor)




* Re: [gentoo-hardened] NOTICE: GCC 4.3.4 going stable on Hardened
From: Kakou @ 2009-10-24 11:02 UTC
  To: gentoo-hardened; +Cc: Kakou

Hello all,

I have updated my gcc 3.4 profile (with SELinux) to gcc 4.3 profile  
(with a modified profile to support SELinux v2 policy).
After recompiling gcc+glibc, I obtain this:

gcc-config -l

  [1] i686-pc-linux-gnu-4.3.4 *
  [2] i686-pc-linux-gnu-4.3.4-hardenednopie
  [3] i686-pc-linux-gnu-4.3.4-vanilla

[2] does not support pie and I don't have a -hardened config.
So my question is: "is [1] the gcc hardened profile?"
(when I test with paxtest, all is randomized)

Thanks,

Kakou

On 14 Oct 2009 at 01:02, Gordon Malm wrote:

> Hello Hardened users, this is just a quick heads up.  GCC 4.3.4 will be going
> stable on hardened profiles shortly.  Unlike Hardened GCC 3.4.6, this version
> lacks default SSP building.  However, FORTIFY_SOURCE=2
> and -fno-strict-overflow are now enabled by default.  Other Hardened compiler
> features (ex. default relro, bind now & pic/pie building) remain enabled - no
> change from 3.4.6.
>
> It is regrettable this must be done before GCC4 is SSP-by-default enabled.
> However, more and more packages require the newer GCC.  The stable GCC on
> Hardened has been GCC 3.4.6 for a long time, but this has become an untenable
> situation.  GCC4 SSP-by-default works and will be added in a later revision -
> some GCC4+SSP bugs in grub and glibc also remain to be fixed.
>
> Please follow '2. General Upgrade Instructions' in the 'Gentoo GCC Upgrade
> Guide' [1] when upgrading from GCC 3.4.x to GCC 4.3.x.  The upgrade should be
> relatively smooth, but if you run into upgrade troubles seek help via this
> mailing list, bugs.gentoo.org, or irc.freenode.net, #gentoo-hardened.
>
> [1] http://www.gentoo.org/doc/en/gcc-upgrading.xml
>
> Sincerely,
> Gordon Malm (gengor)





* Re: [gentoo-hardened] NOTICE: GCC 4.3.4 going stable on Hardened
From: Ed W @ 2009-10-24 12:50 UTC
  To: gentoo-hardened

Kakou wrote:
> Hello all,
>
> I have updated my gcc 3.4 profile (with SELinux) to gcc 4.3 profile 
> (with a modified profile to support SELinux v2 policy).
> After recompiling gcc+glibc, I obtain this:
>
> gcc-config -l
>
>  [1] i686-pc-linux-gnu-4.3.4 *
>  [2] i686-pc-linux-gnu-4.3.4-hardenednopie
>  [3] i686-pc-linux-gnu-4.3.4-vanilla
>
> [2] does not support pie and I don't have a -hardened config.
> So my question is: "is [1] the gcc hardened profile?"
> (when I test with paxtest, all is randomized)

Yes - actually I think it was the same on the gcc-3.4 profile also - the 
hardened profile was just the short named option and the other options 
are the ones which gradually work towards the "vanilla" specs by 
disabling certain hardening features.

Good luck

Ed W




* Re: [gentoo-hardened] NOTICE: GCC 4.3.4 going stable on Hardened
From: Kakou @ 2009-10-24 12:57 UTC
  To: gentoo-hardened; +Cc: Kakou


On 24 Oct 2009 at 14:50, Ed W wrote:

> Kakou wrote:
>> Hello all,
>>
>> I have updated my gcc 3.4 profile (with SELinux) to gcc 4.3 profile  
>> (with a modified profile to support SELinux v2 policy).
>> After recompiling gcc+glibc, I obtain this :
>>
>> gcc-config -l
>>
>> [1] i686-pc-linux-gnu-4.3.4 *
>> [2] i686-pc-linux-gnu-4.3.4-hardenednopie
>> [3] i686-pc-linux-gnu-4.3.4-vanilla
>>
>> [2] does not support pie and I don't have a -hardened config.
>> So my question is: "is [1] the gcc hardened profile?"
>> (when I test with paxtest, all is randomized)
>
> Yes - actually I think it was the same on the gcc-3.4 profile also -  
> the hardened profile was just the short named option and the other  
> options are the ones which gradually work towards the "vanilla"  
> specs by disabling certain hardening features

OK, I was confused by the howto (http://www.gentoo.org/proj/en/hardened/toolchain-upgrade-guide.xml):

Code Listing 2.5: Select hardened gcc

gcc-config -l
gcc-config <new gcc>-hardened
source /etc/profile
-----

Now I am trying to use the gcc 4.4 version from the hardened-development git 
and I have 2 questions:
- is espf included in this version but not in the gcc 4.3 versions that are 
present in the portage tree?
- is espf like ssp protection?


>
> Good luck
>
> Ed W
>





* Re: [gentoo-hardened] NOTICE: GCC 4.3.4 going stable on Hardened
From: Magnus Granberg @ 2009-10-24 15:20 UTC
  To: gentoo-hardened

On Saturday 24 October 2009 14:57:30, Kakou wrote:
> Le 24 oct. 2009 à 14:50, Ed W a écrit :
> > Kakou wrote:
> >> Hello all,
> >>
> >> I have updated my gcc 3.4 profile (with SELinux) to gcc 4.3 profile
> >> (with a modified profile to support SELinux v2 policy).
> >> After recompiling gcc+glibc, I obtain this :
> >>
> >> gcc-config -l
> >>
> >> [1] i686-pc-linux-gnu-4.3.4 *
> >> [2] i686-pc-linux-gnu-4.3.4-hardenednopie
> >> [3] i686-pc-linux-gnu-4.3.4-vanilla
> >>
> >> [2] does not support pie and I don't have a -hardened config.
> >> So my question is: "is [1] the gcc hardened profile?"
> >> (when I test with paxtest, all is randomized)
> >
> > Yes - actually I think it was the same on the gcc-3.4 profile also -
> > the hardened profile was just the short named option and the other
> > options are the ones which gradually work towards the "vanilla"
> > specs by disabling certain hardening features
> 
> Ok I was confused with the howto
>  (http://www.gentoo.org/proj/en/hardened/toolchain-upgrade-guide.xml ) :
> 
> Code Listing 2.5: Select hardened gcc
> 
> gcc-config -l
> gcc-config <new gcc>-hardened
> source /etc/profile
> -----
> 
> Now I try to use the gcc 4.4 version on the git hardened-development
> and I have 2 questions :
> - is espf included in this version but not in the gcc 4.3 versions that are
> present in the portage tree?
> - is espf like ssp protection?
> 
> > Good luck
> >
> > Ed W
> 
1. espf is a new version of the pie patchset that is in the tree;
it does more than only add Position Independent Executable (PIE) support to GCC.
2. espf stands for Enable Stack smashing protection, Position independent 
executable and Fortify_sources.
Hope this helps you.

Hardened-dev overlay
Magnus Granberg (Zorry)




* Re: [gentoo-hardened] NOTICE: GCC 4.3.4 going stable on Hardened
From: Ed W @ 2009-10-30 23:49 UTC
  To: gentoo-hardened

basile wrote:
> Yesterday I tried compiling gcc-4.3.2-r3 on a stock gentoo hardened
> uclibc system (uclibc-0.9.28.3-r7) and hit all the bugs I remembered
> hitting when I was helping Magnus with testing gcc-4* on uclibc. (Like
> the fenv.h issue).
>
> The best success I've had is using the toolchain from the hardened-dev
> overlay.  This includes upgrading both gcc and uclibc: gcc-4.4.1-r2,
> uclibc-0.9.30.1-r1, binutils-2.18-r3.  I can emerge -e world with only
> two issues, sandbox and python.  Take a look at bug 275094 for some clues
> on how to deal with python.  I haven't really tackled sandbox yet.

Hi, Sandbox is fixed with sandbox-2.1 - the issue is/was a dodgy grep 
which then leads to some incorrect syntax in the config file - only 
fixed in 2.1
http://bugs.gentoo.org/show_bug.cgi?id=275725

However, I have had problems with sandbox violations using sandbox-2.1 
(e2fsprogs for example), so I reverted to 1.6-r3 and patched that up instead.

I couldn't see any resolution for the Python compile issue other than 
commenting out the relevant includes as per comment 5:
http://bugs.gentoo.org/show_bug.cgi?id=275094

Apart from that it's looking pretty good (so far) with gcc-4.4.2-r1 + 
uclibc!

Thanks all

Ed W



