guix-devel
[Top][All Lists]
Advanced

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: hardening


From: Alex Vong
Subject: Re: hardening
Date: Wed, 31 Jan 2018 20:20:44 +0800
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/25.3 (gnu/linux)

Hello,

address@hidden writes:

> Hi,
>
> as we've long talked and not really taken action on hardening builds
> I've started working on an opt-in way as last discussed in
> september 2016, modifying the gnu-build-system with a
> #:hardening-flags keyword.
>
> For my testing purposes I will use
>
>> CFLAGS="-fPIE -fstack-protector-all -D_FORTIFY_SOURCE=2"
> LDFLAGS="-Wl,-z,now -Wl,-z,relro"
>
> which is used by Gentoo, but adjustments (wether to opt-in or
> opt-out) will be made.

The flags I use (suggested by Debian Wiki[0]) are:

  CPPFLAGS=-D_FORTIFY_SOURCE=2
  CFLAGS=-fstack-protector-strong
  CXXFLAGS=-fstack-protector-strong
  LDFLAGS=-Wl,-z,relro,-z,now,--as-needed

Also, should we use retpoline flags for all native binaries? This
article[1] suggests ``applying a software mitigation (e.g., Google's
Retpoline) to the hypervisor, operating system kernel, system programs
and libraries, and user applications''. I've sent a patch to do so when
bootstraping GCC 7 itself[2] but no reply are received yet (maybe I
should have open a new bug instead of changing the title of an old
bug).

[0]: https://wiki.debian.org/Hardening
[1]: 
https://security.googleblog.com/2018/01/more-details-about-mitigations-for-cpu_4.html
[2]: https://debbugs.gnu.org/cgi/bugreport.cgi?bug=30111



reply via email to

[Prev in Thread] Current Thread [Next in Thread]