Re: Hardened toolchain

From: kiasoc5
Subject: Re: Hardened toolchain
Date: Thu, 14 Apr 2022 20:59:49 +0200 (CEST)

Mar 29, 2022, 10:15 by

> Hi,
> Maxim Cournoyer <> writes:
>> Maxime Devos <> writes:
>>> zimoun wrote on Mon 21-03-2022 at 14:34 [+0100]:
>>>> > * gcc can be compiled with `--enable-default-ssp --enable-default-pie`
>>>> > to enforce ssp and pic
>>>> You wrote [1]:
>>>> --8<---------------cut here---------------start------------->8---
>>>> (define-public gcc
>>>>   (package
>>>>     (inherit gcc)
>>>>     (arguments
>>>>      (substitute-keyword-arguments (package-arguments gcc)
>>>>        ((#:configure-flags flags)
>>>>         `(append (list "--enable-default-ssp" "--enable-default-pie")
>>>>                  ,flags))))))
>>>> --8<---------------cut here---------------end--------------->8---
>>> I think it would be a lot simpler to just add this to the 'standard'
>>> gcc configure flags, in (gnu packages gcc), given that probably the
>>> idea is to do this hardening for all packages?  Needs a world-rebuild
>>> though.
>> +1.  The whole distribution can probably benefit from this hardening.
> That’s something worth trying in a branch off ‘core-updates’.
> Stack smashing protection (SSP) may incur measurable run-time overhead
> though so enabling that one by default may be less consensual.
We could do it like how NixOS does it [1]. There can be a `harden?` list in the 
build system that contains a default set of flags. Packages that need to have 
less hardening for performance or other reasons can modify that list. I believe 
this was discussed in an old email (not this thread).

> There are other things that could be done in this area, often with no or
> little overhead, such as building with -D_FORTIFY_SOURCE.  Doing that
> transparently (without changing build systems) is a bit of a challenge
> though.
> Ludo’.
Where and how should the default make and ldflags be set? I guess they could be 
set in the build-system/*.scm.
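The following sketch is an added illustration of the idea discussed in this thread (a default hardening flag list that individual packages can trim), written for this page and not code from Guix or from anyone in the thread. It reuses the real Guix forms `package`, `inherit`, `arguments`, `substitute-keyword-arguments` and `#:configure-flags`; the names `%default-hardening`, `hardening-flags`, `harden`, the `#:exclude` keyword and the `gcc-hardened` package are hypothetical, and the `-D_FORTIFY_SOURCE=2` value is an assumed default.

```scheme
;; Added sketch, not Guix code: default hardening flags grouped by the
;; kind of flag, which a package can trim per package.  All names below
;; except the Guix forms are hypothetical.
(use-modules (guix packages)
             (guix utils)            ; substitute-keyword-arguments
             (gnu packages gcc)      ; gcc, used as the example package
             (srfi srfi-1))          ; lset-difference

;; Default hardening.  Configure flags go to the package's configure
;; step; cflags/ldflags would be injected by the build system.
(define %default-hardening
  '((configure . ("--enable-default-ssp" "--enable-default-pie"))
    (cflags    . ("-D_FORTIFY_SOURCE=2"))   ; assumed default level
    (ldflags   . ("-Wl,-z,relro" "-Wl,-z,now"))))

(define (hardening-flags kind excluded)
  "Return the default flags of KIND with every flag in EXCLUDED removed."
  (lset-difference string=?
                   (or (assq-ref %default-hardening kind) '())
                   excluded))

(define* (harden pkg #:key (exclude '()))
  "Return PKG rebuilt with the default hardening flags, minus EXCLUDE.
Only #:configure-flags is handled here; #:make-flags and ldflags would be
treated the same way inside the build system."
  (package
    (inherit pkg)
    (arguments
     (substitute-keyword-arguments (package-arguments pkg)
       ((#:configure-flags flags ''())
        `(append ',(hardening-flags 'configure exclude) ,flags))))))

;; A package that cannot afford SSP in a hot path opts out of that one
;; flag and keeps the rest of the defaults.
(define-public gcc-hardened
  (harden gcc #:exclude '("--enable-default-ssp")))
```

The point of keeping the defaults in one list is that the opt-out is visible in the package definition and can be audited, instead of hardening silently disappearing when a package overrides `#:configure-flags` wholesale.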
