Re: Hardened toolchain
From: jbranso
Subject: Re: Hardened toolchain
Date: Fri, 15 Apr 2022 15:18:48 +0000
April 14, 2022 3:00 PM, "Development of GNU Guix and the GNU System distribution." <guix-devel@gnu.org> wrote:
> Mar 29, 2022, 10:15 by ludo@gnu.org:
>
>> Hi,
>>
>> Maxim Cournoyer <maxim.cournoyer@gmail.com> skribis:
>
> Maxime Devos <maximedevos@telenet.be> writes:
>> zimoun schreef op ma 21-03-2022 om 14:34 [+0100]:
>
> * gcc can be compiled with `--enable-default-ssp --enable-default-pie`
> to enforce ssp and pic
>> You wrote [1]:
>>
>> --8<---------------cut here---------------start------------->8---
>> (define-public gcc
>>   (package
>>     (inherit gcc)
>>     (arguments
>>      (substitute-keyword-arguments (package-arguments gcc)
>>        ((#:configure-flags flags)
>>         `(append (list "--enable-default-ssp" "--enable-default-pie")
>>                  ,flags))))))
>> --8<---------------cut here---------------end--------------->8---
>>
>> I think it would be a lot simpler to just add this to the 'standard'
>> gcc configure flags, in (gnu packages gcc), given that probably the
>> idea is to do this hardening for all packages? Needs a world-rebuild
>> though.
>
> +1. The whole distribution can probably benefit from this hardening.
>> That’s something worth trying in a branch off ‘core-updates’.
>>
>> Stack smashing protection (SSP) may incur measurable run-time overhead
>> though so enabling that one by default may be less consensual.
>
> We could do it like how NixOS does it [1]. There can be a `harden?` list in
> the build system that contains a default set of flags. Packages that need to
> have less hardening for performance or other reasons can modify that list. I
> believe this was discussed in an old email (not this thread).
I like this idea. I propose we make harden? default to #t. That way
practically most packages will be built with hardened features. Let's face
it, I am a bit lazy; if I submit a package to guix, I am usually going to do
it the easy way. If the easy way is harden? #f, then that's how I will
submit it. :)
>
>> There are other things that could be done in this area, often with no or
>> little overhead, such as building with -D_FORTIFY_SOURCE. Doing that
>> transparently (without changing build systems) is a bit of a challenge
>> though.
>>
>> Ludo’.
>
> Where and how should the default make and ldflags be set? I guess they could
> be set in the build-system/*.scm.
>
> [1] https://blog.mayflower.de/5800-Hardening-Compiler-Flags-for-NixOS.html
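As an added illustration of the "default hardening list that a package can trim" idea discussed above (this is example code written for this page, not code from the thread or from Guix itself): the procedures `hardening-flags` and `hardened-package`, the table `%hardening-features` and the `#:disable` keyword are assumptions chosen for the sketch, not anything Guix's build systems expose. The flags themselves are the standard GCC/binutils ones, the same set the NixOS post at [1] enables. The thread's own patch takes the other route (a gcc that defaults to SSP and PIE for everything); this sketch is the per-package alternative, passing the flags as CFLAGS/LDFLAGS to an autoconf configure script.

```scheme
;; Added example, not from the thread or from Guix.  Sketches a per-package
;; hardening list that individual packages can trim.
(use-modules (guix packages)
             (guix gexp)
             (guix utils)          ; substitute-keyword-arguments
             (gnu packages base)   ; hello, used as the demo package
             (srfi srfi-1))        ; filter, append-map

;; Each entry: (feature compile-flags link-flags).  The names are assumed
;; for this example; the flags are standard GCC/binutils options.
(define %hardening-features
  '((stack-protector ("-fstack-protector-strong") ())
    ;; _FORTIFY_SOURCE only does anything at -O1 or higher, which
    ;; gnu-build-system's default CFLAGS already provide.
    (fortify         ("-D_FORTIFY_SOURCE=2") ())
    (pie             ("-fPIE") ("-pie"))
    (relro           () ("-Wl,-z,relro" "-Wl,-z,now"))
    (format          ("-Wformat" "-Wformat-security" "-Werror=format-security") ())))

(define (hardening-flags disable)
  "Return two values, the compile flags and the link flags of every feature
in %HARDENING-FEATURES whose name is not in the list DISABLE."
  (let ((enabled (filter (lambda (feature)
                           (not (memq (car feature) disable)))
                         %hardening-features)))
    (values (append-map cadr enabled)
            (append-map caddr enabled))))

(define* (hardened-package base #:key (disable '()))
  "Return a variant of BASE whose configure script receives the hardening
flags as CFLAGS and LDFLAGS, minus the features named in DISABLE.  Only
meaningful for packages whose configure step honours those variables."
  (call-with-values
      (lambda () (hardening-flags disable))
    (lambda (cflags ldflags)
      (package
        (inherit base)
        (name (string-append (package-name base) "-hardened"))
        (arguments
         (substitute-keyword-arguments (package-arguments base)
           ;; Prepend the VAR=VALUE arguments to whatever flags the
           ;; package already passes; ''() is the default when it has none.
           ((#:configure-flags flags ''())
            #~(cons* #$(string-append "CFLAGS=" (string-join cflags " "))
                     #$(string-append "LDFLAGS=" (string-join ldflags " "))
                     #$flags))))))))

;; Full hardening would be (hardened-package hello); a package that cannot
;; afford the canary overhead the thread mentions trims the list instead.
;; As the file's last expression this is what `guix build -f` builds.
(hardened-package hello #:disable '(stack-protector))
```

Save it as a file and run `guix build -f` on it; afterwards `readelf -h` on the built binary should report `Type: DYN` (PIE) and `readelf -l` should list a `GNU_RELRO` segment, which is the quickest way to confirm the flags actually reached the compiler rather than being dropped by the package's own build.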