guix-devel

Re: Hardened toolchain


From: kiasoc5
Subject: Re: Hardened toolchain
Date: Fri, 29 Apr 2022 17:51:26 +0200 (CEST)

Apr 29, 2022, 10:31 by zimon.toutoune@gmail.com:

> Hi,
>
> On Tue, 29 Mar 2022 at 12:15, Ludovic Courtès <ludo@gnu.org> wrote:
>
>> Stack smashing protection (SSP) may incur measurable run-time overhead
>> though so enabling that one by default may be less consensual.
>>
>
> That’s true and it could be an issue for HPC practitioners.  However,
> quoting Wikipedia [1], for what it is worth:
>
> --8<---------------cut here---------------start------------->8---
> All Fedora packages are compiled with -fstack-protector since Fedora
> Core 5, and -fstack-protector-strong since Fedora 20.[19][20] Most
> packages in Ubuntu are compiled with -fstack-protector since 6.10.[21]
> Every Arch Linux package is compiled with -fstack-protector since
> 2011.[22] All Arch Linux packages built since 4 May 2014 use
> -fstack-protector-strong.[23] Stack protection is only used for some
> packages in Debian,[24] and only for the FreeBSD base system since
> 8.0.[25] Stack protection is standard in certain operating systems,
> including OpenBSD,[26] Hardened Gentoo[27] and DragonFly BSD.
> --8<---------------cut here---------------end--------------->8---
>
>
Anaconda (science package distribution) compiles their packages with a variety 
of security flags. These include PIE, SSP, fortify, RELRO, NOW. 
https://www.anaconda.com/blog/improved-security-performance-in-anaconda-distribution-5


> Well, I miss if Guix is built using this ’-fstack-protector’ flag; or
> whether it is included by default.
>

Are /any/ build flags used by default? I think right now only an empty list is
used for makeflags by default. It also depends on the configuration for gcc and
binutils, they can be set to enforce SSP and others by default.


> Cheers,
> simon
>
>
>
> 1: 
> <https://en.wikipedia.org/wiki/Buffer_overflow_protection#GNU_Compiler_Collection_(GCC)>
>
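As an added example (not part of this thread), a POSIX shell script that answers the "are any build flags used by default?" question empirically: it compiles a small probe program with whatever `cc` is on PATH and no flags, then uses binutils `readelf` to check whether the toolchain defaults produced PIE, RELRO, BIND_NOW, SSP and FORTIFY markers in the resulting ELF. The probe program, the `hardening_report`/`probe_toolchain` names and the `name:yes|no` output format are my own; it assumes gcc or clang plus GNU or LLVM `readelf` are installed.

```shell
#!/bin/sh
# Report hardening properties of an ELF file using only readelf.
# Each check looks for the marker the corresponding flag leaves behind:
#   pie      - ELF type DYN (ET_DYN), produced by -fPIE -pie
#   relro    - a PT_GNU_RELRO program header, produced by -Wl,-z,relro
#   bind_now - DT_FLAGS BIND_NOW / DT_FLAGS_1 NOW, produced by -Wl,-z,now
#   ssp      - a reference to __stack_chk_fail, produced by -fstack-protector*
#   fortify  - any __*_chk libc symbol, produced by -D_FORTIFY_SOURCE=2 at -O1+
hardening_report() {
    bin=$1
    pie=no;     readelf -h "$bin" | grep -q 'Type:.*DYN' && pie=yes
    relro=no;   readelf -l "$bin" | grep -q GNU_RELRO && relro=yes
    now=no;     readelf -d "$bin" | grep -Eq 'BIND_NOW|FLAGS_1.*NOW' && now=yes
    syms=$(readelf -sW "$bin")
    ssp=no;     printf '%s\n' "$syms" | grep -q '__stack_chk_fail' && ssp=yes
    # delimited so that __stack_chk_fail itself is not counted as FORTIFY
    fortify=no; printf '%s\n' "$syms" | grep -Eq '__[a-z0-9_]+_chk([@[:space:]]|$)' && fortify=yes
    printf 'pie:%s\nrelro:%s\nbind_now:%s\nssp:%s\nfortify:%s\n' \
        "$pie" "$relro" "$now" "$ssp" "$fortify"
}

# Compile a tiny probe program and report what the toolchain actually emitted.
# Usage: probe_toolchain <output-path> [compiler [flags...]]
# With no compiler argument it runs plain "cc", i.e. the distribution defaults.
probe_toolchain() {
    out=$1; shift
    [ $# -eq 0 ] && set -- cc
    cat > "$out.c" <<'EOF'
#include <string.h>
/* Unchecked copy into a fixed buffer (constructed probe): gives SSP a
   canary to insert and FORTIFY a __strcpy_chk to emit, so both defaults
   become observable in the binary. */
int main(int argc, char **argv) { char buf[16]; if (argc > 1) strcpy(buf, argv[1]); return buf[0]; }
EOF
    "$@" -o "$out" "$out.c" && hardening_report "$out"
}

# CLI: "sh hardening.sh --probe" probes the default toolchain;
# "sh hardening.sh FILE..." reports on already-built binaries.
for f in "$@"; do
    if [ "$f" = --probe ]; then
        tmp=$(mktemp -d); probe_toolchain "$tmp/probe"; rm -rf "$tmp"
    else
        hardening_report "$f"
    fi
done
```

Running it against a binary built explicitly with `-fstack-protector-strong -fPIE -pie -Wl,-z,relro,-z,now` gives a known-good baseline to compare the flagless default against.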



