Re: Hardened toolchain
From: kiasoc5
Subject: Re: Hardened toolchain
Date: Thu, 14 Apr 2022 20:59:49 +0200 (CEST)
Mar 29, 2022, 10:15 by ludo@gnu.org:
> Hi,
>
> Maxim Cournoyer <maxim.cournoyer@gmail.com> skribis:
>
>> Maxime Devos <maximedevos@telenet.be> writes:
>>
>>> zimoun schreef op ma 21-03-2022 om 14:34 [+0100]:
>>>
>>>> > * gcc can be compiled with `--enable-default-ssp --enable-default-pie`
>>>> > to enforce ssp and pic
>>>>
>>>> You wrote [1]:
>>>>
>>>> --8<---------------cut here---------------start------------->8---
>>>> (define-public gcc
>>>>   (package
>>>>     (inherit gcc)
>>>>     (arguments
>>>>      (substitute-keyword-arguments (package-arguments gcc)
>>>>        ;; each clause is ((#:keyword var) body): bind the existing flags, then prepend
>>>>        ((#:configure-flags flags)
>>>>         `(append (list "--enable-default-ssp" "--enable-default-pie")
>>>>                  ,flags))))))
>>>> --8<---------------cut here---------------end--------------->8---
>>>>
>>>
>>> I think it would be a lot simpler to just add this to the 'standard'
>>> gcc configure flags, in (gnu packages gcc), given that probably the
>>> idea is to do this hardening for all packages? Needs a world-rebuild
>>> though.
>>>
>>
>> +1. The whole distribution can probably benefit from this hardening.
>>
>
> That’s something worth trying in a branch off ‘core-updates’.
>
> Stack smashing protection (SSP) may incur measurable run-time overhead
> though so enabling that one by default may be less consensual.
>
We could do it the way NixOS does it [1]. There can be a `harden?` list in the
build system that contains a default set of flags. Packages that need to have
less hardening for performance or other reasons can modify that list. I believe
this was discussed in an old email (not this thread).
> There are other things that could be done in this area, often with no or
> little overhead, such as building with -D_FORTIFY_SOURCE. Doing that
> transparently (without changing build systems) is a bit of a challenge
> though.
>
> Ludo’.
>
Where and how should the default make and ldflags be set? I guess they could be
set in the build-system/*.scm.
[1] https://blog.mayflower.de/5800-Hardening-Compiler-Flags-for-NixOS.html
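Whichever way the default flags end up being set, the rebuilt packages need checking to confirm the hardening reached their binaries. The script below is an added example, not code from this thread or from Guix; it assumes GNU binutils' readelf and glibc-linked ELF executables, and the readelf excerpts it embeds are constructed samples.

```shell
#!/bin/sh
# Added example (not code from this thread or from Guix): confirm that a
# toolchain's hardening defaults actually reached a built binary by
# classifying `readelf` output. Assumes GNU binutils and glibc-linked ELF files.

# hardening_report: reads `readelf -h -W --dyn-syms FILE` text on stdin and
# prints one line "pie=yes|no ssp=yes|no fortify=yes|no".
hardening_report() {
    pie=no; ssp=no; fortify=no
    while IFS= read -r line; do
        case "$line" in
            *Type:*DYN*)           pie=yes ;;     # ET_DYN: PIE (also true of .so files)
            *" __stack_chk_fail"*) ssp=yes ;;     # canary handler => -fstack-protector*
            *_chk@*)               fortify=yes ;; # __printf_chk etc. => -D_FORTIFY_SOURCE
        esac
    done
    # Caveat: fortify=no is not proof of a missing -D_FORTIFY_SOURCE; a binary
    # that never calls a fortifiable libc function references no *_chk symbol.
    printf 'pie=%s ssp=%s fortify=%s\n' "$pie" "$ssp" "$fortify"
}

# check_binary FILE: print the report; exit status 1 if readelf failed or any
# protection is absent, so it can gate a package check phase or a CI job.
check_binary() {
    report=$(readelf -h -W --dyn-syms "$1" | hardening_report)
    [ -n "$report" ] || return 1
    printf '%s: %s\n' "$1" "$report"
    case "$report" in *=no*) return 1 ;; esac
}

# Constructed readelf excerpts (not captured from a real build) so the script
# runs offline; one hardened PIE, one plain non-PIE executable.
demo_hardened() {
    printf '%s\n' \
        '  Type:                              DYN (Position-Independent Executable file)' \
        '     3: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND __stack_chk_fail@GLIBC_2.4 (3)' \
        '     7: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND __printf_chk@GLIBC_2.3.4 (2)' \
        | hardening_report
}
demo_unhardened() {
    printf '%s\n' \
        '  Type:                              EXEC (Executable file)' \
        '     5: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND printf@GLIBC_2.2.5 (2)' \
        | hardening_report
}

if [ -n "${1-}" ]; then
    check_binary "$1"
else
    demo_hardened      # pie=yes ssp=yes fortify=yes
    demo_unhardened    # pie=no ssp=no fortify=no
fi
```

Run it with a path argument to inspect a real binary from a package's output; without one it classifies the two embedded samples.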