Gentoo Forums
Hardened Gentoo on the EFIKA
Forum: Gentoo on PPC
Napalm Llama (Guru; joined 04 Jun 2005; 520 posts; Swansea, UK)
Posted: Sun Apr 29, 2007 10:48 pm    Post subject: Hardened Gentoo on the EFIKA

Hullo there. I've ordered one of those EFIKA boards that were mentioned in the GWN last December (it should arrive sometime this coming week), and I'm trying to plan the system I'm going to load it up with.

My idea is to turn it into a server for my website, for VPN, and also for a couple of things around the house. Because it's going to be open to the internet at large, I've decided that I want to harden it with PaX, SSP, Grsecurity, et al. This is my first attempt at building a system with these features in place so I'm still very much at the base of the learning curve. My main concern is that as the EFIKA only has a 400MHz processor, my non-hardened x86 desktop PC is going to have to help it out quite a bit with the compiling. I understand that SSP needs a specially modified toolchain, however - how would I set up a cross-compiler to produce SSP-enabled PPC binaries?

I really need educating on this whole topic - there are articles in the Gentoo docs on cross compiling, and on hardened systems, but not on combining the two. Are there any decent HOWTOs out there? Does anybody have experience with this sort of thing?

Any help or hints would be appreciated :)

[edit:]
Do you think I'd be better off posting this in a busier forum? Networking and security perhaps? No replies after two days on this forum's front page isn't too promising...
_________________
splig: amd64; nForce3; sata; GeForce 6600gt agp
muttley: EFIKA 5200B - PPC SoC :)

Registered Linux User #381314
# killall humans
Bones McCracker (Veteran; joined 14 Mar 2006; 1609 posts; U.S.A.)
Posted: Fri May 04, 2007 2:31 am

I haven't done this. If you have a hardened toolchain on the compiling machine, it can produce pic binaries, etc. Isolating this should be no different than managing any other environment that is specifically for an external architecture (specific make settings, slotted toolchain components, etc.).

I suggest the following:

First set up the new box as you normally would, but stop after getting the base system installed (no X, nothing extraordinary beyond your major administrative utilities like logging, cron, etc.).

Then try cross-compiling normally (not hardened) from the other machine. Get that working.

Then convert the machine with the new board to hardened (toolchain first, then rebuild the system and world). Study first whether you are going to use the hardened profile (look at which packages are masked, paying special attention to gcc, glibc, etc.) or the ppc profile (with pic and hardened USE flags). Personally, I did the latter and the system ran fine; paxtest showed most PaX functions working normally. If this is going to be a production machine, you may want to use the profile and the older toolchain elements that are not currently masked. My take on that may be dated, so check the profile yourself.

Then, when you can validate the base system (hardened) is functioning and pax/grsec are configured and functioning, set the other machine up to be able to cross-compile with hardened. Do something small first.
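The "do something small first" step above needs a way to tell whether the cross toolchain actually produced what you asked for. The following is an added example, not code from this thread, from Gentoo or from pax-utils: it reads the ELF header of a cross-built test binary and reports whether it is a 32-bit big-endian PowerPC image (the EFIKA 5200B target is assumed here), whether it is position-independent (PIE executables are ET_DYN), and, as a heuristic for SSP, whether the binary references __stack_chk_fail, which a dynamically linked binary built with -fstack-protector imports from libc. The sample byte strings at the bottom are constructed headers, not real binaries; the script name in the usage comment is hypothetical.

```python
"""
Added example (not from the forum thread, Gentoo or pax-utils): header-level
sanity check for a cross-compiled, supposedly hardened PPC32 binary.
Assumptions: target is the EFIKA 5200B (32-bit, big-endian PowerPC); the
binary is dynamically linked, so the __stack_chk_fail name survives
stripping in .dynstr. Stripped static binaries will fail the SSP heuristic.
"""
import struct
import sys

ELF_MAGIC = b"\x7fELF"
ELFCLASS32, ELFCLASS64 = 1, 2
ELFDATA2LSB, ELFDATA2MSB = 1, 2      # little-endian, big-endian
ET_EXEC, ET_DYN = 2, 3               # fixed-address executable, PIE/shared object
EM_PPC, EM_X86_64 = 20, 62


def parse_elf_header(data: bytes) -> dict:
    """Decode the fields that ELF32 and ELF64 headers share (first 20 bytes)."""
    if len(data) < 20 or data[:4] != ELF_MAGIC:
        raise ValueError("not an ELF file")
    ei_class, ei_data = data[4], data[5]
    if ei_data not in (ELFDATA2LSB, ELFDATA2MSB):
        raise ValueError("unknown ELF data encoding %d" % ei_data)
    endian = "<" if ei_data == ELFDATA2LSB else ">"
    # e_type and e_machine are the two 16-bit fields right after e_ident.
    e_type, e_machine = struct.unpack(endian + "HH", data[16:20])
    return {"class": ei_class, "data": ei_data, "type": e_type, "machine": e_machine}


def check_hardened_ppc(data: bytes) -> dict:
    """Return per-property findings for a would-be hardened PPC32 executable."""
    hdr = parse_elf_header(data)
    findings = {
        # Catches the classic cross-compile mistake: the host gcc was picked
        # up and produced an x86/amd64 binary instead of a PowerPC one.
        "is_ppc32_be": (hdr["machine"] == EM_PPC
                        and hdr["class"] == ELFCLASS32
                        and hdr["data"] == ELFDATA2MSB),
        # PIE executables are ET_DYN; ET_EXEC means the image cannot be
        # randomised. Shared libraries are ET_DYN too, so only apply this
        # check to executables.
        "is_pie": hdr["type"] == ET_DYN,
        # Heuristic for -fstack-protector: the canary-failure routine is imported.
        "has_ssp_symbol": b"__stack_chk_fail" in data,
    }
    findings["ok"] = all(findings.values())
    return findings


def make_elf(ei_class: int, ei_data: int, e_type: int, e_machine: int,
             tail: bytes = b"") -> bytes:
    """Constructed sample: a minimal ELF header (52 or 64 bytes) plus tail bytes."""
    endian = "<" if ei_data == ELFDATA2LSB else ">"
    e_ident = ELF_MAGIC + bytes([ei_class, ei_data, 1, 0]) + b"\0" * 8
    if ei_class == ELFCLASS32:
        rest = struct.pack(endian + "HHIIIIIHHHHHH",
                           e_type, e_machine, 1, 0, 0, 0, 0, 52, 0, 0, 0, 0, 0)
    else:
        rest = struct.pack(endian + "HHIQQQIHHHHHH",
                           e_type, e_machine, 1, 0, 0, 0, 0, 64, 0, 0, 0, 0, 0)
    return e_ident + rest + tail


# Constructed samples (not real binaries): what should pass and what should fail.
HARDENED_PPC = make_elf(ELFCLASS32, ELFDATA2MSB, ET_DYN, EM_PPC, b"\0__stack_chk_fail\0")
PLAIN_PPC = make_elf(ELFCLASS32, ELFDATA2MSB, ET_EXEC, EM_PPC)           # no PIE, no SSP
HOST_AMD64 = make_elf(ELFCLASS64, ELFDATA2LSB, ET_DYN, EM_X86_64,
                      b"\0__stack_chk_fail\0")                           # wrong CHOST

if __name__ == "__main__":
    # Usage (hypothetical script name): python check_ppc_hardened.py ./hello-ppc
    with open(sys.argv[1], "rb") as fh:
        result = check_hardened_ppc(fh.read())
    for key, value in result.items():
        print("%-16s %s" % (key, value))
    sys.exit(0 if result["ok"] else 1)
```

The same three header fields are what `file` and `readelf -h` print, so this is only a scripted version of looking at them; it is meant to run on the build host before the binary goes anywhere near the board. Once the target is up, pax-utils' scanelf and paxtest on the box itself give the fuller picture (PaX markings, RELRO, actual ASLR behaviour) that a header check cannot.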
Napalm Llama (Guru; joined 04 Jun 2005; 520 posts; Swansea, UK)
Posted: Fri May 04, 2007 7:55 am

Thanks for the advice. I'll come back once I've got crossdev working properly - I reckon I can just about do that on my own!
Bones McCracker (Veteran; joined 14 Mar 2006; 1609 posts; U.S.A.)
Posted: Fri May 04, 2007 11:38 am

Sorry I couldn't be of more help. But since you were going without an answer, perhaps even my thoughts might be some use.

If you are serious, you may also want to consider OpenBSD, Fedora, and Suse -- all of which appear to my relatively uninformed eyes to have more fully-implemented PIE/SSP.
Napalm Llama (Guru; joined 04 Jun 2005; 520 posts; Swansea, UK)
Posted: Fri May 04, 2007 11:53 am

There's no way I'm going with Fedora again, and Suse just seems too... beginnerish to me. That might just be because I was a beginner when I was using it, though :)

I like the flexibility of Gentoo, and the way it doesn't try to hide anything from you.

OpenBSD is a distinct possibility, however - but I haven't really ventured away from Linux since I abandoned Windows, so I don't have any experience with it. How do you think it compares with Gentoo for ease of maintenance/upgradability? Also for embeddability, as I only have 400MHz of CPU and 128 MB of RAM to work with :)

Playing with different operating systems isn't a problem for me at the moment because the machine is netbooting anyway - I can just make new "root" directories on my main PC and export them over NFS as required. Plus, I have a shiny new 500 GB hard drive, so storage isn't an issue either :D
gringo (Advocate; joined 27 Apr 2003; 3793 posts)
Posted: Fri May 04, 2007 3:18 pm

don't know if this fits your needs as i haven't tried it myself (yet) but maybe you want to have a look at gnap

cheers
_________________
Error: Failing not supported by current locale
Napalm Llama (Guru; joined 04 Jun 2005; 520 posts; Swansea, UK)
Posted: Fri May 04, 2007 3:29 pm

Hmm, that looks interesting. However I plan to buy a 2.5" hard disk at some point and turn my Efika into a fully-fledged server, and GNAP doesn't look flexible enough to make me happy... Also, I don't know if it's available on PPC (Efika is PPC).

I'll bear it in mind, though :D
gringo (Advocate; joined 27 Apr 2003; 3793 posts)
Posted: Fri May 04, 2007 3:37 pm

Quote:
    Also, I don't know if it's available on PPC (Efika is PPC)

oops, just checked and you're right, it looks like it's not available for ppc ... sorry :oops:

cheers
Napalm Llama (Guru; joined 04 Jun 2005; 520 posts; Swansea, UK)
Posted: Fri May 04, 2007 3:42 pm

No apology needed, it was a good idea!

Also, congratulations on your one thousand, three hundred and thirty seventh post :P
gringo (Advocate; joined 27 Apr 2003; 3793 posts)
Posted: Fri May 04, 2007 3:58 pm

Quote:
    Also, congratulations on your one thousand, three hundred and thirty seventh post

lol, thanks, didn't realise that!

cheers ;)