Gentoo Forums
[HOWTO] The Hardened GCC4 Toolchain Overlay Guide
Forum: Unsupported Software, page 2 of 2
Naib (Watchman, joined 21 May 2004, 5673 posts, location: Removed by Neddy), posted Sun Jan 25, 2009 4:19 pm:

couple of corrections needed (esp if you go for portage22)

1)
Code:

 gcc-config 2 && source /etc/profile


check the output of gcc-config -l first
Code:

gcc-config -l
 [1] i686-pc-linux-gnu-4.3.2 *
 [2] i686-pc-linux-gnu-4.3.2-nofortify
 [3] i686-pc-linux-gnu-4.3.2-nopie
 [4] i686-pc-linux-gnu-4.3.2-nossp_all
 [5] i686-pc-linux-gnu-4.3.2-vanilla

for me using hardened stage tarballs I would use gcc-config 1 for a fully hardened toolchain


2)
Code:

while read ebuild; do emerge -v1 "${ebuild}" || echo "${ebuild}" >>failed; done < <(emerge -ep --columns --color=n system| cut -d] -f2 | awk '{print$1}' | egrep -v "(glibc|/portage|binutils|gcc|linux-h)"|sed '1,4d')

Does not work with portage22 (don't know if it still works with portage21)

Code:

while read ebuild; do emerge -v1 "$ebuild" || echo "$ebuild" >>failed; done < <(  emerge -ep  --color=n system| cut -d] -f2 | awk '{print "="$1}' | egrep -v "(glibc|/portage|binutils|gcc|linux-h)")



3)
Code:

# echo "=sys-apps/openrc-0.4*">>/etc/portage/package.keywords
# echo "=sys-apps/baselayout-2*">>/etc/portage/package.keywords


sysvinit > 2.86-r11 is needed

Code:

# echo "=sys-apps/openrc-0.4*">>/etc/portage/package.keywords
# echo "=sys-apps/baselayout-2*">>/etc/portage/package.keywords
# echo "=sys-apps/sysvinit-2.86*" >> /etc/portage/package.keywords




apart from that, this howto is valid for a new build
_________________
The best argument against democracy is a five-minute conversation with the average voter
Great Britain is a republic, with a hereditary president, while the United States is a monarchy with an elective king
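The two corrections above both depend on parsing tool output by hand: point 1 warns that the `gcc-config` index differs between installs, and point 2 replaces a pipeline that skipped emerge's header by line count (`sed '1,4d'`) with one that breaks under portage 2.2's output. The shell script below is an added example, not code from the guide or from Naib's post: it selects the fully hardened profile by name instead of by index, drops emerge's header lines by pattern instead of by count, and keeps the same toolchain exclusions as the post. The `gcc-config -l` and `emerge -ep` output it runs on is constructed sample data embedded in the script; the real-system driver at the end assumes `gcc-config` and `emerge` are present and writes failures to `./failed` as the original loop did.

```shell
#!/bin/sh
# Added example, not code from the guide or from Naib's post. Makes the two
# corrections robust: the gcc profile is chosen by name, not by a hard-coded
# index, and emerge's header lines are dropped by pattern, not by `sed '1,4d'`.
# The sample tool output below is constructed for the demo.

# Print the index of the fully hardened gcc profile from `gcc-config -l` output
# on stdin. The hardened toolchain ships one profile per disabled mitigation
# (-nofortify, -nopie, -nossp_all, -vanilla); the fully hardened profile is the
# one whose name carries none of those suffixes. Exit status 1 if none is found.
hardened_gcc_profile_index() {
    awk '
        $1 ~ /^\[[0-9]+\]$/ && $2 !~ /-(nofortify|nopie|nossp|vanilla)/ {
            print substr($1, 2, length($1) - 2)   # strip the surrounding [ ]
            found = 1
            exit
        }
        END { exit(found ? 0 : 1) }
    '
}

# Turn `emerge -ep --color=n system` output on stdin into versioned atoms,
# leaving out the toolchain packages the guide has already rebuilt (the same
# exclusion list as the post; "gcc" also drops gcc-config, "linux-h" the
# headers). Only lines starting with "[ebuild" describe packages, so the
# header ("These are the packages ...", "Calculating dependencies ...") is
# discarded by pattern rather than by counting lines.
system_rebuild_atoms() {
    grep '^\[ebuild' \
        | cut -d']' -f2 \
        | awk '{ print "=" $1 }' \
        | grep -Ev '(glibc|/portage|binutils|gcc|linux-h)'
}

# The real procedure for a system that has gcc-config and emerge. Each emerge
# inside the loop gets stdin from /dev/null so it cannot consume the package
# list the loop is reading; failed atoms are appended to ./failed as in the post.
rebuild_system_with_hardened_gcc() {
    idx=$(gcc-config -l | hardened_gcc_profile_index) || {
        echo "no fully hardened gcc profile found in gcc-config -l" >&2
        return 1
    }
    gcc-config "$idx" && . /etc/profile
    emerge -ep --color=n system | system_rebuild_atoms | while read -r ebuild; do
        emerge -v1 "$ebuild" </dev/null || echo "$ebuild" >> failed
    done
}

# Constructed sample of `gcc-config -l` output; indices are deliberately
# shuffled relative to the post to show that the index must not be assumed.
SAMPLE_GCC_CONFIG='[1] i686-pc-linux-gnu-4.3.2-nofortify
 [2] i686-pc-linux-gnu-4.3.2-nopie
 [3] i686-pc-linux-gnu-4.3.2 *
 [4] i686-pc-linux-gnu-4.3.2-nossp_all
 [5] i686-pc-linux-gnu-4.3.2-vanilla'

# Constructed sample of `emerge -ep --color=n system` output (header included).
SAMPLE_EMERGE='
These are the packages that would be merged, in order:

Calculating dependencies ... done!
[ebuild   R   ] sys-apps/sed-4.1.5-r1  USE="nls"
[ebuild   R   ] sys-libs/glibc-2.8_p20080602-r2  USE="nls"
[ebuild   R   ] sys-devel/gcc-config-1.4.0-r4
[ebuild   R   ] sys-apps/portage-2.2_rc23  USE="-build"
[ebuild   R   ] app-shells/bash-3.2_p39  USE="nls"
'

# Demo on the constructed samples: prints "3", then the two atoms to rebuild.
demo() {
    printf '%s\n' "$SAMPLE_GCC_CONFIG" | hardened_gcc_profile_index
    printf '%s\n' "$SAMPLE_EMERGE" | system_rebuild_atoms
}

demo
```

On a real box only the driver function needs calling; the two parsers are kept separate so their output can be inspected (`gcc-config -l | hardened_gcc_profile_index`) before anything is switched or rebuilt.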
likewhoa (l33t, joined 04 Oct 2006, 777 posts, location: Brooklyn, New York), posted Sun Jan 25, 2009 5:56 pm:

Naib wrote:
couple of corrections needed....)


Thanks Naib, I will be implementing your corrections and will be updating the guide for use with the new stage3 tarball zorry build.
Naib (Watchman, joined 21 May 2004, 5673 posts, location: Removed by Neddy), posted Sun Jan 25, 2009 6:11 pm:

likewhoa wrote:
Naib wrote:
couple of corrections needed....)


Thanks Naib, I will be implementing your corrections and will be updating the guide for use with the new stage3 tarball zorry build.


Sweet! It's the new stage tarballs I am using right now :D
likewhoa (l33t, joined 04 Oct 2006, 777 posts, location: Brooklyn, New York), posted Mon Jan 26, 2009 8:26 pm:

OK, the guide has been updated & tested with the new stage3 from zorry and official stages from gentoo.
g0rg0n (n00b, joined 18 Feb 2006, 53 posts), posted Fri Feb 13, 2009 4:12 am:

Thanks for the hard work!

I'm up to chapter 7, configuring the kernel, and everything went smoothly so far!
_________________
DoTA, anyone?
Darknight (Guru, joined 26 Jan 2004, 469 posts, location: Italy), posted Mon Mar 02, 2009 10:53 am:

Very nice, thank you.
jagdfalke (n00b, joined 09 Apr 2005, 5 posts), posted Thu Mar 19, 2009 9:45 am:

Hi,

with your howto I was able to convert a standard hardened stage3 based system into a GCC-4.3 based hardened system. Thanks a lot for your work!

I have the following suggestions:

1. Add
Code:

echo "=sys-libs/glibc-2.8*">>/etc/portage/package.unmask


as I got the following messages without it:

Code:

server64d ~ # emerge -p glibc
These are the packages that would be merged, in order:

Calculating dependencies ... done!
[ebuild     UD] sys-libs/glibc-2.6.1 [2.8_p20080602-r2]
server64d ~ #
server64d ~ # emerge -p =glibc-2.8\*
These are the packages that would be merged, in order:

Calculating dependencies ... done!

!!! All ebuilds that could satisfy "=sys-libs/glibc-2.8*" have been masked.
!!! One of the following masked packages is required to complete your request:
- sys-libs/glibc-2.8_p20080602-r2 (masked by: package.mask)
/usr/portage/profiles/hardened/linux/package.mask:
# sys-libs/glibc-2.8 is about to go stable and stable hardened may not be ready for it.
# 2009-02-11 gengor

- sys-libs/glibc-2.8_p20080602-r1 (masked by: package.mask)
- sys-libs/glibc-2.8_p20080602 (masked by: package.mask)

For more information, see the MASKED PACKAGES section in the emerge
man page or refer to the Gentoo Handbook.

server64d ~ #


2. Add 69_all_gcc-43-pr39013.patch from https://bugs.gentoo.org/show_bug.cgi?id=254355 to the GCC ebuild (it is also included in the newer portage tree GCC patchset I think). Fixes compilation of netlib, for more information see there. (I haven't tried the patch myself so far, but it is reported to work.)
zorry (Developer, joined 30 Mar 2008, 380 posts, location: Umeå, the north part of Scandinavia), posted Thu Mar 19, 2009 11:17 am:

@jagdfalke
Will update the gcc ebuild when the patch hits gcc's patchset.
If you read the bug report, you will see that the old patch breaks stuff.
_________________
gcc version 6.1.0 (Gentoo Hardened 6.1.0 p1.1)
Phacops (n00b, joined 05 Jan 2008, 8 posts, location: France), posted Fri Apr 24, 2009 10:34 pm:

Code:
echo "=sys-boot/grub-0.97-r7" >>/etc/portage/package.keywords

Grub version should be 0.97-r10.

Thanks a lot for this guide.
likewhoa (l33t, joined 04 Oct 2006, 777 posts, location: Brooklyn, New York), posted Sat Apr 25, 2009 7:26 am:

Phacops wrote:
Code:
echo "=sys-boot/grub-0.97-r7" >>/etc/portage/package.keywords

Grub version should be 0.97-r10.

Thanks a lot for this guide.


Thanks.
Herring42 (Guru, joined 10 Mar 2004, 373 posts, location: Buckinghamshire), posted Mon Apr 27, 2009 6:07 am:

Silly question:

How do I convert a running GCC 3.5 Hardened system to using a 4.3 compiler?

Cheers.
_________________
"The problem with quotes on the internet is that it is difficult
to determine whether or not they are genuine." -- Abraham Lincoln
likewhoa (l33t, joined 04 Oct 2006, 777 posts, location: Brooklyn, New York), posted Mon Apr 27, 2009 6:31 am:

Herring42 wrote:
Silly question:

How do I convert a running GCC 3.5 Hardened system to using a 4.3 compiler?

Cheers.


Follow this guide.
Herring42 (Guru, joined 10 Mar 2004, 373 posts, location: Buckinghamshire), posted Mon Apr 27, 2009 6:39 am:

likewhoa wrote:
Herring42 wrote:
Silly question:

How do I convert a running GCC 3.5 Hardened system to using a 4.3 compiler?

Cheers.


Follow this guide.


Let me rephrase that. I'm running a hardened system. Do I need to start at the beginning and boot off a hardened live CD, download a stage3, etc., or can I save some time by starting further down the guide?
Herring42 (Guru, joined 10 Mar 2004, 373 posts, location: Buckinghamshire), posted Mon Apr 27, 2009 9:47 am:

OK, started from the beginning!

Compiling GCC, I get this error:
Code:
config.status: creating auto-host.h
config.status: executing default commands
make[2]: Leaving directory `/var/tmp/portage/sys-devel/gcc-4.3.3-r2/work/build'
make[1]: *** [stage2-bubble] Error 2
make[1]: Leaving directory `/var/tmp/portage/sys-devel/gcc-4.3.3-r2/work/build'
make: *** [bootstrap-lean] Error 2
 *
 * ERROR: sys-devel/gcc-4.3.3-r2 failed.
 * Call stack:
 *               ebuild.sh, line   49:  Called src_compile
 *             environment, line 4844:  Called toolchain_src_compile
 *             environment, line 5373:  Called gcc_src_compile
 *             environment, line 3018:  Called gcc_do_make
 *             environment, line 2822:  Called die
 * The specific snippet of code:
 *       emake LDFLAGS="${LDFLAGS}" STAGE1_CFLAGS="${STAGE1_CFLAGS}" LIBPATH="${LIBPATH}" BOOT_CFLAGS="${BOOT_CFLAGS}" ${GCC_MAKE_TARGET} || die "emake f
ailed with ${GCC_MAKE_TARGET}";
 *  The die message:
 *   emake failed with bootstrap-lean
 *
 * If you need support, post the topmost build error, and the call stack if relevant.
 * A complete build log is located at '/var/log/portage/sys-devel:gcc-4.3.3-r2:20090427-093333.log'.
 * The ebuild environment file is located at '/var/tmp/portage/sys-devel/gcc-4.3.3-r2/temp/environment'.
 * This ebuild used the following eclasses from overlays:
 *   /usr/portage/local/layman/xake-toolchain/eclass/toolchain.eclass
 *   /usr/portage/local/layman/xake-toolchain/eclass/toolchain-funcs.eclass
 *   /usr/portage/local/layman/xake-toolchain/eclass/flag-o-matic.eclass
 *   /usr/portage/local/layman/xake-toolchain/eclass/hardened-funcs.eclass
 * This ebuild is from a repository named 'secure'
 *


Any ideas?
likewhoa (l33t, joined 04 Oct 2006, 777 posts, location: Brooklyn, New York), posted Mon Apr 27, 2009 8:55 pm:

Herring42 wrote:
OK, started from the beginning!
...

Any ideas?


I hope you didn't extract a stage3 on your existing system, as it might cause weird issues. All you have to do is follow the guide starting from 4. Bootstrapping the system; if you run into problems from there, let me know. The above error doesn't really tell me much.
Herring42 (Guru, joined 10 Mar 2004, 373 posts, location: Buckinghamshire), posted Tue Apr 28, 2009 6:42 am:

likewhoa wrote:
Herring42 wrote:
OK, started from the beginning!
...

Any ideas?


I hope you didn't extract a stage3 on your existing system, as it might cause weird issues. All you have to do is follow the guide starting from 4. Bootstrapping the system; if you run into problems from there, let me know. The above error doesn't really tell me much.


Luckily, no I didn't.

What I found was this:

The gcc from the overlay couldn't be built with the hardened gcc-3.4.6 from the main tree. It could, however, be built with the masked gcc-4.3.3-r2 in the main tree, which I could build with hardened gcc-3.4.6. Complicated, eh?

I've currently finished the guide, have just emerged @system and the kernel, and am currently emerging @world.

I haven't rebooted yet, as I'm a little worried that top seems to be segfaulting. I worried about what else might be broken :(
likewhoa (l33t, joined 04 Oct 2006, 777 posts, location: Brooklyn, New York), posted Tue Apr 28, 2009 9:20 am:

Herring42 wrote:
likewhoa wrote:
Herring42 wrote:
OK, started from the beginning!
...

Any ideas?


I hope you didn't extract a stage3 on your existing system, as it might cause weird issues. All you have to do is follow the guide starting from 4. Bootstrapping the system; if you run into problems from there, let me know. The above error doesn't really tell me much.


Luckily, no I didn't.

What I found was this:

The gcc from the overlay couldn't be built with the hardened gcc-3.4.6 from the main tree. It could, however, be built with the masked gcc-4.3.3-r2 in the main tree, which I could build with hardened gcc-3.4.6. Complicated, eh?

I've currently finished the guide, have just emerged @system and the kernel, and am currently emerging @world.

I haven't rebooted yet, as I'm a little worried that top seems to be segfaulting. I worried about what else might be broken :(


Seeing that the masked gcc-4.3.3-r2 from the tree built is good news for the official hardened profile, to me. Keep me posted on your progress.
Herring42 (Guru, joined 10 Mar 2004, 373 posts, location: Buckinghamshire), posted Tue Apr 28, 2009 5:42 pm:

likewhoa wrote:

Seeing that the masked gcc-4.3.3-r2 from the tree built is good news for the official hardened profile, to me. Keep me posted on your progress.


Well, good news and not so good news.

First, I'm fully RAID1 mirrored, and compiling grub with the hardened amd64 compiler causes it to fail on reboot with a message complaining about not having enough memory. The solution is to change the compiler to the vanilla version, compile grub, install it in the MBR, then change back.

The not so good news is that NFS seems to have stopped working, though I have not yet determined the cause. I'm using NFS4 with Kerberos, and it's a bit flaky at the best of times...
radegand (n00b, joined 22 Aug 2008, 45 posts, location: Poland), posted Thu Jul 23, 2009 10:48 am:

Hi all,
I've just created a kvm box following this guide, running gcc-4.4 and glibc-2.10 on the x86 arch. I'm currently also creating an x86_64 image but had to rebuild it, as by mistake I got into the multilib profile, which I didn't want.

Anyway, all went smooth and easy. A few things:
*) I haven't unmasked any specific packages apart from gcc and glibc. openrc, udev, baselayout-2 and sysvinit required keywording as per the guide. So in the end my package.unmask file:
Code:
=sys-devel/gcc-4.4*
=sys-libs/glibc-2.10*

and package.keywords:
Code:
=sys-devel/gcc-4.4*
=sys-libs/glibc-2.10*
=sys-apps/openrc-0.4*
=sys-fs/udev-13*
=sys-apps/baselayout-2*
=sys-apps/sysvinit-2.86*
sys-kernel/hardened-sources ~amd64

*) openrc-9999 does not seem to be required anymore :)
*) When doing the initial re-emerge of
Code:
emerge gcc-config linux-headers glibc binutils gcc portage -1
I got a weird portage error but unfortunately I haven't saved it :( I rebuilt portage manually, then emerged the rest of the packages, and this time it was fine.
*) Rebuilt the world using 'emerge -eav world'; everything went fine, no errors at all. :)

Thanks for the guide! 8)
likewhoa (l33t, joined 04 Oct 2006, 777 posts, location: Brooklyn, New York), posted Sat Aug 29, 2009 2:59 pm:

Updated guide for gcc-4.4.1; soon the gcc-4.5 (testing) branch will be available. Stay tuned....
timeBandit (Bodhisattva, joined 31 Dec 2004, 2674 posts, location: here, there or in transit), posted Sat Aug 29, 2009 3:25 pm:

@Herring42 and all newcomers, please limit discussion in this thread to QA of the guide itself.

Support questions related to migrating your system per this guide belong in Support for GCC 4.x on hardened systems.
_________________
Plants are pithy, brooks tend to babble--I'm content to lie between them.
Super-short f.g.o checklist: Search first, strip comments, mark solved, help others.
blueness (Developer, joined 25 Nov 2009, 32 posts, location: Buffalo, NY), posted Wed Nov 25, 2009 9:04 pm:

There are a few minor errors with regard to adding /etc/portage/repos.conf to get the correct eclass inheritance:

1. For non-testing branch, you just need the following lines:

[DEFAULT]
eclass-overrides = hardened-dev

in repos.conf

2. You need repos.conf even with portage-2.1.6.13, not just >=sys-apps/portage-2.2. See bug at https://bugs.gentoo.org/show_bug.cgi?id=293961
3. The name of the file is repos.conf not repo.conf
4. eclass-overrides = secure does not work
5. eclass-overrides = hardened-development also does not work

Both 4 and 5 lead to

Unavailable repository 'secure' referenced by eclass-overrides entry in '/etc/portage/repos.conf'

or

Unavailable repository 'hardened-development' referenced by eclass-overrides entry in '/etc/portage/repos.conf'
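Points 4 and 5 above both fail the same way: the name given to `eclass-overrides` must be a repository name portage knows, and portage takes that name from the overlay's `profiles/repo_name` file, not from the directory the overlay lives in. The script below is an added example, not code from the guide or from blueness's post. It reads the `eclass-overrides` entries out of a repos.conf, collects the names the configured overlay directories declare, and reports any reference that would produce the "Unavailable repository" error before portage is run. The overlay directory, repo name and repos.conf contents in the demo are constructed in a temporary directory; the function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the guide or from blueness's post. Checks that every
# repository named in an eclass-overrides line of repos.conf is a name some
# overlay declares in its profiles/repo_name file, which is what portage
# resolves the entry against. Demo data below is constructed.

# Print the repository names listed on eclass-overrides lines of the given
# repos.conf (INI style: "eclass-overrides = name1 name2").
eclass_overrides_in() {
    sed -n 's/^[[:space:]]*eclass-overrides[[:space:]]*=[[:space:]]*//p' "$1"
}

# Print the name each overlay directory declares in profiles/repo_name, one per
# line. An overlay without that file has no stable name to reference, so it is
# reported on stderr and skipped.
overlay_repo_names() {
    for dir in "$@"; do
        if [ -r "$dir/profiles/repo_name" ]; then
            head -n 1 "$dir/profiles/repo_name"
        else
            echo "warning: $dir has no profiles/repo_name" >&2
        fi
    done
}

# check_eclass_overrides REPOS_CONF OVERLAY_DIR...
# Exit 0 when every eclass-overrides name resolves to an overlay, 1 otherwise.
check_eclass_overrides() {
    conf=$1; shift
    names=$(overlay_repo_names "$@")
    status=0
    for ref in $(eclass_overrides_in "$conf"); do
        if printf '%s\n' "$names" | grep -qx -- "$ref"; then
            echo "ok: eclass-overrides '$ref' resolves to an overlay"
        else
            echo "error: Unavailable repository '$ref' referenced by eclass-overrides entry in '$conf'" >&2
            status=1
        fi
    done
    return $status
}

# Demo on a constructed layout: one overlay whose directory is called "secure"
# but whose profiles/repo_name says "hardened-dev". This mirrors the post's
# finding that "hardened-dev" works while "secure" is rejected.
demo_eclass_overrides() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/secure/profiles"
    echo hardened-dev > "$tmp/secure/profiles/repo_name"
    printf '[DEFAULT]\neclass-overrides = %s\n' "$1" > "$tmp/repos.conf"
    if check_eclass_overrides "$tmp/repos.conf" "$tmp/secure"; then rc=0; else rc=1; fi
    rm -rf "$tmp"
    return $rc
}

demo_eclass_overrides hardened-dev        # resolves
demo_eclass_overrides secure || true      # directory name is not the repo name: rejected
```

On a real system call `check_eclass_overrides /etc/portage/repos.conf` followed by the overlay directories from `PORTDIR_OVERLAY`; the warning branch catches overlays that never declared a name, which are equally unusable as an `eclass-overrides` target.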
likewhoa (l33t, joined 04 Oct 2006, 777 posts, location: Brooklyn, New York), posted Sun Dec 06, 2009 12:26 am:

blueness wrote:
There are a few minor errors with regard to adding /etc/portage/repos.conf to get the correct eclass inheritance:

1. For non-testing branch, you just need the following lines:

[DEFAULT]
eclass-overrides = hardened-dev

in repos.conf

2. You need repos.conf even with portage-2.1.6.13, not just >=sys-apps/portage-2.2. See bug at https://bugs.gentoo.org/show_bug.cgi?id=293961
3. The name of the file is repos.conf not repo.conf
4. eclass-overrides = secure does not work
5. eclass-overrides = hardened-development also does not work

Both 4 and 5 lead to

Unavailable repository 'secure' referenced by eclass-overrides entry in '/etc/portage/repos.conf'

or

Unavailable repository 'hardened-development' referenced by eclass-overrides entry in '/etc/portage/repos.conf'


Thanks, changes included.
jagdfalke (n00b, joined 09 Apr 2005, 5 posts), posted Mon Aug 09, 2010 3:07 pm:

As far as I can see, the hardened-development overlay from layman is empty now, and everything has been merged into the main portage tree: https://bugs.gentoo.org/show_bug.cgi?id=318171

I believe that gcc-4.4.3-r3 and gcc-4.4.4-r1 have hardened support, incl. full SSP.

Regards,
Milan
All times are GMT