guix-devel

Re: Hardened toolchain


From: kiasoc5
Subject: Re: Hardened toolchain
Date: Thu, 14 Apr 2022 20:59:49 +0200 (CEST)

Mar 29, 2022, 10:15 by ludo@gnu.org:

> Hi,
>
> Maxim Cournoyer <maxim.cournoyer@gmail.com> skribis:
>
>> Maxime Devos <maximedevos@telenet.be> writes:
>>
>>> zimoun schreef op ma 21-03-2022 om 14:34 [+0100]:
>>>
>>>> > * gcc can be compiled with `--enable-default-ssp --enable-default-pie`
>>>> > to enforce ssp and pic
>>>>
>>>> You wrote [1]:
>>>>
>>>> --8<---------------cut here---------------start------------->8---
>>>> ;; Hardened variant of gcc.  A definition of `gcc' in terms of itself
>>>> ;; would be an unbound (or circular) reference, so give it its own name;
>>>> ;; substitute-keyword-arguments clauses take the form ((#:key var) expr).
>>>> (define-public gcc-hardened
>>>>   (package
>>>>     (inherit gcc)
>>>>     (arguments
>>>>      (substitute-keyword-arguments (package-arguments gcc)
>>>>        ((#:configure-flags flags)
>>>>         `(append (list "--enable-default-ssp" "--enable-default-pie")
>>>>                  ,flags))))))
>>>> --8<---------------cut here---------------end--------------->8---
>>>>
>>>
>>> I think it would be a lot simpler to just add this to the 'standard'
>>> gcc configure flags, in (gnu packages gcc), given that probably the
>>> idea is to do this hardening for all packages?  Needs a world-rebuild
>>> though.
>>>
>>
>> +1.  The whole distribution can probably benefit from this hardening.
>>
>
> That’s something worth trying in a branch off ‘core-updates’.
>
> Stack smashing protection (SSP) may incur measurable run-time overhead
> though so enabling that one by default may be less consensual.
>
We could do it like how NixOS does it [1]. There can be a `harden?` list in the 
build system that contains a default set of flags. Packages that need to have 
less hardening for performance or other reasons can modify that list. I believe 
this was discussed in an old email (not this thread).

> There are other things that could be done in this area, often with no or
> little overhead, such as building with -D_FORTIFY_SOURCE.  Doing that
> transparently (without changing build systems) is a bit of a challenge
> though.
>
> Ludo’.
>
Where and how should the default make and ldflags be set? I guess they could be 
set in the build-system/*.scm.

[1] https://blog.mayflower.de/5800-Hardening-Compiler-Flags-for-NixOS.html
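Added example (not code from this thread, NixOS or Guix): a small Python check of whether a built binary actually carries the defaults discussed above, reading PIE from the ELF e_type, SSP from the `__stack_chk_fail` import and FORTIFY from `__*_chk` imports; the two ELF images it inspects are constructed inline.

```python
import re
import struct

# Constructed example: a minimal ELF64 inspector that reports whether the
# toolchain defaults discussed in the thread (PIE, SSP, FORTIFY) are visible.
ELF_MAGIC = b"\x7fELF"
ET_EXEC = 2   # classic non-PIE executable
ET_DYN = 3    # shared object, which is also what a PIE executable looks like


def elf_type(data: bytes) -> int:
    """Return e_type from the ELF header, or -1 if this is not an ELF image."""
    if len(data) < 64 or data[:4] != ELF_MAGIC:
        return -1
    little = data[5] == 1                       # EI_DATA: 1 = LE, 2 = BE
    return struct.unpack_from("<H" if little else ">H", data, 16)[0]


def hardening_report(data: bytes) -> dict:
    """Heuristic audit of which hardening defaults reached a binary.

    pie:     e_type is ET_DYN (the kernel treats a PIE like a shared object).
    ssp:     the binary imports __stack_chk_fail, the canary-failure handler
             emitted by -fstack-protector*.
    fortify: it imports at least one __*_chk replacement (e.g. __memcpy_chk),
             which only appears when _FORTIFY_SOURCE was active at compile time.
    Symbol names are searched in the raw bytes; .dynstr is NUL-separated text,
    so this is enough for a first pass without a full ELF parser.
    """
    return {
        "pie": elf_type(data) == ET_DYN,
        "ssp": b"__stack_chk_fail\x00" in data,
        "fortify": re.search(rb"__\w+_chk\x00", data) is not None,
    }


def make_elf(e_type: int, dynstr: bytes) -> bytes:
    """Build a constructed ELF64 image (valid header + fake .dynstr) for the demo."""
    ident = ELF_MAGIC + bytes([2, 1, 1, 0]) + b"\x00" * 8   # 64-bit, LE, v1, SysV
    fields = struct.pack("<HHIQQQIHHHHHH",
                         e_type, 62, 1, 0, 0, 0, 0, 64, 0, 0, 0, 0, 0)
    return ident + fields + b"\x00" + dynstr


# Two constructed samples: one built with the hardened defaults, one without.
HARDENED = make_elf(ET_DYN, b"libc.so.6\x00__stack_chk_fail\x00__memcpy_chk\x00printf\x00")
PLAIN = make_elf(ET_EXEC, b"libc.so.6\x00memcpy\x00printf\x00")

if __name__ == "__main__":
    for name, image in (("hardened", HARDENED), ("plain", PLAIN)):
        print(name, hardening_report(image))
```

On real binaries a negative ssp or fortify result only means no such call was emitted (no stack buffers, static linking, or the flag really was dropped), so confirm with `readelf -s` before concluding that a package lost the default.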
