timeBandit Bodhisattva
Joined: 31 Dec 2004 Posts: 2719 Location: here, there or in transit
|
Posted: Sat Aug 29, 2009 2:48 pm Post subject: Support for GCC 4.x on hardened systems |
|
|
Continued and relocated from a long-running discussion that evolved into a support thread.
Are you running a hardened profile?
Are you using GCC 4.x and following The Hardened GCC4 Toolchain Overlay Guide?
Has something broken?
Post your questions here. _________________ Plants are pithy, brooks tend to babble--I'm content to lie between them.
Super-short f.g.o checklist: Search first, strip comments, mark solved, help others. |
zorry Developer
Joined: 30 Mar 2008 Posts: 380 Location: Umeå The north part of scandinavia
|
Dwokfur Tux's lil' helper
Joined: 15 Sep 2006 Posts: 86 Location: Budapest, Hungary, Europe
|
petlab Apprentice
Joined: 03 May 2004 Posts: 290 Location: Armpit, Oregon
|
Posted: Mon Aug 31, 2009 9:27 pm Post subject: |
|
|
I have installed following [HOWTO] The Hardened GCC4 Toolchain Overlay Guide. I've emerged gcc-4.4.1-r2 and glibc-2.10.1, with multilib. My question - is multilib workable or did I waste compile time?
I started from the 4.3.3 stage3, and followed as well as I could until I am able to emerge "glibc linux-headers binutils gcc." However, now I "cannot run C compiled programs. while emerging my first package." Did I break it, or can we freshen up the Overlay Guide? I'll help if I can.
My goal is to get to gcc-4.4.1-r2 hardened, with the graphite framework as well. Thanks for any and all help! _________________ Get Serious - Get JAWA CZ |
Veldrin Veteran
Joined: 27 Jul 2004 Posts: 1945 Location: Zurich, Switzerland
|
Posted: Tue Sep 01, 2009 7:18 pm Post subject: |
|
|
This is usually a problem with binutils.
Code: | # binutils-config 1 |
should fix it |
petlab Apprentice
Joined: 03 May 2004 Posts: 290 Location: Armpit, Oregon
|
Posted: Tue Sep 01, 2009 8:13 pm Post subject: |
|
|
Thank you for the help. binutils-config did not work. I am not sure I actually have a working toolchain at this point. Let's start again. I'm not sure whether I should follow the [HOWTO] thread on the forums here, or the Install page over at the trac. They outline similar steps, but there are inconsistencies between both pages, imho. Which one is the correct route? Simply emerge packages from the overlay, or make a chroot and get the stage3? Thanks again, all. _________________ Get Serious - Get JAWA CZ |
zorry Developer
Joined: 30 Mar 2008 Posts: 380 Location: Umeå The north part of scandinavia
|
Posted: Tue Sep 01, 2009 9:48 pm Post subject: |
|
|
petlab wrote: | Thank you for the help. binutils-config did not work. I am not sure I actually have a working toolchain at this point. Let's start again. I'm not sure whether I should follow the [HOWTO] thread on the forums here, or the Install page over at the trac. They outline similar steps, but there are inconsistencies between both pages, imho. Which one is the correct route? Simply emerge packages from the overlay, or make a chroot and get the stage3? Thanks again, all. |
Use the HOWTO; the one on the trac is outdated and removed. _________________ gcc version 6.1.0 (Gentoo Hardened 6.1.0 p1.1) |
zorry Developer
Joined: 30 Mar 2008 Posts: 380 Location: Umeå The north part of scandinavia
|
Posted: Sat Sep 05, 2009 4:34 pm Post subject: |
|
|
New ebuild (grub-0.97-r11) for grub-0.97 is in the overlay for testing the porting of the Grub2 -fPIE check.
Savannah CVS Surfing - project grub - Revision 2564 _________________ gcc version 6.1.0 (Gentoo Hardened 6.1.0 p1.1) |
cord Guru
Joined: 28 Apr 2007 Posts: 344
|
Posted: Mon Sep 07, 2009 6:55 pm Post subject: |
|
|
Code: | LDFLAGS="-Wl,-O1 -Wl,--sort-common -Wl,--warn-once" |
Are these flags safe for subj? |
zorry Developer
Joined: 30 Mar 2008 Posts: 380 Location: Umeå The north part of scandinavia
|
Posted: Fri Sep 11, 2009 11:15 am Post subject: |
|
|
cord wrote: | Code: | LDFLAGS="-Wl,-O1 -Wl,--sort-common -Wl,--warn-once" |
Are these flags safe for subj? |
Looks safe.
Code: |
--sort-common Sort common symbols by size
--warn-once Warn only once per undefined symbol
|
_________________ gcc version 6.1.0 (Gentoo Hardened 6.1.0 p1.1) |
kernelOfTruth Watchman
Joined: 20 Dec 2005 Posts: 6111 Location: Vienna, Austria; Germany; hello world :)
|
zorry Developer
Joined: 30 Mar 2008 Posts: 380 Location: Umeå The north part of scandinavia
|
Posted: Fri Sep 18, 2009 1:50 pm Post subject: |
|
|
We have renamed the overlay from hardened-development.git to hardened-dev.git, and there is no change for layman. _________________ gcc version 6.1.0 (Gentoo Hardened 6.1.0 p1.1)
Last edited by zorry on Fri Sep 18, 2009 2:39 pm; edited 1 time in total |
cord Guru
Joined: 28 Apr 2007 Posts: 344
|
Posted: Fri Sep 18, 2009 2:15 pm Post subject: |
|
|
Did you?
Code: |
# layman -L
...
* hardened-development [Git] (git://git.overlays.gentoo.org/proj/hardened-dev.git)
...
#
|
Overlay name is still 'hardened-development' |
zorry Developer
Joined: 30 Mar 2008 Posts: 380 Location: Umeå The north part of scandinavia
|
Posted: Fri Sep 18, 2009 2:41 pm Post subject: |
|
|
cord wrote: | Did you?
Code: |
# layman -L
...
* hardened-development [Git] (git://git.overlays.gentoo.org/proj/hardened-dev.git)
...
#
|
Overlay name is still 'hardened-development' |
Yes, but for git users it has changed.
Thanks for the note. _________________ gcc version 6.1.0 (Gentoo Hardened 6.1.0 p1.1) |
Xake Guru
Joined: 11 Feb 2004 Posts: 588 Location: Göteborg, the rainy part of scandinavia
|
Posted: Sat Sep 19, 2009 5:27 pm Post subject: |
|
|
Yes, we did.
cord wrote: | Code: |
# layman -L
...
* hardened-development [Git] (git://git.overlays.gentoo.org/proj/hardened-dev.git)
...
#
|
|
was: hardened-development.git
If you get a problem with layman -S, then just remove and re-add the overlay. _________________ If I edit a post without commenting it mostly is spelling-errors.
And if I sounds rude I am sorry, that is just my personality speaking and has most of the time nothing to do with you personally. |
radegand n00b
Joined: 22 Aug 2008 Posts: 45 Location: Poland
|
Posted: Tue Sep 22, 2009 5:32 pm Post subject: |
|
|
Hi,
Why was the ebuild for glibc-2.10.1 removed from the overlay? As a user of these I'm a bit concerned... Was there some major flaw with these? Let me know if any testing of it is needed...I've checked the 'testing' branch but nothing was there either
Cheers |
Veldrin Veteran
Joined: 27 Jul 2004 Posts: 1945 Location: Zurich, Switzerland
|
Posted: Tue Sep 22, 2009 6:04 pm Post subject: |
|
|
radegand wrote: | Hi,
Why was the ebuild for glibc-2.10.1 removed from the overlay? As a user of these I'm a bit concerned... Was there some major flaw with these? Let me know if any testing of it is needed...I've checked the 'testing' branch but nothing was there either
Cheers |
just an educated guess - because it has been moved to the main tree. |
radegand n00b
Joined: 22 Aug 2008 Posts: 45 Location: Poland
|
Posted: Tue Sep 22, 2009 6:29 pm Post subject: |
|
|
Veldrin wrote: | just an educated guess - because it has been moved to the main tree. |
I have to admit - such an obvious idea hasn't even crossed my mind! Was it really the case? The one from portage doesn't compile and bails out with a somewhat interesting error:
Code: | x86_64-pc-linux-gnu-gcc: -pie and -static|pg|p|profile are incompatible |
|
Xake Guru
Joined: 11 Feb 2004 Posts: 588 Location: Göteborg, the rainy part of scandinavia
|
Posted: Tue Sep 22, 2009 6:29 pm Post subject: |
|
|
radegand wrote: | Hi,
Why was the ebuild for glibc-2.10.1 removed from the overlay? As a user of these I'm a bit concerned... Was there some major flaw with these? Let me know if any testing of it is needed...I've checked the 'testing' branch but nothing was there either
Cheers |
In portage. _________________ If I edit a post without commenting it mostly is spelling-errors.
And if I sounds rude I am sorry, that is just my personality speaking and has most of the time nothing to do with you personally. |
radegand n00b
Joined: 22 Aug 2008 Posts: 45 Location: Poland
|
Posted: Tue Sep 22, 2009 9:59 pm Post subject: |
|
|
Ok, thanks. So I think I got a new bug then |
zorry Developer
Joined: 30 Mar 2008 Posts: 380 Location: Umeå The north part of scandinavia
|
Posted: Wed Sep 23, 2009 11:00 am Post subject: |
|
|
radegand wrote: |
Ok, thanks. So I think I got a new bug then |
It is an error in the specs for the crtbeginTS.o in GCC espf-0.3.4 and will be fixed in espf-0.3.5.
So no error in GLIBC 2.10.1 in the tree. _________________ gcc version 6.1.0 (Gentoo Hardened 6.1.0 p1.1) |
Tom_ Guru
Joined: 20 May 2004 Posts: 444 Location: France
|
Posted: Wed Sep 23, 2009 11:43 am Post subject: |
|
|
Hello,
According to this howto, it seems possible to upgrade a standalone Gentoo system to make it have a hardened toolchain. Could someone confirm this please? In other words, I have a perfectly-running Gentoo system, and I would like to use a hardened toolchain: is that possible without breaking my system?
I've got another question: if I want to go back to a normal toolchain, is that also possible?
Thank you in advance! |
kernelOfTruth Watchman
Joined: 20 Dec 2005 Posts: 6111 Location: Vienna, Austria; Germany; hello world :)
|
Posted: Wed Sep 23, 2009 12:02 pm Post subject: |
|
|
Tom_ wrote: | Hello,
According to this howto, it seems possible to upgrade a standalone Gentoo system to make it have a hardened toolchain. Could someone confirm this please? In other words, I have a perfectly-running Gentoo system, and I would like to use a hardened toolchain: is that possible without breaking my system?
I've got another question: if I want to go back to a normal toolchain, is that also possible?
Thank you in advance! |
confirmed !
Quote: | cat /etc/portage/profile/package.use.mask
sys-devel/gcc -hardened
sys-libs/glibc -hardened |
don't forget to enable hardened USE-flag globally ! _________________ https://github.com/kernelOfTruth/ZFS-for-SystemRescueCD/tree/ZFS-for-SysRescCD-4.9.0
https://github.com/kernelOfTruth/pulseaudio-equalizer-ladspa
Hardcore Gentoo Linux user since 2004 |
zorry Developer
Joined: 30 Mar 2008 Posts: 380 Location: Umeå The north part of scandinavia
|
Posted: Wed Sep 23, 2009 6:39 pm Post subject: |
|
|
radegand wrote: |
Ok, thanks. So I think I got a new bug then |
Disable the profile use flag and recompile to see if that fixes it.
Code: |
x86_64-pc-linux-gnu-gcc libc-tls.c -c -std=gnu99 -fgnu89-inline -O2 -Wall -Winline -Wwrite-strings -fmerge-all-constants -fno-stack-protector -fno-strict-aliasing -pipe -Wstrict-prototypes -pg -I../include -I/var/tmp/portage/sys-libs/glibc-2.10.1/work/build-amd64-x86_64-pc-linux-gnu-nptl/csu
|
-pg is added to the command line and the check that is added to espf-0.3.4 checks for that.
For -pg -p -profile will disable hardened specs for the start and end files. _________________ gcc version 6.1.0 (Gentoo Hardened 6.1.0 p1.1) |
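An added example, not part of zorry's post or of the espf patches: a shell pre-flight check that applies the rule stated in the error message quoted in this thread (`-pie` together with `-static`, `-pg`, `-p` or `-profile`) to a compiler command line before a build is started. The function names `pie_conflicts` and `demo`, and the `yes`/`no` first argument standing for a compiler that enables `-pie` by itself, are assumptions of this example.

```shell
#!/bin/sh
# Added example. Models the rule in the quoted error message
#   "-pie and -static|pg|p|profile are incompatible"
# It only inspects arguments; it never invokes gcc.

# pie_conflicts PIE_DEFAULT ARGS...
#   PIE_DEFAULT  "yes" if the compiler is assumed to enable -pie on its own
#                (assumption for a hardened toolchain), otherwise "no".
#   Prints the options that conflict with -pie, space separated.
#   Returns 0 when nothing conflicts, 1 otherwise.
pie_conflicts() {
    pc_pie=$1
    shift
    pc_found=""
    for pc_arg in "$@"; do
        case $pc_arg in
            -pie)
                pc_pie=yes ;;                      # explicit request for PIE
            -static|-pg|-p|-profile)
                pc_found="$pc_found $pc_arg" ;;    # named in the error message
        esac
    done
    # Without -pie (explicit or default) the rule does not apply.
    [ "$pc_pie" = yes ] || pc_found=""
    pc_found=${pc_found# }
    printf '%s\n' "$pc_found"
    [ -z "$pc_found" ]
}

# Sample input: abridged from the glibc command line quoted in the post above.
demo() {
    pie_conflicts yes x86_64-pc-linux-gnu-gcc libc-tls.c -c -std=gnu99 -O2 \
        -fno-stack-protector -pipe -pg
}

demo >/dev/null || echo "conflicts with -pie: $(demo)"
```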
radegand n00b
Joined: 22 Aug 2008 Posts: 45 Location: Poland
|
Posted: Wed Sep 23, 2009 7:19 pm Post subject: |
|
|
zorry wrote: |
Disable the profile use flag and recompile to see if that fixes it.
|
Yep, it compiled fine, thanks!
Also just for the record - radeon (R300) is working fine on hardened 4.4.1 with KMS and direct rendering enabled with latest mesa from the X11 overlay. Shiny KDE 4.3.1 with all the hardened goodies! More info how to set it up is available here. |