Gentoo Forums
gcc does not support plugins armv6j hardened
Duco Ergo Sum
Tux's lil' helper

Joined: 06 Dec 2005
Posts: 124
Location: Winsford

Posted: Thu Aug 09, 2012 9:08 pm    Post subject: gcc does not support plugins armv6j hardened

Hi.

I've run into a problem installing Hardened Gentoo on my Raspberry Pi. Everything has gone okay until trying to compile the kernel. My research hasn't revealed anything helpful.

I am presented with the message that GCC does not support plugins. I have tried building both hardened-sources and re-emerging gcc.

Code:

 ~ # cd /usr/src/linux
linux # make
Makefile:614: *** Your gcc installation does not support plugins. If the necessary headers for plugin support are missing, they should be installed. On Debian, apt-get install gcc-<ver>-plugin-dev.  If you choose to ignore this error and lessen the improvements provided by this patch, re-run make with the DISABLE_PAX_PLUGINS=y argument.. Stop.


There doesn't seem to be any problem building the gentoo-sources kernel but I am trying to build a hardened system. Also the gentoo kernel doesn't have the BCM2835 support that you find in the Raspberry Pi kernel.

I have set the make.profile to point to the hardened arm profile and run the ./bootstrap.sh script followed by emerge -e system.

Any thoughts or guidance please.

chithanh
Developer

Joined: 05 Aug 2006
Posts: 1674
Location: Berlin, Germany

Posted: Tue Aug 14, 2012 11:57 pm

You cannot use a vanilla-sources or gentoo-sources or hardened-sources kernel on the Raspberry Pi. You must use the kernel provided by the Raspberry Pi foundation.

Currently you can get the official kernel 3.1.9 from https://github.com/raspberrypi/linux/
And there are unofficial 3.2 kernels from the bootc repository https://github.com/bootc/linux/branches

You might be able to add some hardened patches to these kernels, but whether that will result in a working system is uncertain.

blueness
Developer

Joined: 25 Nov 2009
Posts: 30
Location: Buffalo, NY

Posted: Wed Aug 15, 2012 12:03 am    Post subject: Re: gcc does not support plugins armv6j hardened

Duco Ergo Sum wrote:

Code:

Makefile:614: *** Your gcc installation does not support plugins. If the necessary headers for plugin support are missing, they should be installed




Make sure you're using gcc-4.5 or above since previous versions do not support plugins. If you are, then you need to open a bug report.

BTW, I'm excited by your work since 1) I maintain the hardened kernels but have not yet tested them on arm and 2) I built a couple of hardened userland stage4's, one glibc based and the other uclibc based. Along with the hardened kernel, we'd have a fully hardened arm gentoo system. The stages are available on the mirrors under experimental:

http://ftp.ucsb.edu/pub/mirrors/linux/gentoo/experimental/arm/hardened/stage4-armv7a-hardfloat-hardened-20120728.tar.lzma

http://ftp.ucsb.edu/pub/mirrors/linux/gentoo/experimental/arm/uclibc/stage4-armv7a-softfloat-uclibc-hardened-20120728.tar.lzma

Let me know where this work goes!

blueness
Developer

Joined: 25 Nov 2009
Posts: 30
Location: Buffalo, NY

Posted: Wed Aug 15, 2012 12:28 am

chithanh wrote:
You cannot use a vanilla-sources or gentoo-sources or hardened-sources kernel on the Raspberry Pi. You must use the kernel provided by the Raspberry Pi foundation.

Currently you can get the official kernel 3.1.9 from https://github.com/raspberrypi/linux/
And there are unofficial 3.2 kernels from the bootc repository https://github.com/bootc/linux/branches

You might be able to add some hardened patches to these kernels, but whether that will result in a working system is uncertain.


You're probably right. I don't know how much of the ras pi has been pushed into the upstream kernel. Nonetheless, I have gotten further than you might think with a vanilla/hardened kernel on boards like the mikrotik boards. Some hardware doesn't work but you might get it booting. It's worth trying and seeing how far you get.

Duco Ergo Sum
Tux's lil' helper

Joined: 06 Dec 2005
Posts: 124
Location: Winsford

Posted: Wed Aug 15, 2012 8:57 am    Post subject: Echo's from the void

Hi,

Admittedly thus far, I haven't gotten as far as trying to boot an actual kernel other than the one that came with the original distro.

gcc-config reports:

Code:

# gcc-config -l
[1] armv6j-hardfloat-linux-gnueabi-4.5.3 *
[2] armv6j-hardfloat-linux-gnueabi-4.5.3-hardenednopie
[3] armv6j-hardfloat-linux-gnueabi-4.5.3-hardenednopiessp
[4] armv6j-hardfloat-linux-gnueabi-4.5.3-hardenednossp
[5] armv6j-hardfloat-linux-gnueabi-4.5.3-vanilla


I have found an ebuild dev-libs/bcm2835 which as part of my attempts to compile a working kernel I have installed. This package was masked and I didn't attempt to use it prior to discovering this problem.

Just as chithanh has suggested, one route that I took to trying to achieve a hardened kernel was to apply the gentoo hardened patches to the raspberry pi kernel source. This too presents the unsupported plugins problem. My assumption is therefore that this must indeed be a gcc problem.

Many of the hardened patches that I applied understandably failed to find corresponding code to modify. I couldn't report which or how many but there were quite a few. You Gentoo Devs do some work on the vanilla kernel source before sending it downstream to us mortals, what's the best way to recreate your efforts on the raspberry pi source to make it more gentoo and hardened friendly? Or for that fact any other platform specific source?

As for reporting a bug, I have to admit to being a little weary. Apart from what I've already reported earlier, are there any other details you'd suggest that I should include? For example, since I ran ./bootstrap.sh I'm not really sure what that actually does at a low level to gcc and that might need to be reported (I assumed that using ./bootstrap.sh was the best way to harden my vanilla armv6-stage3). Also who (apart from yourselves) among the Gentoo Devs should be copied in on this?

By the way, I am very new to Hardened Gentoo and I'm really only beginning to look at system security seriously. So on that note I'd be grateful for any guidance or pointers to something like an idiot's guide. In that regard when it has come to using the Hardened features, I've been reading the help provided in menuconfig and then guessing (I have read some of the Gentoo Hardened Documentation and do continue to refer to it). Once this plugins issue is resolved I'd be more than happy to apply a more targeted approach to building a kernel and to test features.

Thank you for your feedback. I will report back here with any news.

[Off Topic]
Just to let you know. So far on the raspberry pi, emerge --sync hangs rather regularly, completing only occasionally. An overview of what I'm hoping to achieve here, my first major landmark is to build a secure Dovecot based email server.

And even more off topic, why aren't Pax, PIE and SSP in the regular gentoo stream? As I understand it unlike the rest of the hardened environment they require very little user intervention to work but provide very significant security enhancements.
[/Off Topic]

chithanh
Developer

Joined: 05 Aug 2006
Posts: 1674
Location: Berlin, Germany

Posted: Thu Aug 30, 2012 12:51 pm

dev-libs/bcm2835 is not related to building the kernel, it is a library which exposes some of the SoC hardware like GPIO or SPI in an easy to use way.

Running emerge --sync on the Raspberry Pi can be a problem due to dropped packets (dmesg might be full of page allocation failures etc.). Use emerge-webrsync if necessary.

Duco Ergo Sum
Tux's lil' helper

Joined: 06 Dec 2005
Posts: 124
Location: Winsford

Posted: Thu Aug 30, 2012 3:46 pm

chithanh thanks.

Duco Ergo Sum
Tux's lil' helper

Joined: 06 Dec 2005
Posts: 124
Location: Winsford

Posted: Sat Sep 01, 2012 6:10 pm

Hi,

After having successfully run an 'emerge --sync', sys-devel/gcc-4.5.4 was pulled in. Ordinarily, I wouldn't think this is worth mentioning; however, the emerge failed with the message 'emake failed with bootstrap-lean'.

Since I can't say what bootstrap does to GCC I can't report this as a bug to the upstream GCC devs and I am reasonably certain that this isn't a supported gentoo install route either and as such I'm not sure that it'd be welcomed as a Gentoo-GCC bug.

I've read through the scripts/bootstrap.sh and to be honest when it comes to GCC, I'm none the wiser. Please help.

N8Fear
Tux's lil' helper

Joined: 15 Apr 2013
Posts: 91
Location: Berlin (Germany)

Posted: Mon Apr 15, 2013 9:37 pm

Hi,

First of all, excuse me for gravedigging this old post, but since I found it while searching for a solution to the original problem (gcc plugins not working) and I just found a solution by trial and error, I wanted to share it with anyone who may have the same problems:

It seems like it's a gcc bug (there are some needed files that are not installed) and it seems to be fixed in 4.8 (haven't tested it myself but found a post by Jakub Jelinek (I think) in the gcc bugtracker that claims as much).

The missing files are arm-cores.def and vxworks-dummy.h
If you search for them in the gcc cvs or google them you can put them inside
/usr/lib/gcc/armv6j-hardfloat-linux-gnueabi/<version>/plugin/include/config/arm (arm-cores.def) and /usr/lib/gcc/armv6j-hardfloat-linux-gnueabi/<version>/plugin/include/config (vxworks-dummy.h).

Afterwards the gcc-plugins for building a hardened kernel on arm are working.
If anyone searches raspi-sources with the grsec patches applied (works for me(tm)) : git://github.com/N8Fear/rpi-sources.git has a branch with 3.8.y sources (atm somewhat outdated - will push something newer in the next few days)

WKR
Hinnerk
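
A check for the two headers named in the post above, as an added example that is not part of the original thread: it asks the compiler for its plugin directory with `gcc -print-file-name=plugin` and lists which of `arm-cores.def` and `vxworks-dummy.h` are absent from it. The function names and the `--run` switch are made up for this example.

```shell
#!/bin/sh
# Added example, not from the thread. Function names and --run are made up here.

# Headers the post reports missing, relative to <plugin dir>/include.
REQUIRED_HEADERS="config/arm/arm-cores.def config/vxworks-dummy.h"

# gcc_plugin_dir [COMPILER]: print the compiler's plugin directory.
# GCC echoes the bare word "plugin" back when it has no such directory.
gcc_plugin_dir() {
    cc=${1:-gcc}
    dir=$("$cc" -print-file-name=plugin 2>/dev/null) || return 1
    if [ "$dir" = "plugin" ] || [ ! -d "$dir" ]; then
        return 1
    fi
    printf '%s\n' "$dir"
}

# missing_plugin_headers PLUGIN_DIR: print each absent header, one per line.
# Returns 0 if none are missing, 1 if some are, 2 if there is no include/ tree.
missing_plugin_headers() {
    [ -d "$1/include" ] || return 2
    missing=0
    for rel in $REQUIRED_HEADERS; do
        if [ ! -f "$1/include/$rel" ]; then
            printf '%s\n' "$rel"
            missing=1
        fi
    done
    return "$missing"
}

# Check the real toolchain only on request: sh check-plugin-headers.sh --run [compiler]
if [ "${1:-}" = "--run" ]; then
    plugin_dir=$(gcc_plugin_dir "${2:-gcc}") || {
        echo "compiler reports no plugin directory" >&2
        exit 1
    }
    if missing_plugin_headers "$plugin_dir"; then
        echo "all plugin headers present in $plugin_dir"
    else
        echo "the headers listed above are missing from $plugin_dir/include" >&2
        exit 1
    fi
fi
```

On a cross or prefixed toolchain, pass the full compiler name as the second argument, for example `armv6j-hardfloat-linux-gnueabi-gcc`.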

Duco Ergo Sum
Tux's lil' helper

Joined: 06 Dec 2005
Posts: 124
Location: Winsford

Posted: Mon Apr 15, 2013 10:26 pm

Hi N8Fear,

Thanks for digging this up. To be honest I'd put this all on the back burners a while ago. So, the only thing you're guilty of is giving me the prod to get working on Gentoo again and for that, thanks a lot! ;)

Again thank you, I am honestly very grateful. If (and or when) I make some progress, I'll post a reply here.

N8Fear
Tux's lil' helper

Joined: 15 Apr 2013
Posts: 91
Location: Berlin (Germany)

Posted: Mon Apr 15, 2013 10:40 pm

I've got a hardened Gentoo running in my raspi for about half a year - until 1 or 2 months ago even with selinux (that install died due to sd-card corruption - so I'd advise you to make some backups.. ;) )
It's working quite nicely and since the grsec arm push in 3.8 there isn't much not supported, I guess. At least paxtest and checksec.sh look good...