Naib (Advocate)
Joined: 21 May 2004 Posts: 3891 Location: UK - Birmingham
Posted: Sun Jan 25, 2009 4:19 pm

A couple of corrections are needed (especially if you go for portage 2.2):

1)
Code:
gcc-config 2 && source /etc/profile

Check the output of gcc-config -l first:
Code:
gcc-config -l
[1] i686-pc-linux-gnu-4.3.2 *
[2] i686-pc-linux-gnu-4.3.2-nofortify
[3] i686-pc-linux-gnu-4.3.2-nopie
[4] i686-pc-linux-gnu-4.3.2-nossp_all
[5] i686-pc-linux-gnu-4.3.2-vanilla

For me, using the hardened stage tarballs, I would use gcc-config 1 for a fully hardened toolchain.

2)
Code:
while read ebuild; do emerge -v1 "${ebuild}" || echo "${ebuild}" >>failed; done < <(emerge -ep --columns --color=n system| cut -d] -f2 | awk '{print$1}' | egrep -v "(glibc|/portage|binutils|gcc|linux-h)"|sed '1,4d')

This does not work with portage 2.2 (I don't know if it still works with portage 2.1):
Code:
while read ebuild; do emerge -v1 "$ebuild" || echo "$ebuild" >>failed; done < <( emerge -ep --color=n system| cut -d] -f2 | awk '{print "="$1}' | egrep -v "(glibc|/portage|binutils|gcc|linux-h)")

3)
Code:
# echo "=sys-apps/openrc-0.4*">>/etc/portage/package.keywords
# echo "=sys-apps/baselayout-2*">>/etc/portage/package.keywords

sysvinit > 2.86-r11 is needed:
Code:
# echo "=sys-apps/openrc-0.4*">>/etc/portage/package.keywords
# echo "=sys-apps/baselayout-2*">>/etc/portage/package.keywords
# echo "=sys-apps/sysvinit-2.86*" >> /etc/portage/package.keywords

Apart from that, this howto is valid for a new build.

likewhoa (l33t)
Joined: 04 Oct 2006 Posts: 695 Location: Brooklyn, New York
Posted: Sun Jan 25, 2009 5:56 pm

Naib wrote:
    couple of corrections needed....)

Thanks Naib, I will be implementing your corrections and will be updating the guide for use with the new stage3 tarball zorry build.

Naib (Advocate)
Joined: 21 May 2004 Posts: 3891 Location: UK - Birmingham
Posted: Sun Jan 25, 2009 6:11 pm

likewhoa wrote:
    Naib wrote:
        couple of corrections needed....)
    Thanks Naib, I will be implementing your corrections and will be updating the guide for use with the new stage3 tarball zorry build.

Sweet! It's the new stage tarballs I am using right now.

likewhoa (l33t)
Joined: 04 Oct 2006 Posts: 695 Location: Brooklyn, New York
Posted: Mon Jan 26, 2009 8:26 pm

OK, the guide has been updated and tested with the new stage3 from zorry and the official stages from Gentoo.

g0rg0n (n00b)
Joined: 18 Feb 2006 Posts: 53
Posted: Fri Feb 13, 2009 4:12 am

Thanks for the hard work!
I'm up to chapter 7, configuring the kernel, and everything has gone smoothly so far!

Darknight (Guru)
Joined: 26 Jan 2004 Posts: 446 Location: Italy
Posted: Mon Mar 02, 2009 10:53 am

Very nice, thank you.

jagdfalke (n00b)
Joined: 09 Apr 2005 Posts: 5
Posted: Thu Mar 19, 2009 9:45 am

Hi,
with your howto I was able to convert a standard hardened stage3-based system into a GCC 4.3-based hardened system. Thanks a lot for your work!
I have the following suggestions:

1. Add
Code:
echo "=sys-libs/glibc-2.8*">>/etc/portage/package.unmask

as I got the following messages without it:
Code:
server64d ~ # emerge -p glibc
These are the packages that would be merged, in order:
Calculating dependencies ... done!
[ebuild UD] sys-libs/glibc-2.6.1 [2.8_p20080602-r2]
server64d ~ #
server64d ~ # emerge -p =glibc-2.8\*
These are the packages that would be merged, in order:
Calculating dependencies ... done!
!!! All ebuilds that could satisfy "=sys-libs/glibc-2.8*" have been masked.
!!! One of the following masked packages is required to complete your request:
- sys-libs/glibc-2.8_p20080602-r2 (masked by: package.mask)
/usr/portage/profiles/hardened/linux/package.mask:
# sys-libs/glibc-2.8 is about to go stable and stable hardened may not be ready for it.
# 2009-02-11 gengor
- sys-libs/glibc-2.8_p20080602-r1 (masked by: package.mask)
- sys-libs/glibc-2.8_p20080602 (masked by: package.mask)
For more information, see the MASKED PACKAGES section in the emerge
man page or refer to the Gentoo Handbook.
server64d ~ #

2. Add 69_all_gcc-43-pr39013.patch from http://bugs.gentoo.org/show_bug.cgi?id=254355 to the GCC ebuild (it is also included in the newer portage tree GCC patchset, I think). It fixes compilation of netlib; for more information see there. (I haven't tried the patch myself so far, but it is reported to work.)

zorry (Developer)
Joined: 30 Mar 2008 Posts: 353 Location: Umeå, the north part of Scandinavia
Posted: Thu Mar 19, 2009 11:17 am

@jagdfalke
I will update the gcc ebuild when the patch hits gcc's patchset.
If you read the bug report, the old patch breaks stuff.

Phacops (n00b)
Joined: 05 Jan 2008 Posts: 8 Location: France
Posted: Fri Apr 24, 2009 10:34 pm

Code:
echo "=sys-boot/grub-0.97-r7" >>/etc/portage/package.keywords

The Grub version should be 0.97-r10.
Thanks a lot for this guide.

likewhoa (l33t)
Joined: 04 Oct 2006 Posts: 695 Location: Brooklyn, New York
Posted: Sat Apr 25, 2009 7:26 am

Phacops wrote:
    Code:
    echo "=sys-boot/grub-0.97-r7" >>/etc/portage/package.keywords
    Grub version should be 0.97-r10.
    Thanks a lot for this guide.

Thanks.

Herring42 (Guru)
Joined: 10 Mar 2004 Posts: 334 Location: Buckinghamshire
Posted: Mon Apr 27, 2009 6:07 am

Silly question:
How do I convert a running GCC 3.5 Hardened system to using a 4.3 compiler?
Cheers.

likewhoa (l33t)
Joined: 04 Oct 2006 Posts: 695 Location: Brooklyn, New York
Posted: Mon Apr 27, 2009 6:31 am

Herring42 wrote:
    Silly question:
    How do I convert a running GCC 3.5 Hardened system to using a 4.3 compiler?
    Cheers.

Follow this guide.

Herring42 (Guru)
Joined: 10 Mar 2004 Posts: 334 Location: Buckinghamshire
Posted: Mon Apr 27, 2009 6:39 am

likewhoa wrote:
    Herring42 wrote:
        Silly question:
        How do I convert a running GCC 3.5 Hardened system to using a 4.3 compiler?
        Cheers.
    Follow this guide.

Let me rephrase that. I'm running a hardened system. Do I need to start at the beginning, boot off a hardened live CD, download a stage 3, etc., or can I save some time by starting further down the guide?

Herring42 (Guru)
Joined: 10 Mar 2004 Posts: 334 Location: Buckinghamshire
Posted: Mon Apr 27, 2009 9:47 am

OK, started from the beginning!
Compiling GCC, I get this error:
Code:
config.status: creating auto-host.h
config.status: executing default commands
make[2]: Leaving directory `/var/tmp/portage/sys-devel/gcc-4.3.3-r2/work/build'
make[1]: *** [stage2-bubble] Error 2
make[1]: Leaving directory `/var/tmp/portage/sys-devel/gcc-4.3.3-r2/work/build'
make: *** [bootstrap-lean] Error 2
*
* ERROR: sys-devel/gcc-4.3.3-r2 failed.
* Call stack:
* ebuild.sh, line 49: Called src_compile
* environment, line 4844: Called toolchain_src_compile
* environment, line 5373: Called gcc_src_compile
* environment, line 3018: Called gcc_do_make
* environment, line 2822: Called die
* The specific snippet of code:
* emake LDFLAGS="${LDFLAGS}" STAGE1_CFLAGS="${STAGE1_CFLAGS}" LIBPATH="${LIBPATH}" BOOT_CFLAGS="${BOOT_CFLAGS}" ${GCC_MAKE_TARGET} || die "emake failed with ${GCC_MAKE_TARGET}";
* The die message:
* emake failed with bootstrap-lean
*
* If you need support, post the topmost build error, and the call stack if relevant.
* A complete build log is located at '/var/log/portage/sys-devel:gcc-4.3.3-r2:20090427-093333.log'.
* The ebuild environment file is located at '/var/tmp/portage/sys-devel/gcc-4.3.3-r2/temp/environment'.
* This ebuild used the following eclasses from overlays:
* /usr/portage/local/layman/xake-toolchain/eclass/toolchain.eclass
* /usr/portage/local/layman/xake-toolchain/eclass/toolchain-funcs.eclass
* /usr/portage/local/layman/xake-toolchain/eclass/flag-o-matic.eclass
* /usr/portage/local/layman/xake-toolchain/eclass/hardened-funcs.eclass
* This ebuild is from a repository named 'secure'
*

Any ideas?

likewhoa (l33t)
Joined: 04 Oct 2006 Posts: 695 Location: Brooklyn, New York
Posted: Mon Apr 27, 2009 8:55 pm

Herring42 wrote:
    OK, started from the beginning!
    Compiling GCC, I get this error:
    ...
    Any ideas?

I hope you didn't extract a stage3 on your existing system, as it might cause weird issues. All you have to do is follow the guide starting from 4. Bootstrapping the system; if you run into problems from there, let me know. The above error doesn't really tell me much.

Herring42 (Guru)
Joined: 10 Mar 2004 Posts: 334 Location: Buckinghamshire
Posted: Tue Apr 28, 2009 6:42 am

likewhoa wrote:
    Herring42 wrote:
        OK, started from the beginning!
        ...
        Any ideas?
    I hope you didn't extract a stage3 on your existing system, as it might cause weird issues. All you have to do is follow the guide starting from 4. Bootstrapping the system; if you run into problems from there, let me know. The above error doesn't really tell me much.

Luckily, no, I didn't.
What I found was this:
The gcc from the overlay couldn't be built with the hardened gcc-3.4.6 from the main tree. It could, however, be built with the masked gcc-4.3.3-r2 in the main tree, which I could build with hardened gcc-3.4.6. Complicated, eh?
I've currently finished the guide, have just emerged @system and the kernel, and am currently emerging @world.
I haven't rebooted yet, as I'm a little worried that top seems to be segfaulting. I'm worried about what else might be broken.

likewhoa (l33t)
Joined: 04 Oct 2006 Posts: 695 Location: Brooklyn, New York
Posted: Tue Apr 28, 2009 9:20 am

Herring42 wrote:
    Luckily, no, I didn't.
    What I found was this:
    The gcc from the overlay couldn't be built with the hardened gcc-3.4.6 from the main tree. It could, however, be built with the masked gcc-4.3.3-r2 in the main tree, which I could build with hardened gcc-3.4.6. Complicated, eh?
    I've currently finished the guide, have just emerged @system and the kernel, and am currently emerging @world.
    I haven't rebooted yet, as I'm a little worried that top seems to be segfaulting. I'm worried about what else might be broken.

Seeing that the masked gcc-4.3.3-r2 built from the tree is good news for the official hardened profile to me. Keep me posted on your progress.

Herring42 (Guru)
Joined: 10 Mar 2004 Posts: 334 Location: Buckinghamshire
Posted: Tue Apr 28, 2009 5:42 pm

likewhoa wrote:
    Seeing that the masked gcc-4.3.3-r2 built from the tree is good news for the official hardened profile to me. Keep me posted on your progress.

Well, good news and not so good news.
First, I'm fully RAID1 mirrored, and compiling grub with the hardened amd64 compiler causes it to fail on reboot with a message complaining about not having enough memory. The solution is to change the compiler to the vanilla version, compile grub, install it in the MBR, then change back.
The not so good news is that NFS seems to have stopped working, though I have not yet determined the cause. I'm using NFSv4 with Kerberos, and it's a bit flaky at the best of times...

radegand (n00b)
Joined: 22 Aug 2008 Posts: 43 Location: Poland
Posted: Thu Jul 23, 2009 10:48 am

Hi all,
I've just created a KVM box following this guide, running gcc-4.4 and glibc-2.10 on the x86 arch. I'm currently also creating an x86_64 image, but had to rebuild it, as by mistake I got into the multilib profile, which I didn't want.
Anyway, all went smooth and easy. A few things:

*) I haven't unmasked any specific packages apart from gcc and glibc. openrc, udev, baselayout-2 and sysvinit required keywording as per the guide. So in the end my package.unmask file:
Code:
=sys-devel/gcc-4.4*
=sys-libs/glibc-2.10*

and package.keywords:
Code:
=sys-devel/gcc-4.4*
=sys-libs/glibc-2.10*
=sys-apps/openrc-0.4*
=sys-fs/udev-13*
=sys-apps/baselayout-2*
=sys-apps/sysvinit-2.86*
sys-kernel/hardened-sources ~amd64

*) openrc-9999 does not seem to be required anymore.
*) When doing the initial re-emerge of
Code:
emerge gcc-config linux-headers glibc binutils gcc portage -1

I got a weird portage error, but unfortunately I haven't saved it. I rebuilt portage manually, then emerged the rest of the packages, and this time it was fine.
*) Rebuilt the world using 'emerge -eav world': everything went fine, no errors at all.
Thanks for the guide!

likewhoa (l33t)
Joined: 04 Oct 2006 Posts: 695 Location: Brooklyn, New York
Posted: Sat Aug 29, 2009 2:59 pm

Updated the guide for gcc-4.4.1; soon the gcc-4.5 (testing) branch will be available. Stay tuned....

timeBandit (Administrator)
Joined: 31 Dec 2004 Posts: 2667 Location: here, there or in transit
Posted: Sat Aug 29, 2009 3:25 pm

@Herring42 and all newcomers, please limit discussion in this thread to QA of the guide itself.
Support questions related to migrating your system per this guide belong in Support for GCC 4.x on hardened systems.

blueness (Developer)
Joined: 25 Nov 2009 Posts: 16 Location: Buffalo, NY
Posted: Wed Nov 25, 2009 9:04 pm

There are a few minor errors with regard to adding /etc/portage/repos.conf to get the correct eclass inheritance:

1. For the non-testing branch, you just need the following lines in repos.conf:
Code:
[DEFAULT]
eclass-overrides = hardened-dev

2. You need repos.conf even with portage-2.1.6.13, not just >=sys-apps/portage-2.2. See the bug at http://bugs.gentoo.org/show_bug.cgi?id=293961
3. The name of the file is repos.conf, not repo.conf.
4. eclass-overrides = secure does not work.
5. eclass-overrides = hardened-development also does not work.

Both 4 and 5 lead to
Code:
Unavailable repository 'secure' referenced by eclass-overrides entry in '/etc/portage/repos.conf'

or
Code:
Unavailable repository 'hardened-development' referenced by eclass-overrides entry in '/etc/portage/repos.conf'
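As an added example (not from the thread or the guide), the POSIX shell function below performs the check that points 4 and 5 above describe portage doing: every name on an eclass-overrides line of repos.conf must match a configured repository, otherwise portage reports it as unavailable and the overlay's eclasses (toolchain.eclass and friends, which decide how gcc is built) are not the ones used. The two repos.conf samples, the KNOWN_REPOS list standing in for the configured overlays, and the name check_eclass_overrides are constructed for this example.

```shell
#!/bin/sh
# Added example, not from the thread or the guide. KNOWN_REPOS is a
# constructed stand-in for the set of repositories actually configured on a
# box; on a real system that list would come from the configured overlays.

# Constructed repos.conf samples: the working fragment from point 1, and one
# that also names the non-existent repository from point 4.
REPOS_CONF_OK='[DEFAULT]
eclass-overrides = hardened-dev'

REPOS_CONF_BAD='[DEFAULT]
eclass-overrides = secure hardened-dev'

# Constructed list of repositories assumed to be configured.
KNOWN_REPOS='gentoo hardened-dev'

# check_eclass_overrides: reads a repos.conf on stdin and prints, in the
# wording of the portage error quoted in the post, one line for every
# repository named by an eclass-overrides entry that is not in KNOWN_REPOS.
# Prints nothing and returns 0 when every name resolves, returns 1 otherwise.
check_eclass_overrides() {
    status=0
    for repo in $(sed -n 's/^[[:space:]]*eclass-overrides[[:space:]]*=[[:space:]]*//p'); do
        case " $KNOWN_REPOS " in
            *" $repo "*) ;;
            *)
                echo "Unavailable repository '$repo' referenced by eclass-overrides entry in '/etc/portage/repos.conf'"
                status=1 ;;
        esac
    done
    return $status
}

# Run directly: the first check is silent, the second reports 'secure'.
printf '%s\n' "$REPOS_CONF_OK" | check_eclass_overrides && echo "repos.conf OK"
printf '%s\n' "$REPOS_CONF_BAD" | check_eclass_overrides || echo "repos.conf has an unresolved override"
```

Run against the real file with `check_eclass_overrides < /etc/portage/repos.conf` after setting KNOWN_REPOS to the names of the overlays that are actually installed.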

likewhoa (l33t)
Joined: 04 Oct 2006 Posts: 695 Location: Brooklyn, New York
Posted: Sun Dec 06, 2009 12:26 am

blueness wrote:
    There's a few minor errors with regard to adding /etc/portage/repos.conf to get the correct eclass inheritance:
    ...
    Unavailable repository 'hardened-development' referenced by eclass-overrides entry in '/etc/portage/repos.conf'

Thanks, changes included.

jagdfalke (n00b)
Joined: 09 Apr 2005 Posts: 5
Posted: Mon Aug 09, 2010 3:07 pm

As far as I can see, the hardened-development overlay from layman is empty now, and everything has been merged into the main portage tree: http://bugs.gentoo.org/show_bug.cgi?id=318171
I believe that gcc-4.4.3-r3 and gcc-4.4.4-r1 have hardened support, incl. full SSP.
Regards,
Milan