Gentoo Forums
[HOWTO] The Hardened GCC4 Toolchain Overlay Guide

likewhoa
l33t

Joined: 04 Oct 2006
Posts: 743
Location: Brooklyn, New York

Posted: Sat Aug 30, 2008 3:07 pm    Post subject: [HOWTO] The Hardened GCC4 Toolchain Overlay Guide

1. Introduction

Welcome to the GCC4 Toolchain Overlay Guide. This guide will get you the best of both worlds: the GNU GCC 4.{2,3} compiler and your good ol' hardened kernel. The current state of the Official Gentoo Hardened Project only offers the GCC3 compiler. The Official Hardened Development Project, which is a continuation of kevquinn's work, offers gcc-4.3.4 & gcc-4.4.1 (testing branch will have gcc-4.5 soon) stages and will work with the Gentoo Hardened and non-hardened stages as well as the ones provided here. This overlay is provided by http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-development.git;a=summary. We will not get into the details of the best security practices like PaX, GRsecurity, SELinux & various other security measures. We will only get you the base system ready, & once you finish this guide, you will find various links to official Gentoo documentation and guides on setting up the multiple security methods that can be implemented with a hardened kernel.

1a. Before you begin

You only need a livecd (preferably a hardened installcd, but not required), a live system (for converting from the non-hardened to hardened profile) and some chest hair; OK, maybe not chest hair, but some patience and attention to detail. When you finish here you will have the opportunity to sport a paranoid Linux kernel but also make lots of money implementing it for your clients, or just show it off to your Ubuntu buddies. Whichever, you will enjoy the peace of mind you get from having your kernel ever more secure, & that's all you need before you begin.

1b. User Agreement

You AGREE to follow this guide and not go skipping unless you know what YOU'RE doing. Remember, it's not as hard as it looks; just stay focused and get it done. Finally, I'd like to add that the Gentoo Linux Foundation is in no way interested in breaking your system nor supports this guide. The toolchain overlay used here is based on Kevquinn's work. By following the instructions below, you agree to take full responsibility. You may not blame me or any contributors. Help is NOT guaranteed, but will be provided on the basis that you followed directions in this guide alone.

This guide assumes you have already gone past Chapter 4 of Part 1 of the Gentoo handbook.

2. Installing the Gentoo Hardened GCC4 Installation Files
You may use any of the official stages in this guide, if you decide to use the toolchain overlay stages BEWARE as you might not get support. Anyways, these stages are based on the gcc3 hardened stage and should be good enough for everyone. The community is supporting this transition and it provides trac access to anyone willing to file bugs at https://hardened.gentooexperimental.org/trac/secure. Feel free to join and contribute to push gcc4 hardened into mainstream.

2a. Setting the Date/Time

Before you continue you need to check your date/time and update it. A mis-configured clock may lead to strange results in the future!

Verify the current date/time.

Code:
# date


If the date/time displayed is wrong, update it using the date MMDDhhmmYYYY syntax (Month, Day, hour, minute and Year). For instance, to set the date to Sat August 30 04:20:00, in the year 2008:

Code:
# date 083004202008


2b. Retrieving Toolchain stages.
You can either download a stage3 from one of the Gentoo mirrors (non-hardened and hardened stages will work), or you can also convert a live system to a hardened profile using this guide. If you want to download the stage3 hardened stages provided by the toolchain overlay, which are compiled with GCC4 instead of the GCC3 ones provided by Gentoo, then navigate to https://weaver.gentooenterprise.com/hardened to retrieve the required stage3 tarball for your ARCH.

Extracting the AMD64 tarball
This example assumes you have downloaded the AMD64 GCC-4.3 tarball. Users that are just converting to a hardened profile can skip this section.

Code:

# cd /mnt/gentoo
# wget --no-check-certificate https://weaver.gentooenterprise.com/hardened/gcc-4.3/stage3-amd64-hardened-4.3-20090401.tar.bz2
# tar xvjpf stage3*


Gentoo Portage Tree Snapshot

Code:

# cd /mnt/gentoo
# wget http://mirror.datapipe.net/gentoo/snapshots/portage-latest.tar.bz2
# tar xvjpf portage* -C usr/


2c. Setting your compiler flags make.conf

We need to do one of several things; we first need to set our variables & add the following changes to your make.conf. You must change ARCH to whatever arch you use; also make sure to add any additional GENTOO_MIRRORS host.

TIP: Those who want to tailor the gentoo-install for their system only (cflags and cxxflags-wise) use: -march=native

Quote:

CFLAGS="-O2 -march=ARCH -pipe"
LDFLAGS="-Wl,-O1 -Wl,--sort-common -Wl,--warn-once"
GENTOO_MIRRORS="${GENTOO_MIRRORS} /usr/local/toolchain-overlay/distfiles"
PORTDIR_OVERLAY="/usr/local/toolchain-overlay"
PORTAGE_ECLASS_WARNING_ENABLE="0"
PORT_LOGDIR="/var/log/portage"


3. Installing the Gentoo Base System

Mounting Procfs and Dev.

Code:

# mount -t proc none /mnt/gentoo/proc
# mount -o bind /dev /mnt/gentoo/dev


Copying the dns server address file into the base stage.

Code:

# cp -Lv /etc/resolv.conf /mnt/gentoo/etc/resolv.conf


3a. Chrooting & Rehashing environment paths.

Code:
# screen
# chroot /mnt/gentoo /bin/bash
# env-update && source /etc/profile
# export PS1="(chroot) $PS1"


Quote:
To leave the gentoo base system chroot at any time type 'exit && exit' once.


3b. Updating the Portage Tree.
Note: Ignore the "!!! Invalid PORTDIR_OVERLAY (not a dir): '/usr/local/toolchain-overlay'" message on the next command.

Code:

# emerge --sync --quiet


3c. Setting Locales

We will be selecting only the locales necessary for our system, since if no locales are set in locale.gen, glibc will generate locales for all languages, which wastes time unless you need every locale available. We will choose the English ISO-8889-1 & UTF-8 locale, uncomment any locales that you might want besides those two.

Set the locales.

Code:

# nano -w /etc/locale.gen


Generate the locales.

Code:

# locale-gen


Next we will begin the rebuild of the toolchain; this process is the most important and most time-consuming part of the base system install.

4. Bootstrapping the system

Now that we have done all of the above it is now time to rebuild the toolchain with our new make.conf changes. This is the part where your system will build most of the system utils, compiler and libraries. After this process you will have a system that is not only rock solid and secure (almost, but more than most) but also on the bleeding edge, with the most up-to-date packages from the toolchain overlay & portage tree. If for any reason packages fail on the next steps, take a look at the FAQ/Troubleshooting section at the bottom of this guide for help and tips if available.

Note: This step is the most time-consuming & important aspect of the build; furthermore, it will take about 2-4 hours depending on your hardware specs. For me it took only 1 hour and 30 minutes on a dual-core Opteron 165 @ 2853MHz with 2GB of RAM.

4a. Retrieving the hardened overlay
First we need to retrieve our toolchain overlay. We will be using git to accomplish this; you can later use layman to automate this process.

Retrieve the overlay using GIT.

Code:

# [ ! -d /etc/portage ] && mkdir /etc/portage
# echo "dev-util/git -perl threads bash-completion">>/etc/portage/package.use
# emerge dev-util/git
# git clone git://git.overlays.gentoo.org/proj/hardened-development.git /usr/local/hardened-development


Performing the Bootstrap, but first we are gonna make some additions to our package.* files. Use the method that suits the GCC4 stage you downloaded ONLY.

First we add certain packages that are known to fail from the portage tree.

For GCC-4.3
Code:

echo "=sys-devel/gcc-4.3*" >>/etc/portage/package.keywords
echo "=sys-devel/gcc-4.3*" >>/etc/portage/package.unmask


For GCC-4.4
Code:

echo "=sys-devel/gcc-4.4*" >>/etc/portage/package.keywords
echo "=sys-devel/gcc-4.4*" >>/etc/portage/package.unmask


For Glibc 2.10
Code:

echo "=sys-libs/glibc-2.10*" >>/etc/portage/package.keywords
echo "=sys-libs/glibc-2.10*" >>/etc/portage/package.unmask


We need a repos.conf for our eclasses to work with >=sys-apps/portage-2.2
Code:

echo -e "[DEFAULT]\neclass-overrides = secure">>/etc/portage/repos.conf
echo -e "[gentoo]\neclass-overrides = secure">>/etc/portage/repos.conf


Users trying the GCC-4.5 testing branch ONLY. (Optional)
NOTE: GCC-4.5 should not be used in a production system as of now and it will be in the overlay when we do start development on GCC 4.5.

Code:

# cd /usr/local/hardened-development
# git branch testing origin/testing
# git checkout testing && git pull && cd $OLDPWD


repos.conf for GCC-4.5 testing branch ONLY
Code:

echo -e "[DEFAULT]\neclass-overrides = hardened-development-testing">>/etc/portage/repos.conf
echo -e "[gentoo]\neclass-overrides = hardened-development-testing">>/etc/portage/repos.conf


Switching to hardened profile (Optional)
ONLY for users who downloaded the Gentoo non-hardened stage3, or who are currently converting a live system to the hardened profile. You must switch to the compatible hardened profile of choice first before continuing further.

Code:

# emerge gcc-config linux-headers glibc binutils gcc portage -1


Switch to the newly compiled GCC4 compiler. NOTE: Users that upgraded from GCC3 must change the gcc-config number to the correct one, which as of this writing is #6. Users on the GCC5 testing branch can just "source /etc/profile" instead.

Code:

# gcc-config 2 && source /etc/profile


4b. Enabling the GNU Hashstyle.
I won't get into detail on this as most of you already know about this new hash style anyways. A typical Gentoo system will use --hash-style=both; we will force the use of the GNU hash style instead.

Code:

# sed -i 's/once/once,--hash-style=gnu/' /etc/make.conf
# emerge linux-headers glibc binutils gcc -1


4c. Rebuilding world packages.

Now that we have bootstrapped the system and have an updated toolchain, we can begin to rebuild all remaining packages in the system against the new toolchain. This one-liner will build all packages minus the toolchain packages; all failed packages will be saved in a file and shown later.

Adding Baselayout2 & OpenRC to package.keywords. This step is optional.

Code:

echo "=sys-apps/openrc-0.4*">>/etc/portage/package.keywords
echo "=sys-fs/udev-14*">>/etc/portage/package.keywords
echo "=sys-apps/baselayout-2*">>/etc/portage/package.keywords
echo "=sys-apps/sysvinit-2.86*" >> /etc/portage/package.keywords


Emerge all packages against the newly compiled toolchain.
NOTE: GCC3 users should run "emerge -C mktemp" before running the command below as it will block a new coreutils ebuild.

Code:

# while read ebuild; do emerge -v1 "${ebuild}" || echo "${ebuild}" >>failed; done < <(emerge -ep --columns --color=n system| cut -d] -f2 | awk '{print$1}' | egrep -v "(glibc|/portage|binutils|gcc|linux-h)"|sed '1,4d')
# source /etc/profile


Emerge any packages that failed the system build.

Code:
# while read package; do emerge -1 ${package};done < <(cat failed)


Merge changes from new system packages.

Since we have rebuilt our system packages, we will merge those changes using etc-update. Use the "-5" option when prompted, as this will merge all changes to all available configuration updates for us without user prompt.

Code:
# etc-update


Edit this list of packages here to suit your needs, these are common system tools and misc packages.

Code:
# emerge syslog-ng ntp grub vixie-cron sysfsutils dhcpcd eix gentoolkit portage-utils genlop
# for i in syslog-ng vixie-cron; do rc-update add $i default; done


4d. Eliminating Clock Skew

Fixing clock skew: we alleviate this problem by adding a network time protocol client into the installation.

Code:
# ntpdate -u -b pool.ntp.org


4e. Configuring the OpenRC System (Source: Gentoo OpenRC Migration Guide)

OpenRC is a dependency-based rc system that works with whatever init is provided by the system, normally /sbin/init. However, it is not a replacement for /sbin/init. The default init used by Gentoo Linux is sys-apps/sysvinit, while Gentoo/FreeBSD uses the FreeBSD init provided by sys-freebsd/freebsd-sbin.

We need to verify that the OpenRC ebuild added the necessary boot runlevels; we do this by checking that the required symbolic links are set.

Code:

# for i in root procfs mtab swap fsck;do [ ! -L /etc/runlevels/boot/${i} ] && rc-update add ${i} boot;done


Next we will verify that we didn't lose the net.eth0 symbolic link required for your network device.
Code:

# [ ! -L /etc/init.d/net.eth0 ] && ln -s /etc/init.d/net.lo /etc/init.d/net.eth0


That's it for this guide. I will not go into detail about the types of security features in hardened-sources, since this guide focuses only on getting you the toolchain overlay compiled. Now that you got this far, it's time to configure your kernel following the Part 1 - Chapter 7 section of the Gentoo handbook. I will post various resources to get you a step ahead below. Good luck and enjoy your new hardened toolchain.

Likewhoa

5. Resources

Below are various links to help you get more in-depth detail into setting up and using the various security methods available.


  1. Gentoo Hardened Project - http://www.gentoo.org/proj/en/hardened
  2. Official Hardened Frequently Asked Questions - http://www.gentoo.org/proj/en/hardened/hardenedfaq.xml
  3. Grsecurity2 Quickstart Guide - http://www.gentoo.org/proj/en/hardened/grsecurity.xml
  4. Gentoo SELinux Handbook - http://www.gentoo.org/proj/en/hardened/selinux/selinux-handbook.xml
  5. Gentoo Hardened Mailing List Archives - http://gentoo.org/archives.gentoo.org/gentoo-hardened
  6. Gentoo Wiki Security Index - http://en.gentoo-wiki.com/Index:Security
  7. Forums Thread Relating to GCC4 hardened - http://forums.gentoo.org/viewtopic-t-668885
  8. Discussion thread for GCC4 hardened profiles - http://forums.gentoo.org/viewtopic-t-790110.html


Last edited by likewhoa on Sun Dec 06, 2009 12:32 am; edited 25 times in total
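
The guide above fetches the stage3 with `wget --no-check-certificate` and the portage snapshot over plain HTTP, then unpacks both as root, so nothing authenticates either archive. The following is an added example, not part of the original post or the overlay project: it gates extraction on a SHA-256 digest and on every member name staying inside the target directory. The function names are illustrative, and the expected digest is an assumption: the thread does not say whether the stage host publishes one, so it has to come from a source you trust.

```bash
#!/usr/bin/env bash
# Added example, not part of the original guide. Function names are
# illustrative; the expected digest must come from a source you trust.

# Print the lowercase hex SHA-256 of FILE.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# verify_digest FILE EXPECTED_HEX
# Returns 0 on match, 1 on mismatch, 2 if FILE does not exist.
verify_digest() {
    local file="$1" expected actual
    [ -f "$file" ] || { echo "verify: no such file: $file" >&2; return 2; }
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    actual=$(sha256_of "$file")
    if [ "$actual" != "$expected" ]; then
        echo "verify: DIGEST MISMATCH for $file" >&2
        echo "  expected: $expected" >&2
        echo "  actual:   $actual" >&2
        return 1
    fi
    return 0
}

# Read member names on stdin and print those that would land outside the
# extraction directory: absolute paths and names with a ".." component.
flag_unsafe_names() {
    awk -F/ '
        /^\// { print; next }
        { for (i = 1; i <= NF; i++) if ($i == "..") { print; next } }
    '
}

# unsafe_members TARBALL: list the member names flagged above.
# Only names are checked; symlink targets are not inspected.
unsafe_members() {
    tar -tf "$1" | flag_unsafe_names
}

# safe_extract TARBALL EXPECTED_HEX DESTDIR
# Extracts only if the digest matches and no member name is flagged.
safe_extract() {
    local tarball="$1" expected="$2" dest="$3" bad
    verify_digest "$tarball" "$expected" || return 1
    bad=$(unsafe_members "$tarball")
    if [ -n "$bad" ]; then
        echo "extract: refusing $tarball, unsafe member names:" >&2
        printf '%s\n' "$bad" >&2
        return 1
    fi
    # -p preserves permissions, as the guide's "tar xvjpf" does.
    tar -xpf "$tarball" -C "$dest"
}

# Demo on a constructed tarball (sample data built in a temp directory).
demo() {
    local tmp good
    tmp=$(mktemp -d) || return 1
    mkdir -p "$tmp/src/etc" "$tmp/root"
    echo "constructed sample" > "$tmp/src/etc/motd"
    tar -cf "$tmp/stage3-sample.tar" -C "$tmp/src" .
    good=$(sha256_of "$tmp/stage3-sample.tar")
    safe_extract "$tmp/stage3-sample.tar" "$good" "$tmp/root" \
        && echo "clean copy extracted"
    echo "tampered" >> "$tmp/stage3-sample.tar"
    safe_extract "$tmp/stage3-sample.tar" "$good" "$tmp/root" \
        || echo "tampered copy rejected"
    rm -rf "$tmp"
}

if [ "${1:-}" = "demo" ]; then demo; fi
```

In the guide's flow this would stand in for the bare `tar xvjpf stage3*` step, for example `safe_extract stage3-amd64-hardened-4.3-20090401.tar.bz2 "$EXPECTED_SHA256" /mnt/gentoo`, where `EXPECTED_SHA256` is a placeholder for the trusted digest.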

NeddySeagoon
Administrator

Joined: 05 Jul 2003
Posts: 32112
Location: 56N 3W

Posted: Sat Aug 30, 2008 3:51 pm

git-clone should not have the -
_________________
Regards,

NeddySeagoon

Computer users fall into two groups:-
those that do backups
those that have never had a hard drive fail.

kernelOfTruth
Watchman

Joined: 20 Dec 2005
Posts: 5727
Location: Vienna, Austria; Germany; hello world :)

Posted: Sat Aug 30, 2008 4:09 pm

NeddySeagoon wrote:
git-clone should not have the -


++

that command seems to be gone with latest git-versions

git-clone --> git clone

some more points:

*) those who want to tailor the gentoo-install for their system only (cflags and cxxflags-wise) use: -march=native

*) cp -v should become cp -L (copying resolv.conf)

Quote:
The "-L" option is needed to make sure we don't copy a symbolic link)
# cp -L /etc/resolv.conf /mnt/gentoo/etc/


*) binutils --> just use the latest in-tree version, right now: 2.18.50.0.8

*) e2fsprogs --> just use the latest in-tree version, that should compile fine
NOTE: for this sys-libs/ss and another one (don't know the name right now) might need to be unmerged and e2fsprogs-libs emerged;
only experienced users should do this since this might remove fsck & prevent your system from booting

*) --hash-style=gnu --> isn't that enabled by default ?

that's all for now !

good job !

thanks, buddy :)
_________________
https://github.com/kernelOfTruth/ZFS-for-SystemRescueCD/tree/ZFS-for-SysRescCD-4.3.0-r2
2.6.37.2_plus_v1: BFS, CFS,THP,compaction, zcache or TOI
Hardcore Linux user since 2004 :D

likewhoa
l33t

Joined: 04 Oct 2006
Posts: 743
Location: Brooklyn, New York

Posted: Sat Aug 30, 2008 4:24 pm

thanks NeddySeagoon for the pointer.

@KernelOfTruth first off thanks.
I think the default hash style is set to both but not really sure, will confirm this. about binutils we used the one provided in the overlay but I did test 2.18.50.0.8 and it seems to work so changes will be made to use that one if zorry agrees. about that e2fsprogs deal I will have to run into it first as I didn't experience that while testing the build.

I would like some confirmation from users that try this out using ~ARCH keywords.

d2_racing
Moderator

Joined: 25 Apr 2005
Posts: 13046
Location: Ste-Foy,Canada

Posted: Sun Aug 31, 2008 1:39 am

Hi, this line :

Quote:

Now that we have done all of the above it is now time to rebuild the toolchain toolchain with our new make.conf changes.


Should be like this :

Now that we have done all of the above it is now time to rebuild the toolchain with our new make.conf changes.
_________________
Sysadmin of GentooQuébec.org
Wiki
Signature
IRC on Freenode : #gentoo-quebec

yngwin
Developer

Joined: 19 Dec 2002
Posts: 4396
Location: Suzhou, China

Posted: Sun Aug 31, 2008 4:56 pm

Nice guide! I was actually looking into doing something like this, so this will help when I get around to it. :)

likewhoa wrote:
I think the default hash style is set to both but not really sure, will confirm this.

I confirm this is the case.
_________________
"Those who deny freedom to others deserve it not for themselves." - Abraham Lincoln
Free Culture | Defective by Design | EFF

d2_racing
Moderator

Joined: 25 Apr 2005
Posts: 13046
Location: Ste-Foy,Canada

Posted: Mon Sep 01, 2008 4:06 pm

Nice Guide, I'm looking forward to testing this guide in the near future :P
_________________
Sysadmin of GentooQuébec.org
Wiki
Signature
IRC on Freenode : #gentoo-quebec

Sadako
Advocate

Joined: 05 Aug 2004
Posts: 3753
Location: sleeping in the bathtub

Posted: Tue Sep 02, 2008 6:46 pm

One thing which seems to be missing is any mention of the portage slowdown due to a toolchain eclass in the overlay overriding one in portage proper.

Every time after you emerge --sync, you should notice any portage usage extremely slow for a while, this is because the dependency cache for each ebuild related to the emerge command you entered is being regenerated.

You can regenerate the entire cache at once with `emerge --regen`, although this is quite slow (~20 minutes with my 2.4 GHz athlon64 X2).

An alias such as 'esync="emerge --sync && emerge --regen"' can be useful (although I'm using a script instead which performs a few other operations as well).

Also, it can be well worth making use of rsync's "exclude" to reduce the size of the portage tree fetched during emerge --sync, for example getting rid of either the gnome-* or kde-* categories, or the vim or emacs/xemacs ones, depending on which zealot you happen to be. :P
This can help to reduce the time it takes to --regen by quite a bit, and if you're using this on a headless box you can drastically reduce both the size of the portage tree and how long --regen takes.

For reference, you'd typically use it by adding PORTAGE_RSYNC_EXTRA_OPTS="--exclude-from=/etc/portage/rsync_excludes" to make.conf, and /etc/portage/rsync_excludes contains entries like the following to exclude (for example) all games-related ebuilds and mono/.net or whatever;
Code:
dev-dotnet/
games-*/


`du -chs /usr/portage/*-*` should give you an idea of what it might be beneficial to remove, assuming you're not using anything from those categories, and more advanced/complicated excludes files can be used to remove all but a few specific packages from a category.

Anyways, I just thought this was something worth mentioning at least.
_________________
"You have to invite me in"

d2_racing
Moderator

Joined: 25 Apr 2005
Posts: 13046
Location: Ste-Foy,Canada

Posted: Wed Sep 03, 2008 12:23 pm

Hopeless wrote:
One thing which seems to be missing is any mention of the portage slowdown due to a toolchain eclass in the overlay overriding one in portage proper.

Every time after you emerge --sync, you should notice any portage usage extremely slow for a while, this is because the dependency cache for each ebuild related to the emerge command you entered is being regenerated.

You can regenerate the entire cache at once with `emerge --regen`, although this is quite slow (~20 minutes with my 2.4 GHz athlon64 X2).



Hi, is there any documentation about this problem, because I want to know how did you find this problem ? I noticed this problem for a long time, but I never found any doc about that.
_________________
Sysadmin of GentooQuébec.org
Wiki
Signature
IRC on Freenode : #gentoo-quebec

kernelOfTruth
Watchman

Joined: 20 Dec 2005
Posts: 5727
Location: Vienna, Austria; Germany; hello world :)

Posted: Wed Sep 03, 2008 1:24 pm

d2_racing wrote:
Hopeless wrote:
One thing which seems to be missing is any mention of the portage slowdown due to a toolchain eclass in the overlay overriding one in portage proper.

Every time after you emerge --sync, you should notice any portage usage extremely slow for a while, this is because the dependency cache for each ebuild related to the emerge command you entered is being regenerated.

You can regenerate the entire cache at once with `emerge --regen`, although this is quite slow (~20 minutes with my 2.4 GHz athlon64 X2).



Hi, is there any documentation about this problem, because I want to know how did you find this problem ? I noticed this problem for a long time, but I never found any doc about that.


read the messages portage spits out after emerge --sync ;)
_________________
https://github.com/kernelOfTruth/ZFS-for-SystemRescueCD/tree/ZFS-for-SysRescCD-4.3.0-r2
2.6.37.2_plus_v1: BFS, CFS,THP,compaction, zcache or TOI
Hardcore Linux user since 2004 :D

neuron
Advocate

Joined: 28 May 2002
Posts: 2371

Posted: Sun Sep 07, 2008 5:51 pm

One of those mirrors was really slow for me for some reason, so I mirrored the files:

http://geezer.mine.nu/hardened/

Naib
Advocate

Joined: 21 May 2004
Posts: 4161
Location: Removed by Neddy

Posted: Sun Sep 07, 2008 5:59 pm

The server where the stages are hosted has been having a "fun time" recently, it should be fine tho now
_________________
A free press is the unsleeping guardian of every other right that free men prize; it is the most dangerous foe of tyranny. Where men have the habit of liberty, the Press will continue to be the vigilant guardian of the rights of the ordinary citizen.

neuron
Advocate

Joined: 28 May 2002
Posts: 2371

Posted: Sun Sep 07, 2008 6:04 pm

Naib wrote:
The server where the stages are hosted has been having a "fun time" recently, it should be fine tho now


That one was ok, fast but bursting, the second one was really slow for me though, could be a long traceroute though, I dunno.

neuron
Advocate

Joined: 28 May 2002
Posts: 2371

Posted: Sun Sep 07, 2008 6:19 pm

Quote:

Adding Baselayout2 & OpenRC to package.keywords. This step is optional & should not be used if using the gcc-4.3 testing branch.


Could you include a bug # or thread with information on why that fails/progress on fixing it?

zorry
Developer

Joined: 30 Mar 2008
Posts: 364
Location: Umeå The north part of scandinavia

Posted: Sun Sep 07, 2008 6:37 pm

neuron wrote:
Quote:

Adding Baselayout2 & OpenRC to package.keywords. This step is optional & should not be used if using the gcc-4.3 testing branch.


Could you include a bug # or thread with information on why that fails/progress on fixing it?

You need the OpenRC-9999 version to use it on the testing branch.
It has an O_CREATE bug; look for that in the trac or on the forum thread.
_________________
gcc version 4.6.2 (Gentoo Hardened 4.6.2 p1.1, pie-0.5.0)

neuron
Advocate

Joined: 28 May 2002
Posts: 2371

Posted: Sun Sep 07, 2008 8:33 pm

echo "=sys-apps/net-tools-1.60_p20071202044231-r1" >>/etc/portage/package.keywords

also needed on gcc 4.3

likewhoa
l33t

Joined: 04 Oct 2006
Posts: 743
Location: Brooklyn, New York

Posted: Sun Sep 07, 2008 8:47 pm

neuron wrote:
echo "=sys-apps/net-tools-1.60_p20071202044231-r1" >>/etc/portage/package.keywords

also needed on gcc 4.3


noted.

neuron
Advocate

Joined: 28 May 2002
Posts: 2371

Posted: Thu Sep 11, 2008 4:29 pm

Quote:
GCC-4.3 Testing Branch ONLY
Code:
# echo "=sys-apps/openrc-9999* ~ARCH">>/etc/portage/package.keywords



Has to be openrc-9999* **, not ~arch.

Note that you don't actually need ~arch anymore, having the line implies ~${ARCH}

likewhoa
l33t

Joined: 04 Oct 2006
Posts: 743
Location: Brooklyn, New York

Posted: Thu Sep 11, 2008 5:15 pm

neuron wrote:
Quote:
GCC-4.3 Testing Branch ONLY
Code:
# echo "=sys-apps/openrc-9999* ~ARCH">>/etc/portage/package.keywords



Has to be openrc-9999* **, not ~arch.

Note that you don't actually need ~arch anymore, having the line implies ~${ARCH}


Didn't notice it was masked by missing keyword. changes made. thanks for the changes.

dubkat
n00b

Joined: 03 Oct 2007
Posts: 8
Location: Syracuse, NY

Posted: Thu Oct 09, 2008 5:34 pm

I tested this guide on an already existing Hardened Gentoo 3 fileserver, using Paludis instead of Portage. I went for GCC-4.2.4 and it went off without a hitch (so far). Thank you for all your hard work. Hopefully this will be considered official in the near future!

-d

hellboi64
Apprentice

Joined: 11 Sep 2004
Posts: 155
Location: Columbus, Ohio, USA

Posted: Thu Oct 16, 2008 6:12 pm    Post subject: Error compiling GCC 4.3

<< Post moved to http://forums.gentoo.org/viewtopic-p-5250944.html#5250944 >>
_________________
http://www.apfritts.com/
http://ostem.org.ohio-state.edu/
http://www.osuchallengex.org/

A government big enough to give you everything you want, is strong enough to take everything you have.
- Thomas Jefferson


Last edited by hellboi64 on Fri Oct 17, 2008 5:33 pm; edited 1 time in total

Xake
Guru

Joined: 11 Feb 2004
Posts: 588
Location: Göteborg, the rainy part of scandinavia

Posted: Fri Oct 17, 2008 5:03 am    Post subject: Re: Error compiling GCC 4.3

hellboi64 wrote:

* /usr/portage/sys-devel/gcc/files/4.2.0/gcc-4.2.0-cc1-no-stack-protector.patch
* ( gcc-4.2.0-cc1-no-stack-protector.patch )
*


You must build gcc-4.3.1-r1, our eclasses do not work with the gcc ebuilds from portage.
Back to top
View user's profile Send private message
zorry
Developer
Developer


Joined: 30 Mar 2008
Posts: 364
Location: Umeå The north part of scandinavia

PostPosted: Fri Oct 17, 2008 9:58 am    Post subject: Re: Error compiling GCC 4.3 Reply with quote

Xake wrote:
hellboi64 wrote:

* /usr/portage/sys-devel/gcc/files/4.2.0/gcc-4.2.0-cc1-no-stack-protector.patch
* ( gcc-4.2.0-cc1-no-stack-protector.patch )
*


You must build gcc-4.3.1-r1, our eclasses do not work with the gcc ebuilds from portage.

Take the support in this thread How long until hardened and toolchain will produce a hardened gcc4?

Mod edit: the new support thread is here. --timeBandit
_________________
gcc version 4.6.2 (Gentoo Hardened 4.6.2 p1.1, pie-0.5.0)

hellboi64
Apprentice

Joined: 11 Sep 2004
Posts: 155
Location: Columbus, Ohio, USA

Posted: Fri Oct 17, 2008 1:25 pm

<< Post moved to http://forums.gentoo.org/viewtopic-p-5250944.html#5250944 >>
_________________
http://www.apfritts.com/
http://ostem.org.ohio-state.edu/
http://www.osuchallengex.org/

A government big enough to give you everything you want, is strong enough to take everything you have.
- Thomas Jefferson


Last edited by hellboi64 on Fri Oct 17, 2008 5:33 pm; edited 1 time in total

zorry
Developer

Joined: 30 Mar 2008
Posts: 364
Location: Umeå The north part of scandinavia

Posted: Fri Oct 17, 2008 2:36 pm

hellboi64 wrote:
I am getting the same error :-\

Code:
 * Cannot find $EPATCH_SOURCE!  Value for $EPATCH_SOURCE is:
 *
 *   /usr/portage/sys-devel/gcc/files/4.2.0/gcc-4.2.0-cc1-no-stack-protector.patch
 *   ( gcc-4.2.0-cc1-no-stack-protector.patch )
 *
 * ERROR: sys-devel/gcc-4.3.1-r1 failed.
 * Call stack:
 *               ebuild.sh, line   49:  Called src_unpack
 *             environment, line 4800:  Called gcc_src_unpack
 *             environment, line 3120:  Called do_gcc_SSP_patches
 *             environment, line 1252:  Called epatch 'src_unpack'
 *             environment, line 1992:  Called die
 * The specific snippet of code:
 *                   die "Cannot find \$EPATCH_SOURCE!";
 *  The die message:
 *   Cannot find $EPATCH_SOURCE!
 *
 * If you need support, post the topmost build error, and the call stack if relevant.
 * A complete build log is located at '/var/log/portage/sys-devel:gcc-4.3.1-r1:20081017-132207.log'.
 * The ebuild environment file is located at '/var/tmp/portage/sys-devel/gcc-4.3.1-r1/temp/environment'.
 * This ebuild used the following eclasses from overlays:
 *   /usr/local/toolchain-overlay/eclass/toolchain.eclass
 *   /usr/local/toolchain-overlay/eclass/toolchain-funcs.eclass
 *   /usr/local/toolchain-overlay/eclass/flag-o-matic.eclass

You need to use the GCC from the overlay not that one from portage.
Post support QA in the Support thread.
_________________
gcc version 4.6.2 (Gentoo Hardened 4.6.2 p1.1, pie-0.5.0)