likewhoa l33t
Joined: 04 Oct 2006 Posts: 778 Location: Brooklyn, New York
|
Posted: Sat Aug 30, 2008 3:07 pm Post subject: [HOWTO] The Hardened GCC4 Toolchain Overlay Guide |
|
|
1. Introduction
Welcome to the GCC4 Toolchain Overlay Guide. This guide will get you the best of both worlds: the GNU GCC 4.{2,3} compiler and your good ol' hardened kernel. The current state of the Official Gentoo Hardened Project only offers the GCC3 compiler. The Official Hardened Development Project, which is a continuation of kevquinn's work, offers gcc-4.3.4 & gcc-4.4.1 (testing branch will have gcc-4.5 soon) stages and will work with the Gentoo Hardened and non-hardened stages as well as the ones provided here. This overlay is provided by http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-development.git;a=summary. We will not get into the details of the best security practices like PaX, GRsecurity, SELinux & various other security measures. We will only get you the base system ready, and once you finish this guide you will find various links to official Gentoo documentation and guides on setting up the multiple security methods that can be implemented with a hardened kernel.
1a. Before you begin
You only need a livecd (preferably a hardened installcd, but not required), a live system (for converting from the non-hardened to hardened profile) and some chest hair; OK, maybe not chest hair, but some patience and attention to detail. When you finish here you will have the opportunity to sport a paranoid Linux kernel, but also to make lots of money implementing it for your clients, or just to show it off to your Ubuntu buddies. Either way you will enjoy the peace of mind you get from having your kernel ever more secure, and that's all you need before you begin.
1b. User Agreement
You AGREE to follow this guide and not go skipping unless you know what YOU'RE doing. Remember, it's not as hard as it looks; just stay focused and get it done. Finally, I'd like to add that the Gentoo Linux Foundation is in no way interested in breaking your system, nor does it support this guide. The toolchain overlay used here is based on Kevquinn's work. By following the instructions below, you agree to take full responsibility. You may not blame me or any contributors. Help is NOT guaranteed, but will be provided on the basis that you followed directions in this guide alone.
This guide assumes you have already gone past Chapter 4 of Part 1 of the Gentoo handbook.
2. Installing the Gentoo Hardened GCC4 Installation Files
You may use any of the official stages in this guide; if you decide to use the toolchain overlay stages, BEWARE, as you might not get support. Anyways, these stages are based on the gcc3 hardened stage and should be good enough for everyone. The community is supporting this transition and it provides trac access to anyone willing to file bugs at https://hardened.gentooexperimental.org/trac/secure. Feel free to join and contribute to push gcc4 hardened into mainstream.
2a. Setting the Date/Time
Before you continue you need to check your date/time and update it. A mis-configured clock may lead to strange results in the future!
Verify the current date/time.
If the date/time displayed is wrong, update it using the date MMDDhhmmYYYY syntax (Month, Day, hour, minute and Year). For instance, to set the date to Sat August 30 04:20:00, in the year 2008:
Code: | # date 083004202008 |
2b. Retrieving Toolchain stages.
You can either download a stage3 from one of the Gentoo mirrors (non-hardened and hardened stages will work), or you can convert a live system to a hardened profile using this guide. If you want to download the stage3 hardened stages provided by the toolchain overlay, which are compiled with GCC4 instead of the GCC3 ones provided by Gentoo, then navigate to https://weaver.gentooenterprise.com/hardened to retrieve the required stage3 tarball for your ARCH.
Extracting the AMD64 tarball
This example assumes you have downloaded the AMD64 GCC-4.3 tarball. Users that are just converting to a hardened profile can skip this section.
Code: |
# cd /mnt/gentoo
# wget --no-check-certificate https://weaver.gentooenterprise.com/hardened/gcc-4.3/stage3-amd64-hardened-4.3-20090401.tar.bz2
# tar xvjpf stage3*
|
Gentoo Portage Tree Snapshot
Code: |
# cd /mnt/gentoo
# wget http://mirror.datapipe.net/gentoo/snapshots/portage-latest.tar.bz2
# tar xvjpf portage* -C usr/
|
2c. Setting your compiler flags in make.conf
We need to do one of several things. We first need to set our variables & add the following changes to your make.conf. You must change ARCH to whatever arch you use; also make sure to add any additional GENTOO_MIRRORS hosts.
TIP: Those who want to tailor the gentoo-install for their system only (cflags and cxxflags-wise) use: -march=native
Quote: |
CFLAGS="-O2 -march=ARCH -pipe"
LDFLAGS="-Wl,-O1 -Wl,--sort-common -Wl,--warn-once"
GENTOO_MIRRORS="${GENTOO_MIRRORS} /usr/local/toolchain-overlay/distfiles"
PORTDIR_OVERLAY="/usr/local/toolchain-overlay"
PORTAGE_ECLASS_WARNING_ENABLE="0"
PORT_LOGDIR="/var/log/portage"
|
3. Installing the Gentoo Base System
Mounting Procfs and Dev.
Code: |
# mount -t proc none /mnt/gentoo/proc
# mount -o bind /dev /mnt/gentoo/dev
|
Copying the dns server address file into the base stage.
Code: |
# cp -Lv /etc/resolv.conf /mnt/gentoo/etc/resolv.conf
|
3a. Chrooting & Rehashing environment paths.
Code: |
# screen
# chroot /mnt/gentoo /bin/bash
# env-update && source /etc/profile
# export PS1="(chroot) $PS1"
|
Quote: | To leave the gentoo base system chroot at any time type 'exit && exit' once. |
3d. Updating the Portage Tree.
note: Ignore the "!!! Invalid PORTDIR_OVERLAY (not a dir): '/usr/local/toolchain-overlay'" message on the next command.
Code: |
# emerge --sync --quiet
|
3b. Setting Locales
We will be selecting only the locales necessary for our system, since if no locales are set in locale.gen, glibc will generate locales for all languages, which wastes time unless you need every locale available. We will choose the English ISO-8859-1 & UTF-8 locales; uncomment any locales that you might want besides those two.
Set the locales.
Code: |
# nano -w /etc/locale.gen
|
Generate the locales.
Next we will begin the rebuild of the toolchain; this process is the most important and most time consuming process of the base system install.
4. Bootstrapping the system
Now that we have done all of the above it is now time to rebuild the toolchain with our new make.conf changes. This is the part where your system will build most of the system utils, compiler and libraries. After this process you will have a system that is not only rock solid and secure (almost, but more than most) but also on the bleeding edge with the most up to date packages from the toolchain overlay & portage tree. If for any reason packages fail on the next steps, take a look at the FAQ/Troubleshooting section at the bottom of this guide for help and tips if available.
Note: This step is the most time consuming & important aspect of the build; furthermore it will take about 2-4 hours depending on your hardware specs. For me it took only 1 hour and 30 minutes on a dual-core opteron 165 @ 2853MHz with 2GB of RAM.
4a. Retrieving the hardened overlay
First we need to retrieve our toolchain overlay. We will be using git to accomplish this; you can later use layman to automate this process.
Retrieve the overlay using GIT.
Code: |
# [ ! -d /etc/portage ] && mkdir /etc/portage
# echo "dev-util/git -perl threads bash-completion">>/etc/portage/package.use
# emerge dev-util/git
# git clone git://git.overlays.gentoo.org/proj/hardened-development.git /usr/local/hardened-development
|
Performing the Bootstrap, but first we are gonna make some additions to our package.* files. Use the method that suits the GCC4 stage you downloaded ONLY.
First we add certain packages that are known to fail from the portage tree.
For GCC-4.3
Code: |
echo "=sys-devel/gcc-4.3*" >>/etc/portage/package.keywords
echo "=sys-devel/gcc-4.3*" >>/etc/portage/package.unmask
|
For GCC-4.4
Code: |
echo "=sys-devel/gcc-4.4*" >>/etc/portage/package.keywords
echo "=sys-devel/gcc-4.4*" >>/etc/portage/package.unmask
|
For Glibc 2.10
Code: |
echo "=sys-libs/glibc-2.10*" >>/etc/portage/package.keywords
echo "=sys-libs/glibc-2.10*" >>/etc/portage/package.unmask
|
We need a repos.conf for our eclasses to work with >=sys-apps/portage-2.2
Code: |
echo -e "[DEFAULT]\neclass-overrides = secure">>/etc/portage/repos.conf
echo -e "[gentoo]\neclass-overrides = secure">>/etc/portage/repos.conf
|
Users trying the GCC-4.5 testing branch ONLY. (Optional)
NOTE: GCC-4.5 should not be used in a production system as of now and it will be in the overlay when we do start development on GCC 4.5.
Code: |
# cd /usr/local/hardened-development
# git branch testing origin/testing
# git checkout testing && git pull && cd $OLDPWD
|
repos.conf for GCC-4.5 testing branch ONLY
Code: |
echo -e "[DEFAULT]\neclass-overrides = hardened-development-testing">>/etc/portage/repos.conf
echo -e "[gentoo]\neclass-overrides = hardened-development-testing">>/etc/portage/repos.conf
|
Switching to hardened profile (Optional)
ONLY for users who downloaded the Gentoo non-hardened stage3 or who are currently just converting a live system to the hardened profile. You must switch to the compatible hardened profile of choice first before continuing further.
Code: |
# emerge gcc-config linux-headers glibc binutils gcc portage -1
|
Switch to the newly compiled GCC4 compiler. NOTE: Users that upgraded from GCC3 must change the gcc-config number to the correct one, which as of this writing is #6. Users on the GCC5 testing branch can just "source /etc/profile" instead.
Code: |
# gcc-config 2 && source /etc/profile
|
4b. Enabling the GNU Hashstyle.
I won't get into detail on this as most of you already know about this new hash style anyways. A typical Gentoo system will use --hash-style=both; we will force the use of the GNU hash style instead.
Code: |
# sed -i 's/once/once,--hash-style=gnu/' /etc/make.conf
# emerge linux-headers glibc binutils gcc -1
|
4c. Rebuilding world packages.
Now that we have bootstrapped the system and have an updated toolchain, we can begin to rebuild all remaining packages in the system against the new toolchain. This one-liner will build all packages minus the toolchain packages; all failed packages will be saved in a file and shown later.
Adding Baselayout2 & OpenRC to package.keywords. This step is optional.
Code: |
echo "=sys-apps/openrc-0.4*">>/etc/portage/package.keywords
echo "=sys-fs/udev-14*">>/etc/portage/package.keywords
echo "=sys-apps/baselayout-2*">>/etc/portage/package.keywords
echo "=sys-apps/sysvinit-2.86*" >> /etc/portage/package.keywords
|
Emerge all packages against the newly compiled toolchain.
NOTE: GCC3 users should run "emerge -C mktemp" before running the command below as it will block a new coreutils ebuild.
Code: |
# while read ebuild; do emerge -v1 "${ebuild}" || echo "${ebuild}" >>failed; done < <(emerge -ep --columns --color=n system| cut -d] -f2 | awk '{print$1}' | egrep -v "(glibc|/portage|binutils|gcc|linux-h)"|sed '1,4d')
# source /etc/profile
|
Emerge any packages that failed the system build.
Code: | # while read package; do emerge -1 "${package}"; done < failed |
Merge changes from new system packages.
Since we have rebuilt our system packages, we will merge those changes using etc-update. Use the "-5" option when prompted, as this will merge all changes to all available configuration updates for us without user prompt.
Edit this list of packages here to suit your needs; these are common system tools and misc packages.
Code: |
# emerge syslog-ng ntp grub vixie-cron sysfsutils dhcpcd eix gentoolkit portage-utils genlop
# for i in syslog-ng vixie-cron; do rc-update add $i default; done
|
4d. Eliminating Clock Skew
Fixing clock skew: we alleviate this problem by adding a network time protocol client into the installation.
Code: | # ntpdate -u -b pool.ntp.org |
4d. Configuring the OpenRC System (Source: Gentoo OpenRC Migration Guide)
OpenRC is a dependency-based rc system that works with whatever init is provided by the system, normally /sbin/init. However, it is not a replacement for /sbin/init. The default init used by Gentoo Linux is sys-apps/sysvinit, while Gentoo/FreeBSD uses the FreeBSD init provided by sys-freebsd/freebsd-sbin.
We need to verify that the OpenRC ebuild added the necessary boot run-levels; we do this by checking if the required symbolic links are set.
Code: |
# for i in root procfs mtab swap fsck;do [ ! -L /etc/runlevels/boot/${i} ] && rc-update add ${i} boot;done
|
Next we will verify that we didn't lose the net.eth0 symbolic link required for your network device.
Code: |
# [ ! -L /etc/init.d/net.eth0 ] && ln -s /etc/init.d/net.lo /etc/init.d/net.eth0
|
That's it for this guide. I will not go into detail about the types of security features in hardened-sources, since this guide focuses only on getting you the toolchain overlay compiled. Now that you got this far, it's time to configure your kernel following the Part 1 - Chapter 7 section of the Gentoo handbook. I will post various resources to get you a step ahead below. Good luck and enjoy your new hardened toolchain.
Likewhoa
5. Resources
Below are various links to help you get more in-depth detail into setting up and using the various security methods available.
- Gentoo Hardened Project - http://www.gentoo.org/proj/en/hardened
- Official Hardened Frequently Asked Questions - http://www.gentoo.org/proj/en/hardened/hardenedfaq.xml
- Grsecurity2 Quickstart Guide - http://www.gentoo.org/proj/en/hardened/grsecurity.xml
- Gentoo SELinux Handbook - http://www.gentoo.org/proj/en/hardened/selinux/selinux-handbook.xml
- Gentoo Hardened Mailing List Archives - http://gentoo.org/archives.gentoo.org/gentoo-hardened
- Gentoo Wiki Security Index - http://en.gentoo-wiki.com/Index:Security
- Forums Thread Relating to GCC4 hardened - https://forums.gentoo.org/viewtopic-t-668885
- Discussion thread for GCC4 hardened profiles - https://forums.gentoo.org/viewtopic-t-790110.html
Last edited by likewhoa on Sun Dec 06, 2009 12:32 am; edited 25 times in total |
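Section 2b fetches the stage3 with `--no-check-certificate` and the portage snapshot over plain HTTP, so neither tarball is authenticated before it is unpacked as root. The following is an added example, not part of the original post: it unpacks a tarball only if its SHA-256 matches an entry in a digest file obtained separately from the publisher. The digest file, its `sha256sum`-style format and the function names are assumptions; the guide does not say whether the stage host publishes digests.

```shell
#!/bin/sh
# Added example (not from the guide): check a downloaded stage3 or portage
# snapshot against a published SHA-256 before unpacking it into /mnt/gentoo.
# Assumption: the digest file uses sha256sum format, "<64 hex>  <file name>",
# and was fetched over a channel you trust (not the same unverified download).

# verify_tarball FILE DIGESTFILE
#   0 = digest matches, 1 = digest mismatch, 2 = missing file or no usable entry
verify_tarball() {
    vt_file=$1
    vt_digests=$2
    [ -f "$vt_file" ] && [ -f "$vt_digests" ] || return 2

    vt_name=$(basename "$vt_file")
    # Select the entry for this file name. sha256sum marks binary mode with a
    # leading "*", so strip it before comparing. Malformed hashes are ignored.
    vt_want=$(awk -v n="$vt_name" '
        { f = $2; sub(/^\*/, "", f) }
        f == n && length($1) == 64 && $1 ~ /^[0-9A-Fa-f]+$/ {
            print tolower($1); exit
        }' "$vt_digests")
    [ -n "$vt_want" ] || return 2

    vt_have=$(sha256sum "$vt_file" | awk '{ print $1 }')
    [ "$vt_have" = "$vt_want" ] || return 1
    return 0
}

# extract_verified FILE DIGESTFILE DESTDIR
#   Runs the guide's "tar xjpf" only after verify_tarball succeeds.
extract_verified() {
    verify_tarball "$1" "$2" || {
        echo "refusing to unpack $1: digest check failed" >&2
        return 1
    }
    tar xjpf "$1" -C "$3"
}

# Usage: sh verify-stage.sh <tarball> <digest-file> <destdir>
if [ "$#" -eq 3 ]; then
    extract_verified "$@"
fi
```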
NeddySeagoon Administrator
Joined: 05 Jul 2003 Posts: 54242 Location: 56N 3W
|
Posted: Sat Aug 30, 2008 3:51 pm Post subject: |
|
|
git-clone should not have the -
_________________
Regards,
NeddySeagoon
Computer users fall into two groups:-
those that do backups
those that have never had a hard drive fail. |
kernelOfTruth Watchman
Joined: 20 Dec 2005 Posts: 6111 Location: Vienna, Austria; Germany; hello world :)
|
Posted: Sat Aug 30, 2008 4:09 pm Post subject: |
|
|
NeddySeagoon wrote: | git-clone should not have the - |
++
that command seems to be gone with latest git-versions
git-clone --> git clone
some more points:
*) those who want to tailor the gentoo-install for their system only (cflags and cxxflags-wise) use: -march=native
*) cp -v should become cp -L (copying resolv.conf)
Quote: | (The "-L" option is needed to make sure we don't copy a symbolic link)
# cp -L /etc/resolv.conf /mnt/gentoo/etc/ |
*) binutils --> just use the latest in-tree version, right now: 2.18.50.0.8
*) e2fsprogs --> just use the latest in-tree version, that should compile fine
NOTE: for this sys-libs/ss and another one (don't know the name right now) might need to be unmerged and e2fsprogs-libs emerged;
only experienced users should do this since this might remove fsck & prevent your system from booting
*) --hash-style=gnu --> isn't that enabled by default ?
that's all for now !
good job !
thanks, buddy
_________________
https://github.com/kernelOfTruth/ZFS-for-SystemRescueCD/tree/ZFS-for-SysRescCD-4.9.0
https://github.com/kernelOfTruth/pulseaudio-equalizer-ladspa
Hardcore Gentoo Linux user since 2004 |
likewhoa l33t
Joined: 04 Oct 2006 Posts: 778 Location: Brooklyn, New York
|
Posted: Sat Aug 30, 2008 4:24 pm Post subject: |
|
|
thanks NeddySeagoon for the pointer.
@KernelOfTruth first off thanks.
I think the default hash style is set to both but not really sure, will confirm this. About binutils, we used the one provided in the overlay but I did test 2.18.50.0.8 and it seems to work, so changes will be made to use that one if zorry agrees. About that e2fsprogs deal, I will have to run into it first as I didn't experience that while testing the build.
I would like some confirmation from users that try this out using ~ARCH keywords. |
d2_racing Bodhisattva
Joined: 25 Apr 2005 Posts: 13047 Location: Ste-Foy,Canada
|
Posted: Sun Aug 31, 2008 1:39 am Post subject: |
|
|
Hi, this line :
Quote: |
Now that we have done all of the above it is now time to rebuild the toolchain toolchain with our new make.conf changes.
|
Should be like this :
Now that we have done all of the above it is now time to rebuild the toolchain with our new make.conf changes. |
yngwin Retired Dev
Joined: 19 Dec 2002 Posts: 4572 Location: Suzhou, China
|
Posted: Sun Aug 31, 2008 4:56 pm Post subject: |
|
|
Nice guide! I was actually looking into doing something like this, so this will help when I get around to it.
likewhoa wrote: | I think the default hash style is set to both but not really sure, will confirm this. |
I confirm this is the case.
_________________
"Those who deny freedom to others deserve it not for themselves." - Abraham Lincoln
Free Culture | Defective by Design | EFF |
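The thread settles that the default is `--hash-style=both` while the guide forces `gnu`. The following added example (not from any poster) shows one way to check the result on a rebuilt system by classifying the `HASH` and `GNU_HASH` entries that `readelf -d` prints. The function names are hypothetical and the sample lines are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): report which ELF symbol hash tables a
# binary carries, to confirm what the --hash-style=gnu rebuild produced.
# readelf -d lists DT_HASH as "(HASH)" and DT_GNU_HASH as "(GNU_HASH)".

# classify_hash_style: reads "readelf -d" output on stdin, prints one of
#   gnu | sysv | both | none   (none = static binary, or not an ELF file)
classify_hash_style() {
    awk '
        $2 == "(HASH)"     { sysv = 1 }
        $2 == "(GNU_HASH)" { gnu = 1 }
        END {
            if (gnu && sysv) print "both"
            else if (gnu)    print "gnu"
            else if (sysv)   print "sysv"
            else             print "none"
        }'
}

# hash_style_of FILE: classify one file on disk (needs binutils' readelf).
hash_style_of() {
    readelf -d "$1" 2>/dev/null | classify_hash_style
}

# list_not_gnu_only DIR: print "<style> <path>" for every file under DIR that
# still has a SysV hash table, i.e. was not relinked with --hash-style=gnu.
list_not_gnu_only() {
    find "$1" -type f | while IFS= read -r lg_path; do
        lg_style=$(hash_style_of "$lg_path")
        case $lg_style in
            both|sysv) printf '%s %s\n' "$lg_style" "$lg_path" ;;
        esac
    done
}

# Constructed sample: dynamic-section lines as printed for a binary linked
# with --hash-style=both (addresses are made up).
SAMPLE_BOTH=' 0x0000000000000001 (NEEDED)             Shared library: [libc.so.6]
 0x0000000000000004 (HASH)               0x400298
 0x000000006ffffef5 (GNU_HASH)           0x4002c0
 0x0000000000000005 (STRTAB)             0x400400'

# Same sample with the SysV entry removed, as after relinking with gnu only.
SAMPLE_GNU=$(printf '%s\n' "$SAMPLE_BOTH" | grep -v '(HASH)')

# Usage: sh hash-style.sh /usr/lib   (lists files that still carry DT_HASH)
if [ "$#" -eq 1 ]; then
    list_not_gnu_only "$1"
fi
```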
d2_racing Bodhisattva
Joined: 25 Apr 2005 Posts: 13047 Location: Ste-Foy,Canada
|
Posted: Mon Sep 01, 2008 4:06 pm Post subject: |
|
|
Nice guide, I'm looking forward to testing this guide in the near future |
Sadako Advocate
Joined: 05 Aug 2004 Posts: 3792 Location: sleeping in the bathtub
|
Posted: Tue Sep 02, 2008 6:46 pm Post subject: |
|
|
One thing which seems to be missing is any mention of the portage slowdown due to a toolchain eclass in the overlay overriding one in portage proper.
Every time after you emerge --sync, you should notice any portage usage extremely slow for a while, this is because the dependency cache for each ebuild related to the emerge command you entered is being regenerated.
You can regenerate the entire cache at once with `emerge --regen`, although this is quite slow (~20 minutes with my 2.4 GHz athlon64 X2).
An alias such as 'esync="emerge --sync && emerge --regen"' can be useful (although I'm using a script instead which performs a few other operations as well).
Also, it can be well worth making use of rsync's "exclude" to reduce the size of the portage tree fetched during emerge --sync, for example getting rid of either the gnome-* or kde-* categories, or the vim or emacs/xemacs ones, depending on which zealot you happen to be.
This can help to reduce the time it takes to --regen by quite a bit, and if you're using this on a headless box you can drastically reduce both the size of the portage tree and how long --regen takes.
For reference, you'd typically use it by adding PORTAGE_RSYNC_EXTRA_OPTS="--exclude-from=/etc/portage/rsync_excludes" to make.conf, and /etc/portage/rsync_excludes contains entries like the following to exclude (for example) all games-related ebuilds and mono/.net or whatever:
Code: |
dev-dotnet/
games-*/
|
`du -chs /usr/portage/*-*` should give you an idea of what it might be beneficial to remove, assuming you're not using anything from those categories, and more advanced/complicated excludes files can be used to remove all but a few specific packages from a category.
Anyways, I just thought this was something worth mentioning at least.
_________________
"You have to invite me in" |
d2_racing Bodhisattva
Joined: 25 Apr 2005 Posts: 13047 Location: Ste-Foy,Canada
|
Posted: Wed Sep 03, 2008 12:23 pm Post subject: |
|
|
Hopeless wrote: | One thing which seems to be missing is any mention of the portage slowdown due to a toolchain eclass in the overlay overriding one in portage proper.
Every time after you emerge --sync, you should notice any portage usage extremely slow for a while, this is because the dependency cache for each ebuild related to the emerge command you entered is being regenerated.
You can regenerate the entire cache at once with `emerge --regen`, although this is quite slow (~20 minutes with my 2.4 GHz athlon64 X2).
|
Hi, is there any documentation about this problem, because I want to know how did you find this problem ? I noticed this problem for a long time, but I never found any doc about that. |
kernelOfTruth Watchman
Joined: 20 Dec 2005 Posts: 6111 Location: Vienna, Austria; Germany; hello world :)
|
Posted: Wed Sep 03, 2008 1:24 pm Post subject: |
|
|
d2_racing wrote: | Hopeless wrote: | One thing which seems to be missing is any mention of the portage slowdown due to a toolchain eclass in the overlay overriding one in portage proper.
Every time after you emerge --sync, you should notice any portage usage extremely slow for a while, this is because the dependency cache for each ebuild related to the emerge command you entered is being regenerated.
You can regenerate the entire cache at once with `emerge --regen`, although this is quite slow (~20 minutes with my 2.4 GHz athlon64 X2).
|
Hi, is there any documentation about this problem, because I want to know how did you find this problem ? I noticed this problem for a long time, but I never found any doc about that. |
read the messages portage spits out after emerge --sync
_________________
https://github.com/kernelOfTruth/ZFS-for-SystemRescueCD/tree/ZFS-for-SysRescCD-4.9.0
https://github.com/kernelOfTruth/pulseaudio-equalizer-ladspa
Hardcore Gentoo Linux user since 2004 |
neuron Advocate
Joined: 28 May 2002 Posts: 2371
|
Posted: Sun Sep 07, 2008 5:51 pm Post subject: |
|
|
One of those mirrors was really slow for me for some reason, so I mirrored the files:
http://geezer.mine.nu/hardened/ |
Naib Watchman
Joined: 21 May 2004 Posts: 6051 Location: Removed by Neddy
|
Posted: Sun Sep 07, 2008 5:59 pm Post subject: |
|
|
The server where the stages are hosted has been having a "fun time" recently, it should be fine tho now _________________
Quote: | Removed by Chiitoo |
|
neuron Advocate
Joined: 28 May 2002 Posts: 2371
|
Posted: Sun Sep 07, 2008 6:04 pm Post subject: |
|
|
Naib wrote: | The server where the stages are hosted has been having a "fun time" recently, it should be fine tho now |
That one was ok, fast but bursting, the second one was really slow for me though, could be a long traceroute though, I dunno. |
neuron Advocate
Joined: 28 May 2002 Posts: 2371
|
Posted: Sun Sep 07, 2008 6:19 pm Post subject: |
|
|
Quote: |
Adding Baselayout2 & OpenRC to package.keywords. This step is optional & should not be used if using the gcc-4.3 testing branch.
|
Could you include a bug # or thread with information on why that fails/progress on fixing it? |
zorry Developer
Joined: 30 Mar 2008 Posts: 380 Location: Umeå The north part of scandinavia
|
Posted: Sun Sep 07, 2008 6:37 pm Post subject: |
|
|
neuron wrote: | Quote: |
Adding Baselayout2 & OpenRC to package.keywords. This step is optional & should not be used if using the gcc-4.3 testing branch.
|
Could you include a bug # or thread with information on why that fails/progress on fixing it? |
You need the OpenRC-9999 version to use it on the testing branch.
It has an O_CREATE bug; look for that in the trac or on the forum thread.
_________________
gcc version 6.1.0 (Gentoo Hardened 6.1.0 p1.1) |
neuron Advocate
Joined: 28 May 2002 Posts: 2371
|
Posted: Sun Sep 07, 2008 8:33 pm Post subject: |
|
|
echo "=sys-apps/net-tools-1.60_p20071202044231-r1" >>/etc/portage/package.keywords
also needed on gcc 4.3 |
likewhoa l33t
Joined: 04 Oct 2006 Posts: 778 Location: Brooklyn, New York
|
Posted: Sun Sep 07, 2008 8:47 pm Post subject: |
|
|
neuron wrote: | echo "=sys-apps/net-tools-1.60_p20071202044231-r1" >>/etc/portage/package.keywords
also needed on gcc 4.3 |
noted. |
neuron Advocate
Joined: 28 May 2002 Posts: 2371
|
Posted: Thu Sep 11, 2008 4:29 pm Post subject: |
|
|
Quote: | GCC-4.3 Testing Branch ONLY
Code: | # echo "=sys-apps/openrc-9999* ~ARCH">>/etc/portage/package.keywords |
|
Has to be openrc-9999* **, not ~arch.
Note that you don't actually need ~arch anymore, having the line implies ~${ARCH} |
likewhoa l33t
Joined: 04 Oct 2006 Posts: 778 Location: Brooklyn, New York
|
Posted: Thu Sep 11, 2008 5:15 pm Post subject: |
|
|
neuron wrote: | Quote: | GCC-4.3 Testing Branch ONLY
Code: | # echo "=sys-apps/openrc-9999* ~ARCH">>/etc/portage/package.keywords |
|
Has to be openrc-9999* **, not ~arch.
Note that you dont actually need ~arch anymore, having the line implies ~${ARCH} |
Didn't notice it was masked by missing keyword. changes made. thanks for the changes. |
dubkat n00b
Joined: 03 Oct 2007 Posts: 8 Location: Syracuse, NY
|
Posted: Thu Oct 09, 2008 5:34 pm Post subject: |
|
|
I tested this guide on an already existing Hardened Gentoo 3 fileserver, using Paludis instead of Portage. I went for GCC-4.2.4 and it went off without a hitch (so far). Thank you for all your hard work. Hopefully this will be considered official in the near future!
-d |
apfritts Apprentice
Joined: 11 Sep 2004 Posts: 156 Location: Mountain View, California, USA
|
Xake Guru
Joined: 11 Feb 2004 Posts: 588 Location: Göteborg, the rainy part of scandinavia
|
Posted: Fri Oct 17, 2008 5:03 am Post subject: Re: Error compiling GCC 4.3 |
|
|
hellboi64 wrote: |
* /usr/portage/sys-devel/gcc/files/4.2.0/gcc-4.2.0-cc1-no-stack-protector.patch
* ( gcc-4.2.0-cc1-no-stack-protector.patch )
*
|
You must build gcc-4.3.1-r1; our eclasses do not work with the gcc ebuilds from portage. |
zorry Developer
Joined: 30 Mar 2008 Posts: 380 Location: Umeå The north part of scandinavia
|
Posted: Fri Oct 17, 2008 9:58 am Post subject: Re: Error compiling GCC 4.3 |
|
|
Xake wrote: | hellboi64 wrote: |
* /usr/portage/sys-devel/gcc/files/4.2.0/gcc-4.2.0-cc1-no-stack-protector.patch
* ( gcc-4.2.0-cc1-no-stack-protector.patch )
*
|
You must build gcc-4.3.1-r1; our eclasses do not work with the gcc ebuilds from portage. |
Take the support in this thread: How long until hardened and toolchain will produce a hardened gcc4?
Mod edit: the new support thread is here. --timeBandit
_________________
gcc version 6.1.0 (Gentoo Hardened 6.1.0 p1.1) |
apfritts Apprentice
Joined: 11 Sep 2004 Posts: 156 Location: Mountain View, California, USA
|
zorry Developer
Joined: 30 Mar 2008 Posts: 380 Location: Umeå The north part of scandinavia
|
Posted: Fri Oct 17, 2008 2:36 pm Post subject: |
|
|
hellboi64 wrote: | I am getting the same error :-\
Code: | * Cannot find $EPATCH_SOURCE! Value for $EPATCH_SOURCE is:
*
* /usr/portage/sys-devel/gcc/files/4.2.0/gcc-4.2.0-cc1-no-stack-protector.patch
* ( gcc-4.2.0-cc1-no-stack-protector.patch )
*
* ERROR: sys-devel/gcc-4.3.1-r1 failed.
* Call stack:
* ebuild.sh, line 49: Called src_unpack
* environment, line 4800: Called gcc_src_unpack
* environment, line 3120: Called do_gcc_SSP_patches
* environment, line 1252: Called epatch 'src_unpack'
* environment, line 1992: Called die
* The specific snippet of code:
* die "Cannot find \$EPATCH_SOURCE!";
* The die message:
* Cannot find $EPATCH_SOURCE!
*
* If you need support, post the topmost build error, and the call stack if relevant.
* A complete build log is located at '/var/log/portage/sys-devel:gcc-4.3.1-r1:20081017-132207.log'.
* The ebuild environment file is located at '/var/tmp/portage/sys-devel/gcc-4.3.1-r1/temp/environment'.
* This ebuild used the following eclasses from overlays:
* /usr/local/toolchain-overlay/eclass/toolchain.eclass
* /usr/local/toolchain-overlay/eclass/toolchain-funcs.eclass
* /usr/local/toolchain-overlay/eclass/flag-o-matic.eclass |
|
You need to use the GCC from the overlay, not the one from portage.
Post support QA in the Support thread.
_________________
gcc version 6.1.0 (Gentoo Hardened 6.1.0 p1.1) |