From: zimoun
To: kiasoc5@tutanota.com, Guix Devel
Subject: Re: Hardened toolchain
References: <874k3r8m4m.fsf@gmail.com>
Date: Tue, 22 Mar 2022 20:06:55 +0100
Message-ID: <86y2119580.fsf@gmail.com>

Hi,

(Although you know :) please keep CC guix-devel.)

On Tue, 22 Mar 2022 at 18:23, kiasoc5@tutanota.com wrote:

>> --8<---------------cut here---------------start------------->8---
>> (define (make-gcc-hardened gcc)
>>   (package
>>     (inherit gcc)
>>     (arguments
>>      (substitute-keyword-arguments (package-arguments gcc)
>>        ((#:configure-flags flags
>>          `(append (list "--enable-default-ssp" "--enable-default-pie")
>>                   ,flags)))))))
>>
>> (define-public gcc-hardened
>>   (make-gcc-hardened gcc))
>> --8<---------------cut here---------------end--------------->8---

[...]

>
> I get an error when I build with guix, if you could help find it that
> would be great.
>
> % ./pre-inst-env guix build -f hardened.scm
> /home/kiasoc5/build/guix-notes/hardening/hardened.scm:11:10: error: (substitute-keyword-arguments (package-arguments gcc) ((#:conﬁgure-ﬂags ﬂags (quasiquote (append (list "--enable-default-ssp" "--enable-default-pie") (unquote ﬂags)))))): source expression failed to match any pattern

That’s because of a typo. :-)

        ((#:configure-flags flags
                                 ^
                                 missing closing parenthesis.

Well, it looks like:

--8<---------------cut here---------------start------------->8---
(use-modules (gnu)
             (guix)
             (guix packages))

(use-package-modules gcc)

(define (make-gcc-hardened gcc)
  (package
    (inherit gcc)
    (arguments
     (substitute-keyword-arguments (package-arguments gcc)
       ((#:configure-flags flags)
        `(append (list "--enable-default-ssp" "--enable-default-pie")
                 ,flags))))))

(define-public gcc-hardened
  (make-gcc-hardened gcc))

gcc-hardened
--8<---------------cut here---------------end--------------->8---

Then, this command

    guix build -f hardened.scm -n

returns:

--8<---------------cut here---------------start------------->8---
substitute: updating substitutes from 'https://ci.guix.gnu.org'... 100.0%
substitute: updating substitutes from 'https://bordeaux.guix.gnu.org'... 100.0%
The following derivation would be built:
   /gnu/store/3i6i3pqr5r7l1568b3hswbgych974aqw-gcc-10.3.0.drv
81.4 MB would be downloaded:
   /gnu/store/7vrx4p62bkmxzrxwqdc4il9hqyh1yngh-libstdc++-10.3.0
   /gnu/store/i459ksarhxysqb8gxa8hq6phl13d0q4a-libstdc++-headers-10.3.0
   /gnu/store/d3js6699lc1p0sw7p0dkafi0cn33sig6-gcc-10.3.0.tar.xz
--8<---------------cut here---------------end--------------->8---

I have not tried to effectively build this gcc-hardened. :-)

Hope that helps.

Cheers,
simon
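
Added example (not part of the original message): once gcc-hardened has been built, the two configure flags can be verified on a binary it produces, since --enable-default-pie turns on -fPIE/-pie and --enable-default-ssp turns on -fstack-protector-strong by default. The function names elf_hardening and sample_elf are hypothetical, and the check assumes a little-endian, dynamically linked ELF64 file.

```python
import struct
import sys

ET_EXEC, ET_DYN, PT_INTERP = 2, 3, 3

def elf_hardening(data: bytes) -> dict:
    """Report PIE and stack-protector evidence for a little-endian ELF64 image."""
    if data[:4] != b"\x7fELF" or data[4:6] != b"\x02\x01":
        raise ValueError("not a little-endian ELF64 file")
    (e_type,) = struct.unpack_from("<H", data, 16)
    (e_phoff,) = struct.unpack_from("<Q", data, 32)
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 54)
    # p_type is the first 32-bit field of every program header entry.
    p_types = [struct.unpack_from("<I", data, e_phoff + i * e_phentsize)[0]
               for i in range(e_phnum)]
    return {
        "kind": {ET_EXEC: "EXEC", ET_DYN: "DYN"}.get(e_type, hex(e_type)),
        # A dynamically linked PIE is ET_DYN and carries PT_INTERP; an
        # ordinary shared library is ET_DYN but normally has no PT_INTERP.
        # Assumption: static-pie output is out of scope for this check.
        "pie": e_type == ET_DYN and PT_INTERP in p_types,
        # The canary failure handler is referenced by name in the dynamic
        # string table. -fstack-protector-strong only instruments functions
        # with arrays or address-taken locals, so the test program needs one.
        "ssp": b"__stack_chk_fail" in data,
    }

def sample_elf(e_type: int, p_types: list, extra: bytes = b"") -> bytes:
    """Constructed input: ELF64 header plus bare program headers (not a real binary)."""
    ident = b"\x7fELF" + bytes([2, 1, 1]) + bytes(9)
    header = ident + struct.pack("<HHIQQQIHHHHHH", e_type, 62, 1, 0, 64, 0, 0,
                                 64, 56, len(p_types), 64, 0, 0)
    phdrs = b"".join(struct.pack("<I", t) + bytes(52) for t in p_types)
    return header + phdrs + extra

if __name__ == "__main__":
    # With no arguments, run on the constructed sample instead of a file.
    if len(sys.argv) == 1:
        print("constructed sample:",
              elf_hardening(sample_elf(ET_DYN, [6, PT_INTERP, 1],
                                       b"\0__stack_chk_fail\0")))
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            print(path, elf_hardening(fh.read()))
```

Compile a small C file containing a function with a local char buffer using the new compiler and no hardening flags on the command line, then pass the resulting binary to the script; both "pie" and "ssp" should be True if the defaults took effect.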