From mboxrd@z Thu Jan 1 00:00:00 1970
From: zimoun
To: kiasoc5@tutanota.com, guix-devel@gnu.org
Subject: Hardened toolchain
In-Reply-T: MtzBL4o--3-2@tutanota.com
Date: Mon, 21 Mar 2022 14:34:49 +0100
Message-ID: <874k3r8m4m.fsf@gmail.com>
MIME-Version: 1.0
Content-Type: text/plain
List-Id: "Development of GNU Guix and the GNU System distribution."

Hi,

> I posted an initial message on help-guix about compiling a custom
> hardened gcc, but guix-devel is a better list to continue the
> discussion. I wanted to revisit compiling Guix packages with a
> hardened toolchain since many other distros do this to improve the
> security of their packages.

On help-guix, you mean this [1], right?

1:

> Previous emails only mentioned passing hardening options to CFLAGS and
> LDFLAGS. Another important step is to compile features into GCC and
> binutils. Specifically:
> * gcc can be compiled with `--enable-default-ssp --enable-default-pie`
> to enforce ssp and pic

You wrote [1]:

--8<---------------cut here---------------start------------->8---
(define-public gcc
  (package
    (inherit gcc)
    (arguments
     (substitute-keyword-arguments (package-arguments gcc)
       ((#:configure-flags flags)
        `(append (list "--enable-default-ssp" "--enable-default-pie")
                 ,flags))))))
--8<---------------cut here---------------end--------------->8---

and from my understanding, it can lead to a name clash because the symbol
'gcc' (define-public gcc) and the symbol 'gcc' (inherit gcc) are the same
but do not refer to the same thing.  Instead, let's define it as
gcc-hardened or anything else than 'gcc'.

Note that it could be better to define a procedure taking a GCC package
and returning it with "hardened" options.
Untested,

--8<---------------cut here---------------start------------->8---
(define (make-gcc-hardened gcc)
  (package
    (inherit gcc)
    (arguments
     (substitute-keyword-arguments (package-arguments gcc)
       ((#:configure-flags flags)
        `(append (list "--enable-default-ssp" "--enable-default-pie")
                 ,flags))))))

(define-public gcc-hardened (make-gcc-hardened gcc))
--8<---------------cut here---------------end--------------->8---

This way, it becomes easy to also get GCC@7 using such options.

> * binutils can be compiled with `--enable-relro --enable-pic` to
> enforce relro and pic

Yes.  Indeed, you need to adapt various tools from "gcc-toolchain" with
these hardened options.

> I'm not a toolchain expert by any means, but I think this is a good
> first step in improving Guix package security.

Once you have a new hardened gcc-toolchain, then you can use a package
transformation (with-c-toolchain) and recompile all the graph using this
new hardened gcc-toolchain for the packages you are interested in.

Including such and providing binary substitutes is another question. :-)
(maintenance burden, etc.)

Hope that helps

Cheers,
simon
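As an added example (not code from this thread, nor from Guix itself), a module that assembles the steps described in the message above: hardened variants of gcc and binutils built with the quoted configure flags, a gcc-toolchain made from them, and one package rebuilt with it via the Scheme form of with-c-toolchain. It assumes that (gnu packages commencement) exports make-gcc-toolchain, that the toolchain it returns labels its binutils input "binutils", and that both packages' #:configure-flags are plain (quasi)quoted lists as in the snippets above.

```scheme
;; Added example, not code from this thread.  Applies the hardening flags
;; discussed above to gcc and binutils, assembles a gcc-toolchain from
;; them and rebuilds a package with that toolchain.
;; Assumptions: (gnu packages commencement) exports make-gcc-toolchain,
;; the toolchain's binutils input carries the label "binutils", and both
;; packages' #:configure-flags are plain (quasi)quoted lists.
(define-module (hardened-toolchain)
  #:use-module (guix packages)
  #:use-module (guix utils)                 ; substitute-keyword-arguments
  #:use-module (guix build-system gnu)      ; package-with-c-toolchain
  #:use-module (gnu packages gcc)           ; gcc
  #:use-module (gnu packages base)          ; binutils, hello
  #:use-module (gnu packages commencement)) ; make-gcc-toolchain

;; Return PKG, renamed with SUFFIX, with FLAGS prepended to #:configure-flags.
(define (with-extra-configure-flags pkg suffix flags)
  (package
    (inherit pkg)
    (name (string-append (package-name pkg) suffix))
    (arguments
     (substitute-keyword-arguments (package-arguments pkg)
       ((#:configure-flags old-flags ''())
        `(append (list ,@flags) ,old-flags))))))

(define (make-gcc-hardened gcc)
  (with-extra-configure-flags gcc "-hardened"
    '("--enable-default-ssp" "--enable-default-pie")))

(define (make-binutils-hardened binutils)
  (with-extra-configure-flags binutils "-hardened"
    '("--enable-relro" "--enable-pic")))

(define-public gcc-hardened (make-gcc-hardened gcc))
(define-public binutils-hardened (make-binutils-hardened binutils))

;; Full toolchain: gcc comes from the hardened variant; binutils is
;; swapped for its hardened variant in the toolchain's inputs.
(define-public gcc-toolchain-hardened
  (let ((toolchain (make-gcc-toolchain gcc-hardened)))
    (package
      (inherit toolchain)
      (name "gcc-toolchain-hardened")
      (inputs (modify-inputs (package-inputs toolchain)
                (replace "binutils" binutils-hardened))))))

;; Scheme form of: guix build -L . hello --with-c-toolchain=hello=gcc-toolchain-hardened
(define-public hello-hardened
  (package-with-c-toolchain hello
                            `(("toolchain" ,gcc-toolchain-hardened))))
```

Placing this file as hardened-toolchain.scm in the current directory and running the guix command quoted in the last comment rebuilds hello, and everything with-c-toolchain covers in its graph, with the hardened toolchain.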