unofficial mirror of guix-devel@gnu.org 
* Hardened toolchain
@ 2022-03-21 13:34 zimoun
       [not found] ` <Mymdzxm--3-2@tutanota.com>
  2022-03-27 20:22 ` Maxime Devos
  0 siblings, 2 replies; 32+ messages in thread
From: zimoun @ 2022-03-21 13:34 UTC (permalink / raw)
  To: kiasoc5, guix-devel

Hi,

> I posted an initial message on help-guix about compiling a custom
> hardened gcc, but guix-devel is a better list to continue the
> discussion. I wanted to revisit compiling Guix packages with a
> hardened toolchain since many other distros do this to improve the
> security of their packages.

On help-guix, you mean this [1], right?

1: <https://yhetil.org/guix/MtzBL4o--3-2@tutanota.com/>


> Previous emails only mentioned passing hardening options to CFLAGS and
> LDFLAGS. Another important step is to compile features into GCC and
> binutils.  Specifically:

> * gcc can be compiled with `--enable-default-ssp --enable-default-pie`
> to enforce ssp and pic

You wrote [1]:

--8<---------------cut here---------------start------------->8---
(define-public gcc
  (package
    (inherit gcc)
    (arguments
     (substitute-keyword-arguments (package-arguments gcc)
       ;; each clause is ((#:keyword variable) expression)
       ((#:configure-flags flags)
        `(append (list "--enable-default-ssp" "--enable-default-pie")
                 ,flags))))))
--8<---------------cut here---------------end--------------->8---

and from my understanding, it can lead to a name clash because the symbol
'gcc' in (define-public gcc) and the symbol 'gcc' in (inherit gcc) are
the same but do not refer to the same thing.

Instead, let us define it as gcc-hardened or anything other than 'gcc'.
Note that it could be better to define a procedure taking a GCC package
and returning it with "hardened" options.  Untested,

--8<---------------cut here---------------start------------->8---
(define (make-gcc-hardened gcc)
  ;; Return GCC with the stack-protector and PIE defaults switched on,
  ;; keeping every other configure flag of the package it is given.
  (package
    (inherit gcc)
    (arguments
     (substitute-keyword-arguments (package-arguments gcc)
       ;; each clause is ((#:keyword variable) expression)
       ((#:configure-flags flags)
        `(append (list "--enable-default-ssp" "--enable-default-pie")
                 ,flags))))))

(define-public gcc-hardened
  (make-gcc-hardened gcc))
--8<---------------cut here---------------end--------------->8---

This way, it becomes easy to also get GCC@7 using such options.


> * binutils can be compiled with `--enable-relro --enable-pic` to
> enforce relro and pic

Yes.  Indeed, you need to adapt various tools from "gcc-toolchain" with
these hardened options.


> I'm not a toolchain expert by any means, but I think this is a good
> first step in improving Guix package security.

Once you have a new hardened gcc-toolchain, then you can use a package
transformation (with-c-toolchain) and recompile the whole graph using this
new hardened gcc-toolchain for the packages you are interested in.

Including this and providing binary substitutes is another question. :-)
(maintenance burden, etc.)


Hope that helps

Cheers,
simon


* Re: Hardened toolchain
@ 2022-04-15 20:36 Nathan Dehnel
  2022-04-16  3:51 ` raingloom
  0 siblings, 1 reply; 32+ messages in thread
From: Nathan Dehnel @ 2022-04-15 20:36 UTC (permalink / raw)
  To: raingloom, guix-devel

> People shouldn't have to take extra steps and burn extra CPU cycles for
> security. If I have to recompile everything to harden my system, I
> likely won't bother.
> Pretty much everyone benefits from hardening, but not everyone has the
> resources and know-how to do it manually. Just choosing what to harden
> is already not a trivial question.

Then have hardened be the default and have --hardened=off be the
package transform option?


* Hardened toolchain
@ 2022-03-21  4:31 kiasoc5--- via Development of GNU Guix and the GNU System distribution.
  0 siblings, 0 replies; 32+ messages in thread
From: kiasoc5--- via Development of GNU Guix and the GNU System distribution. @ 2022-03-21  4:31 UTC (permalink / raw)
  To: Guix Devel

I posted an initial message on help-guix about compiling a custom hardened gcc, but guix-devel is a better list to continue the discussion. I wanted to revisit compiling Guix packages with a hardened toolchain since many other distros do this to improve the security of their packages.

Previous emails only mentioned passing hardening options to CFLAGS and LDFLAGS. Another important step is to compile features into GCC and binutils. Specifically:

* gcc can be compiled with `--enable-default-ssp --enable-default-pie` to enforce ssp and pic
* binutils can be compiled with `--enable-relro --enable-pic` to enforce relro and pic

I'm not a toolchain expert by any means, but I think this is a good first step in improving Guix package security.

1. https://lists.archlinux.org/pipermail/arch-dev-public/2016-October/028405.html


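The flags listed in the post above change what the compiler and linker emit by default, so the practical check is on the produced binaries: is each executable a PIE, does it carry a RELRO segment, and does it reference the stack-protector failure handler. The script below is an added example, not code from this thread or from the Guix project. It reads those properties straight from the ELF64 headers with nothing but the Python standard library; `build_sample_elf` is a constructed minimal ELF image, an assumption made so the checker can be exercised without a toolchain at hand, not real compiler output.

```python
"""Check an ELF64 binary for the properties a hardened toolchain should
produce: PIE (gcc --enable-default-pie), RELRO (binutils --enable-relro)
and, heuristically, stack-protector use (gcc --enable-default-ssp).
Added example for the guix-devel thread, not Guix project code."""
import struct
import sys

# Constants from the ELF specification and the GNU extensions.
ET_EXEC, ET_DYN = 2, 3
PT_INTERP, PT_DYNAMIC, PT_GNU_RELRO = 3, 2, 0x6474E552
DT_NULL, DT_FLAGS, DT_FLAGS_1 = 0, 30, 0x6FFFFFFB
DF_BIND_NOW, DF_1_NOW, DF_1_PIE = 0x8, 0x1, 0x08000000


def parse_program_headers(data):
    """Return (e_type, [(p_type, p_offset, p_filesz), ...]) for a little-endian ELF64 image."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    if data[4] != 2 or data[5] != 1:
        raise ValueError("only little-endian ELF64 is handled here")
    (e_type,) = struct.unpack_from("<H", data, 16)
    (e_phoff,) = struct.unpack_from("<Q", data, 32)
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 54)
    phdrs = []
    for i in range(e_phnum):
        p_type, _flags, p_offset, _vaddr, _paddr, p_filesz = struct.unpack_from(
            "<IIQQQQ", data, e_phoff + i * e_phentsize)
        phdrs.append((p_type, p_offset, p_filesz))
    return e_type, phdrs


def parse_dynamic(data, phdrs):
    """Return {d_tag: d_val} from the PT_DYNAMIC segment, stopping at DT_NULL."""
    tags = {}
    for p_type, p_offset, p_filesz in phdrs:
        if p_type != PT_DYNAMIC:
            continue
        for off in range(p_offset, p_offset + p_filesz, 16):
            d_tag, d_val = struct.unpack_from("<qQ", data, off)
            if d_tag == DT_NULL:
                break
            tags[d_tag] = d_val
    return tags


def hardening_report(data):
    """Summarise the PIE / RELRO / SSP evidence found in an ELF image."""
    e_type, phdrs = parse_program_headers(data)
    seg_types = {p_type for p_type, _, _ in phdrs}
    dyn = parse_dynamic(data, phdrs)
    flags, flags1 = dyn.get(DT_FLAGS, 0), dyn.get(DT_FLAGS_1, 0)
    # A PIE is linked as ET_DYN but, unlike a plain shared library, carries an
    # interpreter; newer linkers also set DF_1_PIE explicitly.
    pie = e_type == ET_DYN and (PT_INTERP in seg_types or bool(flags1 & DF_1_PIE))
    # --enable-relro yields partial RELRO (a PT_GNU_RELRO segment).  Full RELRO
    # additionally needs immediate binding (-z now), visible as DF_BIND_NOW or
    # DF_1_NOW, so the GOT can be made read-only after relocation.
    relro = "none"
    if PT_GNU_RELRO in seg_types:
        relro = "full" if (flags & DF_BIND_NOW or flags1 & DF_1_NOW) else "partial"
    # SSP leaves no header flag; protected functions reference __stack_chk_fail.
    # A byte scan is only a hint: a binary with no protectable frames makes no
    # canary calls even when built with -fstack-protector-strong.
    ssp_hint = b"__stack_chk_fail" in data
    return {"pie": pie, "relro": relro, "ssp_hint": ssp_hint}


def build_sample_elf(pie=True, relro=True, bind_now=False, ssp=False):
    """Constructed sample (not compiler output): the minimal ELF64 skeleton
    the checker needs, so the script can be exercised without a toolchain."""
    dyn = b"".join(struct.pack("<qQ", t, v) for t, v in
                   ([(DT_FLAGS, DF_BIND_NOW)] if bind_now else []) + [(DT_NULL, 0)])
    segs = [PT_INTERP, PT_DYNAMIC] + ([PT_GNU_RELRO] if relro else [])
    phoff, dyn_off = 64, 64 + 56 * len(segs)
    phdrs = b""
    for p_type in segs:
        off, size = (dyn_off, len(dyn)) if p_type == PT_DYNAMIC else (0, 0)
        phdrs += struct.pack("<IIQQQQQQ", p_type, 0, off, 0, 0, size, size, 8)
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)  # ELF64, little-endian, v1
    ehdr = ident + struct.pack("<HHIQQQIHHHHHH", ET_DYN if pie else ET_EXEC, 62, 1,
                               0, phoff, 0, 0, 64, 56, len(segs), 64, 0, 0)
    return ehdr + phdrs + dyn + (b"__stack_chk_fail\0" if ssp else b"")


if __name__ == "__main__":
    paths = sys.argv[1:]
    for path in paths:
        with open(path, "rb") as f:
            print(path, hardening_report(f.read()))
    if not paths:
        print("constructed sample:", hardening_report(build_sample_elf(bind_now=True, ssp=True)))
```

Run it as `python3 check_hardening.py /path/to/binary ...` (the file name is assumed); without arguments it reports on the constructed sample. Note that binutils' `--enable-relro` only makes `-z relro` the default, so binaries from such a toolchain report `partial` unless they were also linked with `-z now`, which is a separate LDFLAGS decision.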

Thread overview: 32+ messages
2022-03-21 13:34 Hardened toolchain zimoun
     [not found] ` <Mymdzxm--3-2@tutanota.com>
2022-03-22 19:06   ` zimoun
2022-03-22 20:02     ` kiasoc5--- via Development of GNU Guix and the GNU System distribution.
2022-03-25 19:39       ` kiasoc5--- via Development of GNU Guix and the GNU System distribution.
2022-03-25 22:54         ` zimoun
2022-03-26 19:33           ` kiasoc5--- via Development of GNU Guix and the GNU System distribution.
2022-03-26 22:02             ` kiasoc5--- via Development of GNU Guix and the GNU System distribution.
2022-03-27 20:06             ` zimoun
2022-03-27 20:22 ` Maxime Devos
2022-03-28  3:17   ` Maxim Cournoyer
2022-03-28  7:35     ` zimoun
2022-03-29  0:02     ` kiasoc5--- via Development of GNU Guix and the GNU System distribution.
2022-03-29 10:15     ` Ludovic Courtès
2022-04-14 18:59       ` kiasoc5--- via Development of GNU Guix and the GNU System distribution.
2022-04-15 15:18       ` jbranso
2022-04-15 16:04         ` Zhu Zihao
2022-04-15 16:34           ` raingloom
2022-04-26 11:07             ` Katherine Cox-Buday
2022-04-28 17:36               ` Aurora
2022-04-28 17:41                 ` Katherine Cox-Buday
2022-04-28 19:53                   ` Aurora
2022-04-28 17:50                 ` Vagrant Cascadian
2022-04-28 19:54                   ` Aurora
2022-04-29 10:31       ` zimoun
2022-04-29 15:51         ` kiasoc5--- via Development of GNU Guix and the GNU System distribution.
2022-05-02 14:55         ` Katherine Cox-Buday
2022-05-02 16:25         ` Maxime Devos
2022-05-02 17:41           ` zimoun
2022-05-02 21:10             ` Maxime Devos
  -- strict thread matches above, loose matches on Subject: below --
2022-04-15 20:36 Nathan Dehnel
2022-04-16  3:51 ` raingloom
2022-03-21  4:31 kiasoc5--- via Development of GNU Guix and the GNU System distribution.
