From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <guix-devel-bounces+larch=yhetil.org@gnu.org>
Received: from mp11.migadu.com ([2001:41d0:8:6d80::])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits))
	by ms0.migadu.com with LMTPS
	id SBl3O8McOGKCRAAAgWs5BA
	(envelope-from <guix-devel-bounces+larch=yhetil.org@gnu.org>)
	for <larch@yhetil.org>; Mon, 21 Mar 2022 07:35:47 +0100
Received: from aspmx1.migadu.com ([2001:41d0:8:6d80::])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits))
	by mp11.migadu.com with LMTPS
	id 0STUOMMcOGK8FQEA9RJhRA
	(envelope-from <guix-devel-bounces+larch=yhetil.org@gnu.org>)
	for <larch@yhetil.org>; Mon, 21 Mar 2022 07:35:47 +0100
Received: from lists.gnu.org (lists.gnu.org [209.51.188.17])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by aspmx1.migadu.com (Postfix) with ESMTPS id 28ABD2967A
	for <larch@yhetil.org>; Mon, 21 Mar 2022 07:34:29 +0100 (CET)
Received: from localhost ([::1]:59774 helo=lists1p.gnu.org)
	by lists.gnu.org with esmtp (Exim 4.90_1)
	(envelope-from <guix-devel-bounces+larch=yhetil.org@gnu.org>)
	id 1nWBcZ-00050S-U4
	for larch@yhetil.org; Mon, 21 Mar 2022 02:34:27 -0400
Received: from eggs.gnu.org ([209.51.188.92]:56502)
 by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
 (Exim 4.90_1) (envelope-from <kiasoc5@tutanota.com>)
 id 1nW9hE-0002AB-VI
 for guix-devel@gnu.org; Mon, 21 Mar 2022 00:31:09 -0400
Received: from w1.tutanota.de ([81.3.6.162]:47952)
 by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
 (Exim 4.90_1) (envelope-from <kiasoc5@tutanota.com>)
 id 1nW9hA-0006wI-5B
 for guix-devel@gnu.org; Mon, 21 Mar 2022 00:31:08 -0400
Received: from w3.tutanota.de (unknown [192.168.1.164])
 by w1.tutanota.de (Postfix) with ESMTP id 48904FA0A89
 for <guix-devel@gnu.org>; Mon, 21 Mar 2022 04:31:01 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; t=1647837061; 
 s=s1; d=tutanota.com;
 h=From:From:To:To:Subject:Subject:Content-Description:Content-ID:Content-Type:Content-Type:Content-Transfer-Encoding:Content-Transfer-Encoding:Cc:Date:Date:In-Reply-To:MIME-Version:MIME-Version:Message-ID:Message-ID:Reply-To:References:Sender;
 bh=EUoaLGibmGhFF1Dfb1B4NKIqAI8Zu8WWzLv3j0c6eK4=;
 b=Aa96GgT2oWPB6E2SnhM0LE17ayxozzFw8Nbkd19kUJxlj57i2/1QtTe9eov08vze
 eWjjhy+9z7t/t+F7hRSVUpdQyhY3Z1HH1UcGROvhIptRHc9RnyOm1KRZlnakL7jXH6u
 6b/CMqK5Gz5knn3pqL38JN0WDeuZZq9gWpOd+HV50FHtyxO9rhH0v9WcbtyvK+9kYzk
 XFqBasC2qDfCxfum/RhMgC/HDeiD2q3UDl/ccaQXKjsE2wUHITj4NulY+VQ+SkpBgHA
 j/Dgkgon/ZEyn23/3NbU1YNa2aGluTF6bk3Inf7FmxAmbeqVKu1MDOqPT/TrvTCwMuW
 MADRnOiLiw==
Date: Mon, 21 Mar 2022 05:31:01 +0100 (CET)
To: Guix Devel <guix-devel@gnu.org>
Message-ID: <MyejWoQ--3-2@tutanota.com>
Subject: Hardened toolchain
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 7bit
Received-SPF: pass client-ip=81.3.6.162; envelope-from=kiasoc5@tutanota.com;
 helo=w1.tutanota.de
X-Spam_score_int: -20
X-Spam_score: -2.1
X-Spam_bar: --
X-Spam_report: (-2.1 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1,
 DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1,
 RCVD_IN_MSPIKE_H3=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_HELO_PASS=-0.001,
 SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01 autolearn=ham autolearn_force=no
X-Spam_action: no action
X-Mailman-Approved-At: Mon, 21 Mar 2022 02:31:23 -0400
X-BeenThere: guix-devel@gnu.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Development of GNU Guix and the GNU System distribution."
 <guix-devel.gnu.org>
List-Unsubscribe: <https://lists.gnu.org/mailman/options/guix-devel>,
 <mailto:guix-devel-request@gnu.org?subject=unsubscribe>
List-Archive: <https://lists.gnu.org/archive/html/guix-devel>
List-Post: <mailto:guix-devel@gnu.org>
List-Help: <mailto:guix-devel-request@gnu.org?subject=help>
List-Subscribe: <https://lists.gnu.org/mailman/listinfo/guix-devel>,
 <mailto:guix-devel-request@gnu.org?subject=subscribe>
Errors-To: guix-devel-bounces+larch=yhetil.org@gnu.org
Sender: "Guix-devel" <guix-devel-bounces+larch=yhetil.org@gnu.org>
Reply-to:  kiasoc5@tutanota.com
From: kiasoc5--- via "Development of GNU Guix and the GNU System distribution."
 <guix-devel@gnu.org>
X-Migadu-Flow: FLOW_IN
X-Migadu-To: larch@yhetil.org
X-Migadu-Country: US
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=yhetil.org;
	s=key1; t=1647844469;
	h=from:from:sender:sender:reply-to:reply-to:subject:subject:date:date:
	 message-id:message-id:to:to:cc:mime-version:mime-version:
	 content-type:content-type:
	 content-transfer-encoding:content-transfer-encoding:list-id:list-help:
	 list-unsubscribe:list-subscribe:list-post:dkim-signature;
	bh=EUoaLGibmGhFF1Dfb1B4NKIqAI8Zu8WWzLv3j0c6eK4=;
	b=IeMoxs9QDjXQRrlaq6t9ZD4qVWjVkkaYCbDE8/NWLmGZJgLPSetqC1kWo2GLGCjhbtowos
	ccqVFPbz/X15L9wJJnVnmMQ8yd7rVA0HROXW/t2kfoJQM/zaf5jZhAvj/YND0JW9bwWOKn
	6gF2CVw46QVlbO+AoTJnd94fTvW1QTzp/WHwgHk42bflv4K7RT/9vy+vJuHkdp1+Md3oYV
	t9Hcm7JMqE8XXIxhn+WqJj/WCNaoH8f3a4oRrqiueinGgSUeQI/wz/9V7TiIo6xUJwnsND
	vBLYhtMHNYuBk6wvp9DzKOE1E8Tv6tKaHwNxmmG/EAbeZ8qd3qw7p7eSqbCPGQ==
ARC-Seal: i=1; s=key1; d=yhetil.org; t=1647844469; a=rsa-sha256; cv=none;
	b=Z5g0PMOzBFf3fL4ZCdDQZ4q85DUFgfgG+FGwCwI0K6d8vh1LLiOZcCZja07LUEwSqVvfH0
	B0KUY7TkZ25KZewAkFQX74Q4VhPFvagtBabFvFfWYMkiLwOEkUZhh4T6aK/PE1hQZZR590
	evDJzOERKLFkU5pnSxMJo1Lpl1TrCVv7PZnHvrfHCeRjzwg2f38fJxcD4UKMLE2aos5owM
	bpZQ8c3ylOHaodzhJ8CH0DbL1bFQzkxWJMSNFAxBu2WH3mcv2bUm3mPjo7eTfkyi+92DXj
	oy7RuOoFeZnvTix/D8OHt0SuWaTKXTTne91Gaj3WHm67Oy6MLf6wYvHkleg0SA==
ARC-Authentication-Results: i=1;
	aspmx1.migadu.com;
	dkim=fail ("headers rsa verify failed") header.d=tutanota.com header.s=s1 header.b=Aa96GgT2;
	dmarc=pass (policy=none) header.from=gnu.org;
	spf=pass (aspmx1.migadu.com: domain of "guix-devel-bounces+larch=yhetil.org@gnu.org" designates 209.51.188.17 as permitted sender) smtp.mailfrom="guix-devel-bounces+larch=yhetil.org@gnu.org"
X-Migadu-Spam-Score: -4.22
Authentication-Results: aspmx1.migadu.com;
	dkim=fail ("headers rsa verify failed") header.d=tutanota.com header.s=s1 header.b=Aa96GgT2;
	dmarc=pass (policy=none) header.from=gnu.org;
	spf=pass (aspmx1.migadu.com: domain of "guix-devel-bounces+larch=yhetil.org@gnu.org" designates 209.51.188.17 as permitted sender) smtp.mailfrom="guix-devel-bounces+larch=yhetil.org@gnu.org"
X-Migadu-Queue-Id: 28ABD2967A
X-Spam-Score: -4.22
X-Migadu-Scanner: scn0.migadu.com
X-TUID: /BTgdeqec167

I posted an initial message on help-guix about compiling a custom hardened gcc, but guix-devel is a better list to continue the discussion. I wanted to revisit compiling Guix packages with a hardened toolchain since many other distros do this to improve the security of their packages.

Previous emails  only mentioned passing hardening options to CFLAGS and LDFLAGS. Another important step is to compile features into GCC and binutils. Specifically:

* gcc can be compiled with `--enable-default-ssp --enable-default-pie` to enforce ssp and pic
* binutils can be compiled with `--enable-relro --enable-pic` to enforce relro and pic

I'm not a toolchain expert by any means, but I think this is a good first step in improving Guix package security.

1. https://lists.archlinux.org/pipermail/arch-dev-public/2016-October/028405.html