From: kiasoc5--- via "Development of GNU Guix and the GNU System distribution."
Reply-To: kiasoc5@tutanota.com
To: zimoun
Cc: Guix Devel
Date: Sat, 26 Mar 2022 20:33:22 +0100 (CET)
Subject: Re: Hardened toolchain
In-Reply-To: <864k3l4p99.fsf@gmail.com>
References: <874k3r8m4m.fsf@gmail.com> <86y2119580.fsf@gmail.com> <864k3l4p99.fsf@gmail.com>
List-Id: "Development of GNU Guix and the GNU System distribution." (guix-devel@gnu.org)
Hi Simon,

Mar 25, 2022, 22:54 by zimon.toutoune@gmail.com:

> Hi,
>
> On Fri, 25 Mar 2022 at 20:39, kiasoc5@tutanota.com wrote:
>
>> ====the middle of guix build -f hardened.scm====
>> building /gnu/store/1nlrgg5ryl486haw0kdqnbp4wa17lhwh-gcc-10.3.0.drv...
>> Backtrace:
>> In ice-9/eval.scm:
>>    217:50 19 (lp (# ?))
>>    217:50 18 (lp (# ?))
>>    217:50 17 (lp (# ?))
>>    217:50 16 (lp (# ?))
>>    217:50 15 (lp (# ?))
>>    217:50 14 (lp (# ?))
>>    217:50 13 (lp (# ?))
>>    217:50 12 (lp (# ?))
>>    217:50 11 (lp (# ?))
>>    217:50 10 (lp (# ?))
>>    217:50  9 (lp (# ?))
>>    217:50  8 (lp (# ?))
>>    217:50  7 (lp (# ?))
>>    217:50  6 (lp (# ?))
>>    217:50  5 (lp (# ?))
>>    217:50  4 (lp (# ?))
>>    217:33  3 (lp (# ?))
>>     159:9  2 (_ #(#(# #f) #f))
>>     159:9  1 (_ #(#(# #f) #f))
>> In unknown file:
>>           0 (string-append "LDFLAGS=" "-Wl,-rpath=" #f "/lib " "-W?" ?)
>>
>> ERROR: In procedure string-append:
>> In procedure string-append: Wrong type (expecting string): #f
>> builder for `/gnu/store/1nlrgg5ryl486haw0kdqnbp4wa17lhwh-gcc-10.3.0.drv' failed with exit code 1
>> build of /gnu/store/1nlrgg5ryl486haw0kdqnbp4wa17lhwh-gcc-10.3.0.drv failed
>> View build log at '/var/log/guix/drvs/1n/lrgg5ryl486haw0kdqnbp4wa17lhwh-gcc-10.3.0.drv.gz'.
>> guix build: error: build of `/gnu/store/1nlrgg5ryl486haw0kdqnbp4wa17lhwh-gcc-10.3.0.drv' failed
>> ====the middle of guix build -f hardened.scm====
>>
>
> You are creating a cycle, no? It is not a DAG and so the transformation
> fails, no?
>

Oh, I didn't notice that. The example makes sense too.

> For instance, this:
>
> --8<---------------cut here---------------start------------->8---
> (use-modules (guix packages)
>              (gnu packages gcc)
>              (gnu packages base))
>
> (define make-gcc-toolchain
>   (@@ (gnu packages commencement) make-gcc-toolchain))
>
> (define gcc-bis
>   (package
>     (inherit gcc)
>     (version (string-append (package-version gcc) "-bis"))))
>
> (define gcc-toolchain-bis
>   (make-gcc-toolchain gcc-bis glibc))
>
> (define (package-with-c-toolchain-bis package)
>   (package-with-c-toolchain
>    package `(("toolchain" ,gcc-toolchain-bis))))
>
>
> (package-with-c-toolchain-bis gcc-bis)
> --8<---------------cut here---------------end--------------->8---
>
> fails with the same message. There is a bootstrapping issue: the binary
> of gcc-bis is required to compile the source of gcc-bis; where does such
> a binary of gcc-bis come from?
>
>
> Considering your use case, you need:
>
> - gcc considered as binary seed
>
> - use this binary gcc with the hardened options to compile the source
>   of GCC; resulting in the binary gcc-hardened-1
>
> - use this binary gcc-hardened-1 with the hardened options to recompile
>   the source of GCC; resulting in the binary gcc-hardened-2
>
> - if checksum(gcc-hardened-1) == checksum(gcc-hardened-2)
>   then use this binary to define a new toolchain
>   else reach the fixed point
>
> fixed point: use this binary gcc-hardened-{n-1} to compile the source of
> GCC and output the binary gcc-hardened-{n}; compare the checksum of
> the binary {n-1} and {n} and repeat until equality is reached.
>

Just so I understand, in other (imperative) words:

gcc-hardened-1 = gcc-hardened built with regular gcc
gcc-hardened-2 = gcc-hardened built with gcc-hardened-1

n = 1
while checksum(gcc-hardened-{n}) != checksum(gcc-hardened-{n+1}):
    n++
    gcc-hardened-{n+1} = gcc-hardened built with gcc-hardened-{n}

define the new toolchain with gcc-hardened-{n+1}

> Guix is not auto-magically resolving the fixed-point, i.e., it does not
> unroll the cycle by magic. :-) You have to do it manually or write code
> to automatise the process described above.
>

Thanks, are there any examples in the code base that would be a good reference?

>
> Hope that helps.
>
> Cheers,
> simon
>
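The two points in the exchange above, the cyclic package graph and the rebuild-until-equal loop, as an added, self-contained model written for this page; it is not code from the thread, from Guix or from either participant. It stands in for the Guix store with a tiny `Compiler` record whose bytes depend on the source it was built from and on the compiler that generated its code, which is enough to show why build 1 and build 2 differ, why build 2 and build 3 agree, and why a non-reproducible build never reaches a fixed point. Package names in the graphs are taken from the thread; everything else (`find_cycle`, `compile_gcc`, `checksum`, `bootstrap_hardened`, `nondeterministic_build`, the `SEED` and `HARDENED_SRC` values) is constructed for the example.

```python
"""Toy model of two problems from the thread: (1) the naive definition makes
the package graph cyclic, so it is no longer a DAG; (2) unrolling the cycle
means rebuilding until two consecutive builds have the same checksum.
Constructed example, not Guix code."""
from dataclasses import dataclass
import hashlib
import itertools


# ---- 1. The naive definition: gcc-bis depends on a toolchain made from gcc-bis.

def find_cycle(graph, start):
    """Depth-first search over dependency edges; returns the path of the
    first cycle that leads back to `start`, or None if none is reachable."""
    stack = [(start, [start])]
    seen = set()
    while stack:
        node, path = stack.pop()
        for dep in graph.get(node, ()):
            if dep == start:
                return path + [dep]
            if dep not in seen:
                seen.add(dep)
                stack.append((dep, path + [dep]))
    return None


# Edges as in the quoted snippet (constructed graph, package names from the
# thread): package-with-c-toolchain adds the toolchain as an input of gcc-bis,
# and make-gcc-toolchain builds that toolchain out of gcc-bis itself.
NAIVE_GRAPH = {
    "gcc-bis": ["gcc-toolchain-bis"],
    "gcc-toolchain-bis": ["gcc-bis", "glibc"],
    "glibc": [],
}

# The unrolled chain: every stage depends only on the previous one.
UNROLLED_GRAPH = {
    "gcc-hardened-3": ["gcc-hardened-2"],
    "gcc-hardened-2": ["gcc-hardened-1"],
    "gcc-hardened-1": ["gcc"],   # gcc is the binary seed
    "gcc": [],
}


# ---- 2. The fixed-point loop described in the thread.

@dataclass(frozen=True)
class Compiler:
    """A compiler binary, modelled by the two things its bytes depend on:
    the semantics of the source it was built from, and the code generation
    of the compiler that built it."""
    semantics: str
    codegen: str


def compile_gcc(builder: Compiler, source: str) -> Compiler:
    """Build GCC from `source` with `builder`: behaviour comes from the
    source, machine code from whoever generated it."""
    return Compiler(semantics=source, codegen=builder.semantics)


def checksum(binary: Compiler) -> str:
    """Stand-in for hashing the build output."""
    data = f"{binary.semantics}|{binary.codegen}".encode()
    return hashlib.sha256(data).hexdigest()[:16]


def bootstrap_hardened(seed, source, build=compile_gcc, max_rounds=10):
    """Rebuild until checksum(n) == checksum(n+1); return (binary, builds).
    A build that is not reproducible never reaches a fixed point, so the
    number of rounds is capped instead of looping forever."""
    stages = [build(seed, source)]                  # gcc-hardened-1
    while len(stages) < max_rounds:
        stages.append(build(stages[-1], source))    # gcc-hardened-{n+1}
        if checksum(stages[-2]) == checksum(stages[-1]):
            return stages[-1], len(stages)
    raise RuntimeError(f"no fixed point after {max_rounds} builds: "
                       "output is not reproducible")


_build_counter = itertools.count()


def nondeterministic_build(builder, source):
    """A build that embeds something different each run (a timestamp, say);
    consecutive checksums never match, so the loop must be bounded."""
    nonce = next(_build_counter)
    return Compiler(semantics=source, codegen=f"{builder.semantics}#{nonce}")


SEED = Compiler("gcc-10.3.0", "gcc-10.3.0")     # constructed: gcc as the binary seed
HARDENED_SRC = "gcc-10.3.0+hardened-flags"      # constructed: GCC source plus hardening options

if __name__ == "__main__":
    print("naive graph cycle:", find_cycle(NAIVE_GRAPH, "gcc-bis"))
    print("unrolled graph cycle:", find_cycle(UNROLLED_GRAPH, "gcc-hardened-3"))
    final, builds = bootstrap_hardened(SEED, HARDENED_SRC)
    print(f"fixed point after {builds} builds: {checksum(final)}")
    try:
        bootstrap_hardened(SEED, HARDENED_SRC, build=nondeterministic_build)
    except RuntimeError as err:
        print(err)
```

With the deterministic model the loop stops after three builds: gcc-hardened-1 still carries the seed's code generation, gcc-hardened-2 and gcc-hardened-3 are byte-identical, which is the same reason GCC's own bootstrap compares stage 2 and stage 3. The capped loop matters in practice: if the hardened build embeds anything that varies between runs, the checksums never converge and an unbounded version of the pseudocode would rebuild forever.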