From: kiasoc5--- via "Development of GNU Guix and the GNU System distribution."
Reply-To: kiasoc5@tutanota.com
To: Ludovic Courtès
Cc: Maxim Cournoyer, Maxime Devos, Guix Devel, zimoun
Subject: Re: Hardened toolchain
Date: Thu, 14 Apr 2022 20:59:49 +0200 (CEST)
In-Reply-To: <87pmm512uv.fsf@gnu.org>
References: <874k3r8m4m.fsf@gmail.com> <8464b1bff3acb0a84f46ea6dcbbeaa7045b03d1c.camel@telenet.be> <874k3iwysf.fsf@gmail.com> <87pmm512uv.fsf@gnu.org>
List-Id: "Development of GNU Guix and the GNU System distribution." <guix-devel@gnu.org>

Mar 29, 2022, 10:15 by ludo@gnu.org:
> Hi,
>
> Maxim Cournoyer writes:
>
>> Maxime Devos writes:
>>
>>> zimoun wrote on Mon 21-03-2022 at 14:34 [+0100]:
>>>
>>>> > * gcc can be compiled with `--enable-default-ssp --enable-default-
>>>> > pie`
>>>> > to enforce ssp and pic
>>>>
>>>> You wrote [1]:
>>>>
>>>> --8<---------------cut here---------------start------------->8---
>>>> (define-public gcc
>>>>   (package
>>>>     (inherit gcc)
>>>>     (arguments
>>>>      (substitute-keyword-arguments (package-arguments gcc)
>>>>        ;; Prepend the two hardening flags to gcc's existing configure flags.
>>>>        ((#:configure-flags flags)
>>>>         `(append (list "--enable-default-ssp" "--enable-default-pie")
>>>>                  ,flags))))))
>>>> --8<---------------cut here---------------end--------------->8---
>>>>
>>>
>>> I think it would be a lot simpler to just add this to the 'standard'
>>> gcc configure flags, in (gnu packages gcc), given that probably the
>>> idea is to do this hardening for all packages? Needs a world-rebuild
>>> though.
>>>
>>
>> +1. The whole distribution can probably benefit from this hardening.
>>
>
> That’s something worth trying in a branch off ‘core-updates’.
>
> Stack smashing protection (SSP) may incur measurable run-time overhead
> though so enabling that one by default may be less consensual.
>

We could do it like how NixOS does it [1]. There can be a `harden?` list in the build system that contains a default set of flags. Packages that need to have less hardening for performance or other reasons can modify that list.
I believe this was discussed in an old email (not this thread).

> There are other things that could be done in this area, often with no or
> little overhead, such as building with -D_FORTIFY_SOURCE. Doing that
> transparently (without changing build systems) is a bit of a challenge
> though.
>
> Ludo’.
>

Where and how should the default make and ldflags be set? I guess they could be set in the build-system/*.scm.

[1] https://blog.mayflower.de/5800-Hardening-Compiler-Flags-for-NixOS.html
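A sketch of the `harden?` list idea in Guile, added here as an example; it is not code from this thread or from Guix itself. The names %default-hardening, hardening-flags and harden-package are hypothetical, as is the choice of #:make-flags as the injection point, and it covers only the three mitigations the thread names (SSP, PIE, _FORTIFY_SOURCE).

```scheme
;; Added example (not from this thread): one way a default hardening list
;; with per-package opt-out could look in a Guix build-system module.
;; %default-hardening, hardening-flags and harden-package are hypothetical.
(use-modules (guix packages)
             (guix utils)
             (guix gexp)
             (srfi srfi-1))

;; Features enabled by default; a package that cannot afford one (e.g. SSP
;; for performance) passes a shorter list via #:hardening.
(define %default-hardening '(ssp pie fortify))

;; Map each feature to the compiler and linker flags that implement it.
;; -O2 is kept because _FORTIFY_SOURCE only takes effect with optimisation.
(define (hardening-flags features)
  (define cflags
    (append '("-O2")
            (append-map (lambda (feature)
                          (case feature
                            ((ssp)     '("-fstack-protector-strong"))
                            ((pie)     '("-fPIE"))
                            ((fortify) '("-D_FORTIFY_SOURCE=2"))
                            (else      '())))
                        features)))
  (define ldflags
    (if (memq 'pie features) '("-pie") '()))
  (values cflags ldflags))

;; Prepend CFLAGS=/LDFLAGS= to a package's #:make-flags.  A variable given on
;; the make command line replaces the configure-chosen value, which is why
;; -O2 is included above rather than assumed.
(define* (harden-package pkg #:key (hardening %default-hardening))
  (call-with-values (lambda () (hardening-flags hardening))
    (lambda (cflags ldflags)
      (package
        (inherit pkg)
        (arguments
         (substitute-keyword-arguments (package-arguments pkg)
           ((#:make-flags flags ''())
            #~(cons* #$(string-append "CFLAGS=" (string-join cflags))
                     #$(string-append "LDFLAGS=" (string-join ldflags))
                     #$flags))))))))

;; Usage: full hardening for one package, SSP dropped for a hot-loop package.
;; (harden-package some-package)
;; (harden-package hot-loop-package #:hardening '(pie fortify))
```

Packages whose makefiles ignore CFLAGS/LDFLAGS get nothing from this, which is the "without changing build systems" difficulty Ludovic mentions; for those, gcc's own defaults (the quoted --enable-default-ssp/--enable-default-pie) are the more reliable place.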