From: kiasoc5 via "Development of GNU Guix and the GNU System distribution." <kiasoc5@tutanota.com>
To: Guix Devel <guix-devel@gnu.org>
Date: Mon, 21 Mar 2022 05:31:01 +0100 (CET)
Subject: Hardened toolchain
I posted an initial message on help-guix about compiling a custom hardened gcc, but guix-devel is a better list to continue the discussion.

I wanted to revisit compiling Guix packages with a hardened toolchain since many other distros do this to improve the security of their packages. Previous emails only mentioned passing hardening options to CFLAGS and LDFLAGS. Another important step is to compile features into GCC and binutils. Specifically:

* gcc can be compiled with `--enable-default-ssp --enable-default-pie` to enforce ssp and pic
* binutils can be compiled with `--enable-relro --enable-pic` to enforce relro and pic

I'm not a toolchain expert by any means, but I think this is a good first step in improving Guix package security.

1. https://lists.archlinux.org/pipermail/arch-dev-public/2016-October/028405.html
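A practical follow-up to the configure flags above, added here as an example and not taken from the original message or from Guix itself: whichever flags the toolchain is built with, the thing to verify is the binaries it actually produces. The script below is a small, self-contained ELF64 checker in the spirit of `checksec`. It reads the program headers and the dynamic section and reports PIE (e_type ET_DYN together with a PT_INTERP segment, since ET_DYN alone also matches shared libraries), a non-executable stack (PT_GNU_STACK without PF_X) and RELRO (a PT_GNU_RELRO segment; counted as full RELRO only when DT_FLAGS or DT_FLAGS_1 carries BIND_NOW, otherwise partial). Stack protector leaves no program-header trace (it appears as a `__stack_chk_fail` import in the dynamic symbol table), so it is not checked here. `build_sample_elf` fabricates a header-only ELF image so the checker can be exercised offline; all function and constant names are this example's own, with the constant values taken from elf.h.

```python
import struct
import sys

# ELF constants (values from elf.h); only what the checks below need.
ET_EXEC, ET_DYN = 2, 3
PT_DYNAMIC, PT_INTERP = 2, 3
PT_GNU_STACK, PT_GNU_RELRO = 0x6474E551, 0x6474E552
PF_X, PF_W, PF_R = 1, 2, 4
DT_NULL, DT_FLAGS, DT_FLAGS_1 = 0, 30, 0x6FFFFFFB
DF_BIND_NOW, DF_1_NOW = 0x8, 0x1

EHDR_FMT = "HHIQQQIHHHHHH"  # Elf64_Ehdr fields after the 16-byte e_ident
PHDR_FMT = "IIQQQQQQ"       # Elf64_Phdr
DYN_FMT = "qQ"              # Elf64_Dyn: signed d_tag, then d_val/d_ptr


def parse_elf64(data):
    """Return e_type, the program headers and the dynamic-section tags of an ELF64 image."""
    if data[:4] != b"\x7fELF" or data[4] != 2:
        raise ValueError("not an ELF64 image")
    end = "<" if data[5] == 1 else ">"  # EI_DATA: 1 = little-endian, 2 = big-endian
    fields = struct.unpack_from(end + EHDR_FMT, data, 16)
    e_type, e_phoff, e_phentsize, e_phnum = fields[0], fields[4], fields[8], fields[9]
    phdrs = []
    for i in range(e_phnum):
        p = struct.unpack_from(end + PHDR_FMT, data, e_phoff + i * e_phentsize)
        phdrs.append({"type": p[0], "flags": p[1], "offset": p[2], "filesz": p[5]})
    dyn = {}
    for ph in phdrs:
        if ph["type"] != PT_DYNAMIC:
            continue
        off, end_off = ph["offset"], ph["offset"] + ph["filesz"]
        while off + 16 <= end_off:  # walk Elf64_Dyn entries up to DT_NULL
            tag, val = struct.unpack_from(end + DYN_FMT, data, off)
            if tag == DT_NULL:
                break
            dyn[tag] = val
            off += 16
    return {"e_type": e_type, "phdrs": phdrs, "dyn": dyn}


def check_hardening(data):
    """Report PIE / NX stack / RELRO for one ELF64 image (SSP is not visible in headers)."""
    elf = parse_elf64(data)
    types = [p["type"] for p in elf["phdrs"]]
    stack = [p for p in elf["phdrs"] if p["type"] == PT_GNU_STACK]
    # ET_DYN alone also matches shared libraries; a PT_INTERP segment marks an executable.
    pie = elf["e_type"] == ET_DYN and PT_INTERP in types
    # A missing PT_GNU_STACK means the loader falls back to an executable stack.
    nx = bool(stack) and not (stack[0]["flags"] & PF_X)
    has_relro = PT_GNU_RELRO in types
    bind_now = bool(elf["dyn"].get(DT_FLAGS, 0) & DF_BIND_NOW
                    or elf["dyn"].get(DT_FLAGS_1, 0) & DF_1_NOW)
    relro = "full" if has_relro and bind_now else ("partial" if has_relro else "none")
    return {"pie": pie, "nx": nx, "relro": relro}


def build_sample_elf(pie=True, nx=True, relro=True, bind_now=True):
    """Constructed, header-only ELF64 image (no code) used to exercise the checker offline."""
    phdrs = [
        (PT_INTERP, PF_R, 0, 0, 0, 0, 0, 1),
        (PT_GNU_STACK, PF_R | PF_W | (0 if nx else PF_X), 0, 0, 0, 0, 0, 16),
    ]
    if relro:
        phdrs.append((PT_GNU_RELRO, PF_R, 0, 0, 0, 0, 0, 1))
    dyn_entries = [
        (DT_FLAGS, DF_BIND_NOW if bind_now else 0),
        (DT_FLAGS_1, DF_1_NOW if bind_now else 0),
        (DT_NULL, 0),
    ]
    dyn_bytes = b"".join(struct.pack("<" + DYN_FMT, t, v) for t, v in dyn_entries)
    dyn_off = 64 + 56 * (len(phdrs) + 1)  # dynamic section follows the header table
    phdrs.append((PT_DYNAMIC, PF_R | PF_W, dyn_off, 0, 0, len(dyn_bytes), len(dyn_bytes), 8))
    e_ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)  # ELF64, little-endian, version 1
    ehdr = e_ident + struct.pack("<" + EHDR_FMT, ET_DYN if pie else ET_EXEC, 62, 1, 0x1000,
                                 64, 0, 0, 64, 56, len(phdrs), 64, 0, 0)
    return ehdr + b"".join(struct.pack("<" + PHDR_FMT, *p) for p in phdrs) + dyn_bytes


if __name__ == "__main__":
    with open(sys.argv[1], "rb") as f:
        print(check_hardening(f.read()))
```

Run it as `python3 elf_hardening.py path/to/binary` against a build output from the stock toolchain and again after rebuilding with the flags above; a binary from a toolchain that really defaults to PIE and RELRO should report `pie: True` and at least `relro: partial`, and `-Wl,-z,now` in LDFLAGS is what turns partial into full.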