From: kiasoc5@tutanota.com (via guix-devel)
To: zimoun
Cc: Guix Devel
Date: Fri, 25 Mar 2022 20:39:10 +0100 (CET)
Subject: Re: Hardened toolchain
List-Id: "Development of GNU Guix and the GNU System distribution."

I managed to build hardened-gcc and hardened-binutils with the regular toolchain. Now I'm building them with a hardened C toolchain:

====hardened.scm====
(use-modules (gnu)
             (guix)
             (guix packages))

(use-package-modules gcc base commencement)

(define (make-gcc-hardened gcc)
  (package
    (inherit gcc)
    (arguments
     (substitute-keyword-arguments (package-arguments gcc)
       ((#:configure-flags flags)
        `(append (list "--enable-default-ssp"
                       "--enable-default-pie")
                 ,flags))))))

(define-public gcc-hardened
  (make-gcc-hardened gcc))

(define (make-binutils-hardened binutils)
  (package
    (inherit binutils)
    (arguments
     (substitute-keyword-arguments (package-arguments binutils)
       ((#:configure-flags flags)
        `(append (list "--enable-relro"
                       "--enable-pic"
                       "--with-pic")
                 ,flags))))))

(define-public binutils-hardened
  (make-binutils-hardened binutils))

(define-public gcc-toolchain-hardened
  (make-gcc-toolchain gcc-hardened))

;; TODO: apply binutils hardening
;; TODO: recompile graph with this toolchain
(define (package-with-c-toolchain-hardened package)
  (package-with-c-toolchain package `(("toolchain" ,gcc-toolchain-hardened)
                                      ("binutils" ,binutils-hardened))))

(define c-toolchain-packages
  (list gcc-hardened binutils-hardened))

;; gcc-hardened fails
(map package-with-c-toolchain-hardened c-toolchain-packages)
====hardened.scm====

I can build binutils-hardened with the hardened toolchain but not gcc-hardened:

====the middle of guix build -f hardened.scm====
building /gnu/store/1nlrgg5ryl486haw0kdqnbp4wa17lhwh-gcc-10.3.0.drv...
Backtrace:
In ice-9/eval.scm:
   217:50 19 (lp (# ?))
   217:50 18 (lp (# ?))
   217:50 17 (lp (# ?))
   217:50 16 (lp (# ?))
   217:50 15 (lp (# ?))
   217:50 14 (lp (# ?))
   217:50 13 (lp (# ?))
   217:50 12 (lp (# ?))
   217:50 11 (lp (# ?))
   217:50 10 (lp (# ?))
   217:50  9 (lp (# ?))
   217:50  8 (lp (# ?))
   217:50  7 (lp (# ?))
   217:50  6 (lp (# ?))
   217:50  5 (lp (# ?))
   217:50  4 (lp (# ?))
   217:33  3 (lp (# ?))
    159:9  2 (_ #(#(# #f) #f))
    159:9  1 (_ #(#(# #f) #f))
In unknown file:
           0 (string-append "LDFLAGS=" "-Wl,-rpath=" #f "/lib " "-W?" ?)

ERROR: In procedure string-append:
In procedure string-append: Wrong type (expecting string): #f
builder for `/gnu/store/1nlrgg5ryl486haw0kdqnbp4wa17lhwh-gcc-10.3.0.drv' failed with exit code 1
build of /gnu/store/1nlrgg5ryl486haw0kdqnbp4wa17lhwh-gcc-10.3.0.drv failed
View build log at '/var/log/guix/drvs/1n/lrgg5ryl486haw0kdqnbp4wa17lhwh-gcc-10.3.0.drv.gz'.
guix build: error: build of `/gnu/store/1nlrgg5ryl486haw0kdqnbp4wa17lhwh-gcc-10.3.0.drv' failed
====the middle of guix build -f hardened.scm====

I think #f is here because (assoc-ref inputs "gcc") returns #f since the toolchain uses gcc-hardened, not gcc.

Any tips?

Thanks!

Mar 22, 2022, 20:02 by kiasoc5@tutanota.com:

> Mar 22, 2022, 19:06 by zimon.toutoune@gmail.com:
>
>> Hi,
>>
>> (Although you know :) please keep CC guix-devel.)
>>
> Will remember to CC guix-devel next time.
>
>> On Tue, 22 Mar 2022 at 18:23, kiasoc5@tutanota.com wrote:
>>
>>>> --8<---------------cut here---------------start------------->8---
>>>> (define (make-gcc-hardened gcc)
>>>>   (package
>>>>     (inherit gcc)
>>>>     (arguments
>>>>      (substitute-keyword-arguments (package-arguments gcc)
>>>>        ((#:configure-flags flags
>>>>         `(append (list "--enable-default-ssp" "--enable-default-pie")
>>>>                  ,flags)))))))
>>>>
>>>> (define-public gcc-hardened
>>>>   (make-gcc-hardened gcc))
>>>> --8<---------------cut here---------------end--------------->8---
>>>>
>>
>> [...]
>>
>>>
>>> I get an error when I build with guix, if you could help find it that
>>> would be great.
>>>
>>> % ./pre-inst-env guix build -f hardened.scm
>>> /home/kiasoc5/build/guix-notes/hardening/hardened.scm:11:10: error: (substitute-keyword-arguments (package-arguments gcc) ((#:conﬁgure-ﬂags ﬂags (quasiquote (append (list "--enable-default-ssp" "--enable-default-pie") (unquote ﬂags)))))): source expression failed to match any pattern
>>>
>>
>> That’s because of a typo. :-)
>>
> Silly me, thanks for the catch. I'll let you know how the hardened gcc goes.
>
>> ((#:configure-flags flags
>>                          ^missing closing parenthesis.
>>
>> Well, it looks like:
>>
>> --8<---------------cut here---------------start------------->8---
>> (use-modules (gnu)
>>              (guix)
>>              (guix packages))
>>
>> (use-package-modules gcc)
>>
>> (define (make-gcc-hardened gcc)
>>   (package
>>     (inherit gcc)
>>     (arguments
>>      (substitute-keyword-arguments (package-arguments gcc)
>>        ((#:configure-flags flags)
>>         `(append (list "--enable-default-ssp"
>>                        "--enable-default-pie")
>>                  ,flags))))))
>>
>> (define-public gcc-hardened
>>   (make-gcc-hardened gcc))
>>
>> gcc-hardened
>> --8<---------------cut here---------------end--------------->8---
>>
>> Then, this command
>>
>>   guix build -f hardened.scm -n
>>
>> returns:
>>
>> --8<---------------cut here---------------start------------->8---
>> substitute: updating substitutes from 'https://ci.guix.gnu.org'... 100.0%
>> substitute: updating substitutes from 'https://bordeaux.guix.gnu.org'... 100.0%
>> The following derivation would be built:
>>   /gnu/store/3i6i3pqr5r7l1568b3hswbgych974aqw-gcc-10.3.0.drv
>> 81.4 MB would be downloaded:
>>   /gnu/store/7vrx4p62bkmxzrxwqdc4il9hqyh1yngh-libstdc++-10.3.0
>>   /gnu/store/i459ksarhxysqb8gxa8hq6phl13d0q4a-libstdc++-headers-10.3.0
>>   /gnu/store/d3js6699lc1p0sw7p0dkafi0cn33sig6-gcc-10.3.0.tar.xz
>> --8<---------------cut here---------------end--------------->8---
>>
>> I have not actually tried to build this gcc-hardened. :-)
>>
>> Hope that helps.
>>
>> Cheers,
>> simon
>>
>
>
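Added example (editor's note, not code from the thread or from Guix): once gcc-hardened and binutils-hardened build, the thing worth checking is whether binaries produced through the hardened toolchain actually carry the properties the configure flags are supposed to give them. The script below inspects an ELF64 image directly, without readelf, and reports: PIE (`--enable-default-pie` makes the executable ET_DYN), a stack-protector reference (`--enable-default-ssp` makes instrumented functions call `__stack_chk_fail`, so the name shows up in the dynamic string table), a PT_GNU_RELRO segment (`--enable-relro` makes ld emit it by default; this is partial RELRO), DF_BIND_NOW/DF_1_NOW (full RELRO, which needs `-Wl,-z,now` and which none of the flags in the script turns on by default), and a non-executable PT_GNU_STACK. It assumes little-endian ELF64 input (x86-64 or aarch64) and dynamically linked binaries; the sample images it checks when run without arguments are constructed in the script itself and were not produced by any toolchain.

```python
"""Check ELF64 hardening properties (PIE, RELRO, BIND_NOW, NX stack, SSP).

Added example for the hardened-toolchain thread; not Guix code.  Assumes
little-endian ELF64.  Sample images are constructed below, not built.
"""
import struct
import sys

ET_EXEC, ET_DYN = 2, 3
PT_LOAD, PT_DYNAMIC = 1, 2
PT_GNU_STACK, PT_GNU_RELRO = 0x6474E551, 0x6474E552
PF_X = 1
DT_NULL, DT_STRTAB, DT_STRSZ, DT_FLAGS, DT_FLAGS_1 = 0, 5, 10, 30, 0x6FFFFFFB
DF_BIND_NOW, DF_1_NOW = 0x8, 0x1
PHDR = "<IIQQQQQQ"  # p_type p_flags p_offset p_vaddr p_paddr p_filesz p_memsz p_align


def _vaddr_to_offset(loads, vaddr):
    """Translate a virtual address to a file offset via the PT_LOAD segments."""
    for p_offset, p_vaddr, p_filesz in loads:
        if p_vaddr <= vaddr < p_vaddr + p_filesz:
            return vaddr - p_vaddr + p_offset
    return None


def check_hardening(data):
    """Return a dict of hardening properties for the ELF image in `data`."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("not a little-endian ELF64 image")
    e_type = struct.unpack_from("<H", data, 16)[0]
    e_phoff = struct.unpack_from("<Q", data, 32)[0]
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 54)
    # ET_DYN means PIE when the file is an executable (shared objects are ET_DYN too).
    result = {"pie": e_type == ET_DYN, "relro": False, "bind_now": False,
              "nx_stack": False, "stack_protector": False}
    loads, dynamic = [], None
    for i in range(e_phnum):
        p_type, p_flags, p_offset, p_vaddr, _, p_filesz, _, _ = \
            struct.unpack_from(PHDR, data, e_phoff + i * e_phentsize)
        if p_type == PT_LOAD:
            loads.append((p_offset, p_vaddr, p_filesz))
        elif p_type == PT_DYNAMIC:
            dynamic = (p_offset, p_filesz)
        elif p_type == PT_GNU_RELRO:
            result["relro"] = True
        elif p_type == PT_GNU_STACK:
            # A missing PT_GNU_STACK is reported as executable (conservative reading).
            result["nx_stack"] = not (p_flags & PF_X)
    if dynamic is None:
        return result  # statically linked: nothing dynamic to inspect
    tags = {}
    off, size = dynamic
    for pos in range(off, off + size, 16):
        d_tag, d_val = struct.unpack_from("<QQ", data, pos)
        if d_tag == DT_NULL:
            break
        tags[d_tag] = d_val
    result["bind_now"] = bool(tags.get(DT_FLAGS, 0) & DF_BIND_NOW
                              or tags.get(DT_FLAGS_1, 0) & DF_1_NOW)
    if DT_STRTAB in tags and DT_STRSZ in tags:
        stroff = _vaddr_to_offset(loads, tags[DT_STRTAB])
        if stroff is not None:
            strtab = data[stroff:stroff + tags[DT_STRSZ]]
            # Instrumented code imports __stack_chk_fail from libc, so its
            # name lands in .dynstr; this is the same heuristic checksec uses.
            result["stack_protector"] = b"\0__stack_chk_fail\0" in strtab
    return result


def build_sample_elf(pie=True, relro=True, bind_now=True, nx=True, ssp=True):
    """Construct a minimal ELF64 image (headers, .dynstr, .dynamic, no code)
    with the requested properties.  Constructed test input, not a program."""
    strtab = b"\0libc.so.6\0" + (b"__stack_chk_fail\0" if ssp else b"")
    phnum = 3 + (1 if relro else 0)
    phoff = 64
    stroff = phoff + phnum * 56
    dynoff = stroff + len(strtab)
    dyn = [(DT_STRTAB, stroff), (DT_STRSZ, len(strtab))]
    if bind_now:
        dyn.append((DT_FLAGS, DF_BIND_NOW))
    dyn.append((DT_NULL, 0))
    dynblob = b"".join(struct.pack("<QQ", t, v) for t, v in dyn)
    total = dynoff + len(dynblob)
    # One PT_LOAD at vaddr 0 covering the whole file, so vaddr == file offset.
    phdrs = [struct.pack(PHDR, PT_LOAD, 5, 0, 0, 0, total, total, 0x1000),
             struct.pack(PHDR, PT_DYNAMIC, 6, dynoff, dynoff, dynoff,
                         len(dynblob), len(dynblob), 8),
             struct.pack(PHDR, PT_GNU_STACK, 6 if nx else 7, 0, 0, 0, 0, 0, 16)]
    if relro:
        phdrs.append(struct.pack(PHDR, PT_GNU_RELRO, 4, dynoff, dynoff, dynoff,
                                 len(dynblob), len(dynblob), 1))
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)  # ELF64, LE, v1, SysV
    ehdr = ident + struct.pack("<HHIQQQIHHHHHH", ET_DYN if pie else ET_EXEC,
                               62, 1, 0, phoff, 0, 0, 64, 56, phnum, 64, 0, 0)
    return ehdr + b"".join(phdrs) + strtab + dynblob


def check_file(path):
    with open(path, "rb") as f:
        return check_hardening(f.read())


if __name__ == "__main__":
    if len(sys.argv) > 1:
        for path in sys.argv[1:]:
            print(path, check_file(path))
    else:
        print("hardened sample:", check_hardening(build_sample_elf()))
        print("unhardened sample:", check_hardening(build_sample_elf(
            pie=False, relro=False, bind_now=False, nx=False, ssp=False)))
```

Point it at a binary from the store output of a package built through package-with-c-toolchain-hardened (for example the executables under the output path that `guix build` prints) and compare against the same package built with the stock toolchain: `pie`, `stack_protector` and `relro` should flip to true, while `bind_now` will stay false unless the package or toolchain also passes `-z now` to the linker. The `stack_protector` field is a heuristic: a binary with no function that the protector instruments (no local arrays, with `-fstack-protector-strong`) never references `__stack_chk_fail` even when built with the flag.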