From: kiasoc5@tutanota.com (via guix-devel@gnu.org)
To: zimoun
Cc: Guix Devel <guix-devel@gnu.org>
Date: Sat, 26 Mar 2022 23:02:41 +0100 (CET)
Subject: Re: Hardened toolchain
References: <874k3r8m4m.fsf@gmail.com> <86y2119580.fsf@gmail.com> <864k3l4p99.fsf@gmail.com>
Mar 26, 2022, 19:33 by kiasoc5@tutanota.com:

> Hi Simon,
>
> Mar 25, 2022, 22:54 by zimon.toutoune@gmail.com:
>
>> Hi,
>>
>> On Fri, 25 Mar 2022 at 20:39, kiasoc5@tutanota.com wrote:
>>
>>> ====the middle of guix build -f hardened.scm====
>>> building /gnu/store/1nlrgg5ryl486haw0kdqnbp4wa17lhwh-gcc-10.3.0.drv...
>>> Backtrace:
>>> In ice-9/eval.scm:
>>>    217:50 19 (lp (# ?))
>>>    217:50 18 (lp (# ?))
>>>    217:50 17 (lp (# ?))
>>>    217:50 16 (lp (# ?))
>>>    217:50 15 (lp (# ?))
>>>    217:50 14 (lp (# ?))
>>>    217:50 13 (lp (# ?))
>>>    217:50 12 (lp (# ?))
>>>    217:50 11 (lp (# ?))
>>>    217:50 10 (lp (# ?))
>>>    217:50  9 (lp (# ?))
>>>    217:50  8 (lp (# ?))
>>>    217:50  7 (lp (# ?))
>>>    217:50  6 (lp (# ?))
>>>    217:50  5 (lp (# ?))
>>>    217:50  4 (lp (# ?))
>>>    217:33  3 (lp (# ?))
>>>     159:9  2 (_ #(#(# #f) #f))
>>>     159:9  1 (_ #(#(# #f) #f))
>>> In unknown file:
>>>           0 (string-append "LDFLAGS=" "-Wl,-rpath=" #f "/lib " "-W?" ?)
>>>
>>> ERROR: In procedure string-append:
>>> In procedure string-append: Wrong type (expecting string): #f
>>> builder for `/gnu/store/1nlrgg5ryl486haw0kdqnbp4wa17lhwh-gcc-10.3.0.drv' failed with exit code 1
>>> build of /gnu/store/1nlrgg5ryl486haw0kdqnbp4wa17lhwh-gcc-10.3.0.drv failed
>>> View build log at '/var/log/guix/drvs/1n/lrgg5ryl486haw0kdqnbp4wa17lhwh-gcc-10.3.0.drv.gz'.
>>> guix build: error: build of `/gnu/store/1nlrgg5ryl486haw0kdqnbp4wa17lhwh-gcc-10.3.0.drv' failed
>>> ====the middle of guix build -f hardened.scm====
>>>
>>> Here's a smaller example that has the same error:
>>>
>>> ===the file===
>>> (use-modules (gnu)
>>>              (guix)
>>>              (guix packages))
>>> (use-package-modules gcc base commencement)
>>> (package-with-c-toolchain gcc `(("toolchain" ,(make-gcc-toolchain gcc))))
>>> ===the file===
>>>
>>> ===try to build it===
>>> In unknown file:
>>>           0 (string-append "LDFLAGS=" "-Wl,-rpath=" #f "/lib " "-W?" ?)
>>>
>>> ERROR: In procedure string-append:
>>> In procedure string-append: Wrong type (expecting string): #f
>>> ===try to build it===
>>>
>>> The gcc package already exists! Why can't I build gcc with itself?
>>>
>> You are creating a cycle, no?  It is not a DAG and so the transformation
>> fails, no?
>>
> Oh I didn't notice that. The example makes sense too.
>
>> For instance, this:
>>
>> --8<---------------cut here---------------start------------->8---
>> (use-modules (guix packages)
>>              (gnu packages gcc)
>>              (gnu packages base))
>>
>> (define make-gcc-toolchain
>>   (@@ (gnu packages commencement) make-gcc-toolchain))
>>
>> (define gcc-bis
>>   (package
>>     (inherit gcc)
>>     (version (string-append (package-version gcc) "-bis"))))
>>
>> (define gcc-toolchain-bis
>>   (make-gcc-toolchain gcc-bis glibc))
>>
>> (define (package-with-c-toolchain-bis package)
>>   (package-with-c-toolchain
>>    package `(("toolchain" ,gcc-toolchain-bis))))
>>
>>
>> (package-with-c-toolchain-bis gcc-bis)
>> --8<---------------cut here---------------end--------------->8---
>>
>> fails with the same message.  There is a bootstrapping issue: the binary
>> of gcc-bis is required to compile the source of gcc-bis; where does such
>> a binary of gcc-bis come from?
>>
>>
>> Considering your use case, you need:
>>
>>  - gcc considered as binary seed
>>
>>  - use this binary gcc with the hardened options to compile the source
>>    of GCC; resulting in the binary gcc-hardened-1
>>
>>  - use this binary gcc-hardened-2 with the hardened options to recompile
>>    the source of GCC; resulting in the binary gcc-hardened-2
>>
>>  - if checksum(gcc-hardened-1) == checksum(gcc-hardened-2)
>>    then use this binary to define a new toolchain
>>    else reach the fixed point
>>
>> fixed point: use this binary gcc-hardened-{n-1} to compile the source of
>> GCC and output the binary gcc-hardened-{n}; compare the checksum of
>> the binary {n-1} and {n} and repeat until equality is reached.
>>
> Just so I understand, in other (imperative) words:
>
> gcc-hardened-1 = gcc-hardened built with regular gcc
> gcc-hardened-2 = gcc-hardened built with gcc-hardened-1
> n = 1
> while checksum(gcc-hardened-{n}) != checksum(gcc-hardened-{n+1}):
>    gcc-hardened-{n+1} = gcc-hardened built with gcc-hardened-{n}
>    n++
> define the new toolchain with gcc-hardened-{n+1}
>
>
>> Guix is not auto-magically resolving the fixed-point, i.e., it does not
>> unroll the cycle by magic. :-) You have to do it manually or write code
>> to automate the process, as described above.
>>
> Thanks, are there any examples in the code base that would be a good reference?
>
>>
>> Hope that helps.
>>
>> Cheers,
>> simon
>>
>
>
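The fixed-point loop that zimoun describes and kiasoc5 restates in pseudocode above, written out as a POSIX shell driver. This is an added example for this page, not code from the thread or from Guix. It assumes a hypothetical file gcc-hardened.scm (not on the page) that reads GCC_HARDENED_STAGE and GCC_HARDENED_PREV from the environment and evaluates to the package for that stage: stage 1 is built with the regular gcc as the binary seed, stage n+1 with the compiler whose store path is in GCC_HARDENED_PREV. The real Guix commands it drives are `guix build -f` and `guix hash -r`; both sit behind hook functions so the loop itself can be exercised with fakes.

```shell
#!/bin/sh
# Added example (not from the thread or from Guix): drive the
# gcc-hardened fixed point by hand, as the thread says one must.
# Assumption: gcc-hardened.scm (hypothetical) evaluates to the package
# for stage $GCC_HARDENED_STAGE, built with the compiler at
# $GCC_HARDENED_PREV (empty means the regular, seed gcc).
set -eu

# build_stage N PREV: build gcc-hardened-N with the compiler at PREV and
# print the resulting store path.  Hook; override it to dry-run the loop.
build_stage() {
    GCC_HARDENED_STAGE="$1" GCC_HARDENED_PREV="$2" \
        guix build -f gcc-hardened.scm
}

# store_hash PATH: the checksum used to compare two stages.  Hook; this is
# also where self-references to the output's own store path would be
# masked before hashing (see the note below).
store_hash() {
    guix hash -r "$1"
}

# reach_fixed_point MAX: the loop from the thread.
#   gcc-hardened-1     = hardened GCC built with the regular gcc
#   gcc-hardened-{n+1} = hardened GCC built with gcc-hardened-{n}
# Stop when checksum(n) == checksum(n+1) and print "<stage> <store path>"
# of the converged compiler; give up (exit 1) after MAX stages.
reach_fixed_point() {
    max="$1"
    n=1
    prev=""                                  # empty: use the seed gcc
    cur=$(build_stage "$n" "$prev")
    cur_hash=$(store_hash "$cur")
    while [ "$n" -lt "$max" ]; do
        next=$(build_stage "$((n + 1))" "$cur")
        next_hash=$(store_hash "$next")
        if [ "$cur_hash" = "$next_hash" ]; then
            echo "$((n + 1)) $next"
            return 0
        fi
        n=$((n + 1))
        cur="$next"
        cur_hash="$next_hash"
    done
    echo "no fixed point after $max stages" >&2
    return 1
}
```

The converged store path is what you would then hand to make-gcc-toolchain to define the new toolchain. One practical point the thread does not spell out: stage n and stage n+1 are different derivations with different output paths, and GCC embeds its own installation prefix in what it installs, so a raw `guix hash -r` of the two outputs will differ even when the compilers are otherwise identical. The store_hash hook is the place to mask each output's own store path (replace it with a fixed placeholder) before hashing, so that the comparison only sees the content that is supposed to converge.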