[arch-dev-public] New CFLAGS/LDFLAGS plus complete toolchain rebuild
This has been discussed a couple of times previously on the mailing lists and there were no objections so I have finally gotten around to adding some hardening options to our CFLAGS/LDFLAGS. With pacman-3.5.4-4 the defaults in makepkg.conf become: CFLAGS="-march=i686 -mtune=generic -O2 -pipe -fstack-protector --param=ssp-buffer-size=4 -D_FORTIFY_SOURCE=2" LDFLAGS="-Wl,-O1,--sort-common,--as-needed,-z,relro,--hash-style=gnu" As discussed previously, the addition of -Wl,-O1,--sort-common to LDFLAGS is not hardening... but these are safe options and they do appear to more than counter the slight overhead that stack smashing protection adds. These are all fairly standard flags being used to build the major distros these days (other distros patch their toolchain to make these the default), so there should be few issues. Probably the only thing to watch out for is to disable them when building bootloaders. The toolchain and all its (real) dependencies has been rebuilt with these flags and the necessary adjustments made to the packages. See notes below: All toolchain dependencies (just rebuilds): cloog-0.16.2-2 gmp-5.0.2-3 isl-0.06-2 libmpc-0.9-2 mpfr-3.0.1.p4-2 ppl-0.11.2-2 zlib-1.2.5-4 Toolchain components: linux-api-headers-3.0.1-1 (upstream update) binutils-2.21.1-2 gcc{,-libs}-4.6.1-3 (do not build libssp with hardening flags) glibc-2.14-5 (do not build libraries with hardening flags) I intend to leave this in [testing] for a couple of weeks to make sure there are no issues. I have been running this locally for about a week and am fairly sure I have the kinks worked out now... I will call for the sign-off later. Allan
On Sun, 14 Aug 2011 21:42:37 +1000, Allan McRae wrote:
This has been discussed a couple of times previously on the mailing lists and there were no objections so I have finally gotten around to adding some hardening options to our CFLAGS/LDFLAGS. With pacman-3.5.4-4 the defaults in makepkg.conf become:
CFLAGS="-march=i686 -mtune=generic -O2 -pipe -fstack-protector --param=ssp-buffer-size=4 -D_FORTIFY_SOURCE=2" LDFLAGS="-Wl,-O1,--sort-common,--as-needed,-z,relro,--hash-style=gnu"
Note: you need at least devtools 0.9.25 in order to build with these flags using the wrapper tools. -- Pierre Schmitz, https://users.archlinux.de/~pierre
Am 14.08.2011 13:42, schrieb Allan McRae:
These are all fairly standard flags being used to build the major distros these days (other distros patch their toolchain to make these the default), so there should be few issues. Probably the only thing to watch out for is to disable them when building bootloaders.
What would be the problem with bootloaders and these flags?
On 14/08/11 23:13, Thomas Bächler wrote:
Am 14.08.2011 13:42, schrieb Allan McRae:
These are all fairly standard flags being used to build the major distros these days (other distros patch their toolchain to make these the default), so there should be few issues. Probably the only thing to watch out for is to disable them when building bootloaders.
What would be the problem with bootloaders and these flags?
It is fairly well known that grub does not work when compiled with stack smashing protection, but I have not investigated the details. I think syslinux should be fine these days, but a while back there were apparently issues. Just something to note... Allan
Am 14.08.2011 15:36, schrieb Allan McRae:
I think syslinux should be fine these days, but a while back there were apparently issues. Just something to note...
I even think syslinux overrides the flags with safe ones, though I am unsure.
There have been no issues that I have seen so far and I want to do some other toolchain updates so it is time for a signoff for all of this: pacman-3.5.4-4 (new CFLAGS + LDFALGS in makepkg.conf) cloog-0.16.2-2 gmp-5.0.2-3 isl-0.06-2 libmpc-0.9-2 mpfr-3.0.1.p4-2 ppl-0.11.2-2 zlib-1.2.5-4 linux-api-headers-3.0.1-1 (upstream update) binutils-2.21.1-2 gcc{,-libs}-4.6.1-3 (do not build libssp with hardening flags) glibc-2.14-5 (do not build libraries with hardening flags) Signoff both, Allan
On Sat, Aug 20, 2011 at 2:25 AM, Allan McRae <allan@archlinux.org> wrote:
There have been no issues that I have seen so far and I want to do some other toolchain updates so it is time for a signoff for all of this:
pacman-3.5.4-4 (new CFLAGS + LDFALGS in makepkg.conf) cloog-0.16.2-2 gmp-5.0.2-3 isl-0.06-2 libmpc-0.9-2 mpfr-3.0.1.p4-2 ppl-0.11.2-2 zlib-1.2.5-4 linux-api-headers-3.0.1-1 (upstream update) binutils-2.21.1-2 gcc{,-libs}-4.6.1-3 (do not build libssp with hardening flags) glibc-2.14-5 (do not build libraries with hardening flags)
Signoff both,
Signoff x86_64.
On Sat, Aug 20, 2011 at 09:25:02AM +1000, Allan McRae wrote:
There have been no issues that I have seen so far and I want to do some other toolchain updates so it is time for a signoff for all of this:
pacman-3.5.4-4 (new CFLAGS + LDFALGS in makepkg.conf) cloog-0.16.2-2 gmp-5.0.2-3 isl-0.06-2 libmpc-0.9-2 mpfr-3.0.1.p4-2 ppl-0.11.2-2 zlib-1.2.5-4 linux-api-headers-3.0.1-1 (upstream update) binutils-2.21.1-2 gcc{,-libs}-4.6.1-3 (do not build libssp with hardening flags) glibc-2.14-5 (do not build libraries with hardening flags)
Signoff both, Allan
Signoff x86_64. dave
[2011-08-20 09:25:02 +1000] Allan McRae:
There have been no issues that I have seen so far and I want to do some other toolchain updates so it is time for a signoff for all of this:
pacman-3.5.4-4 (new CFLAGS + LDFALGS in makepkg.conf) cloog-0.16.2-2 gmp-5.0.2-3 isl-0.06-2 libmpc-0.9-2 mpfr-3.0.1.p4-2 ppl-0.11.2-2 zlib-1.2.5-4 linux-api-headers-3.0.1-1 (upstream update) binutils-2.21.1-2 gcc{,-libs}-4.6.1-3 (do not build libssp with hardening flags) glibc-2.14-5 (do not build libraries with hardening flags)
Signoff both. -- Gaetan
Am 20.08.2011 07:58, schrieb Gaetan Bisson:
[2011-08-20 09:25:02 +1000] Allan McRae:
There have been no issues that I have seen so far and I want to do some other toolchain updates so it is time for a signoff for all of this:
pacman-3.5.4-4 (new CFLAGS + LDFALGS in makepkg.conf) cloog-0.16.2-2 gmp-5.0.2-3 isl-0.06-2 libmpc-0.9-2 mpfr-3.0.1.p4-2 ppl-0.11.2-2 zlib-1.2.5-4 linux-api-headers-3.0.1-1 (upstream update) binutils-2.21.1-2 gcc{,-libs}-4.6.1-3 (do not build libssp with hardening flags) glibc-2.14-5 (do not build libraries with hardening flags) Signoff both greetings tpowa
-- Tobias Powalowski Archlinux Developer & Package Maintainer (tpowa) http://www.archlinux.org tpowa@archlinux.org
On Sat, 20 Aug 2011 09:25:02 +1000, Allan McRae wrote:
There have been no issues that I have seen so far and I want to do some other toolchain updates so it is time for a signoff for all of this:
pacman-3.5.4-4 (new CFLAGS + LDFALGS in makepkg.conf) cloog-0.16.2-2 gmp-5.0.2-3 isl-0.06-2 libmpc-0.9-2 mpfr-3.0.1.p4-2 ppl-0.11.2-2 zlib-1.2.5-4 linux-api-headers-3.0.1-1 (upstream update) binutils-2.21.1-2 gcc{,-libs}-4.6.1-3 (do not build libssp with hardening flags) glibc-2.14-5 (do not build libraries with hardening flags)
Signoff both, Allan
signoff both -- Pierre Schmitz, https://users.archlinux.de/~pierre
participants (7)
-
Allan McRae
-
Dave Reisner
-
Evangelos Foutras
-
Gaetan Bisson
-
Pierre Schmitz
-
Thomas Bächler
-
Tobias Powalowski