From 0022bf59d8bd1a80864213f681415d49bad42eeb Mon Sep 17 00:00:00 2001 From: "Kevin F. Quinn" Date: Wed, 31 Jan 2007 01:23:03 +0000 Subject: Try creating crtbeginTS.o - crtbeginT.o +crtbeginS.o for static-pie svn path=/; revision=163 --- .../toolchain/branches/pieworld/pieworld.README | 1 + .../branches/pieworld/sys-devel/gcc/Manifest | 16 +-- .../gcc/files/4.1.1/gcc-4.1.1-nopie-crtstuff.patch | 35 ++++- .../pieworld/sys-devel/gcc/files/specs/pie.specs | 2 +- .../branches/pieworld/sys-libs/glibc/Manifest | 8 +- .../glibc-2.4-hardened-inittls-nosysenter.patch | 6 +- .../toolchain/branches/pieworld/toolchain.README | 154 --------------------- 7 files changed, 45 insertions(+), 177 deletions(-) delete mode 100644 hardened/toolchain/branches/pieworld/toolchain.README diff --git a/hardened/toolchain/branches/pieworld/pieworld.README b/hardened/toolchain/branches/pieworld/pieworld.README index 8111dd9..93cbb6c 100644 --- a/hardened/toolchain/branches/pieworld/pieworld.README +++ b/hardened/toolchain/branches/pieworld/pieworld.README @@ -38,6 +38,7 @@ From hardened gcc-3/glibc-2.3: TODO ---- 1) Check all archive lib*.a that don't have a .so - should they be -fPIC rather than -fPIE? + Done: All those that don't have a .so are best off -fPIC, which is ok for being linked into shared libraries, and is also ok-enough for use in executables (whereas -fPIE isn't good for shared libraries). diff --git a/hardened/toolchain/branches/pieworld/sys-devel/gcc/Manifest b/hardened/toolchain/branches/pieworld/sys-devel/gcc/Manifest index 5a582a9..b2691fb 100644 --- a/hardened/toolchain/branches/pieworld/sys-devel/gcc/Manifest +++ b/hardened/toolchain/branches/pieworld/sys-devel/gcc/Manifest 
@@ -54,10 +54,10 @@ AUX 4.1.0/gcc-4.1.0-fast-math-i386-Os-workaround.patch 1686 RMD160 420e02e85e261 MD5 ab66a2c85bc3324fe4f0729927f63072 files/4.1.0/gcc-4.1.0-fast-math-i386-Os-workaround.patch 1686 RMD160 420e02e85e261759154daf5e3c149344be57af76 files/4.1.0/gcc-4.1.0-fast-math-i386-Os-workaround.patch 1686 SHA256 7547293b945808f63b70aafed644a43c99e19f82aaf1d2f2df8502d87ab3f01d files/4.1.0/gcc-4.1.0-fast-math-i386-Os-workaround.patch 1686 -AUX 4.1.1/gcc-4.1.1-nopie-crtstuff.patch 2211 RMD160 faba40fa9fcdec7c2c192d04cba49fc12961b5e2 SHA1 67b7594b37510172c3ba5e444d1679dbc94b7d45 SHA256 3f672da0da10fe614f7088959013b2391e908a3cfb778034661604d44e0e4cef -MD5 fa2fdf981de9250c1601226caa8c7c77 files/4.1.1/gcc-4.1.1-nopie-crtstuff.patch 2211 -RMD160 faba40fa9fcdec7c2c192d04cba49fc12961b5e2 files/4.1.1/gcc-4.1.1-nopie-crtstuff.patch 2211 -SHA256 3f672da0da10fe614f7088959013b2391e908a3cfb778034661604d44e0e4cef files/4.1.1/gcc-4.1.1-nopie-crtstuff.patch 2211 +AUX 4.1.1/gcc-4.1.1-nopie-crtstuff.patch 3175 RMD160 6fb7284e92d0ad45e4c7893ee03a6ccd53b5fcf9 SHA1 26ac6aaf342d89ecd36046b0cb372746aed27c97 SHA256 4fd4a0ff57e538bd08907b02474e14bdfb2d6653b2bd972b6c497d69fab5bea7 +MD5 1b6432af4fa17d57f50d7c2b56d21457 files/4.1.1/gcc-4.1.1-nopie-crtstuff.patch 3175 +RMD160 6fb7284e92d0ad45e4c7893ee03a6ccd53b5fcf9 files/4.1.1/gcc-4.1.1-nopie-crtstuff.patch 3175 +SHA256 4fd4a0ff57e538bd08907b02474e14bdfb2d6653b2bd972b6c497d69fab5bea7 files/4.1.1/gcc-4.1.1-nopie-crtstuff.patch 3175 AUX awk/fixlafiles.awk 7865 RMD160 6283a91bfa309a91f46cbff3c1c4f0d848312ba4 SHA1 0bd923243492496eceb8ec1407ed9f4ac5ad8c1a SHA256 9fccd7f4ee7170a8f05d21777974efc3f23072f501cb7d2a8e9eeea15e541249 MD5 fed3620378df7a876d6709ddf3f7bbec files/awk/fixlafiles.awk 7865 RMD160 6283a91bfa309a91f46cbff3c1c4f0d848312ba4 files/awk/fixlafiles.awk 7865 
@@ -118,10 +118,10 @@ AUX specs/nozrelro.specs 26 RMD160 e2262ae761f699fc682536fa419a20de8e7c6096 SHA1 MD5 3d7e9e4e50ca5244e15fecbe59aa6bb8 files/specs/nozrelro.specs 26 RMD160 e2262ae761f699fc682536fa419a20de8e7c6096 files/specs/nozrelro.specs 26 SHA256 a01b894e420761f5620eb050200e925a69d5e22b5fb9d34a6dbd1b5ef3e2021f files/specs/nozrelro.specs 26 -AUX specs/pie.specs 683 RMD160 5cdec57a67e014d9dbf2564d0b6037f5c4f92beb SHA1 bba8f07fc7b8e722103bce93f414de63164ef506 SHA256 9040684e347002e13c300e158e6ea49a86fd39761de3de0ffb4602bcc8bbcb2b -MD5 814adfa547fdc93725e7fca0a3c3e0c0 files/specs/pie.specs 683 -RMD160 5cdec57a67e014d9dbf2564d0b6037f5c4f92beb files/specs/pie.specs 683 -SHA256 9040684e347002e13c300e158e6ea49a86fd39761de3de0ffb4602bcc8bbcb2b files/specs/pie.specs 683 +AUX specs/pie.specs 762 RMD160 cabd92f256e467730f99dc5c241d6858252b5c28 SHA1 c0d7ad1983f60dd53600fd58f6b2e6f008fcaee0 SHA256 3680ff0614c9ce61117efcab72fe19cb8dfaf1d403b0e6fb9b682c0f07fb48a3 +MD5 fb084bc2f1d0f66325408f3e7999f7bd files/specs/pie.specs 762 +RMD160 cabd92f256e467730f99dc5c241d6858252b5c28 files/specs/pie.specs 762 +SHA256 3680ff0614c9ce61117efcab72fe19cb8dfaf1d403b0e6fb9b682c0f07fb48a3 files/specs/pie.specs 762 AUX specs/ssp.specs 148 RMD160 0e1a23ec7c9b6be5687d620fe4c93acb532b5c3c SHA1 7f3739c35c84df458c37d3355ddf50f746bddf1f SHA256 24dddc1260d89411294c60f3464c3b3aa14b8e7f81157a03cdf40d53cb97590a MD5 2bf1f08a7e56492b19340fffd7e7a3fd files/specs/ssp.specs 148 RMD160 0e1a23ec7c9b6be5687d620fe4c93acb532b5c3c files/specs/ssp.specs 148 diff --git a/hardened/toolchain/branches/pieworld/sys-devel/gcc/files/4.1.1/gcc-4.1.1-nopie-crtstuff.patch b/hardened/toolchain/branches/pieworld/sys-devel/gcc/files/4.1.1/gcc-4.1.1-nopie-crtstuff.patch index 7b733d3..663a256 100644 --- a/hardened/toolchain/branches/pieworld/sys-devel/gcc/files/4.1.1/gcc-4.1.1-nopie-crtstuff.patch +++ b/hardened/toolchain/branches/pieworld/sys-devel/gcc/files/4.1.1/gcc-4.1.1-nopie-crtstuff.patch 
@@ -1,11 +1,11 @@ Ensure that crtbegin.o/crtend.o/crtbeginT.o are built -fno-PIE, and - crtbeginS.o/crtendS.o are built -fPIC. Note that static PIEs use - crtbeginS.o, not crtbeginT.o. - Kevin F. Quinn 17 Jan 2007 + crtbeginS.o/crtendS.o are built -fPIC. Build a new file, crtbeginTS.o, + for linking in "static PIEs". + Kevin F. Quinn 30 Jan 2007 ---- gcc/Makefile.in.orig 2007-01-17 16:42:57.000000000 +0100 -+++ gcc/Makefile.in 2007-01-17 16:46:10.000000000 +0100 -@@ -1417,33 +1417,33 @@ +--- gcc/Makefile.in.orig 2007-01-30 20:12:09.000000000 +0100 ++++ gcc/Makefile.in 2007-01-30 20:13:48.000000000 +0100 +@@ -1417,36 +1417,43 @@ # constructors. $(T)crtbegin.o: crtstuff.c $(GCC_PASSES) $(TCONFIG_H) auto-host.h \ gbl-ctors.h stmp-int-hdrs tsystem.h coretypes.h $(TM_H) 
@@ -40,7 +40,28 @@ $(T)crtbeginT.o: crtstuff.c $(GCC_PASSES) $(TCONFIG_H) auto-host.h \ gbl-ctors.h stmp-int-hdrs tsystem.h coretypes.h $(TM_H) - $(GCC_FOR_TARGET) $(CRTSTUFF_CFLAGS) $(CRTSTUFF_T_CFLAGS) \ -+ $(GCC_FOR_TARGET) -fno-PIE $(CRTSTUFF_CFLAGS) $(CRTSTUFF_T_CFLAGS_S) \ ++ $(GCC_FOR_TARGET) -fno-PIE $(CRTSTUFF_CFLAGS) $(CRTSTUFF_T_CFLAGS) \ -c $(srcdir)/crtstuff.c -DCRT_BEGIN -DCRTSTUFFT_O \ -o $(T)crtbeginT$(objext) ++# This is a version of crtbegin for -static -fPIE links. ++$(T)crtbeginTS.o: crtstuff.c $(GCC_PASSES) $(TCONFIG_H) auto-host.h \ ++ gbl-ctors.h stmp-int-hdrs tsystem.h coretypes.h $(TM_H) ++ $(GCC_FOR_TARGET) -fno-PIE $(CRTSTUFF_CFLAGS) $(CRTSTUFF_T_CFLAGS_S) \ ++ -c $(srcdir)/crtstuff.c -DCRT_BEGIN -DCRTSTUFFT_O -DCRTSTUFFS_O \ ++ -o $(T)crtbeginTS$(objext) ++ + # Compile the start modules crt0.o and mcrt0.o that are linked with + # every program + crt0.o: s-crt0 ; @true +--- gcc/config.gcc.orig 2007-01-30 20:12:35.000000000 +0100 ++++ gcc/config.gcc 2007-01-30 20:12:53.000000000 +0100 +@@ -445,7 +445,7 @@ + ;; + *-*-linux* | frv-*-*linux* | *-*-kfreebsd*-gnu | *-*-knetbsd*-gnu) + # Must come before *-*-gnu* (because of *-*-linux-gnu* systems). +- extra_parts="crtbegin.o crtbeginS.o crtbeginT.o crtend.o crtendS.o" ++ extra_parts="crtbegin.o crtbeginS.o crtbeginT.o crtbeginTS.o crtend.o crtendS.o" + gas=yes + gnu_ld=yes + case ${enable_threads} in diff --git a/hardened/toolchain/branches/pieworld/sys-devel/gcc/files/specs/pie.specs b/hardened/toolchain/branches/pieworld/sys-devel/gcc/files/specs/pie.specs index dec64d7..6d7388b 100644 --- a/hardened/toolchain/branches/pieworld/sys-devel/gcc/files/specs/pie.specs +++ b/hardened/toolchain/branches/pieworld/sys-devel/gcc/files/specs/pie.specs 
@@ -14,7 +14,7 @@ %{fno-pie|fno-PIE|nopie:crtbegin.o%s;:crtbeginS.o%s} *startfile_pie_t: -%{fno-pie|fno-PIE|nopie:crtbegin.o%s;:crtbeginS.o%s} +%{static: %{fno-pie|fno-PIE|nopie:crtbeginT.o%s;crtbeginTS.o%s} } %{!static: %{fno-pie|fno-PIE|nopie:crtbegin.o%s;:crtbeginS.o%s} } *link_pie: %{pie:-pie} %{!pie: %{!A: %{!fno-pie:%{!fno-PIE: %{!shared:%{!static:%{!r: %{!nopie:-pie} }}} }} } } diff --git a/hardened/toolchain/branches/pieworld/sys-libs/glibc/Manifest b/hardened/toolchain/branches/pieworld/sys-libs/glibc/Manifest index 337758d..b52a47e 100644 --- a/hardened/toolchain/branches/pieworld/sys-libs/glibc/Manifest +++ b/hardened/toolchain/branches/pieworld/sys-libs/glibc/Manifest 
@@ -6,10 +6,10 @@ AUX 2.4/glibc-2.4-hardened-configure-picdefault.patch 955 RMD160 dfa5dd2c0907631 MD5 960090668e9700a4095a79907b227b3c files/2.4/glibc-2.4-hardened-configure-picdefault.patch 955 RMD160 dfa5dd2c09076318b7b6f53dbdf68877ebe7c258 files/2.4/glibc-2.4-hardened-configure-picdefault.patch 955 SHA256 3314216ca2994c80f223c091bee79a06f444faf317c16eb7bbc594fa23425657 files/2.4/glibc-2.4-hardened-configure-picdefault.patch 955 -AUX 2.4/glibc-2.4-hardened-inittls-nosysenter.patch 9431 RMD160 a6881daff550a0ca5330e0f0c78a9232f3ea627f SHA1 f1c834b5095218ece4d37410d1058d622e646fc2 SHA256 faa692f71516ed94e6d0dce60e390a9eab97f0c862d6b61d6442b031b8e8d200 -MD5 d590b7cdf1b4367ee2f7c7216b9d32e9 files/2.4/glibc-2.4-hardened-inittls-nosysenter.patch 9431 -RMD160 a6881daff550a0ca5330e0f0c78a9232f3ea627f files/2.4/glibc-2.4-hardened-inittls-nosysenter.patch 9431 -SHA256 faa692f71516ed94e6d0dce60e390a9eab97f0c862d6b61d6442b031b8e8d200 files/2.4/glibc-2.4-hardened-inittls-nosysenter.patch 9431 +AUX 2.4/glibc-2.4-hardened-inittls-nosysenter.patch 9436 RMD160 7f0c48ca72deae8d5ae4074765c93117814f7eaa SHA1 3c5b5fb599d621b2803ef6ff93b355cd16929ddd SHA256 1f777d27370e1868db88a0801ee9f1acae5295b2ec87754e861fa934fd290645 +MD5 c76c013b30eff912af508f7274cb4dd8 files/2.4/glibc-2.4-hardened-inittls-nosysenter.patch 9436 +RMD160 7f0c48ca72deae8d5ae4074765c93117814f7eaa files/2.4/glibc-2.4-hardened-inittls-nosysenter.patch 9436 +SHA256 1f777d27370e1868db88a0801ee9f1acae5295b2ec87754e861fa934fd290645 files/2.4/glibc-2.4-hardened-inittls-nosysenter.patch 9436 AUX 2.4/glibc-2.4-hardened-pie.patch 1629 RMD160 cd0dfdb10a86560d4c36ac04b7642b06ae41b3cd SHA1 990fc9a4f88d86f524030bdd2cb953eb781784a3 SHA256 a44ef5ef5490663fea6de10f9ecccbd45f1fb5bdb49abefb49527dfc14fa0977 MD5 51135a389633ff99dbd3f3d715821454 files/2.4/glibc-2.4-hardened-pie.patch 1629 RMD160 cd0dfdb10a86560d4c36ac04b7642b06ae41b3cd files/2.4/glibc-2.4-hardened-pie.patch 1629 
diff --git a/hardened/toolchain/branches/pieworld/sys-libs/glibc/files/2.4/glibc-2.4-hardened-inittls-nosysenter.patch b/hardened/toolchain/branches/pieworld/sys-libs/glibc/files/2.4/glibc-2.4-hardened-inittls-nosysenter.patch index adea74e..dc7e9d2 100644 --- a/hardened/toolchain/branches/pieworld/sys-libs/glibc/files/2.4/glibc-2.4-hardened-inittls-nosysenter.patch +++ b/hardened/toolchain/branches/pieworld/sys-libs/glibc/files/2.4/glibc-2.4-hardened-inittls-nosysenter.patch @@ -3,9 +3,9 @@ First, any syscalls in PIEs must be of the PIC variant, otherwise textrels ensue. Then, any syscalls made before the initialisation - of the TLS will fail on i386, as the sysenter variant on i386 use - the TLS, giving rise to a chicken-and-egg situation. This patcg - defines a syscall variant that doesn't use sysenter, even when the sysenter + of the TLS will fail on i386, as the sysenter variant on i386 uses + the TLS, giving rise to a chicken-and-egg situation. This patch + defines a PIC syscall variant that doesn't use sysenter, even when the sysenter version is normally used, and uses the non-sysenter version for the brk syscall that is performed by the TLS initialisation. Further, the TLS initialisation is moved in this case prior to the initialisation of diff --git a/hardened/toolchain/branches/pieworld/toolchain.README b/hardened/toolchain/branches/pieworld/toolchain.README deleted file mode 100644 index 6e65198..0000000 --- a/hardened/toolchain/branches/pieworld/toolchain.README +++ /dev/null 
@@ -1,154 +0,0 @@ -NOTES -===== - -Non-PIE support is a mess (well, strictly speaking it's broken) -So far, crt{begin,end}.o are now correctly built no-PIE. -However, libgcc.a/libgcc_eh.a, libc.a, libpthread.a, libieee.a, libgcov.a -are built PIE. This ok for linking PIEs, but rubbish for doing non-PIE -links (i.e. vanilla). Also crtfastmath.o is only built once (there's no -crtfastmathS.o) - so we build it PIE. - -So, what to do? - -For vanilla compiles, we need the .a's built -nopie. -For hardened compiles, we need the .a's built -fPIE - if they ever get used -that way. If we can convince ourselves that when building -fPIE the .so's -are used, then we don't need PIE versions of these .a's. -To do this, add '-nopie' to CFLAGS for libgcc.a in gcc/Makefile.in? - -For libc.a - we could treat hardened as a multilib system; with the normal no-PIE -ABI and our PIE ABI - and get glibc to build itself two ways; one for vanilla and -one for hardened. Or, we could try to force all .a's to be built -nopie - this -isn't easy, however, as you can't tell from normal compilation commands whether -it's for a .a or for an executable. - -I think the multiple-ABI approach is easier. We could then drop PIE from the -compiler variants, leaving just relro/now and ssp combinations, which don't change -the ABI, and do the -fPIE thing in the compiler wrapper, when ABI is PIE. -I'm thinking of doing MULTLIB_ABIS="x86 x86_pie" and defining -CFLAGS_x86_pie="-fpie -pie" -LDFLAGS_x86_pie="-fpie -pie" -LIBDIR_x86="lib" -LIBDIR_x86_pie="libpie" -note; the gcc-config wrapper adds CFLAGS_x86_pie to the command line, but doesn't look at LDFLAGS_ - - -Upgrade path for Hardened Gentoo users from glibc-2.3*/gcc-3* to glibc-2.4+/gcc-4.1+ -==================================================================================== - -Note; references to "hardened", "non-hardened" etc refer to the toolchain, not the -kernel. 
- - -Generic upgrade instructions ----------------------------- - -There are separate instructions depending on where you start. Instruction set (2) -should work in all cases, provided a vanilla compiler is set via gcc-config first. -However the most common case will be (1) - which is why it's listed first :) - - -1) HARDENED SYSTEMS with hardened gcc-3 and glibc-2.3 - Going from an existing hardened system (gcc-3.4.6 & glibc-2.3.6 hardened) - - .1) emerge --oneshot sys-libs/glibc - build the hardened version of glibc-2.4 (with the gcc-3 hardened compiler) - - .2) emerge --oneshot sys-devel/gcc - build the hardened gcc-4.1.1 with the hardened gcc-3.4.6 - - .3) emerge --oneshot sys-libs/glibc - rebuild the hardened version of glibc-2.4 (with the gcc-4 hardened compiler) - - -2) NON-HARDENED SYSTEMS with gcc-4.1.1 and glibc-2.4 (no -hardened compiler available) - Going from non-hardened stage3 2006.1: - This starts from non-hardened gcc-4.1.1 and glibc-2.4 - - .1) Switch profile to the hardened profile - This means remaking the softlink /etc/make.conf to a hardened profile. - Do not confuse this with selecting a hardened compiler with gcc-config (which - you can't do anyway from the standard 2006.1 stage3). - - .2) emerge --oneshot sys-libs/glibc - Build glibc with support for both gcc-3 and gcc-4 stack protectiona. - - .3) USE="-hardened" emerge --oneshot sys-devel/gcc - Build gcc-4 non-hardened, but including split-specs so it can build - hardened objects later. - - .4) gcc-config to the (now available) hardened variant of the compiler. 
- - .5) emerge --oneshot sys-libs/glibc - Build the hardened version of glibc-2.4 (with the gcc-4 hardened compiler) - - .6) emerge --oneshot sys-devel/gcc - This will build gcc itself hardened (in particular, building the static libraries PIE) - - -3) NON-HARDENED SYSTEMS with a -hardened gcc available - - .1) gcc-config to the -hardened gcc - - .2) emerge --oneshot sys-libs/glibc - Build glibc with support for both gcc-3 and gcc-4 stack protectiona. - - .3) emerge --oneshot sys-devel/gcc - build the hardened gcc-4.1.1 with a hardened gcc - - .4) emerge --oneshot sys-libs/glibc - rebuild the hardened version of glibc-2.4 (with the gcc-4 hardened compiler) - - -Platform-specific notes ------------------------ - -sparc -For gcc-4 SSP to work, glibc must be 2.4 or higher. Glibc-2.4 is nptl-only, so this means -it's not available on 32-bit sparc (sparcv8). - - - - -Toolchain mods for hardened gcc-4.x/glibc-2.4 -============================================= - -* glibc __stack_chk_fail implementation written so that it's ok when glibc built with SSP - Implement stderr & syslog messaging, SIGKILL and _exit to provide a secure termination - (the one supplied by glibc is for debug purposes only), and all via inline syscalls - avoiding any function calls (which would potentially invoke __stack_chk_fail). - Note; building glibc with ssp-all is causing too many problems at the moment, so for - now it's set to build without ssp. - Sorted out the PIE building better (replaces the filter-ldflags -pie with something - more sensible). - (done) Use SIG_ABRT instead of SIG_KILL - means doing the sigset stuff. - (done) Use INTERNAL_SYSCALL (check vsyscall page isn't user modifiable) - -* gcc minispecs for gcc-4.1.1 and gcc-3.4.6, from psm - Much simplified gcc patching for hardened compiler; use of minispecs to generate - the relevant specs files. Involves a few changes in toolchain.eclass and - flag-o-matic.eclass. 
- -* Specs switching handled by the wrappers, rather than the gcc-specs-env patch - (app-admin/eselect-compiler only). This gives us ccache reliability, as for - gcc itself the specs are specified on the command line as normal. - May not be a good idea - doing it gcc itself guarantees it'll happen even if - the wrappers aren't used (is that ever the case?). - Further investigation ongoing to manage filtering; considering doing this by - adjusting GCC_SPECS, although it may be better as a separate variable (perhaps - as part of COMPILER_FEATURES - see bug #128810) - -Still cooking - -* Look into -DFORTIFY_SOURCE=2, -msecure-plt for ppc - - -Status summary: -=============== - -glibc ok (builds itself non-ssp) -gcc ok (ish) - Needs distfile gcc-4.1.1-piepatches-v9.0.6.tar.bz2 from toolchain/distfiles - (or gcc-3.4.6-piepatches-v9.0.5.tar.bz2 for gcc-3.4.6) - - -- cgit v1.2.3-65-gdbad
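Review bot: in the pieworld.README hunk, the resolved TODO item 1 stays in the TODO list with a "Done:" line appended under it; moving it out of the TODO list (or striking the item) would keep the list actionable, and the rationale given (-fPIC archives link into both shared libraries and executables, -fPIE ones only into executables) is worth keeping as a standing note rather than a TODO footnote.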
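Review bot: in the gcc-4.1.1-nopie-crtstuff.patch hunk at `@@ -40,7 +40,28 @@`, the new `$(T)crtbeginTS.o` rule passes `-fno-PIE` before `$(CRTSTUFF_T_CFLAGS_S)`, so whatever the S-flavour flags add (the patch header says that is what makes crtbeginS.o `-fPIC`) overrides it, and the object ends up PIC-but-not-PIE; the comment `# This is a version of crtbegin for -static -fPIE links.` should say that this is the intended code model. The same rule also defines `-DCRTSTUFFT_O` and `-DCRTSTUFFS_O` together, while the existing crtbeginT.o rule passes only `-DCRTSTUFFT_O`, so the combination is new here and a sentence on which crtstuff.c behaviour each define is meant to bring in for a static PIE would help the next reader. Two smaller points in the same hunk: the correction of the crtbeginT.o rule from `$(CRTSTUFF_T_CFLAGS_S)` to `$(CRTSTUFF_T_CFLAGS)` is a separate bug fix that the commit message does not mention, and `crtbeginTS.o` is added to `extra_parts` only in the `*-*-linux* | frv-*-*linux* | *-*-kfreebsd*-gnu | *-*-knetbsd*-gnu` stanza of config.gcc, so any other target stanza this branch supports that lists `crtbeginT.o` needs the same addition or a `-static` PIE link there will reference a start file that is never built.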
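Review bot: in the pie.specs hunk, the default branch of the new `%{static: ...}` alternative in `*startfile_pie_t` is missing its leading colon: `;crtbeginTS.o%s}` should read `;:crtbeginTS.o%s}`, matching the `;:crtbeginS.o%s}` form used in the `%{!static: ...}` alternative on the same line, because in the spec language only `;:D` introduces the else case. As written, a `-static -fPIE` link is unlikely to pick up crtbeginTS.o at all, which defeats the purpose of the change; a `gcc -v -static -fPIE -pie` build of a small test program should list crtbeginTS.o on the link line once the colon is in place. Note also that only `*startfile_pie_t` changes here; nothing in this hunk selects the matching end object (crtend.o versus crtendS.o) for the static-PIE case, so either state which one is expected or point to where that is handled.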
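Review bot: the deletion of toolchain.README removes the upgrade instructions, the sparc platform note and the status summary, but the diffstat shows only one line added to pieworld.README and the commit message (`Try creating crtbeginTS.o`) does not mention the removal; confirm that this material has been migrated elsewhere or is obsolete, and if it is obsolete say so in the commit message, since an unrelated file deletion bundled into a crtstuff change is easy to lose track of.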