Gentoo Archives: gentoo-dev

From: Sam James <sam@g.o>
To: gentoo-dev@l.g.o
Cc: hardened@g.o, toolchain@g.o, pr@g.o, Sam James <sam@g.o>
Subject: [gentoo-dev] [PATCH] 2022-12-28-hardening-fortify-assertions: add item
Date: Wed, 28 Dec 2022 19:35:04
Message-Id: 20221228193447.4141430-1-sam@gentoo.org
1 Bug: https://bugs.gentoo.org/876893
2 Bug: https://bugs.gentoo.org/876895
3 Signed-off-by: Sam James <sam@g.o>
4 ---
5 ...-12-28-hardening-fortify-assertions.en.txt | 57 +++++++++++++++++++
6 1 file changed, 57 insertions(+)
7 create mode 100644 2022-12-28-hardening-fortify-assertions/2022-12-28-hardening-fortify-assertions.en.txt
8
9 diff --git a/2022-12-28-hardening-fortify-assertions/2022-12-28-hardening-fortify-assertions.en.txt b/2022-12-28-hardening-fortify-assertions/2022-12-28-hardening-fortify-assertions.en.txt
10 new file mode 100644
11 index 0000000..b339828
12 --- /dev/null
13 +++ b/2022-12-28-hardening-fortify-assertions/2022-12-28-hardening-fortify-assertions.en.txt
14 @@ -0,0 +1,57 @@
15 +Title: Hardened profiles improvements
16 +Author: Sam James <sam@g.o>
17 +Posted: 2022-12-27
18 +Revision: 1
19 +News-Item-Format: 2.0
20 +Display-If-Profile: features/hardened
21 +Display-If-Profile: default/linux/ppc64le/17.0/musl/hardened
22 +Display-If-Profile: default/linux/ppc/17.0/musl/hardened
23 +Display-If-Profile: default/linux/amd64/17.0/no-multilib/hardened
24 +Display-If-Profile: default/linux/amd64/17.0/hardened
25 +Display-If-Profile: default/linux/amd64/17.0/musl/hardened
26 +Display-If-Profile: default/linux/amd64/17.1/hardened
27 +Display-If-Profile: default/linux/amd64/17.1/no-multilib/hardened
28 +Display-If-Profile: default/linux/x86/17.0/hardened
29 +Display-If-Profile: default/linux/arm/17.0/musl/armv7a/hardened
30 +Display-If-Profile: default/linux/arm/17.0/musl/armv6j/hardened
31 +Display-If-Profile: default/linux/arm/17.0/armv7a/hardened
32 +Display-If-Profile: default/linux/arm/17.0/armv6j/hardened
33 +Display-If-Profile: default/linux/ppc64/17.0/musl/hardened
34 +Display-If-Profile: default/linux/arm64/17.0/hardened
35 +Display-If-Profile: default/linux/arm64/17.0/musl/hardened
36 +
37 +Gentoo's hardened profiles are adopting two new modern toolchain hardening
38 +techniques:
39 +1. Level 3 fortification (-D_FORTIFY_SOURCE=3) [0]
40 +2. libstdc++ assertions (-D_GLIBCXX_ASSERTIONS) [1]
41 +
42 +These will both be enabled by default with USE=hardened on sys-devel/gcc
43 +for >=sys-devel/gcc-12.2.1_p20221224-r1.
44 +
45 +To view the existing list of hardening changes applied by the profiles,
46 +see the wiki [2].
47 +
48 +Stable users may wish to add sys-devel/gcc-12.2.1_p20221224-r1 into
49 +/etc/portage/package.accept_keywords if they wish to take advantage
50 +of these improvements early, before GCC 12 is marked stable.
51 +
52 +## Migration
53 +
54 +To fully take advantage of these new settings, GCC must first
55 +be upgraded, and then all packages must be re-emerged:
56 +1. emerge --sync
57 +2. emerge --verbose --oneshot ">=sys-devel/gcc-12.2.1_p20221224-r1"
58 +3. emerge --verbose --emptytree @world
59 +
60 +## Troubleshooting
61 +
62 +In the event that some packages fail at runtime, please file a bug
63 +with the full details. To temporarily workaround the problem,
64 +it should be possible to recompile broken packages with the
65 +following *FLAGS:
66 +CFLAGS="${CFLAGS} -D_FORTIFY_SOURCE=2"
67 +CXXFLAGS="${CXXFLAGS} -D_FORTIFY_SOURCE=2 -U_GLIBCXX_ASSERTIONS"
68 +
69 +[0] https://bugs.gentoo.org/876893
70 +[1] https://bugs.gentoo.org/876895
71 +[2] https://wiki.gentoo.org/wiki/Hardened/Toolchain#Changes
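Review bot: The `Posted: 2022-12-27` header disagrees with the 2022-12-28 date used in the news item's directory and file name in this diff; the two should match so the item's date is unambiguous. In the Troubleshooting section, the fortify workaround is given as `CFLAGS="${CFLAGS} -D_FORTIFY_SOURCE=2"` while the assertions workaround uses `-U_GLIBCXX_ASSERTIONS`; since the hardened GCC will already be injecting `-D_FORTIFY_SOURCE=3`, please confirm that the specs yield to a user-supplied definition, otherwise the suggested flags should be `-U_FORTIFY_SOURCE -D_FORTIFY_SOURCE=2` to avoid a macro redefinition warning or the wrong level winning. Minor wording: "To temporarily workaround the problem" should read "To temporarily work around the problem".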
72 --
73 2.39.0
