Bug: https://bugs.gentoo.org/876893 |
Bug: https://bugs.gentoo.org/876895 |
Signed-off-by: Sam James <sam@g.o> |
--- |
...-12-28-hardening-fortify-assertions.en.txt | 57 +++++++++++++++++++ |
1 file changed, 57 insertions(+) |
create mode 100644 2022-12-28-hardening-fortify-assertions/2022-12-28-hardening-fortify-assertions.en.txt |
diff --git a/2022-12-28-hardening-fortify-assertions/2022-12-28-hardening-fortify-assertions.en.txt b/2022-12-28-hardening-fortify-assertions/2022-12-28-hardening-fortify-assertions.en.txt |
new file mode 100644 |
index 0000000..b339828 |
--- /dev/null |
+++ b/2022-12-28-hardening-fortify-assertions/2022-12-28-hardening-fortify-assertions.en.txt |
@@ -0,0 +1,57 @@ |
+Title: Hardened profiles improvements |
+Author: Sam James <sam@g.o> |
+Posted: 2022-12-27 |
+Revision: 1 |
+News-Item-Format: 2.0 |
+Display-If-Profile: features/hardened |
+Display-If-Profile: default/linux/ppc64le/17.0/musl/hardened |
+Display-If-Profile: default/linux/ppc/17.0/musl/hardened |
+Display-If-Profile: default/linux/amd64/17.0/no-multilib/hardened |
+Display-If-Profile: default/linux/amd64/17.0/hardened |
+Display-If-Profile: default/linux/amd64/17.0/musl/hardened |
+Display-If-Profile: default/linux/amd64/17.1/hardened |
+Display-If-Profile: default/linux/amd64/17.1/no-multilib/hardened |
+Display-If-Profile: default/linux/x86/17.0/hardened |
+Display-If-Profile: default/linux/arm/17.0/musl/armv7a/hardened |
+Display-If-Profile: default/linux/arm/17.0/musl/armv6j/hardened |
+Display-If-Profile: default/linux/arm/17.0/armv7a/hardened |
+Display-If-Profile: default/linux/arm/17.0/armv6j/hardened |
+Display-If-Profile: default/linux/ppc64/17.0/musl/hardened |
+Display-If-Profile: default/linux/arm64/17.0/hardened |
+Display-If-Profile: default/linux/arm64/17.0/musl/hardened |
+ |
+Gentoo's hardened profiles are adopting two new modern toolchain hardening |
+techniques: |
+1. Level 3 fortification (-D_FORTIFY_SOURCE=3) [0] |
+2. libstdc++ assertions (-D_GLIBCXX_ASSERTIONS) [1] |
+ |
+These will both be enabled by default with USE=hardened on sys-devel/gcc |
+for >=sys-devel/gcc-12.2.1_p20221224-r1. |
+ |
+To view the existing list of hardening changes applied by the profiles, |
+see the wiki [2]. |
+ |
+Stable users may wish to add sys-devel/gcc-12.2.1_p20221224-r1 into |
+/etc/portage/package.accept_keywords if they wish to take advantage |
+of these improvements early, before GCC 12 is marked stable. |
+ |
+## Migration |
+ |
+To fully take advantage of these new settings, GCC must first |
+be upgraded, and then all packages must be re-emerged: |
+1. emerge --sync |
+2. emerge --verbose --oneshot ">=sys-devel/gcc-12.2.1_p20221224-r1" |
+3. emerge --verbose --emptytree @world |
+ |
+## Troubleshooting |
+ |
+In the event that some packages fail at runtime, please file a bug |
+with the full details. To temporarily workaround the problem, |
+it should be possible to recompile broken packages with the |
+following *FLAGS: |
+CFLAGS="${CFLAGS} -D_FORTIFY_SOURCE=2" |
+CXXFLAGS="${CXXFLAGS} -D_FORTIFY_SOURCE=2 -U_GLIBCXX_ASSERTIONS" |
+ |
+[0] https://bugs.gentoo.org/876893 |
+[1] https://bugs.gentoo.org/876895 |
+[2] https://wiki.gentoo.org/wiki/Hardened/Toolchain#Changes |
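Review bot: In the Troubleshooting block, the fortify workaround `CFLAGS="${CFLAGS} -D_FORTIFY_SOURCE=2"` relies on the user's -D winning over the compiler's built-in default; if the hardened GCC injects `-D_FORTIFY_SOURCE=3` unconditionally rather than only when no `-D_FORTIFY_SOURCE` is already on the command line, users will see a `"_FORTIFY_SOURCE" redefined` warning (fatal under -Werror), so either confirm that the spec guards against this or write the line as `-U_FORTIFY_SOURCE -D_FORTIFY_SOURCE=2`, mirroring the `-U_GLIBCXX_ASSERTIONS` form already used in the CXXFLAGS line. Two smaller points: the directory and file name carry the date 2022-12-28 while the header says `Posted: 2022-12-27`, so one of the two should be corrected to match; and "workaround" is used as a verb in "To temporarily workaround the problem", where "work around" is meant.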
-- |
2.39.0 |