| 1 |
On 21 Jun 2004, Ned Ludd wrote: |
| 2 |
|
| 3 |
> Peter, |
| 4 |
> |
| 5 |
> Ok the only remaining things now are uClibc itself and any package that |
| 6 |
> conditionally has a PROVIDE=. For the ones that conditionally provide a |
| 7 |
> PROVIDE= I assume we can just leave them out of the profile in the first |
| 8 |
> place (not sure about the nocompress one till uclibc works). |
| 9 |
|
| 10 |
could be left out, the only that we really need (but can be replaced by a |
| 11 |
versioning condition is gnuconfig-uclibc) |
| 12 |
|
| 13 |
> |
| 14 |
> Next the uClibc. |
| 15 |
> I had to look around a bit but found the missing do_rem patch on the |
| 16 |
> uClibc mailing list, after getting that one in I went to merge the |
| 17 |
> uClibc on a hardened system and we failed with misc ssp errors. |
| 18 |
|
| 19 |
sorry, if I have forgotten to send it to you |
| 20 |
|
| 21 |
> |
| 22 |
> Attempted to drop the uclibc-patches tarball and compile without any of |
| 23 |
> those misc patches as they all seem pie-ssp related or unneeded cruft |
| 24 |
> that really does not apply to uClibc at all like -z relro. |
| 25 |
|
| 26 |
I do not use the relro/now patches, the ebuild removes them for now (they |
| 27 |
are only for completeness) |
| 28 |
|
| 29 |
> |
| 30 |
> USE="-*" ebuild uclibc-0.9.26-r1.ebuild clean unpack compile |
| 31 |
|
| 32 |
have you done this in a buildroot, or on a glibc portage based system? |
| 33 |
I do not support any glibc system, only uclibc based (cross-compiling and |
| 34 |
so on should be left out), also nls should be disabled (as I said nls the |
| 35 |
only usable way would be to have uclibc w/o locale and get libintl.* files |
| 36 |
from gettext. |
| 37 |
|
| 38 |
> .... |
| 39 |
> |
| 40 |
> * |
| 41 |
> * uClibc development/debugging options |
| 42 |
> * |
| 43 |
> Build uClibc with debugging symbols (DODEBUG) [N/y/?] n |
| 44 |
> Build uClibc with run-time assertion testing (DOASSERTS) [N/y/?] n |
| 45 |
> Build the shared library loader with debugging support |
| 46 |
> (SUPPORT_LD_DEBUG) [N/y/?] n |
| 47 |
> Build the shared library loader with early debugging support |
| 48 |
> (SUPPORT_LD_DEBUG_EARLY) [N/y/?] n |
| 49 |
> Manuel's hidden warnings (UCLIBC_MJN3_ONLY) [N/y/?] n |
| 50 |
> + ./extra/scripts/fix_includes.sh -k /usr -t i386 |
| 51 |
> |
| 52 |
> |
| 53 |
> The file /usr/Makefile is missing! |
| 54 |
|
| 55 |
you need kernel-headers installed in /usr/include and my Makefile patch |
| 56 |
|
| 57 |
> Perhaps your kernel source is broken? |
| 58 |
> ---------------------------------------------------- |
| 59 |
> |
| 60 |
> Next try with arch=arm (thanks spanky) |
| 61 |
> |
| 62 |
> Tested on an arm glibc system that's completely non hardened and |
| 63 |
> encountered more or less the same ssp problem. |
| 64 |
> |
| 65 |
> USE="-*" CFLAGS="-fno-stack-protector" |
| 66 |
> TARGET_CFLAGS="-fno-stack-protector" |
| 67 |
> DISTDIR=/home/solar/overlay/distfiles/ |
| 68 |
> PORTDIR_OVERLAY=/home/solar/overlay/ ebuild uclibc-0.9.26-r2.ebuild |
| 69 |
> clean unpack compile |
| 70 |
> And we fail with ldso errors. |
| 71 |
|
| 72 |
it's normal, because you haven't applied the ssp patches, that add |
| 73 |
-fno-stack-protector[-all] to ldso and libc build makefiles |
| 74 |
|
| 75 |
> |
| 76 |
> |
| 77 |
> Anyway if you care to take another stab at the uclibc ebuild I'd be more |
| 78 |
> than happy to test it on some arches and commit it when it's ready. |
| 79 |
|
| 80 |
maybe I can upload tomorrow my tbz2 files, so anybody could start from a |
| 81 |
"clean" uclibc env. |
| 82 |
|
| 83 |
Peter |
| 84 |
|
| 85 |
> On Tue, 2004-06-15 at 11:51, Ned Ludd wrote: |
| 86 |
> > I've mirrored two more of the files you have sent me to the following |
| 87 |
> > location so others can get to them. |
| 88 |
> > http://dev.gentoo.org/~solar/uclibc/peter_mirror/uClibc-0.9.26-cvs-update-20040613.patch.bz2 |
| 89 |
> > http://dev.gentoo.org/~solar/uclibc/peter_mirror/uClibc-0.9.26-patches-1.0.tar.bz2 |
| 90 |
> > |
| 91 |
> > I've merged a small portion of the app-arch -> sys-apps |
| 92 |
> > .ebuilds+uclibc/nls diffs last night till I about passed out. |
| 93 |
> > |
| 94 |
> > Saving binutils/gcc/uclibc for last. |
| 95 |
> > All the .ebuilds with use uclibc &&|| in the global context or requiring |
| 96 |
> > changes to virtual/* or PROVIDE= will likely be the ones that will take |
| 97 |
> > me/us longer to get in. I want ask SpanKY/vapier to QA those parts. |
| 98 |
> > |
| 99 |
> > On Tue, 2004-06-15 at 09:13, Peter S. Mazinger wrote: |
| 100 |
> > > On 15 Jun 2004, Ned Ludd wrote: |
| 101 |
> > > |
| 102 |
> > > > Quite impressive Peter. |
| 103 |
> > > > I have mirrored your files to |
| 104 |
> > > > http://dev.gentoo.org/~solar/uclibc/peter_mirror/portage-uclibc-overlay-20040614.tar.bz2 |
| 105 |
> > > > and exploded the tarball to |
| 106 |
> > > > http://dev.gentoo.org/~solar/uclibc/peter_mirror/portage-uclibc/ |
| 107 |
> > > > then diffed out the .org files and the .ebuilds the ebuild's patch is |
| 108 |
> > > > here |
| 109 |
> > > > http://dev.gentoo.org/~solar/uclibc/peter_mirror/portage-uclibc-ebuilds-20040614.patch |
| 110 |
> > > |
| 111 |
> > > this is what I really meant, so others can check what changed |
| 112 |
> > > |
| 113 |
> > > > and the profile/script data is here |
| 114 |
> > > |
| 115 |
> > > the script data is yet untested, I have only removed glibc reference from |
| 116 |
> > > there |
| 117 |
> > > |
| 118 |
> > > > http://dev.gentoo.org/~solar/uclibc/peter_mirror/org-uclibc-20040614.patch |
| 119 |
> > > > This will be quite a bit of an undertaking I'm hoping mutex, dragonheat |
| 120 |
> > > > can help with some of these commits. |
| 121 |
> > > > |
| 122 |
> > > > How may megs is your resulting stage/images after the initial bootstrap |
| 123 |
> > > > process? |
| 124 |
> > > |
| 125 |
> > > I can't really tell, I do not have managed to build stages (any help |
| 126 |
> > > appreciated how to do it from tbz2 files), and my env. has left over files |
| 127 |
> > > from my earlier rpms (wouldn't be relevant if counted) |
| 128 |
> > > |
| 129 |
> > > I can tell that the packages/All directory is 58MB (for emerge system) + |
| 130 |
> > > ccache, catalyst |
| 131 |
> > > |
| 132 |
> > > bigger than 1MB are kbd (the keyboard files are next candidates to strip |
| 133 |
> > > down),miscfiles(although stripped, gzipped), ncurses (although not so |
| 134 |
> > > many terminfo files, and no additional libs, like menu,panel,form), db4, |
| 135 |
> > > automake |
| 136 |
> > > bigger than 2MB are libperl, openssl |
| 137 |
> > > bigger than 3MB are binutils |
| 138 |
> > > bigger than 4MB are python |
| 139 |
> > > bigger than 12MB gcc, perl (13MB) |
| 140 |
> > > |
| 141 |
> > > Is there some way to query portage to tell how much the installed stuff |
| 142 |
> > > is? |
| 143 |
> > > |
| 144 |
> > > I haven't checked how much of this is man-pages and info-files, if the |
| 145 |
> > > binaries are really stripped all of them where possible. |
| 146 |
> > > |
| 147 |
> > > I have attached 2 missing files from distfiles (for uClibc) |
| 148 |
> > > |
| 149 |
> > > Busybox is not used at all yet. |
| 150 |
> > > |
| 151 |
> > > There are some things that have to be decide: |
| 152 |
> > > 1. will gcc get a c++ use flag? |
| 153 |
> > > 2. should groff/man/man-pages/info/install-info be in a stage3 |
| 154 |
> > > 3. should ncurses include the full stuff (all libs) |
| 155 |
> > > 4. I would remove all the *.so handling by scripts, if they are installed |
| 156 |
> > > in /lib, they really only should be installed directly into /usr/lib. |
| 157 |
> > > 5. what to do w/ perl (mini/micro-perl are alternatives for the build |
| 158 |
> > > system (autotools should work w/ it) but not for a full featured one, no |
| 159 |
> > > support for addons) |
| 160 |
> > > 6. gettext: as I already said, I would put the *.m4 files into autotools |
| 161 |
> > > and remove gettext from the stages |
| 162 |
> > > 7. locale/nls support: the current only usable variant is to have uClibc |
| 163 |
> > > w/o locale support, and use libintl.{a,h,so} from gettext. |
| 164 |
> > > |
| 165 |
> > > Peter |
| 166 |
> > > |
| 167 |
> > > > I'm CC: the hardened mailing list as others there may have an interest |
| 168 |
> > > > in your work as this uses the hardened profile and all :) |
| 169 |
> > > > |
| 170 |
> > > > On Mon, 2004-06-14 at 19:25, Peter S. Mazinger wrote: |
| 171 |
> > > > > Hello! |
| 172 |
> > > > > |
| 173 |
> > > > > This is the overlay directory I used parallel to portage (it has to be |
| 174 |
> > > > > there for now, else the included links won't work), that allowed me to |
| 175 |
> > > > > build gentoo fully uclibc based (starting from a buildroot config, |
| 176 |
> > > > > building manually python/portage, running emerge sync ...) |
| 177 |
> > > > > |
| 178 |
> > > > > 1. the files directories have only new files and links to the originally |
| 179 |
> > > > > used (for x86), the digest/Manifest files were needed to rebuild fully |
| 180 |
> > > > > with these configs as an overlay directory, the links because portage |
| 181 |
> > > > > can't handle "properly (my opinion)" the overlay directory |
| 182 |
> > > > > |
| 183 |
> > > > > 2. the ebuilds can be diffed to the corresponding version (as of emerge |
| 184 |
> > > > > sync 20040613) to see what I have done |
| 185 |
> > > > > |
| 186 |
> > > > > 3. some of the changes are not directly uclibc related, they correct |
| 187 |
> > > > > typos etc. in the originals, add support to build w/o nls, or strip down |
| 188 |
> > > > > the package somewhat |
| 189 |
> > > > > |
| 190 |
> > > > > 4. the directories profiles, scripts include the original version (*.org) |
| 191 |
> > > > > of files too, the new ones have to be copied over the original tree, the |
| 192 |
> > > > > overlay support does not allow to have these files at another location. |
| 193 |
> > > > > |
| 194 |
> > > > > 5. distfiles include new patches for binutils-2.14.90/15.91 and gcc-3.3.3 |
| 195 |
> > > > > (these have to be copied to the main distfiles, because again the overlay |
| 196 |
> > > > > structure does not support it in another location) |
| 197 |
> > > > > |
| 198 |
> > > > > 6. I haven't tried yet cascaded profiles, the only profile tested is what |
| 199 |
> > > > > I delivered. |
| 200 |
> > > > > |
| 201 |
> > > > > 7. it builds as it is (haven't tried w/ nls, and that is not really |
| 202 |
> > > > > correct in uclibc yet), don't enable nls for now |
| 203 |
> > > > > |
| 204 |
> > > > > 8. stage building and bootstraping was not tested, because I didn't find |
| 205 |
> > > > > an "elegant" way to make a stage1/2/3 from .tbz2 files (any help |
| 206 |
> > > > > appreciated, then I could also provide a stage1) |
| 207 |
> > > > > |
| 208 |
> > > > > 9. for now gettext, yacc (replaced by bison -y), ncompress |
| 209 |
> > > > > (uncompress replaced by gzip), bc, bin86, groff, man[-pages] are not a |
| 210 |
> > > > > part of an 'emerge system', cracklib got support for gzipped files (so |
| 211 |
> > > > > miscfiles is much smaller), w/o groff and man-pages it is not a |
| 212 |
> > > > > requirement to have c++ compiler either (this is not implemented, should |
| 213 |
> > > > > probably be a flag in gcc, like f77, objc), gnuconfig_update is only |
| 214 |
> > > > > needed where configure is run directly, not by econf (econf is hacked to |
| 215 |
> > > > > provide the same functionality, as gnuconfig_update), ncurses does not |
| 216 |
> > > > > deliver the addon libraries (menu,panel,form). Some told me that gettext |
| 217 |
> > > > > can't be removed, else autotools won't run, well I think, the .m4 from |
| 218 |
> > > > > gettext could be added to autotools, and than it should be no problem w/o |
| 219 |
> > > > > it. |
| 220 |
> > > > > |
| 221 |
> > > > > 10. added also my make.conf and package.keywords, to show which versions |
| 222 |
> > > > > where used, the most is stable stuff, but some have to be ~x86. |
| 223 |
> > > > > |
| 224 |
> > > > > 11. mainly the shared libs will have problems, to add support for new |
| 225 |
> > > > > libs, look at the libtool patches (ltconfig-uclibc for older configures |
| 226 |
> > > > > and libtool-1.4.3-uclibc for newer ones) |
| 227 |
> > > > > |
| 228 |
> > > > > 12. be aware that you have to build the buildroot w/ the same config (and |
| 229 |
> > > > > patches), as deduced from the uclibc.ebuild (using in both places the |
| 230 |
> > > > > same cvs too). Do not start from uclibc-0.9.26 stable, because it is not |
| 231 |
> > > > > binary compatible w/ the current cvs. |
| 232 |
> > > > > |
| 233 |
> > > > > 13. hardened stuff: gcc uses pie and ssp, but relro/now are disabled, |
| 234 |
> > > > > relro is also completely removed from binutils, uclibc does not have |
| 235 |
> > > > > support for it (any volunteer to add this to the uclibc's ldso?) |
| 236 |
> > > > > |
| 237 |
> > > > > 14. CHOST has to be set to *linux-uclibc (not linux-gnu) |
| 238 |
> > > > > |
| 239 |
> > > > > Peter |
| 240 |
> > > > |
| 241 |
> |
| 242 |
|
| 243 |
|
| 244 |
|
| 245 |
-- |
| 246 |
gentoo-hardened@g.o mailing list |
Archives