| 1 |
On Friday 26 June 2009 14.36.04 klondike wrote: |
| 2 |
> 2009/6/26 Ed W <lists@××××××××××.com>: |
| 3 |
> > klondike wrote: |
| 4 |
> >>> Apologies for replying to my own post, but I just realised that you |
| 5 |
> >>> were posing the question in the context of klondike's blog post. I do |
| 6 |
> >>> not know what the status of SSP is in the overlays and/or experimental |
| 7 |
> >>> toolchains so I'll bow out and leave it to one of the toolchain gurus |
| 8 |
> >>> to provide a credible response. My answer applies to the gcc ebuild in |
| 9 |
> >>> the mainline tree. |
| 10 |
> >> |
| 11 |
> >> Although I may be wrong, AFAIK SSP works nice with almost anything |
| 12 |
> >> except libstdc++, also packages which need it to be disabled (ie |
| 13 |
> >> thunderbird) usually do it without a problem of after pattching a bit |
| 14 |
> >> the ebuild. Anyway, I think the best one to answer is Zorry or Xake as |
| 15 |
> >> they maintain it. |
| 16 |
> > |
| 17 |
> > So the Xake overlay is GCC 4.3.2 with the GCC 4 SSP enabled? |
| 18 |
> |
| 19 |
> Mainly I could say it is. |
| 20 |
> |
| 21 |
> > My limited understanding is that the GCC 4 (new) SSP implementation |
| 22 |
> > should be relatively benign and supported already by a modern toolchain |
| 23 |
> > with no further patches? I would naively assume that since Redhat (and |
| 24 |
> > others) seem to be building their distros with it turned on that most |
| 25 |
> > packages would already be largely patched upstream to cope with it? |
| 26 |
> > (certainly I am more interested in server packages than desktop |
| 27 |
> > packages) |
| 28 |
> |
| 29 |
> I think Ubuntu has enabled it too. But I don't know how well or bad |
| 30 |
> are packages usually supported upstream.. I have run an apache2 server |
| 31 |
> and a verlihub server with the toolchain without issues, but I can't |
| 32 |
> gurantee you nothing as the server still hasn't had heavy load. |
| 33 |
> |
| 34 |
> >> Anyway, at least on the overlay uclibc is still not supported :( |
| 35 |
> >> http://github.com/Xake/toolchain-overlay/blob/54581c25b74be5a5dc3d8c1de6 |
| 36 |
> >>1dba55db7c639f/README |
| 37 |
> > |
| 38 |
> > Does Xake hang out here? Curious as to what the issues will be found in |
| 39 |
> > uclibc. I'm not specially tied to uclibc, just that it seems to work |
| 40 |
> > nicely so far and I'm not desperately tight on drive space... |
| 41 |
> |
| 42 |
> I don't know the reasons for uclibc being not supported, but I think |
| 43 |
> it was because of some compilation problems. (Can't find the tickets, |
| 44 |
> sorry). |
| 45 |
The problem with uclibc is that it don't support TLS and GCC > 4.1 SSP use TLS |
| 46 |
See bug #149292 and #267335 on bugs.gentoo.org |
| 47 |
It may only need gcc4-stack-protector-uclibc-no-tls.patch but i can have wrong |
| 48 |
to. We are working hard to get GCC 4.4.0 with Hardened enabled and pass full |
| 49 |
gcc testsuite. I will try to get the patchset upstream in GCC 4.5 so we only |
| 50 |
need small patch to run it on Gentoo and it may get use by some more distros. |
| 51 |
To get SSP as default with no CFLAGS or CXXFLAGS with -fstack-protector, GCC |
| 52 |
need patches and some stuff in GCC sources don't compile well with SSP on. |
| 53 |
Gentoo's Hardened Toolchain for GCC 4.* have the SSP compile patches but don't |
| 54 |
have the needed spec and fixes in toolchain.eclass to use it as default and |
| 55 |
some packages in the tree don't have the GCC 4.* SSP support yet. A fix is to |
| 56 |
add -fstack-protector to the CFLAGS and CXXFLAGS but you can get PROBLEM TO. |
| 57 |
The overlay have SSP and PIE enable by default but lacks some fixes for |
| 58 |
packages and we still fix bugs and it can be b0rked time to time. :) |
| 59 |
|
| 60 |
Ubuntu and Debian use SSP as default with patched GCC source. |
| 61 |
But only -fstack-protector is enable and we use -fstack-protector-all as |
| 62 |
default in the Hardened Toolchain so we may hit more bugs. |
| 63 |
|
| 64 |
Xake do hang out her when he have time. |
| 65 |
If more info needed ask in the forum or on irc #gentoo-hardened @ Freenode or |
| 66 |
the ml. |
| 67 |
|
| 68 |
http://hardened.gentooexperimental.org/trac/secure/wiki |
| 69 |
/Zorry |
Archives