cvs commit: hints winter.txt

tushar at linuxfromscratch.org tushar at linuxfromscratch.org
Thu Apr 1 07:37:44 PST 2004


tushar      04/04/01 08:37:44

  Modified:    .        winter.txt
  Log:
  Updated: winter.txt
  
  Revision  Changes    Path
  1.7       +53 -289   hints/winter.txt
  
  Index: winter.txt
  ===================================================================
  RCS file: /home/cvsroot/hints/winter.txt,v
  retrieving revision 1.6
  retrieving revision 1.7
  diff -u -u -r1.6 -r1.7
  --- winter.txt	20 Feb 2004 06:38:07 -0000	1.6
  +++ winter.txt	1 Apr 2004 15:37:44 -0000	1.7
  @@ -1,306 +1,68 @@
   AUTHOR: Robert Connolly <cendres at videotron dot ca> (ashes)
   
  -DATE:   2004-02-17
  +DATE:   2004-03-29
   
   LICENSE:        Public Domain
   
  -SYNOPSIS:       Position Independent Executables + Pax + SSP
  +SYNOPSIS:       Hardened cross compiling
   
  -PRIMARY URL:	https://twocents.mooo.com/
  -This hint changes often. The newest copy is here:
  -https://twocents.mooo.com/hints/downloads/files/winter.txt
  +PRIMARY URL:	http://www.linuxfromscratch.org/~robert/winter/
   
   DESCRIPTION:
  -Position independent executables (Pie) is the superset of position independent
  -code (Pic). Pie will be formally available with gcc-3.4, this hint uses the
  -original patch which made it in gcc-3.4. This provides extra security features
  -that can be used by Pax/Grsecurity, exec-shield, and others. It is also a good
  -idea to use Smashing Stack Protector together with this even though there is
  -overlapping functionality. PIE is only supported on ELF platforms.
  -
  -http://gcc.gnu.org/ml/gcc-patches/2003-06/msg00140.html
  -http://pax.grsecurity.net/
  -http://www.grsecurity.net/
  -http://people.redhat.com/mingo/exec-shield/
  +The previous contents of this hint were added to Hardened Linux From Scratch
  +and the HLFS book is reccomended for native platform compiling for Linux.
  +http://www.linuxfromscratch.org/hlfs/
  +Also see:
  +http://www.linuxfromscratch.org/~robert/winter/Linux/
  +
  +This hint will continue to try to port position independent executables (pie)
  +and smashing stack protector (ssp), by default, to non-x86 and non-glibc
  +targets. For more information about pie and ssp please reffer to the HLFS
  +mailing list and book. The official homepage for ssp is here:
   http://www.research.ibm.com/trl/projects/security/ssp/
  +There isn't really an official homepage for pie, except for:
  +http://gcc.gnu.org/
  +http://gcc.gnu.org/ml/gcc-patches/2003-06/msg00140.html
   
  -PREREQUISITES: LFS-5.0
  +Both of these features are related to GCC and are as portable as GCC, almost.
  +If my information is correct ssp does not work on hppa, but pie does. And pie
  +only works on elf systems.
  +
  +PREREQUISITES: none
   
   HINT:
  +These are basicly the same patches as for a native Linux build. The libc patch
  +is different but I am trying to find a way to make the same code work on all
  +platforms.
  +
  + - NetBSD
  +As you may already know, NetBSD will build on Linux. This is the complete hint
  +for building NetBSD with propolice smashing stack protector.
  +http://www.linuxfromscratch.org/~robert/winter/NetBSD/netbsd-ssp.txt
  +
  +Please note the XF4 patch only works on version 4.3. 4.4 is not yet supported.
  +Follow NetBSD's instructions for cross compiling.
  +
  + - FreeBSD
  +This isn't finished, there is a problem with filc(). If you want to
  +test it most of the patching is done, there is a hint here:
  +http://www.linuxfromscratch.org/~robert/winter/FreeBSD/freebsd-ssp.txt
  +
  + - Todo & Misc
  +Make a multiplatform autopie patch, test it against Linux and *bsd.
  +
  +Uclibc has ssp and pie support, but I have never tested it.
  +
  +I would like to support gcc-2.95.3 if there is any demand for it, so far none.
  +
  +Minix and ssp might get along. Either backport ssp to gcc-2.7, or port minix to
  +gcc-2.95.3 or gcc3. Minix is an a.out system, not elf, so pie will not work
  +because of the minix libc.
   
  -=======
  -Context
  -=======
  -
  -	Introduction
  -	Downloads
  -	Installation
  -	Testing
  -	Feedback
  -	Acknowledgments
  -
  -============
  -Introduction
  -============
  -Regular dynamic executables use predefined load addresses. Among other things
  -this means a bug or hole in software could be exploited repeatedly because
  -the program behaviour is completely predictable. Like shared libraries, PIE
  -objects are relocated by the dynamic linker with an independent load address
  -chosen by the kernel at runtime. Usually PIE objects are slightly larger and
  -slower compared to non-pie at runtime, but shared memory makes up for this.
  -When code is not position independent it normaly can be modified except in
  -extream cases. Running 'readelf -d /path/to/object | grep TEXTREL' on
  -applications or libraries will show if the shared object is completely
  -position independent. If an object contains TEXT RELocation then it is not
  -position independent. To take full advantage of this the entire system should
  -be built with the 'gcc -pie' flag, and the Pax kernel patch will add many
  -kernel level features for randomizing functions, disallowing executable stack,
  -even disallowing TEXTREL, and more.
  -
  -See ld man page for -pie
  -
  -Notes:
  -There is still much work to be done to get XFree86 working with notextrelocs.
  -Something like Grub will never build with PIE or SSP, but we can still build
  -Grub without them and use it to boot.
  -
  -HJL is the only supported binutils at the moment. You can try FSF cvs if you
  -want but I'm not supporting it right now. I will preffer it in the future so
  -HJL is optional.
  -
  -To make the PaX kernel option 'NOELFRELOCS' to work we need to get rid of
  -TEXTREL from our shared objects. You can search for them with:
  -readelf -d src/prog | grep TEXTREL
  -And while file() isn't installed you can use readelf -l to conferm all libs
  -and progs you install are shared objects.
  -
  -BTW, fpie and fPIE are the same thing on the x86, on some other platforms
  -they're a bit different. See the gcc man page for more info. fpie/fPIE are
  -suspect to TEXTREL, use them with caution. The general rule when using these
  -flags by hand is, gcc -fpie is for libs, ld -pie is for executables. Gcc -pie
  -tends to be the best choice, I think gcc figures out the specifics internaly.
  -
  -The 'ld -z now' flag has been added to the autopie patch (see below) and is not
  -expected to cause problems. -fforce-addr has also been added.
  -
  -TODO:
  -test 'ld -z relro'. Notextrel does a better job than this. Might be helpfull
  -on systems that are not completly PIE.
  -
  -=========
  -Downloads
  -=========
  -Get everything from this. The origin of each patch is printed on the top of the
  -patch.
  -https://twocents.mooo.com/patches/patches.tar.bz2
  ---------
  -Binutils
  ---------
  -HJL
  -ftp://ftp.kernel.org/pub/linux/devel/binutils/binutils-2.14.90.0.8.tar.bz2
  -
  ------
  -Glibc
  ------
  -In the patch.tar.bz2 above includes a 20031202-20040129 patch for glibc. This
  -is the alternitive.
  -
  -cvs -z3 -d :pserver:anoncvs at sources.redhat.com:/cvs/glibc login
  -passwd: anoncvs
  -cvs -z3 -d :pserver:anoncvs at sources.redhat.com:/cvs/glibc \
  -	co -D "04-01-29 00:00:00 UTC" libc
  -
  -mv libc glibc-2.3.3-20040129
  -find glibc-2.3.3-20040129 -type d -name "CVS" | xargs rm -rf
  -find glibc-2.3.3-20040129 -type f -name ".cvsignore" | xargs rm -f
  -tar jcf glibc-2.3.3-20040129.tar.bz2 glibc-2.3.3-20040129
  -rm -rf glibc-2.3.3-20040129
  -
  -----
  -Pax
  -----
  -This changes too often, I don't want to maintain a copy of it.
  -Check http://pax.grsecurity.net/ for updates.
  -Kernel 2.4
  -http://pax.grsecurity.net/pax-linux-2.4.23-200402042140.patch
  -
  -Kernel 2.6
  -http://pax.grsecurity.net/pax-linux-2.6.1-200401091905.patch
  -
  -This is an information leak patch. Its not public for 2.6 yet.
  -http://cr0.org/pax-obscure/pax+obs-linux-2.4.22-200308302223.tar.gz
  -
  -----
  -HGCC
  -----
  -No longer needed. Use the Gcc auto patch instead.
  -
  -The auto patch should build everything in the LFS base properly, BLFS packages
  -will pose more issues. It basicly adds cflags="-pie -fstack-protector-all".
  -
  -=====================
  -Installation
  -=====================
  ----------
  -Chapter 5
  ----------
  -This is almost the same procedure as with SSP. There is no point patching
  -GCC pass 1, unless of course your host system was built with this hint.
  -
  - - Binutils
  -Don't patch binutils pass 1.
  -
  - - GCC
  -Don't patch gcc pass 1.
  -
  - - Glibc-cvs
  -If you're using the lfs glibc-20031202 package, update it with this:
  -patch -Np1 -i ../glibc-2.3.3-20031202-20040129.diff
  -
  -Need all of these:
  -patch -Np1 -i ../glibc-2.3.3-pax-dl_execstack-1.patch
  -patch -Np1 -i ../glibc-2.3.3-pax-iconvconfig-1.patch
  -patch -Np1 -i ../glibc-2.3.3-pt_pax-1.patch
  -patch -Np1 -i ../glibc-2.3.3-ssp-functions-1.patch
  -
  -Checking for fpie may answer "no" in configure, that is expected.
  -
  - - Adjust toolchain, tcl, expect, dejagnu.
  -
  - - GCC pass 2
  -The gcc in chapter6 should not have textrel, this one will.
  -Notes: Maybe having a static gcc installed is the textrel bug???
  -This make bootstrap is important to help chap6 gcc testsuite.
  -
  -patch -Np1 -i ../gcc-3.3-pie-2.patch
  -patch -Np1 -i ../gcc-3.3.3-ssp-1.patch
  -patch -Np1 -i ../gcc-3.3.3-autopie-x86-1.patch
  -
  -make bootstrap
  -
  -After make install open /tools/lib/gcc-lib/i686-pc-linux-gnu/3.3.3/specs and
  -edit the line below "*cc1:" and append this:
  -%{!fno-stack-protector: -fstack-protector-all}
  -
  - - Binutils
  -You can make with -fstack-protector-all and in cc1. Have to use generic specs
  -for make check.
  -
  -patch -Np1 -i ../binutils-2.14.90.0.8-pt_pax-1.patch
  -...
  -cp gcc-3.3.3-chap5-generic.specs \
  -	/tools/lib/gcc-lib/i686-pc-linux-gnu/3.3.3/specs
  -make check
  -gcc -dumpspecs >/tools/lib/gcc-lib/i686-pc-linux-gnu/3.3.3/specs
  -...
  -
  -You can add -fstack-protector-all back after make check is done so the rest of
  -chap5 has SSP built in.
  -
  - - Gzip
  -gzip-1.3.5 uses asm deflate code, which is not position independent.
  -This should be optional but I don't know how to make it use C code instead.
  -Untill then use gzip-1.3.4 from:
  -ftp://alpha.gnu.org/gnu/gzip/gzip-1.3.4.tar.gz
  -
  -Don't forget m4, bison, and flex for hjl binutils.
  ----------
  -Chapter 6
  ----------
  - - Glibc-cvs
  -For now, don't build Glibc or GCC with -fstack-protector. PIE is fine, but
  -before building glibc remove the SSP flags from the specs file.
  -
  -If you're using the lfs glibc-20031202 package, update it with this:
  -patch -Np1 -i ../glibc-2.3.3-20031202-20040129.diff
  -
  -patch -Np1 -i ../glibc-2.3.3-pax-dl_execstack-1.patch
  -patch -Np1 -i ../glibc-2.3.3-pax-iconvconfig-1.patch
  -patch -Np1 -i ../glibc-2.3.3-pt_pax-1.patch
  -patch -Np1 -i ../glibc-2.3.3-ssp-functions-1.patch
  -
  -Checking for fpie should answer "yes" durring configure.
  -
  -Add SSP back in specs.
  -
  - - Adjust toolchain
  -
  - - Binutils
  -Use this patch anytime you install binutils from now on.
  -
  -patch -Np1 -i ../binutils-2.14.90.0.8-pt_pax-1.patch
  -
  -Haven't been able to shake these errors.
  -FAIL: TLS -fpic -shared transitions
  -FAIL: TLS -fpic and -fno-pic exec transitions
  -FAIL: TLS -fno-pic -shared
  -
  -Hopefully I can find a way to resolve this (it is bleeding edge, upstream might
  -fix it for me).
  -
  - - GCC
  -Take SSP out of specs.
  -
  -If you have unexpected failures from the testsuite, like binutils, I believe
  -they are bugs in the testsuite, not gcc itself. All the bugs in the Gcc
  -testsuite are from SSP, not PIE.
  -
  -patch -Np1 -i ../gcc-3.3-pie-2.patch
  -patch -Np1 -i ../gcc-3.3.3-ssp-1.patch
  -patch -Np1 -i ../gcc-3.3.3-auto-pie-ssp-x86-1.patch
  -
  -After make install add SSP specs to:
  -/usr/lib/gcc-lib/i686-pc-linux-gnu/3.3.3/specs
  -
  - - Zlib
  -This patch lets zlib build with pic/pie. These have to be patched in this order.
  -patch -Np1 -i ../zlib-1.2.1-pax-glibc-1.patch
  -patch -Np1 -i ../zlib-1.2.1-pax-fPIC-1.patch
  -
  - - Grub
  -cp gcc-3.3.3-chap6-generic.specs \
  -	/usr/lib/gcc-lib/i686-pc-linux-gnu/3.3.3/specs
  -
  -configure, make, and make install.
  -
  -gcc -dumpspecs >/usr/lib/gcc-lib/i686-pc-linux-gnu/3.3.3/specs
  -
  - - Gzip
  -Remember to use v1.3.4 again
  -
  - - Util Linux
  -This adds fpic/fpie to util-linux (pivot_root bug).
  -patch -Np1 -i ../util-linux-2.12-pic-1.patch
  -
  - - GCC2
  -I think gcc2 should still work for building kernels.
  -patch -Np1 -i ../gcc-2.95.3-ssp-1.patch
  -
  ----------
  -Chapter 8
  ----------
  - - Linux Kernel
  -All PaX options should work. Read the help menus and play with it. Enabling
  -noelfrelocs will break gcc, but everything else should work. To get XFree86
  -working either find the patches or start disabling some options.
  -
  -patch -Np1 -i ../linux-2.4.25-ssp-1.patch
  -patch -Np1 -i ../pax-linux-2.4.23-200401091805.patch
  -...
  -make CC="/opt/gcc-2.95.3/bin/gcc -fstack-protector" dep
  -make CC="/opt/gcc-2.95.3/bin/gcc -fstack-protector" bzImage
  -
  -========
  -Testing
  -========
  -Download this, make generic, and run ./paxtest
  -http://pax.grsecurity.net/paxtest-0.9.5.tar.gz
  -
  -========
  -Feedback
  -========
  +Check status of newlib, dietlibc, and others. Ssp should work, maybe pie too.
   
  -<cendres at videotron dot ca>
  +Testers with funky systems are needed. If you want to help please email me at:
  +cendres at videotron dot ca
   
   ACKNOWLEDGMENTS:
   
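
Review bot: the verification steps are removed with nothing in their place. The `-` lines drop both the `readelf -d src/prog | grep TEXTREL` check and the Testing section (paxtest), while the new DESCRIPTION and HINT text aim for pie and ssp "by default" on NetBSD, FreeBSD and other targets without saying how a builder confirms the protections are present in the cross-built result. Suggest keeping a short check in the hint itself, or stating where in the HLFS book it now lives. Smaller points in the added lines: "reccomended", "reffer" and "basicly" are misspelled; the FreeBSD entry names a problem with filc() but not what fails or how to recognise it; the hppa claim is hedged with "If my information is correct" and would be better with a source; and the new PRIMARY URL and HLFS links are plain http where the removed twocents.mooo.com URLs were https.
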
  @@ -381,3 +143,5 @@
   * Upgrade to gcc-3.3.3
   * New auto patches. Hgcc is obsolete (I hope).
   * Got textrel out of gcc.
  +[2004-03-29]
  +* Plotted new goal of platform independence.
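
Review bot: the changelog entry added under `[2004-03-29]` records only the new goal and not that this revision removes the native Linux PIE/PaX/SSP instructions, which the new DESCRIPTION says were added to HLFS. Someone reading the changelog alone would not learn where the Installation and Testing sections went. Suggest a second bullet along the lines of "* Moved native Linux instructions to the HLFS book."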
  
  
  


