cvs commit: hints winter.txt

tushar at linuxfromscratch.org
Sun Feb 15 15:05:33 PST 2004


tushar      04/02/15 16:05:33

  Modified:    .        winter.txt
  Log:
  Updated: winter.txt
  
  Revision  Changes    Path
  1.5       +181 -83   hints/winter.txt
  
  Index: winter.txt
  ===================================================================
  RCS file: /home/cvsroot/hints/winter.txt,v
  retrieving revision 1.4
  retrieving revision 1.5
  diff -u -u -r1.4 -r1.5
  --- winter.txt	3 Feb 2004 22:18:58 -0000	1.4
  +++ winter.txt	15 Feb 2004 23:05:33 -0000	1.5
  @@ -1,15 +1,24 @@
   AUTHOR: Robert Connolly <cendres at videotron dot ca> (ashes)
   
  -DATE:   2004-02-02
  +DATE:   2004-02-08
   
   LICENSE:        Public Domain
  +Dedicated to the benefit of the public at large without condition.
   
  -SYNOPSIS:       Position independent executables + Pax
  +SYNOPSIS:       Position independent executables + Pax + SSP
   
  -PRIMARY URL:	ftp://twocents.mooo.com/pub/
  +PRIMARY URL:	https://twocents.mooo.com/
  +This hint changes often. The newest copy is here:
  +https://twocents.mooo.com/hints/downloads/files/winter.txt
   
  -DESCRIPTION:
  +STATUS:
   Experimental
  +This hint shows how to use toolchain and kernel patches and options to aquire
  +some of the best security options available to the public. I believe the
  +resulting system from this hint should be fairly stable and good for real world
  +testing. Reccomened for non-critical firewalls.
  +
  +DESCRIPTION:
   Position independent executables (pie) is the superset of position independent
   code (pic). Pie will be formally available with gcc-3.4, this hint uses the
   original patch which made it in gcc-3.4. This provides extra security features
  @@ -40,45 +49,40 @@
   ============
   Introduction
   ============
  -Follow the cvs book with this hint. Unfortunately -fpie is slightly broken in
  -the glibc-2.3.3 that is in the LFS cvs book. I tested this against 
  -glibc-2.3-20040129. You also need a binutils that understands -pie, either HJL,
  -or FSF-cvs. If you use FSF-cvs binutils you will have to comment out the sanity
  -code in glibc/configure. grep -n -e "too old" configure, and comment out the
  -whole test. HJL should work without that hassle. I don't have a relro patch for
  -FSF binutils yet either, so HJL is reccommended.
  +FIXME
  +HJL is the only supported binutils at the moment. You can try FSF cvs if you
  +want but I'm not supporting it right now. I will preffer it in the future so
  +HJL is optional.
  +
  +BTW, fpie and fPIE are the same thing on the x86, on some other platforms
  +they're a bit different. See the gcc man page for more info. fpie/fPIE are
  +suspect to TEXTREL, use them with caution.
  +
  +TODO:
  +test 'ld -z now relro'.
   
   =========
   Downloads
   =========
  +Get everything from this. The origin of each patch is printed on the top of the
  +patch.
  +https://twocents.mooo.com/patches/patches.tar.bz2
   -----
   Glibc
   -----
  -Thanks to Teemu Tervo nptl hint. This shouldn't be nessesary soon.
  +In the patch.tar.bz2 above includes a 20031202-20040129 patch for glibc. This
  +is the alternitive.
   
  -cvs -d :pserver:anoncvs at sources.redhat.com:/cvs/glibc -z3 co libc
  -mv libc glibc-2.3-`date +%Y%m%d`
  -tar cjf glibc-2.3-`date +%Y%m%d`.tar.bz2 glibc-2.3-`date +%Y%m%d`
  -rm -rf glibc-2.3-`date +%Y%m%d
  -
  -Glibc uses an executable stack in ld.so. To use Pax you will need this patch.
  -http://csociety-ftp.ecn.purdue.edu/pub/gentoo-portage/ \
  -	sys-libs/glibc/files/2.3.3/glibc-2.3.3-dl_execstack-PaX-support.patch
  -http://www.linuxfromscratch.org/patches/downloads/glibc/ \
  -	glibc-2.3.3-dl_execstack-PaX-support-1.patch
  -ftp://twocents.mooo.com/pub/hcc/pie/glibc-2.3.3-dl_execstack-PaX-support-1.patch
  -
  -This gives us Pax friendly behaviour from iconvconfig. I don't think its completely
  -nessesary. (works on gcc-2.3.3 too)
  -http://mirror.calvin.edu/gentoo/gentoo-portage/sys-libs/glibc/files/ \
  -	2.3.2/glibc-2.3.2-iconvconfig-name_insert.patch
  -ftp://twocents.mooo.com/pub/hcc/pie/glibc-2.3.2-iconvconfig-name_insert.patch
  -
  -This is pt_gnu support for Pax. Needed to use softmode, will become obligatory
  -eventualy.
  -http://mirror.calvin.edu/gentoo/gentoo-portage/sys-libs/glibc/files/ \
  -	2.3.3/glibc-2.3.3_pre20040117-pt_pax.diff
  -ftp://twocents.mooo.com/pub/hcc/pie/glibc-2.3.3_pre20040117-pt_pax.diff
  +cvs -z3 -d :pserver:anoncvs at sources.redhat.com:/cvs/glibc login
  +passwd: anoncvs
  +cvs -z3 -d :pserver:anoncvs at sources.redhat.com:/cvs/glibc \
  +	co -D "04-01-29 00:00:00 UTC" libc
  +
  +mv libc glibc-2.3.3-20040129
  +find glibc-2.3.3-20040129 -type d -name "CVS" | xargs rm -rf
  +find glibc-2.3.3-20040129 -type f -name ".cvsignore" | xargs rm -f
  +tar jcf glibc-2.3.3-20040129.tar.bz2 glibc-2.3.3-20040129
  +rm -rf glibc-2.3.3-20040129
   
   --------
   Binutils
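Review bot: the Glibc paragraph refers to `patch.tar.bz2` while the download introduced just above it is `patches.tar.bz2`; use one name, and the sentence `In the patch.tar.bz2 above includes a 20031202-20040129 patch for glibc. This is the alternitive.` needs rewording to say what it is an alternative to (the cvs checkout below it, presumably). The bare `+FIXME` at the top of Introduction will be published as-is; either resolve it or say what is missing. The checkout `co -D "04-01-29 00:00:00 UTC"` would be unambiguous with a four-digit year, e.g. `-D "2004-01-29 00:00:00 UTC"`, matching the `20040129` in the directory name. Spelling: `preffer`, `alternitive`, and `suspect to TEXTREL` (susceptible).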
  @@ -86,106 +90,192 @@
   HJL
   ftp://ftp.kernel.org/pub/linux/devel/binutils/binutils-2.14.90.0.8.tar.bz2
   
  -This patch combines 3 patches temporarily. When 2.14.90.0.9 is released we will only
  -need to patch the pt_pax portion. I think I forgot to mention this hint is bleeding
  -edge :)
  -ftp://twocents.mooo.com/pub/hcc/pie/ \
  -	binutils-2.14.90.0.8-pt_pax-eh_frame-relro-1.patch
  -
  -----
  -PIE
  -----
  -Only need one on these.
  -http://cvs.mandrakesoft.com/cgi-bin/cvsweb.cgi/~checkout~/ \
  -        SPECS/gcc/gcc33-pie.patch
  -http://www.linuxfromscratch.org/patches/downloads/gcc/ \
  -        gcc-3.3-pie-1.patch
  -ftp://twocents.mooo.com/pub/hcc/pie/gcc-3.3-pie-2.patch
  -
   ----
   Pax
   ----
  +This changes too often, I don't want to maintain a copy of it.
  +Check http://pax.grsecurity.net/ for updates.
   Kernel 2.4
  -http://pax.grsecurity.net/pax-linux-2.4.23-200401091805.patch
  +http://pax.grsecurity.net/pax-linux-2.4.23-200402042140.patch
   
   Kernel 2.6
   http://pax.grsecurity.net/pax-linux-2.6.1-200401091905.patch
   
  -This is an information leak patch. Its not available for 2.6 yet :(
  +This is an information leak patch. Its not public for 2.6 yet.
   http://cr0.org/pax-obscure/pax+obs-linux-2.4.22-200308302223.tar.gz
   
   ----
   HGCC
   ----
  -This is a specs file editor for changing the default behavior of gcc to use
  --fpie and -ftack-protector-all. Check for newer versions. If anyone wants to
  -write this script better email me. hgcc3 has added ld -z relro and combreloc.
  -ftp://twocents.mooo.com/pub/hcc/hgcc3.sh
  +Not currently working. If any of you are good at sh scripting please email me
  +to get this script working again.
   
   =====================
   Installation
   =====================
  +For now, glibc and gcc are skipped from SSP untill hgcc is fixed.
  +
   ---------
   Chapter 5
   ---------
  +This is almost the same procedure as with SSP. There is no point patching
  +GCC pass 1, unless of course your host system was built with this hint.
  +
  +To make the PaX kernel option 'NOELFRELOCS' to work we need to get rid of
  +TEXTREL from our shared objects. You can search for them with:
  +readelf -d src/prog | grep TEXTREL
  +And while file() isn't installed you can use readelf -l to conferm all libs
  +and progs you install are shared objects (before you install them).
  +
    - Binutils
  -Use this everytime you build binutils.
  -patch -Np1 -i ../binutils-2.14.90.0.8-pt_pax-eh_frame-relro-1.patch
  +Don't patch binutils pass 1.
   
  -Before make check do hgcc -r. After make check do hgcc -pa-fpie
  -Repeat this for any binutils make check. No other packages are known to have
  -issues like this.
  + - GCC
  +Don't patch gcc pass 1.
   
    - Glibc-cvs
  -If you plan to use the programs in /tools after you reboot, then use the patches
  -from chap6 glibc below.
  +If you're using the lfs glibc-20031202 package, update it with this:
  +patch -Np1 -i ../glibc-2.3.3-20031202-20040129.diff
  +
  +patch -Np1 -i ../glibc-2.3.3-pax-dl_execstack-1.patch
  +patch -Np1 -i ../glibc-2.3.3-pax-iconvconfig-1.patch
  +patch -Np1 -i ../glibc-2.3.3-pt_pax-1.patch
  +patch -Np1 -i ../glibc-2.3.3-ssp-functions-1.patch
  +
  +Checking for fpie may answer "no" in configure, that is expected.
   
    - GCC pass 2
  +These flags and a make boostrap insure gcc is a shared object when installed.
  +You can expect TEXTREL in the installed gcc, its a known bug.
  +
   patch -Np1 -i ../gcc-3.3-pie-2.patch
  +patch -Np1 -i ../gcc-3.3.2-ssp-1.patch
  +
  +CFLAGS="-O2 -pie" CXXFLAGS="-O2 -pie" ../gcc-3.3.2/configure...
  +make CFLAGS="-O2 -pie" CXXFLAGS="-O2 -pie" BOOT_CFLAGS="-O2 -pie" \
  +	BOOT_CXXFLAGS="-O2 -pie" bootstrap
  +make CFLAGS="-O2 -pie" CXXFLAGS="-O2 -pie" -k check
   
    - HGCC
  -cp hgcc3.sh /tools/bin/hgcc
  -chmod +x /tools/bin/hgcc
  -hgcc -pa-fpie
  +I would like you to look at the diffs between this and your original. It works
  +for me on my athlon, different platforms may differ. This adds ssp and pie by
  +default without filters. (still do 'locking in')
  +
  +cp gcc-3.3.2-chap5-1.specs /tools/lib/gcc-lib/i686-pc-linux-gnu/3.3.2/specs
  +
  + - Binutils
  +Don't worry about this make check.
  +patch -Np1 -i ../binutils-2.14.90.0.8-pt_pax-1.patch
  +
  + - Gzip
  +gzip-1.3.5 uses asm deflate code, which is not be position independent.
  +This should be optional but I don't know how to make it use C code instead.
  +Untill then use gzip-1.3.4 from:
  +ftp://alpha.gnu.org/gnu/gzip/gzip-1.3.4.tar.gz
   
  +Don't forget m4, bison, and flex for hjl binutils.
   ---------
   Chapter 6
   ---------
  - - Glibc
  -patch -Np1 -i ../glibc-2.3.3-dl_execstack-PaX-support-1.patch
  -patch -Np1 -i ../glibc-2.3.2-iconvconfig-name_insert.patch
  -patch -Np1 -i ../glibc-2.3.3_pre20040117-pt_pax.diff
  + - Glibc-cvs
  +If you're using the lfs glibc-20031202 package, update it with this:
  +patch -Np1 -i ../glibc-2.3.3-20031202-20040129.diff
  +
  +patch -Np1 -i ../glibc-2.3.3-pax-dl_execstack-1.patch
  +patch -Np1 -i ../glibc-2.3.3-pax-iconvconfig-1.patch
  +patch -Np1 -i ../glibc-2.3.3-pt_pax-1.patch
  +patch -Np1 -i ../glibc-2.3.3-ssp-functions-1.patch
  +
  +Checking for fpie should answer "yes" durring configure.
  +
  +Glibc is a bit picky about the specs, for now do this.
  +Before configure clear the specs file for SSP. FIXME
  +Make check will fail unless pie/pic is cleared from specs. FIXME
  +
  +gcc -dumpspecs > /tools/lib/gcc-lib/i686-pc-linux-gnu/3.3.2/specs
  +
  +CFLAGS="-O2 -pie" CXXFLAGS="-O2 -pie" ../glibc-2.3.3/configure...
  +make CFLAGS="-O2 -pie" CXXFLAGS="-O2 -pie"
  +make CFLAGS="-O2 -pie" CXXFLAGS="-O2 -pie" check
  +
  +Restore SSP and PIE to the specs after make install. (Still using chap5 specs
  +because we're still linking to /tools at this stage)
  +
  +cp gcc-3.3.2-chap5-1.specs /tools/lib/gcc-lib/i686-pc-linux-gnu/3.3.2/specs
  +
  + - Binutils
  +FIXME - Testsuite failures are testsuite bugs, not binutils bugs. The installed
  +programs should be perfectly stable.
  +Use this patch anytime you install binutils from now on.
  +
  +patch -Np1 -i ../binutils-2.14.90.0.8-pt_pax-1.patch
  +
  +Haven't been able to shake these errors.
  +FAIL: TLS -fpic -shared transitions
  +FAIL: TLS -fpic and -fno-pic exec transitions
  +FAIL: TLS -fno-pic -shared
   
  -Checking for fpie and relro should answer "yes" durring configure.
  +Hopefully I can find a way to resolve this (it is bleeding edge, upstream might
  +fix it for me).
   
    - GCC
  +Build fails with fpie in the specs. And I can't get textrel out of gcc. This
  +might take some work to fix for NOELFRELOCS.
  +Remove SSP from specs FIXME
  +
   patch -Np1 -i ../gcc-3.3-pie-2.patch
  +patch -Np1 -i ../gcc-3.3.2-ssp-1.patch
   
  - - HGCC
  -cp hgcc3.sh /usr/bin/hgcc
  -chmod +x /usr/bin/hgcc
  -hgcc -pa-fpie
  +gcc -dumpspecs > /tools/lib/gcc-lib/i686-pc-linux-gnu/3.3.2/specs
  +
  +* Adding this to cc1 is fine, dont know if it helps anything though:
  +	%{fPIC: -fPIE} %{fpic: -fpie}
  +
  +CFLAGS="-O2 -pie" CXXFLAGS="-O2 -pie" ../gcc-3.3.2/configure...
  +make CFLAGS="-O2 -pie" CXXFLAGS="-O2 -pie"
  +
  +After make install
  +cp gcc-3.3.2-chap6-1.specs /usr/lib/gcc-lib/i686-pc-linux-gnu/3.3.2/specs
  +
  + - Zlib
  +This patch lets zlib build with pic/pie. These have to be patched in this order.
  +patch -Np1 -i ../zlib-1.2.1-pax-glibc-1.patch
  +patch -Np1 -i ../zlib-1.2.1-pax-fPIC-1.patch
   
    - Grub
  -hgcc -r before configure, hgcc -pa-fpie after make install.
  +gcc -dumpspecs > /tools/lib/gcc-lib/i686-pc-linux-gnu/3.3.2/specs
  +Do make install
  +cp gcc-3.3.2-chap6-1.specs /usr/lib/gcc-lib/i686-pc-linux-gnu/3.3.2/specs
  +
  + - Gzip
  +Remember to use v1.3.4 again
   
    - Util Linux
  -For now pivot_root doesn't build with fpie. Needs investigation, maybe patch.
  -hgcc -r before configure, hgcc -pa-fpie after make install.
  +This adds fpic/fpie to util-linux (pivot_root bug).
  +patch -Np1 -i ../util-linux-2.12-pic-1.patch
  +
  + - GCC2
  +I think gcc2 should still work for building kernels.
  +patch -Np1 -i ../gcc-2.95.3-ssp-1.patch
   
   ---------
   Chapter 8
   ---------
    - Linux Kernel
  -patch -Np1 -i ../pax-linux-2.4.23-200401091805.patch
  +All PaX options should work. Read the help menus and play with it. Enabling
  +noelfrelocs will break gcc, but everything else should work. To get XFree86
  +working either find the patches or start disabling some options.
   
  -I can boot using all the options except:
  -CONFIG_PAX_EMUSIGRT and CONFIG_PAX_NOELFRELOCS
  +patch -Np1 -i ../linux-2.4.24-ssp-1.patch
  +patch -Np1 -i ../pax-linux-2.4.23-200401091805.patch
  +...
  +make CC="/opt/gcc-2.95.3/bin/gcc -fstack-protector" dep
  +make CC="/opt/gcc-2.95.3/bin/gcc -fstack-protector" bzImage
   
   ========
   Testing
   ========
  -Download:
  +Download this, make generic, and run ./paxtest
   http://pax.grsecurity.net/paxtest-0.9.5.tar.gz
   
   ========
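Review bot: in the Chapter 6 Grub step, `gcc -dumpspecs > /tools/lib/gcc-lib/i686-pc-linux-gnu/3.3.2/specs` resets the /tools compiler's specs, but the Chapter 6 GCC has already been installed and its specs restored under `/usr/lib/gcc-lib/i686-pc-linux-gnu/3.3.2/specs`, so once /usr/bin/gcc is the compiler in use the Grub build is not affected by that reset; clear the /usr specs file instead (the `cp gcc-3.3.2-chap6-1.specs` line right after it already targets that path). Chapter 8 still applies `pax-linux-2.4.23-200401091805.patch` while the Downloads section in this same change moves to `pax-linux-2.4.23-200402042140.patch`, and `linux-2.4.24-ssp-1.patch` implies a 2.4.24 kernel; state which kernel version the two patches are meant to be applied to together. With the `hgcc -r` / `hgcc -pa-fpie` workflow gone, the lines `(still do 'locking in')`, `Before configure clear the specs file for SSP. FIXME` and `Remove SSP from specs FIXME` leave the reader without an actual command for the SSP half of the specs edit; the PIE half at least has the `gcc -dumpspecs` reset. Spelling in the added lines: `conferm`, `boostrap`, `insure` (ensure), `Untill`, `durring`, and `is not be position independent`.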
  @@ -199,6 +289,9 @@
   * Thanks to Gnu for the GNU toolchain. http://www.gnu.org/
   * Thanks to Redhat for contributions to the GNU toolchain.
   	http://www.redhat.com/
  +* Thanks to Hiroaki Etoh for providing the SSP patch to IBM
  +* Thanks to IBM for providing the SSP patch at
  +        http://www.research.ibm.com/trl/projects/security/ssp/
   * Thanks to the Pax team. http://pax.grsecurity.net/
   * Thanks to Gentoo and the Hardended Gentoo team for development,
     testing, and patches. http://www.gentoo.org/proj/en/hardened/
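Review bot: the continuation line for the IBM SSP URL is indented with spaces while the Red Hat URL just above it uses a tab; match the existing tab indentation so the credits list renders evenly in the plain-text hint.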
  @@ -261,3 +354,8 @@
   * Add gnu_pt patches.
   * Add ld -z relro support.
   * Added relro and combreloc to hgcc3.sh
  +[2004-02-08]
  +* Couple new patches, glibc bugfix
  +* Add propolice patch commands
  +* Boots with all PaX options now
  +* Cleanup - Fix urls/website