cvs commit: hints winter.txt

tushar at linuxfromscratch.org
Thu Feb 19 22:38:07 PST 2004


tushar      04/02/19 23:38:07

  Modified:    .        winter.txt
  Log:
  Updated: winter.txt
  
  Revision  Changes    Path
  1.6       +107 -85   hints/winter.txt
  
  Index: winter.txt
  ===================================================================
  RCS file: /home/cvsroot/hints/winter.txt,v
  retrieving revision 1.5
  retrieving revision 1.6
  diff -u -u -r1.5 -r1.6
  --- winter.txt	15 Feb 2004 23:05:33 -0000	1.5
  +++ winter.txt	20 Feb 2004 06:38:07 -0000	1.6
  @@ -1,35 +1,28 @@
   AUTHOR: Robert Connolly <cendres at videotron dot ca> (ashes)
   
  -DATE:   2004-02-08
  +DATE:   2004-02-17
   
   LICENSE:        Public Domain
  -Dedicated to the benefit of the public at large without condition.
   
  -SYNOPSIS:       Position independent executables + Pax + SSP
  +SYNOPSIS:       Position Independent Executables + Pax + SSP
   
   PRIMARY URL:	https://twocents.mooo.com/
   This hint changes often. The newest copy is here:
   https://twocents.mooo.com/hints/downloads/files/winter.txt
   
  -STATUS:
  -Experimental
  -This hint shows how to use toolchain and kernel patches and options to aquire
  -some of the best security options available to the public. I believe the
  -resulting system from this hint should be fairly stable and good for real world
  -testing. Reccomened for non-critical firewalls.
  -
   DESCRIPTION:
  -Position independent executables (pie) is the superset of position independent
  -code (pic). Pie will be formally available with gcc-3.4, this hint uses the
  +Position independent executables (Pie) is the superset of position independent
  +code (Pic). Pie will be formally available with gcc-3.4, this hint uses the
   original patch which made it in gcc-3.4. This provides extra security features
   that can be used by Pax/Grsecurity, exec-shield, and others. It is also a good
  -idea to use ProPolice together with this even though there is overlapping
  -functionality.
  +idea to use Smashing Stack Protector together with this even though there is
  +overlapping functionality. PIE is only supported on ELF platforms.
   
   http://gcc.gnu.org/ml/gcc-patches/2003-06/msg00140.html
   http://pax.grsecurity.net/
   http://www.grsecurity.net/
   http://people.redhat.com/mingo/exec-shield/
  +http://www.research.ibm.com/trl/projects/security/ssp/
   
   PREREQUISITES: LFS-5.0
   
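Review bot: the STATUS block at the top of this hunk (Experimental; recommended for non-critical firewalls only) is removed and nothing replaces it, so the hint no longer tells readers how much to trust the resulting system. Suggest keeping at least a one-line `STATUS: Experimental` even if the longer justification goes. In the DESCRIPTION lines, "Smashing Stack Protector" should read "Stack-Smashing Protector" (that is what the SSP acronym on the linked IBM page stands for), and the capitalisation wobbles between "Pie", "Pic" and "PIE" within one paragraph; pick "PIE"/"PIC" throughout.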
  @@ -49,17 +42,50 @@
   ============
   Introduction
   ============
  -FIXME
  +Regular dynamic executables use predefined load addresses. Among other things
  +this means a bug or hole in software could be exploited repeatedly because
  +the program behaviour is completely predictable. Like shared libraries, PIE
  +objects are relocated by the dynamic linker with an independent load address
  +chosen by the kernel at runtime. Usually PIE objects are slightly larger and
  +slower compared to non-pie at runtime, but shared memory makes up for this.
  +When code is not position independent it normaly can be modified except in
  +extream cases. Running 'readelf -d /path/to/object | grep TEXTREL' on
  +applications or libraries will show if the shared object is completely
  +position independent. If an object contains TEXT RELocation then it is not
  +position independent. To take full advantage of this the entire system should
  +be built with the 'gcc -pie' flag, and the Pax kernel patch will add many
  +kernel level features for randomizing functions, disallowing executable stack,
  +even disallowing TEXTREL, and more.
  +
  +See ld man page for -pie
  +
  +Notes:
  +There is still much work to be done to get XFree86 working with notextrelocs.
  +Something like Grub will never build with PIE or SSP, but we can still build
  +Grub without them and use it to boot.
  +
   HJL is the only supported binutils at the moment. You can try FSF cvs if you
   want but I'm not supporting it right now. I will preffer it in the future so
   HJL is optional.
   
  +To make the PaX kernel option 'NOELFRELOCS' to work we need to get rid of
  +TEXTREL from our shared objects. You can search for them with:
  +readelf -d src/prog | grep TEXTREL
  +And while file() isn't installed you can use readelf -l to conferm all libs
  +and progs you install are shared objects.
  +
   BTW, fpie and fPIE are the same thing on the x86, on some other platforms
   they're a bit different. See the gcc man page for more info. fpie/fPIE are
  -suspect to TEXTREL, use them with caution.
  +suspect to TEXTREL, use them with caution. The general rule when using these
  +flags by hand is, gcc -fpie is for libs, ld -pie is for executables. Gcc -pie
  +tends to be the best choice, I think gcc figures out the specifics internaly.
  +
  +The 'ld -z now' flag has been added to the autopie patch (see below) and is not
  +expected to cause problems. -fforce-addr has also been added.
   
   TODO:
  -test 'ld -z now relro'.
  +test 'ld -z relro'. Notextrel does a better job than this. Might be helpfull
  +on systems that are not completly PIE.
   
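Review bot: the added rule "gcc -fpie is for libs, ld -pie is for executables" contradicts the sentence just before it, which warns that -fpie/-fPIE are suspect to TEXTREL. Shared libraries need -fPIC (or -fpic); -fpie/-fPIE generate code meant to be linked into an executable, which is why using them for a library tends to leave text relocations. Suggest "gcc -fPIC for libraries, gcc -fpie/-fPIE (or simply gcc -pie) for executables". The sentence "When code is not position independent it normaly can be modified except in extream cases" does not say what is modified; if the meaning is that such code can usually be rebuilt as PIC, say so. "-fforce-addr has also been added" gives no reason, and a note on why it was put into the autopie patch would help anyone who has to remove it. Spelling in the added lines: normaly, extream, conferm, internaly, helpfull, completly; "preffer" in the context line.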
   =========
   Downloads
  @@ -67,6 +93,12 @@
   Get everything from this. The origin of each patch is printed on the top of the
   patch.
   https://twocents.mooo.com/patches/patches.tar.bz2
  +--------
  +Binutils
  +--------
  +HJL
  +ftp://ftp.kernel.org/pub/linux/devel/binutils/binutils-2.14.90.0.8.tar.bz2
  +
   -----
   Glibc
   -----
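Review bot: the Downloads section gives only URLs for patches.tar.bz2 and the HJL binutils tarball, with no checksum or signature, and the hint asks readers to trust that "the origin of each patch is printed on the top of the patch". Since these patches go into the toolchain that builds the whole system, suggest listing an md5sum (or the size and a .sig where the upstream provides one) next to each download so a reader can verify what they fetched before applying it.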
  @@ -84,12 +116,6 @@
   tar jcf glibc-2.3.3-20040129.tar.bz2 glibc-2.3.3-20040129
   rm -rf glibc-2.3.3-20040129
   
  ---------
  -Binutils
  ---------
  -HJL
  -ftp://ftp.kernel.org/pub/linux/devel/binutils/binutils-2.14.90.0.8.tar.bz2
  -
   ----
   Pax
   ----
  @@ -107,26 +133,20 @@
   ----
   HGCC
   ----
  -Not currently working. If any of you are good at sh scripting please email me
  -to get this script working again.
  +No longer needed. Use the Gcc auto patch instead.
  +
  +The auto patch should build everything in the LFS base properly, BLFS packages
  +will pose more issues. It basicly adds cflags="-pie -fstack-protector-all".
   
   =====================
   Installation
   =====================
  -For now, glibc and gcc are skipped from SSP untill hgcc is fixed.
  -
   ---------
   Chapter 5
   ---------
   This is almost the same procedure as with SSP. There is no point patching
   GCC pass 1, unless of course your host system was built with this hint.
   
  -To make the PaX kernel option 'NOELFRELOCS' to work we need to get rid of
  -TEXTREL from our shared objects. You can search for them with:
  -readelf -d src/prog | grep TEXTREL
  -And while file() isn't installed you can use readelf -l to conferm all libs
  -and progs you install are shared objects (before you install them).
  -
    - Binutils
   Don't patch binutils pass 1.
   
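Review bot: the removed Chapter 5 paragraph ended with "(before you install them)", and the copy that moved into the Introduction in the earlier hunk drops that parenthetical, so the advice to run `readelf -l` on libraries and programs before installing them is lost in the move; suggest restoring it. In the HGCC text, "basicly" should be "basically", and "cflags" would be clearer as `CFLAGS`.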
  @@ -137,6 +157,7 @@
   If you're using the lfs glibc-20031202 package, update it with this:
   patch -Np1 -i ../glibc-2.3.3-20031202-20040129.diff
   
  +Need all of these:
   patch -Np1 -i ../glibc-2.3.3-pax-dl_execstack-1.patch
   patch -Np1 -i ../glibc-2.3.3-pax-iconvconfig-1.patch
   patch -Np1 -i ../glibc-2.3.3-pt_pax-1.patch
  @@ -144,31 +165,40 @@
   
   Checking for fpie may answer "no" in configure, that is expected.
   
  + - Adjust toolchain, tcl, expect, dejagnu.
  +
    - GCC pass 2
  -These flags and a make boostrap insure gcc is a shared object when installed.
  -You can expect TEXTREL in the installed gcc, its a known bug.
  +The gcc in chapter6 should not have textrel, this one will.
  +Notes: Maybe having a static gcc installed is the textrel bug???
  +This make bootstrap is important to help chap6 gcc testsuite.
   
   patch -Np1 -i ../gcc-3.3-pie-2.patch
  -patch -Np1 -i ../gcc-3.3.2-ssp-1.patch
  +patch -Np1 -i ../gcc-3.3.3-ssp-1.patch
  +patch -Np1 -i ../gcc-3.3.3-autopie-x86-1.patch
   
  -CFLAGS="-O2 -pie" CXXFLAGS="-O2 -pie" ../gcc-3.3.2/configure...
  -make CFLAGS="-O2 -pie" CXXFLAGS="-O2 -pie" BOOT_CFLAGS="-O2 -pie" \
  -	BOOT_CXXFLAGS="-O2 -pie" bootstrap
  -make CFLAGS="-O2 -pie" CXXFLAGS="-O2 -pie" -k check
  -
  - - HGCC
  -I would like you to look at the diffs between this and your original. It works
  -for me on my athlon, different platforms may differ. This adds ssp and pie by
  -default without filters. (still do 'locking in')
  +make bootstrap
   
  -cp gcc-3.3.2-chap5-1.specs /tools/lib/gcc-lib/i686-pc-linux-gnu/3.3.2/specs
  +After make install open /tools/lib/gcc-lib/i686-pc-linux-gnu/3.3.3/specs and
  +edit the line below "*cc1:" and append this:
  +%{!fno-stack-protector: -fstack-protector-all}
   
    - Binutils
  -Don't worry about this make check.
  +You can make with -fstack-protector-all and in cc1. Have to use generic specs
  +for make check.
  +
   patch -Np1 -i ../binutils-2.14.90.0.8-pt_pax-1.patch
  +...
  +cp gcc-3.3.3-chap5-generic.specs \
  +	/tools/lib/gcc-lib/i686-pc-linux-gnu/3.3.3/specs
  +make check
  +gcc -dumpspecs >/tools/lib/gcc-lib/i686-pc-linux-gnu/3.3.3/specs
  +...
  +
  +You can add -fstack-protector-all back after make check is done so the rest of
  +chap5 has SSP built in.
   
    - Gzip
  -gzip-1.3.5 uses asm deflate code, which is not be position independent.
  +gzip-1.3.5 uses asm deflate code, which is not position independent.
   This should be optional but I don't know how to make it use C code instead.
   Untill then use gzip-1.3.4 from:
   ftp://alpha.gnu.org/gnu/gzip/gzip-1.3.4.tar.gz
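Review bot: under "- Binutils", "You can make with -fstack-protector-all and in cc1. Have to use generic specs for make check." is garbled; suggest "Build binutils with -fstack-protector-all in the cc1 specs, but install the generic specs before make check". The step `gcc -dumpspecs >/tools/lib/gcc-lib/i686-pc-linux-gnu/3.3.3/specs` regenerates the specs without the cc1 addition, and the following sentence says to add -fstack-protector-all back without repeating how; quote `%{!fno-stack-protector: -fstack-protector-all}` again or refer to the GCC pass 2 step. Under "- GCC pass 2", "Maybe having a static gcc installed is the textrel bug???" is speculation that belongs in the TODO rather than the procedure. Spelling: "durring", "Untill".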
  @@ -178,6 +208,9 @@
   Chapter 6
   ---------
    - Glibc-cvs
  +For now, don't build Glibc or GCC with -fstack-protector. PIE is fine, but
  +before building glibc remove the SSP flags from the specs file.
  +
   If you're using the lfs glibc-20031202 package, update it with this:
   patch -Np1 -i ../glibc-2.3.3-20031202-20040129.diff
   
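Review bot: the added instruction to remove the SSP flags from the specs before building glibc gives neither a reason nor the edit to make. The GCC section later in this patch says the testsuite failures come from SSP; if that is the reason, state it here, and say how to remove the flag (delete the appended `%{!fno-stack-protector: -fstack-protector-all}` from the `*cc1:` line, or regenerate with `gcc -dumpspecs` as in chapter 5).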
  @@ -188,24 +221,11 @@
   
   Checking for fpie should answer "yes" durring configure.
   
  -Glibc is a bit picky about the specs, for now do this.
  -Before configure clear the specs file for SSP. FIXME
  -Make check will fail unless pie/pic is cleared from specs. FIXME
  +Add SSP back in specs.
   
  -gcc -dumpspecs > /tools/lib/gcc-lib/i686-pc-linux-gnu/3.3.2/specs
  -
  -CFLAGS="-O2 -pie" CXXFLAGS="-O2 -pie" ../glibc-2.3.3/configure...
  -make CFLAGS="-O2 -pie" CXXFLAGS="-O2 -pie"
  -make CFLAGS="-O2 -pie" CXXFLAGS="-O2 -pie" check
  -
  -Restore SSP and PIE to the specs after make install. (Still using chap5 specs
  -because we're still linking to /tools at this stage)
  -
  -cp gcc-3.3.2-chap5-1.specs /tools/lib/gcc-lib/i686-pc-linux-gnu/3.3.2/specs
  + - Adjust toolchain
   
    - Binutils
  -FIXME - Testsuite failures are testsuite bugs, not binutils bugs. The installed
  -programs should be perfectly stable.
   Use this patch anytime you install binutils from now on.
   
   patch -Np1 -i ../binutils-2.14.90.0.8-pt_pax-1.patch
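Review bot: "Add SSP back in specs." sits directly after the configure check, but the previous hunk says glibc must be built without SSP, so say whether this happens after make check or after make install of glibc. The removed binutils FIXME about testsuite failures is the only place that claim was explained, yet the GCC section in this patch still says "like binutils"; keep a short sentence under binutils so the cross-reference has something to point at.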
  @@ -219,23 +239,18 @@
   fix it for me).
   
    - GCC
  -Build fails with fpie in the specs. And I can't get textrel out of gcc. This
  -might take some work to fix for NOELFRELOCS.
  -Remove SSP from specs FIXME
  -
  -patch -Np1 -i ../gcc-3.3-pie-2.patch
  -patch -Np1 -i ../gcc-3.3.2-ssp-1.patch
  +Take SSP out of specs.
   
  -gcc -dumpspecs > /tools/lib/gcc-lib/i686-pc-linux-gnu/3.3.2/specs
  +If you have unexpected failures from the testsuite, like binutils, I believe
  +they are bugs in the testsuite, not gcc itself. All the bugs in the Gcc
  +testsuite are from SSP, not PIE.
   
  -* Adding this to cc1 is fine, dont know if it helps anything though:
  -	%{fPIC: -fPIE} %{fpic: -fpie}
  -
  -CFLAGS="-O2 -pie" CXXFLAGS="-O2 -pie" ../gcc-3.3.2/configure...
  -make CFLAGS="-O2 -pie" CXXFLAGS="-O2 -pie"
  +patch -Np1 -i ../gcc-3.3-pie-2.patch
  +patch -Np1 -i ../gcc-3.3.3-ssp-1.patch
  +patch -Np1 -i ../gcc-3.3.3-auto-pie-ssp-x86-1.patch
   
  -After make install
  -cp gcc-3.3.2-chap6-1.specs /usr/lib/gcc-lib/i686-pc-linux-gnu/3.3.2/specs
  +After make install add SSP specs to:
  +/usr/lib/gcc-lib/i686-pc-linux-gnu/3.3.3/specs
   
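Review bot: "After make install add SSP specs to: /usr/lib/gcc-lib/i686-pc-linux-gnu/3.3.3/specs" does not give the line to add; the `%{!fno-stack-protector: -fstack-protector-all}` addition to `*cc1:` is only spelled out for the /tools specs in chapter 5, so repeat it here. The statement that all unexpected testsuite failures are testsuite bugs caused by SSP is given without the list of failing tests; listing them would let a reader tell an expected failure from a real one.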
    - Zlib
   This patch lets zlib build with pic/pie. These have to be patched in this order.
  @@ -243,9 +258,12 @@
   patch -Np1 -i ../zlib-1.2.1-pax-fPIC-1.patch
   
    - Grub
  -gcc -dumpspecs > /tools/lib/gcc-lib/i686-pc-linux-gnu/3.3.2/specs
  -Do make install
  -cp gcc-3.3.2-chap6-1.specs /usr/lib/gcc-lib/i686-pc-linux-gnu/3.3.2/specs
  +cp gcc-3.3.3-chap6-generic.specs \
  +	/usr/lib/gcc-lib/i686-pc-linux-gnu/3.3.3/specs
  +
  +configure, make, and make install.
  +
  +gcc -dumpspecs >/usr/lib/gcc-lib/i686-pc-linux-gnu/3.3.3/specs
   
    - Gzip
   Remember to use v1.3.4 again
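Review bot: the closing `gcc -dumpspecs >/usr/lib/gcc-lib/i686-pc-linux-gnu/3.3.3/specs` after Grub writes plain specs and silently drops the SSP line added in the GCC step, so every package built after Grub loses -fstack-protector-all unless the reader notices. Suggest either saying to re-add the cc1 line here, or copying the SSP specs to a saved file before the generic copy and restoring that file instead of running dumpspecs.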
  @@ -266,7 +284,7 @@
   noelfrelocs will break gcc, but everything else should work. To get XFree86
   working either find the patches or start disabling some options.
   
  -patch -Np1 -i ../linux-2.4.24-ssp-1.patch
  +patch -Np1 -i ../linux-2.4.25-ssp-1.patch
   patch -Np1 -i ../pax-linux-2.4.23-200401091805.patch
   ...
   make CC="/opt/gcc-2.95.3/bin/gcc -fstack-protector" dep
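Review bot: the SSP kernel patch moves to 2.4.25 while the next line still applies `pax-linux-2.4.23-200401091805.patch`; confirm that the 2.4.23 PaX patch applies cleanly to 2.4.25 on top of the SSP patch, or update the PaX patch name to match the kernel version actually used.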
  @@ -286,15 +304,15 @@
   
   ACKNOWLEDGMENTS:
   
  +* Thanks to the Open Source Community for everything.
   * Thanks to Gnu for the GNU toolchain. http://www.gnu.org/
  -* Thanks to Redhat for contributions to the GNU toolchain.
  -	http://www.redhat.com/
   * Thanks to Hiroaki Etoh for providing the SSP patch to IBM
   * Thanks to IBM for providing the SSP patch at
           http://www.research.ibm.com/trl/projects/security/ssp/
  -* Thanks to the Pax team. http://pax.grsecurity.net/
  -* Thanks to Gentoo and the Hardended Gentoo team for development,
  +* Thanks to Pappy and the Hardended Gentoo team for development,
     testing, and patches. http://www.gentoo.org/proj/en/hardened/
  +* Thanks to the Pax team for kernel patch. http://pax.grsecurity.net/
  +* Thanks to Solar for docs http://dev.gentoo.org/~solar/pax/pie/
   
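Review bot: the added acknowledgement line keeps the typo "Hardended"; it should be "Hardened Gentoo". "for kernel patch" reads better as "for the kernel patch".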
   CHANGELOG:
   [2003-10-18]
  @@ -359,3 +377,7 @@
   * Add propolice patch commands
   * Boots with all PaX options now
   * Cleanup - Fix urls/website
  +[2004-02-08]
  +* Upgrade to gcc-3.3.3
  +* New auto patches. Hgcc is obsolete (I hope).
  +* Got textrel out of gcc.
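Review bot: the new CHANGELOG entry is dated 2004-02-08, but the first hunk changes the DATE field to 2004-02-17; the two should agree. "Hgcc is obsolete (I hope)" hedges in the changelog while the HGCC section states flatly that it is no longer needed; pick one.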