I have been building HLFS from HLFS for the last 1/2 year without problems. There are a few changes to the book which are necessary, though. Maybe it's possible to update the book on those points, since I believe it is vitally necessary to be able to build HLFS from HLFS, as this is a good way to test the stability of HLFS.
Note that the glibc documentation says that the results of the testsuite depend both on hardware (e.g. maths tests) and on the kernel. I myself have found that the testsuite passes on LFS 6.1 but fails on the "glibc-build/rt/tst-mqueue8x.out" test when running with the current 2.6.14.6 kernel; both were using exactly the same toolchain. I have not checked whether this result depends on certain patches or whether it's a kernel issue.
Basically, all tests passing when compiling HLFS from some distro does not guarantee that the tests pass when compiling HLFS from HLFS, which means that as soon as you boot into your new HLFS distro with a kernel different from the one you used to run your testsuites, you might be left with an unstable or buggy system!
To compile HLFS from HLFS:
1) You can compile HLFS from HLFS with all security options in grsec/PAX enabled.
2) You will have to disable "PAX/Enforce non-executable pages" on the running kernel if you want to run the testsuites.
There are problems with localedef both in Chapter-05 and 06. Basically it gets killed on a PAX enabled kernel, so the locales don't get built. Either you use the glibc-segfault patch (which I haven't tried) or you disable PAX for localedef. With "Emutramp" enabled, "paxctl -m" should do to run localedef; otherwise you need "paxctl -sp". To get it working with any kernel settings use "paxctl -spme".
Chapter-05 does not build the cross compiler with PAX enabled ELF headers, so we cannot change the PAX settings for localedef when glibc is built. This is fixed by applying the PAX patch to binutils-cross. Also I build paxctl in chapter-05 so I can use it to fix localedef in chapter-06.
Note: It's probably easier to use the glibc-segfault patch.
Chapter-05:
===========
linux-libc-headers:
- add (I'm not sure whether this is needed!)
patch --no-backup-if-mismatch -Np1 -i \
../linux-libc-headers-2.6.12.0-unistd_x86_PIC-1.patch
binutils-cross:
- add
patch -Np1 -i ../binutils-2.16.1-pt_pax-1.patch
glibc:
- add before generating the locales
if [[ -x /sbin/paxctl ]]; then
/sbin/paxctl -spme /tools/bin/localedef
fi
Note: I don't recommend building full locales in the toolchain. There is no need, and you need a different paxctl command for full locales (it does not use /tools/bin/localedef), so it would be easier to remove the description of how to build full locales from chapter-05!
Add building paxctl in chapter-05:
make
cp paxctl /tools/bin
Chapter-06:
===========
kernfs:
There is a sysctl command missing in the "sysctl -w kernel.grsecurity.*" list, which causes "/sbin/udevstart" to be killed (although it still creates all device nodes correctly). I believe it has to do with grsec not allowing the nice level to be changed within a chroot.
I use the following command to disable all chroot restrictions; they are not needed at all during a compile:
sysctl -a 2>/dev/null | grep grsecurity | sed -e "s@ = [01]@@" | grep chroot | xargs -I abc sysctl -w abc=0
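The one-liner above throws away the original values. As an added example (not part of the original post, and not a script from the HLFS book), the following does the same selection of kernel.grsecurity.chroot_* keys but records the old values first, so the restrictions can be put back once the build is finished. The sysctl output embedded here is constructed for demonstration; on a real host the functions read the output of "sysctl -a".

```shell
#!/bin/sh
# Constructed sample of "sysctl -a" output on a grsecurity kernel (not captured
# from a real system); a real listing is far longer.
SAMPLE_SYSCTL='kernel.grsecurity.chroot_deny_chmod = 1
kernel.grsecurity.chroot_deny_mknod = 1
kernel.grsecurity.chroot_restrict_nice = 1
kernel.grsecurity.chroot_deny_unix = 0
kernel.grsecurity.exec_logging = 1
kernel.grsecurity.chroot_deny_sysctl = 1
kernel.pax.softmode = 0'

# Keep only the kernel.grsecurity.chroot_* keys from "sysctl -a" style input on
# stdin, printing "key value" per line (non-chroot keys are dropped).
grsec_chroot_keys() {
    sed -n 's/^\(kernel\.grsecurity\.chroot_[a-z_]*\) = \([0-9]\)$/\1 \2/p'
}

# Save the current chroot_* values to the file named in $1 (so they can be
# restored later), then turn off every restriction that is currently on.
# With DRY_RUN=1 the sysctl -w commands are printed instead of executed.
disable_chroot_restrictions() {
    savefile=$1
    grsec_chroot_keys > "$savefile"
    while read -r key val; do
        [ "$val" = "0" ] && continue      # already off, leave it alone
        if [ "${DRY_RUN:-0}" = "1" ]; then
            echo "sysctl -w $key=0"
        else
            sysctl -w "$key=0"
        fi
    done < "$savefile"
}

# Put back the values recorded by disable_chroot_restrictions (file in $1).
restore_chroot_restrictions() {
    while read -r key val; do
        if [ "${DRY_RUN:-0}" = "1" ]; then
            echo "sysctl -w $key=$val"
        else
            sysctl -w "$key=$val"
        fi
    done < "$1"
}

# Demonstration on the constructed sample. On a real host use instead:
#   sysctl -a 2>/dev/null | disable_chroot_restrictions /root/grsec-chroot.save
#   ... build ...
#   restore_chroot_restrictions /root/grsec-chroot.save
printf '%s\n' "$SAMPLE_SYSCTL" | DRY_RUN=1 disable_chroot_restrictions /tmp/grsec-chroot.save
```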
There should be no problems at all with grsec within the chroot, as described by some postings to this mailing list, even when using the sysctl commands from the book (apart from that annoying error message with udevstart). So there is no need to change the mount commands, etc.
glibc:
- After "make install" add
paxctl -spme /usr/bin/localedef
paxctl -spme elf/ld.so
paxctl -spme locale/localedef
which allows localedef to run independently of the kernel settings and for both the full and limited set of locales.
Note: paxctl changes the settings of ld.so only in the build directory; the installed version is unaffected.
kernel:
- use the frandom patch for kernel 2.6.14.3 (or the fixed one, which is basically the same)
- "PAX/Non-executable pages/Paging based non-executable pages" can make the kernel unbootable on some architectures (Pentium 4). Use "Segmentation based non-executable pages" instead.
Testsuite results:
==================
- Basically all testsuites should pass as described in the book, even when all PAX/grsec options are enabled (except for "PAX/Enforce non-executable pages"). Only gcc and grub are expected to fail.
- gcc: More tests than expected for a similar architecture should pass.
- glibc: glibc-build/rt/tst-mqueue8x.out fails with current kernels with patches applied (even when PAX/grsec is disabled). I do not know whether this test passes without the patches. I also don't know what the consequences are if this test fails. Using the LFS 6.1 kernel passes the test.
- bash: "run-read" produces different output than expected. I don't know what the consequences are. I have not encountered any problems with bash yet.
General:
========
If you have message logging turned on in grsec, you will see signal 6 or signal 11 messages created by grsec appear on your console/syslog. This is not PAX/grsec killing anything; grsec just displays what is going on. Also grsec will not allow those processes to create core dumps. Again, this does not affect the build or the testsuites. Most of those signals are created during testsuites (e.g. the additional gcc tests in the book create such signals).
The current HLFS compiled from HLFS appears to be very stable. Also, all packages I have tried so far from BLFS compile without problems.
Sebastian Faulborn
Homepage: http://www.secure-slinux.org
--
http://linuxfromscratch.org/mailman/listinfo/hlfs-dev