On Thursday 04 November 2010 17:35:43 Gilles Espinasse wrote:
> ----- Original Message -----
> From: "Robert Connolly" <rob...@linuxfromscratch.org>
> To: <hlfs-dev@linuxfromscratch.org>
> Sent: Tuesday, November 02, 2010 4:22 AM
> Subject: development
> 
> > Do any of you have opinions about anything here?
> 
> A choice has to be made whether to live on the edge of development, or use
> more common methods.
> Less patching means upgrades are easier and bug fix releases are simpler to
> use without headache.
> 
> We have used on ipcop some of the hardening methods used on HLFS but far
> from everything.
> 
> Our base code is LFS with a few differences in binutils/gcc/glibc.
> Basically we are like LFS plus a general
> CFLAGS="-Os -march=${MACHINE} -mtune=pentium -pipe -fomit-frame-pointer
> -D_FORTIFY_SOURCE=2 -fstack-protector-all -fPIE -Wl,-z,now"
> LDFLAGS="-Wl,--hash-style=gnu"

-pie should be added to LDFLAGS, or CFLAGS, too.

> and glibc compiled with
>    --enable-bind-now   \
>    --enable-stackguard-randomization \
>    --enable-omitfp    \
> 
> We have good test suite results with glibc-2.11.2, gcc-4.4.5 and every other
> package (a bit less good on pcc and sparc-64).
> 
> I haven't twisted yet gcc spec (for -D_FORTIFY_SOURCE=2, pie,
> fstack-protector-all) mostly because I try to start simple and check
> everything is fine before continuing with more sophisticated changes.
> 
> Is it really better to change gcc spec instead of giving CFLAGS with same
> requirement?
> I suppose the difference may come from packages that somehow filter CFLAGS
> content. Same package may still be hardened if gcc default behavior is to
> be hardened except when explicitly required not to compile hardened. One
> drawback of changing gcc spec is that the testsuite needs to be changed to
> support the new behavior.

It has been reported (on Amanda backup system package, for example) that -fpie 
causes relocation errors when building a shared library. This might only 
happen with -finline-functions, but I'm not sure. Using gcc specs, the specs 
rules can be set up not to use -fpie when -fpic is used, so shared libraries 
are built only with -fpic. When -fpie is used in CFLAGS, with -fpic added by 
the package's makefiles, both are enabled in gcc and the shared library can be 
miscompiled.

I'm having trouble finding out exactly why this happens, and the relationship 
between -fpie and shared libraries. I'm guessing that -finline-functions is 
used more aggressively with -fpie because functions are not expected to be 
exported, and so their addresses become static. This would be fine for a 
position independent executable, but not for a library.

robert

-- 
http://linuxfromscratch.org/mailman/listinfo/hlfs-dev
FAQ: http://www.linuxfromscratch.org/faq/
Unsubscribe: See the above information page
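
The specs rule described in the reply above (do not add -fpie when -fpic is already requested, so shared libraries are built with -fpic only), sketched as a shell function for a compiler wrapper. This is an added example, not part of the original message and not HLFS or ipcop code; the name `pie_flags` and the exact set of flags it inspects are assumptions.

```shell
#!/bin/sh
# Hypothetical helper: print the PIE flags a gcc wrapper should append to
# one command line. It mirrors the idea of a specs rule that leaves -fPIE
# out whenever the package's makefile has already picked a code model.

pie_flags() {
    want_compile=yes   # append -fPIE to the compile step
    want_link=yes      # append -pie to the link step
    for arg in "$@"; do
        case "$arg" in
            # The caller already chose (or refused) a PIC/PIE code model.
            -fpic|-fPIC|-fpie|-fPIE|-fno-pic|-fno-PIC|-fno-pie|-fno-PIE)
                want_compile=no ;;
            # Shared library: -fpic only, and never -pie.
            -shared)
                want_compile=no
                want_link=no ;;
            # Assumption of this sketch: static and relocatable links,
            # and links that already carry -pie, get no extra -pie.
            -static|-r|-pie)
                want_link=no ;;
            # No link step happens on this command line.
            -c|-S|-E)
                want_link=no ;;
        esac
    done
    out=""
    if [ "$want_compile" = yes ]; then
        out="-fPIE"
    fi
    if [ "$want_link" = yes ]; then
        out="${out:+$out }-pie"
    fi
    printf '%s' "$out"
}
```

A wrapper would call it as `gcc "$@" $(pie_flags "$@")`, which avoids the case from the reply where -fpie from CFLAGS and -fpic from a makefile are both active for a shared library.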