Thursday, August 27, 2009

Making Gentoo Even Harder: 64-bit Hardened Gentoo

As I mentioned in my last post, I recently upgraded my Gentoo laptop to use the hardened toolchain. I put Hardened Gentoo, with SELinux, on my servers at work, but those are all configured with the base system profile (selinux/2007.0/x86/hardened), which is stable but kinda old. With my personal laptop, I was a bit more daring, and grabbed the hardened-overlay.

The gory details of why there is a hardened-overlay in the first place can be found at the home page of the overlay -- particularly the bug report and forum discussion linked from there. But to summarize:

With gcc 4 and glibc 2.4, there were major changes in how the hardening features (PIE/PIC, stack-smash protection, etc) worked. The Gentoo hardened and toolchain teams had things working with the previous versions, but the effort involved in updating everything drove more than one developer to the brink of insanity. The end result was that gcc 4 was masked off on all of the hardened profiles in Gentoo, leaving us stuck with gcc 3.4 while the rest of the world moved on.

Fast forward a few years, and a some interested Gentoo users (Xake, Zorry, a couple others) picked up the where previous devs had left off, and published the "experimental" hardened toolchain overlay. The overlay, which was just recently moved to overlays.gentoo.org, renamed to hardened-development, and added to layman, contains updated ebuilds for gcc and  glibc that build everything with SSP + PIE. So, having had good results using this overlay on my x86 desktop in the past, I decided to give it a try on my amd64 laptop.

Sunday, August 23, 2009

Adventures in Gentoo Lisp, Part 1: Hardened Lisp

As part of my ongoing quest to make things as difficult for myself as possible, I recently upgraded my Gentoo laptop to the hardened toolchain. (Perhaps more on this later.)

At any rate, during my marathon post-upgrade rebuild of the entire system, only three packages failed to build: mplayer, openoffice, and gcl.  The first two I expected -- mplayer is a perpetual problem for hardened gcc, and openoffice's build fails if you look at it funny.  gcl grabbed my interest, not the least because I'd forgotten all about installing it a couple of months ago, and in the interm it'd been masked.

Just for kicks, I unmasked it and tried to rebuild anyway, and of course it failed.  The package doesn't even get through the configure stage if you have a hardened compiler, for a number of reasons.  Even GNU seems to have abandoned gcl about 4 years ago, so out it went. 

CMUCL doesn't run on my amd64, so let try SBCL.