guix-devel

Hardened toolchain


From: kiasoc5
Subject: Hardened toolchain
Date: Mon, 21 Mar 2022 05:31:01 +0100 (CET)

I posted an initial message on help-guix about compiling a custom hardened gcc, 
but guix-devel is a better list to continue the discussion. I wanted to revisit 
compiling Guix packages with a hardened toolchain since many other distros do 
this to improve the security of their packages.

Previous emails only mentioned passing hardening options to CFLAGS and 
LDFLAGS. Another important step is to compile features into GCC and binutils. 
Specifically:

* gcc can be compiled with `--enable-default-ssp --enable-default-pie` to 
enforce ssp and pic
* binutils can be compiled with `--enable-relro --enable-pic` to enforce relro 
and pic

I'm not a toolchain expert by any means, but I think this is a good first step 
in improving Guix package security.

1. https://lists.archlinux.org/pipermail/arch-dev-public/2016-October/028405.html

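A quick way to verify that a gcc and ld actually carry the defaults described above (as opposed to only honouring hardening flags passed in CFLAGS/LDFLAGS) is to ask the toolchain itself. The script below is an added example and is not part of the original message or of Guix. It relies on two observable facts: gcc predefines `__PIE__` when `-fPIE` is in effect and `__SSP__`, `__SSP_STRONG__` or `__SSP_ALL__` when a stack protector is in effect, so a default-hardened gcc shows them in `gcc -dM -E -` with no flags given; and GNU ld's `--help` output marks `-z relro` with "(default)" when binutils was configured with `--enable-relro` (the exact wording is assumed here and should be confirmed against the binutils version in use). The `CC`, `LD` and `--run` conventions are this example's own.

```shell
#!/bin/sh
# Added example: probe a toolchain for hardening defaults.
# Assumes gcc/ld are on PATH or named via CC / LD; nothing here is Guix code.

# Reads a gcc predefined-macro dump (`echo | gcc -dM -E -`) on stdin and
# prints "pie=yes|no ssp=yes|no" on one line.
gcc_defaults_from_macros() {
    dump=$(cat)
    pie=no
    ssp=no
    # gcc defines __PIE__ (and __pie__) when -fPIE/-fpie is the default.
    case "$dump" in *"#define __PIE__"*) pie=yes ;; esac
    # gcc defines __SSP__, __SSP_STRONG__ or __SSP_ALL__ for -fstack-protector*.
    case "$dump" in *"#define __SSP"*) ssp=yes ;; esac
    printf 'pie=%s ssp=%s\n' "$pie" "$ssp"
}

# Reads `ld --help` on stdin and prints yes if "-z relro" is flagged as the
# default, which GNU ld does when built with --enable-relro (assumed wording).
ld_relro_default() {
    if grep -q 'z relro.*(default)'; then
        echo yes
    else
        echo no
    fi
}

# Inspects an already-linked ELF file with readelf and prints what the
# toolchain defaults actually produced: PIE, RELRO, and full RELRO (BIND_NOW).
check_binary() {
    f=$1
    pie=no; relro=no; now=no
    readelf -h "$f" | grep -q 'Type:.*DYN' && pie=yes
    readelf -lW "$f" | grep -q 'GNU_RELRO' && relro=yes
    readelf -d "$f" | grep -q 'BIND_NOW' && now=yes
    printf '%s: pie=%s relro=%s bind_now=%s\n' "$f" "$pie" "$relro" "$now"
}

# Runs the probes against the real toolchain (CC/LD default to gcc/ld).
check_toolchain() {
    CC=${CC:-gcc}
    LD=${LD:-ld}
    printf 'gcc defaults: '
    echo | "$CC" -dM -E - | gcc_defaults_from_macros
    printf 'ld relro default: %s\n' "$("$LD" --help | ld_relro_default)"
}

# Invoke as `sh probe.sh --run [binary...]` to probe the toolchain and,
# optionally, some linked outputs; defining the functions alone does nothing.
if [ "${1:-}" = "--run" ]; then
    shift
    check_toolchain
    for b in "$@"; do
        check_binary "$b"
    done
fi
```

Building a trivial program with no flags and running `check_binary` on the result is the end-to-end check: with the configure options above in effect it should report `pie=yes relro=yes`, whereas a stock toolchain typically reports `pie=no` unless the distro patched in the default.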

