Hardened toolchain
From: kiasoc5
Subject: Hardened toolchain
Date: Mon, 21 Mar 2022 05:31:01 +0100 (CET)
I posted an initial message on help-guix about compiling a custom hardened gcc,
but guix-devel is a better list to continue the discussion. I wanted to revisit
compiling Guix packages with a hardened toolchain since many other distros do
this to improve the security of their packages.
Previous emails only mentioned passing hardening options to CFLAGS and
LDFLAGS. Another important step is to compile features into GCC and binutils.
Specifically:
* gcc can be compiled with `--enable-default-ssp --enable-default-pie` to
enforce ssp and pic
* binutils can be compiled with `--enable-relro --enable-pic` to enforce relro
and pic
I'm not a toolchain expert by any means, but I think this is a good first step
in improving Guix package security.
1. https://lists.archlinux.org/pipermail/arch-dev-public/2016-October/028405.html