guix-devel

Re: Hardened toolchain


From: Ludovic Courtès
Subject: Re: Hardened toolchain
Date: Tue, 29 Mar 2022 12:15:36 +0200
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/27.2 (gnu/linux)

Hi,

Maxim Cournoyer <maxim.cournoyer@gmail.com> writes:

> Maxime Devos <maximedevos@telenet.be> writes:
>
>> zimoun schreef op ma 21-03-2022 om 14:34 [+0100]:
>>> > * gcc can be compiled with `--enable-default-ssp --enable-default-pie`
>>> > to enforce ssp and pic
>>> 
>>> You wrote [1]:
>>> 
>>> --8<---------------cut here---------------start------------->8---
>>> (define-public gcc-hardened
>>>   (package
>>>     (inherit gcc)
>>>     (arguments
>>>      (substitute-keyword-arguments (package-arguments gcc)
>>>        ((#:configure-flags flags)
>>>         `(append (list "--enable-default-ssp" "--enable-default-pie")
>>>                  ,flags))))))
>>> --8<---------------cut here---------------end--------------->8---
>>
>> I think it would be a lot simpler to just add this to the 'standard'
>> gcc configure flags, in (gnu packages gcc), given that probably the
>> idea is to do this hardening for all packages?  Needs a world-rebuild
>> though.
>
> +1.  The whole distribution can probably benefit from this hardening.

That’s something worth trying in a branch off ‘core-updates’.

Stack smashing protection (SSP) may incur measurable run-time overhead
though so enabling that one by default may be less consensual.

There are other things that could be done in this area, often with no or
little overhead, such as building with -D_FORTIFY_SOURCE.  Doing that
transparently (without changing build systems) is a bit of a challenge
though.

Ludo’.
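The thread above is about turning these protections on by default; the complementary question for anyone maintaining a hardened toolchain is whether the binaries that come out actually carry them. The script below is an added example, not code from this thread or from Guix. It parses a little-endian ELF64 image directly (no readelf needed) and reports PIE, stack protector, FORTIFY_SOURCE, non-executable stack and RELRO using the same symbol-name and program-header heuristics that checksec-style tools rely on. `build_sample_elf` is a hypothetical helper that constructs a minimal ELF image in memory purely so the checker has something to run on; pass a real path on the command line to inspect an actual binary.

```python
"""Report the hardening features of a little-endian ELF64 binary (added example)."""
import struct
import sys

ELF_HDR = struct.Struct("<16sHHIQQQIHHHHHH")   # 64-byte ELF header
PHDR = struct.Struct("<IIQQQQQQ")               # 56-byte program header
SHDR = struct.Struct("<IIQQQQIIQQ")             # 64-byte section header
DYN = struct.Struct("<qQ")                      # 16-byte dynamic entry: d_tag, d_val

ET_EXEC, ET_DYN = 2, 3
PT_DYNAMIC, PT_INTERP = 2, 3
PT_GNU_STACK, PT_GNU_RELRO = 0x6474E551, 0x6474E552
PF_X = 1
SHT_STRTAB, SHT_DYNAMIC = 3, 6
DT_NULL, DT_BIND_NOW, DT_FLAGS, DT_FLAGS_1 = 0, 24, 30, 0x6FFFFFFB
DF_BIND_NOW, DF_1_NOW, DF_1_PIE = 0x8, 0x1, 0x08000000


def check_hardening(data):
    """Return a dict describing which hardening markers an ELF64 LE image carries."""
    (ident, e_type, _, _, _, phoff, shoff, _, _, phentsize, phnum,
     shentsize, shnum, shstrndx) = ELF_HDR.unpack_from(data, 0)
    if ident[:4] != b"\x7fELF" or ident[4] != 2 or ident[5] != 1:
        raise ValueError("only little-endian ELF64 images are supported here")

    phdrs = [PHDR.unpack_from(data, phoff + i * phentsize) for i in range(phnum)]
    shdrs = [SHDR.unpack_from(data, shoff + i * shentsize) for i in range(shnum)]

    def segment(p_type):
        return next((p for p in phdrs if p[0] == p_type), None)

    # Dynamic section: tag -> value, used for BIND_NOW (full RELRO) and the PIE flag.
    dyn = {}
    dyn_seg = segment(PT_DYNAMIC)
    if dyn_seg:
        off, size = dyn_seg[2], dyn_seg[5]
        for pos in range(off, off + size, DYN.size):
            tag, val = DYN.unpack_from(data, pos)
            if tag == DT_NULL:
                break
            dyn.setdefault(tag, val)

    # .dynstr holds imported names: __stack_chk_fail (SSP) and __*_chk (FORTIFY).
    names = set()
    if shstrndx < shnum:
        shstr = shdrs[shstrndx]
        shstrtab = data[shstr[4]:shstr[4] + shstr[5]]
        for sh in shdrs:
            name = shstrtab[sh[0]:].split(b"\0", 1)[0]
            if name == b".dynstr" and sh[1] == SHT_STRTAB:
                names = set(data[sh[4]:sh[4] + sh[5]].split(b"\0"))

    stack_seg = segment(PT_GNU_STACK)
    relro_seg = segment(PT_GNU_RELRO)
    bind_now = bool(DT_BIND_NOW in dyn or dyn.get(DT_FLAGS, 0) & DF_BIND_NOW
                    or dyn.get(DT_FLAGS_1, 0) & DF_1_NOW)
    return {
        # ET_DYN alone also describes shared libraries; PT_INTERP or DF_1_PIE marks an executable.
        "pie": e_type == ET_DYN and (segment(PT_INTERP) is not None
                                     or bool(dyn.get(DT_FLAGS_1, 0) & DF_1_PIE)),
        "stack_protector": b"__stack_chk_fail" in names,
        "fortify": any(n.startswith(b"__") and n.endswith(b"_chk") for n in names),
        "nx_stack": stack_seg is not None and not (stack_seg[1] & PF_X),
        "relro": "full" if relro_seg and bind_now else ("partial" if relro_seg else "none"),
    }


def build_sample_elf(hardened=True):
    """Constructed ELF64 image (hypothetical helper, not compiler output) with or without the markers."""
    interp = b"/lib64/ld-linux-x86-64.so.2\0"
    dynstr_names = [b"", b"printf", b"read"]
    if hardened:
        dynstr_names += [b"__stack_chk_fail", b"__memcpy_chk", b"__printf_chk"]
    dynstr = b"\0".join(dynstr_names) + b"\0"
    dyn_entries = [(DT_FLAGS_1, DF_1_NOW | DF_1_PIE)] if hardened else []
    dynamic = b"".join(DYN.pack(t, v) for t, v in dyn_entries) + DYN.pack(DT_NULL, 0)
    shstrtab = b"\0.dynstr\0.dynamic\0.shstrtab\0"

    phdr_count = 4 if hardened else 3
    phoff = ELF_HDR.size
    interp_off = phoff + phdr_count * PHDR.size
    dynstr_off = interp_off + len(interp)
    dynamic_off = dynstr_off + len(dynstr)
    shstr_off = dynamic_off + len(dynamic)
    shoff = shstr_off + len(shstrtab)

    phdrs = [
        PHDR.pack(PT_INTERP, 4, interp_off, 0, 0, len(interp), len(interp), 1),
        PHDR.pack(PT_DYNAMIC, 6, dynamic_off, 0, 0, len(dynamic), len(dynamic), 8),
        PHDR.pack(PT_GNU_STACK, 6 if hardened else 7, 0, 0, 0, 0, 0, 16),  # RW vs RWX stack
    ]
    if hardened:
        phdrs.append(PHDR.pack(PT_GNU_RELRO, 4, dynamic_off, 0, 0, len(dynamic), len(dynamic), 1))
    shdrs = [
        SHDR.pack(0, 0, 0, 0, 0, 0, 0, 0, 0, 0),
        SHDR.pack(1, SHT_STRTAB, 0, 0, dynstr_off, len(dynstr), 0, 0, 1, 0),
        SHDR.pack(9, SHT_DYNAMIC, 0, 0, dynamic_off, len(dynamic), 1, 0, 8, DYN.size),
        SHDR.pack(18, SHT_STRTAB, 0, 0, shstr_off, len(shstrtab), 0, 0, 1, 0),
    ]
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\0" * 8
    header = ELF_HDR.pack(ident, ET_DYN if hardened else ET_EXEC, 62, 1, 0, phoff, shoff, 0,
                          ELF_HDR.size, PHDR.size, phdr_count, SHDR.size, len(shdrs), 3)
    return header + b"".join(phdrs) + interp + dynstr + dynamic + shstrtab + b"".join(shdrs)


if __name__ == "__main__":
    image = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_elf()
    for key, value in check_hardening(image).items():
        print(f"{key:16} {value}")
```

Two caveats when reading the report on real binaries: the SSP and FORTIFY checks are symbol-based, so a program in which the compiler found no function needing a canary, or no call it could fortify, will show those as absent even though it was built with the flags; and static binaries have no `.dynstr`, so only the program-header checks (PIE, NX stack, RELRO) say anything about them.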
