This is the mail archive of the crossgcc@sourceware.org mailing list for the crossgcc project.


Re: adding support for hardened toolchain


Heiko, All,

On Wed, Jan 5, 2011 at 11:50 AM, Heiko Zuerker <heiko@zuerker.org> wrote:
> Quoting Bryan Hundven <bryanhundven@gmail.com>:
>
> [.............]
>
>>> The hardened toolchain is not anything folks would look at on their own
>>> usually. Adding it to ct-ng would give it more exposure and more folks may
>>> tend to try it out. We really need to get to a place where things get more
>>> secure for everybody.
>>>
>>> We'll see when I actually get a chance to look into writing a patch for
>>> this...
>>
>> After looking into this a bit more, I think I get it now, and I would
>> like to see this get into crosstool-ng.
>
> Cool :)
>
>> It seems to me that the patch directory needs to be refactored. I
>> would suggest something like:
>>
>> patches/
>>   <architecture>/
>>     <program>/
>>       <version>/
>>         <patch>.patch
>>
>> Where one of the "architecture"s would be "any" and another would be
>> "security", besides just x86, powerpc, arm, etc...
>>
>> This makes sense, because my x86 toolchain doesn't need patches that
>> are specific to powerpc, and if the CT_TOOLCHAIN_HARDENING is enabled,
>> it will apply patches from "security". Patches that would be applied
>> regardless of architecture would go in "any".
>
> On one hand I really like the idea of separating the architectures out, but
> on the other hand I'm a bit worried about inter-dependencies. Of course this
> could also simply be solved by moving these specific patches into "any". We
> need to be careful not to turn this whole thing into a maintenance nightmare
> whenever a new i.e. gcc comes out.

It pretty much already is. This is one reason why everyone is so
touchy about patches, and why no one has ported any patches forward to
gcc-4.5.x.

Basically, we need to verify/validate each patch with gcc developers
to make sure the patch is doing what we expect it to.

By all means, I'm not saying that my suggestion is how it should be,
but maybe if I stir up the bees' nest by putting the idea out there, we
can make progress on the "correct" path.

> --
>
> Regards
> Heiko Zuerker
> http://www.devil-linux.org

-Bryan

--
For unsubscribe information see http://sourceware.org/lists.html#faq
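Added example (not crosstool-NG code, and not from either poster): a POSIX shell sketch of how the patches/<architecture>/<program>/<version>/ layout proposed above could be resolved, with "any" always applied, the target architecture next, and "security" only when CT_TOOLCHAIN_HARDENING is set to y. The function names, the dry-run-then-apply step and the constructed demo tree are assumptions for illustration; how this would hook into ct-ng's real build steps is not shown.

```shell
# Added example, not crosstool-NG code. Resolves the proposed
# patches/<architecture>/<program>/<version>/<patch>.patch layout.
# Function names and the demo tree are assumptions for illustration.

# Print the patch directories to apply for one program/version, one per line,
# in order: "any", then the target architecture, then "security" (only when
# hardening is "y"). Missing directories are skipped, so an architecture with
# no patches of its own is harmless.
ct_patch_dirs() {
    root=$1; arch=$2; program=$3; version=$4; hardening=$5
    for tier in any "$arch" security; do
        if [ "$tier" = security ] && [ "$hardening" != y ]; then
            continue
        fi
        d="$root/$tier/$program/$version"
        if [ -d "$d" ]; then
            printf '%s\n' "$d"
        fi
    done
}

# Apply every *.patch in the given directories, in sorted order (so numbered
# prefixes control ordering). Each patch is dry-run first: a patch that no
# longer applies to a newer version aborts before the tree is half-modified.
ct_apply_patches() {
    srcdir=$1; shift
    for d in "$@"; do
        for p in "$d"/*.patch; do
            [ -f "$p" ] || continue
            if ! patch -d "$srcdir" -p1 -s --dry-run < "$p"; then
                echo "refusing: $p does not apply cleanly" >&2
                return 1
            fi
            patch -d "$srcdir" -p1 -s < "$p"
        done
    done
}

# Constructed demo (empty placeholder patch files, not real patches): build a
# tree with any/powerpc/security/x86 tiers for gcc 4.5.2 and show which
# directories a powerpc build would pick up, relative to the patches root.
ct_demo() {
    hardening=$1
    tmp=$(mktemp -d)
    for tier in any powerpc security x86; do
        mkdir -p "$tmp/patches/$tier/gcc/4.5.2"
        touch "$tmp/patches/$tier/gcc/4.5.2/0001-$tier.patch"
    done
    ct_patch_dirs "$tmp/patches" powerpc gcc 4.5.2 "$hardening" \
        | sed "s|^$tmp/patches/||"
    rm -rf "$tmp"
}

# Hardened powerpc build: any, powerpc and security tiers; x86 is never touched.
ct_demo y
```

Running the demo with hardening set to y lists any/gcc/4.5.2, powerpc/gcc/4.5.2 and security/gcc/4.5.2; with anything else the security tier drops out and the x86 tier is never selected. The dry-run before each real apply turns the "patches nobody ported forward" problem into a hard build failure instead of a partially patched gcc tree.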

