This is the mail archive of the crossgcc@sourceware.org mailing list for the crossgcc project.

See the CrossGCC FAQ for lots more information.



Re: adding support for hardened toolchain


Quoting Bryan Hundven <bryanhundven@gmail.com>:

[.............]

The hardened toolchain is not anything folks would look at on their own
usually. Adding it to ct-ng would give it more exposure and more folks may
tend to try it out. We really need to get to a place where things get more
secure for everybody.

We'll see when I actually get a chance to look into writing a patch for
this...

After looking into this a bit more, I think I get it now, and I would like to see this get into crosstool-ng.

Cool :)


It seems to me that the patch directory needs to be refactored. I
would suggest something like:

patches/
  <architecture>/
    <program>/
      <version>/
        <patch>.patch

Where one of the "architecture"s would be "any" and another would be
"security", besides just x86, powerpc, arm, etc...

This makes sense, because my x86 toolchain doesn't need patches that
are specific to powerpc, and if the CT_TOOLCHAIN_HARDENING is enabled,
it will apply patches from "security". Patches that would be applied
regardless of architecture would go in "any".

On one hand I really like the idea of separating the architectures out, but on the other hand I'm a bit worried about inter-dependencies. Of course this could also simply be solved by moving these specific patches into "any". We need to be careful not to turn this whole thing into a maintenance nightmare whenever a new i.e. gcc comes out.


--

Regards
  Heiko Zuerker
  http://www.devil-linux.org
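
The layout proposed in the quoted message, sketched as an added example that is not part of this thread or of crosstool-ng: it selects patches from `any`, the target architecture and, when CT_TOOLCHAIN_HARDENING=y, `security`, then lists source files touched from more than one of those directories, which is where the inter-dependency concern in the reply applies. The function names, the any/architecture/security ordering and the sample tree are assumptions.

```shell
#!/bin/sh
# Added illustration; function names and the any -> arch -> security
# ordering are assumptions, not crosstool-ng code.

# list_patches ROOT ARCH PROGRAM VERSION
# Prints patches under ROOT/<group>/PROGRAM/VERSION for "any", then ARCH,
# then "security" only when CT_TOOLCHAIN_HARDENING=y.
list_patches() {
    root=$1; arch=$2; prog=$3; ver=$4
    groups="any $arch"
    if [ "${CT_TOOLCHAIN_HARDENING:-n}" = "y" ]; then
        groups="$groups security"
    fi
    for g in $groups; do
        for p in "$root/$g/$prog/$ver"/*.patch; do
            if [ -f "$p" ]; then printf '%s\n' "$p"; fi
        done
    done
    return 0
}

# shared_targets ROOT ARCH PROGRAM VERSION
# Prints source files modified by patches from more than one group, where
# the order in which the directories are applied starts to matter.
shared_targets() {
    list_patches "$@" | while IFS= read -r p; do
        group=${p#"$1"/}; group=${group%%/*}
        sed -n 's|^+++ [^/]*/\([^[:space:]]*\).*|\1|p' "$p" |
            while IFS= read -r f; do printf '%s %s\n' "$f" "$group"; done
    done | LC_ALL=C sort -u | cut -d' ' -f1 | uniq -d
}

# Constructed sample tree: "X.Y" and the patch names are placeholders, and
# each patch holds only the header lines that shared_targets reads.
demo_tree() {
    t=$(mktemp -d)
    for g in any x86 powerpc security; do mkdir -p "$t/$g/gcc/X.Y"; done
    printf '%s\n' '--- a/gcc/gcc.c' '+++ b/gcc/gcc.c' > "$t/any/gcc/X.Y/100-base.patch"
    printf '%s\n' '--- a/gcc/config/i386/i386.c' '+++ b/gcc/config/i386/i386.c' > "$t/x86/gcc/X.Y/100-x86.patch"
    printf '%s\n' '--- a/gcc/config/rs6000/rs6000.c' '+++ b/gcc/config/rs6000/rs6000.c' > "$t/powerpc/gcc/X.Y/100-ppc.patch"
    printf '%s\n' '--- a/gcc/gcc.c' '+++ b/gcc/gcc.c' > "$t/security/gcc/X.Y/100-harden.patch"
    printf '%s\n' "$t"
}

tree=$(demo_tree)
CT_TOOLCHAIN_HARDENING=y
list_patches "$tree" x86 gcc X.Y      # any, x86 and security; never powerpc
shared_targets "$tree" x86 gcc X.Y    # file patched from both any and security
rm -rf "$tree"
```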




