adding support for hardened toolchain

Heiko Zuerker heiko@zuerker.org
Wed Jan 5 19:50:00 GMT 2011


Quoting Bryan Hundven <bryanhundven@gmail.com>:

[.............]

>> The hardened toolchain is not anything folks would look at on their own
>> usually. Adding it to ct-ng would give it more exposure and more folks may
>> tend to try it out. We really need to get to a place where things get more
>> secure for everybody.
>>
>> We'll see when I actually get a chance to look into writing a patch for
>> this...
>
> After looking into this a bit more, I think I get it now, and I would
> like to see this get into crosstool-ng.

Cool :)

> It seems to me that the patch directory needs to be refactored. I
> would suggest something like:
>
> patches/
>   <architecture>/
>       <program>/
>           <version>/
>              <patch>.patch
>
> Where one of the "architecture"s would be "any" and another would be
> "security", besides just x86, powerpc, arm, etc...
>
> This makes sense, because my x86 toolchain doesn't need patches that
> are specific to powerpc, and if the CT_TOOLCHAIN_HARDENING is enabled,
> it will apply patches from "security". Patches that would be applied
> regardless of architecture would go in "any".

On one hand I really like the idea of separating the architectures out, but on the other hand I'm a bit worried about inter-dependencies. Of course this could also simply be solved by moving these specific patches into "any". We need to be careful not to turn this whole thing into a maintenance nightmare whenever e.g. a new gcc comes out.

-- 

Regards
   Heiko Zuerker
   http://www.devil-linux.org
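The patch-selection rule Bryan describes above (apply "any", then the real architecture, then "security" only when CT_TOOLCHAIN_HARDENING is enabled) can be written down as a small script. This is an added example, not crosstool-ng code or anything proposed on the list: the function names, the sample program/version strings and the empty patch files it creates are all constructed for the demo.

```sh
#!/bin/sh
# Added example, not crosstool-ng code: patch selection for the proposed
# patches/<architecture>/<program>/<version>/ layout, where "any" and
# "security" are pseudo-architectures and "security" is only consulted when
# CT_TOOLCHAIN_HARDENING is enabled.

# select_patches ROOT ARCH PROGRAM VERSION HARDENING(y|n)
# Prints the patch paths to apply, one per line. Order is: "any" first,
# then the real architecture, then "security" (only if HARDENING=y).
# Within one directory the shell glob sorts names, so numeric prefixes
# give a deterministic application order.
select_patches() {
    sp_root=$1; sp_arch=$2; sp_prog=$3; sp_ver=$4; sp_hard=$5
    sp_dirs="any $sp_arch"
    if [ "$sp_hard" = "y" ]; then
        sp_dirs="$sp_dirs security"
    fi
    for sp_d in $sp_dirs; do
        sp_pdir="$sp_root/$sp_d/$sp_prog/$sp_ver"
        [ -d "$sp_pdir" ] || continue          # no patches for this combination
        for sp_p in "$sp_pdir"/*.patch; do
            [ -e "$sp_p" ] || continue         # glob matched nothing
            printf '%s\n' "$sp_p"
        done
    done
}

# count_patches: same arguments as select_patches, prints how many were selected
count_patches() {
    select_patches "$@" | wc -l | tr -d ' '
}

# make_sample_tree ROOT: constructed sample tree for the demo. The program
# name, the version string and the patch file names are made up and the
# patch files are empty; only the directory layout matters here.
make_sample_tree() {
    mst_root=$1
    mst_ver="sample-version"
    for mst_d in any x86 powerpc security; do
        mkdir -p "$mst_root/$mst_d/gcc/$mst_ver"
    done
    : > "$mst_root/any/gcc/$mst_ver/100-generic-fix.patch"
    : > "$mst_root/x86/gcc/$mst_ver/100-x86-only.patch"
    : > "$mst_root/powerpc/gcc/$mst_ver/100-powerpc-only.patch"
    : > "$mst_root/security/gcc/$mst_ver/100-hardening-a.patch"
    : > "$mst_root/security/gcc/$mst_ver/200-hardening-b.patch"
}

# Demo: an x86 build, with and without hardening, never sees the powerpc patch.
demo_root=$(mktemp -d)
make_sample_tree "$demo_root"
echo "x86, hardening off:"
select_patches "$demo_root" x86 gcc sample-version n
echo "x86, hardening on:"
select_patches "$demo_root" x86 gcc sample-version y
rm -rf "$demo_root"
```

The ordering matters for the inter-dependency worry raised in this thread: a patch in "security" is applied on top of whatever "any" and the architecture directory already changed, so a hardening patch that touches the same hunk as an architecture-specific one has to be kept in sync with it (or moved into "any", as suggested) every time a new upstream version lands.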


----------------------------------------------------------------
This message was sent using IMP, the Internet Messaging Program.



--
For unsubscribe information see http://sourceware.org/lists.html#faq



More information about the crossgcc mailing list