r1600 - in trunk/BOOK: . chapter01 chapter06

robert at linuxfromscratch.org robert at linuxfromscratch.org
Mon Nov 29 21:11:58 PST 2010


Author: robert
Date: 2010-11-29 22:11:51 -0700 (Mon, 29 Nov 2010)
New Revision: 1600

Modified:
   trunk/BOOK/chapter01/changelog.xml
   trunk/BOOK/chapter06/glibc.xml
   trunk/BOOK/general.ent
Log:
Modified the chapter 6 Glibc page to build with hardened GCC options.

Modified: trunk/BOOK/chapter01/changelog.xml
===================================================================
--- trunk/BOOK/chapter01/changelog.xml	2010-11-28 02:51:39 UTC (rev 1599)
+++ trunk/BOOK/chapter01/changelog.xml	2010-11-30 05:11:51 UTC (rev 1600)
@@ -38,6 +38,17 @@
 -->
 
     <listitem>
+      <para>2010-11-30</para>
+      <itemizedlist>
+        <listitem>
+          <para>[robert] - Modified the chapter 6 Glibc page to build with
+          hardened GCC options.
+          </para>
+        </listitem>
+      </itemizedlist>
+    </listitem>
+
+    <listitem>
       <para>2010-11-27</para>
       <itemizedlist>
         <listitem>

Modified: trunk/BOOK/chapter06/glibc.xml
===================================================================
--- trunk/BOOK/chapter06/glibc.xml	2010-11-28 02:51:39 UTC (rev 1599)
+++ trunk/BOOK/chapter06/glibc.xml	2010-11-30 05:11:51 UTC (rev 1600)
@@ -120,6 +120,15 @@
   i?86) echo "CFLAGS += -march=i486 -mtune=native -O3 -pipe" > configparms ;;
 esac</userinput></screen>
 
+    <para>Configure the <filename>configparms</filename> file to build the Glibc
+    libraries with hardening disabled:</para>
+
+<screen><userinput remap="configure">cat >> configparms << "EOF"
+build-programs=no
+CC += -fPIC -fno-stack-protector -U_FORTIFY_SOURCE -nonow -nopie
+CXX += -fPIC -fno-stack-protector -U_FORTIFY_SOURCE -nonow -nopie
+EOF</userinput></screen>
+
     <para>Prepare Glibc for compilation:</para>
 
 <screen><userinput remap="configure">../glibc-&glibc-version;/configure --prefix=/usr \
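Review bot: The added paragraph says the Glibc libraries are built "with hardening disabled" but gives no reason, so a reader of a hardened book cannot tell whether dropping the stack protector and `_FORTIFY_SOURCE` for libc itself is a deliberate, bounded exception. I would extend the `<para>` with one sentence stating why the library pass needs these switched off, and that only this pass is affected because the programs are rebuilt with hardening in the next step. `-nonow` and `-nopie` are not stock GCC switches, so they presumably come from the book's hardened specs. The text should say where they come from, since a toolchain without those specs would likely reject them and the library build would fail.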
@@ -141,15 +150,53 @@
 
     </variablelist>
 
-    <para>Compile the package:</para>
+    <para>Compile the libraries:</para>
 
 <screen><userinput remap="make">make</userinput></screen>
 
+    <para>Prepare the <filename>configparms</filename> file to build the Glibc
+    programs:</para>
+
+<screen><userinput remap="configure">cat > configparms << "EOF"
+<literal>CC += -fPIE -fstack-protector-all -D_FORTIFY_SOURCE=2
+CXX += -fPIE -fstack-protector-all -D_FORTIFY_SOURCE=2
+CFLAGS-sln.c += -fno-PIC -fno-PIE
++link = $(CC) -pie -Wl,-O1 -nostdlib -nostartfiles -o $@ \
+    $(sysdep-LDFLAGS) $(config-LDFLAGS) $(LDFLAGS) $(LDFLAGS-$(@F)) \
+    $(combreloc-LDFLAGS) $(relro-LDFLAGS) $(hashstyle-LDFLAGS) \
+    -Wl,-z,now -Wl,--warn-shared-textrel,--fatal-warnings \
+    $(addprefix $(csu-objpfx),S$(start-installed-name)) \
+    $(+preinit) $(+prectorS) \
+    $(filter-out $(addprefix $(csu-objpfx),start.o \
+    S$(start-installed-name))\
+    $(+preinit) $(link-extra-libs) \
+    $(common-objpfx)libc% $(+postinit),$^) \
+    $(link-extra-libs) $(link-libc) $(+postctorS) $(+postinit)</literal>
+EOF
+case `uname -m` in
+  i?86) echo "CFLAGS += -march=i486 -mtune=native" >> configparms ;;
+esac</userinput></screen>
+
+    <para>Compile the programs:</para>
+
+<screen><userinput remap="make">make</userinput></screen>
+
     <important>
       <para>In this section, the test suite for Glibc is considered critical.
       Do not skip it under any circumstance.</para>
     </important>
 
+    <para>To test the results first create a new
+    <filename>configparms</filename> file to disable most hardening options:</para>
+
+<screen><userinput remap="configure">cat > configparms << "EOF"
+CC += -fPIC -fno-stack-protector -U_FORTIFY_SOURCE -nonow -nopie -no-fatal-warnings
+CXX += -fPIC -fno-stack-protector -U_FORTIFY_SOURCE -nonow -nopie -no-fatal-warnings
+EOF
+case `uname -m` in
+  i?86) echo "CFLAGS += -march=i486 -mtune=native" >> configparms ;;
+esac</userinput></screen>
+
     <para>Before running the tests, copy a file from the source tree into our
     build tree to prevent a couple of test failures, then test the
     results:</para>
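Review bot: The test-suite `configparms` at the end of this hunk turns the stack protector, `_FORTIFY_SOURCE`, PIE and `-z now` back off, so the suite the page calls critical does not appear to exercise the hardened program build. It also leaves the build tree configured without hardening when the install step (outside this hunk) runs, so any program objects rebuilt by `make check` or the install would presumably get the non-hardened flags. I would add a paragraph after the tests that restores the hardened `configparms`, or a post-install check on one installed Glibc program using `readelf -h` (Type should be `DYN`) and `readelf -d` (look for `BIND_NOW`). Separately, the i?86 line for the program build drops the `-O3 -pipe` used in the library pass. `_FORTIFY_SOURCE=2` only takes effect with optimisation enabled, so it is worth confirming that the default `CFLAGS` still supplies an `-O` level.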

Modified: trunk/BOOK/general.ent
===================================================================
--- trunk/BOOK/general.ent	2010-11-28 02:51:39 UTC (rev 1599)
+++ trunk/BOOK/general.ent	2010-11-30 05:11:51 UTC (rev 1600)
@@ -1,5 +1,5 @@
-<!ENTITY version "SVN-20101127">
-<!ENTITY releasedate "November 27, 2010">
+<!ENTITY version "SVN-20101130">
+<!ENTITY releasedate "November 30, 2010">
 <!ENTITY copyrightdate "1999-2010"><!-- jhalfs needs a literal dash, not – -->
 <!ENTITY milestone "1.0">
 <!ENTITY generic-version "development"> <!-- Use "development", "testing", or "x.y[-pre{x}]" -->



