Hardened LFS - GCC4

Andreas Turriff andi598d at gmail.com
Thu Aug 18 10:22:35 PDT 2005

[Responses snipped]

Right. Basically, the Gentoo specfiles are designed to remove the need
to change Makefiles to include "-pie -fpie" on the PIE end and include
-fstack-protector-all on the SSP end - the latter just like Robert's
specfile for HLFS. I've been following the GCC-4 LFS branch
instructions except for those specfile changes and hardwired those
specfile changes into gcc (no patch for that yet; I'm still trying to
sort out a minimal set of patches to get Jakub's SSP backport working
with vanilla 4.0.x - I'm using almost the full Red Hat branch, and I
doubt that'd be what the book wants).

Building glibc, there's a snag buried somewhere in the includes - if
you build with Gentoo's hardened specs, it'll blow up on trying to
compile iconv/gconv_cache.c. As near as I could isolate it, it's an
assembly problem deeply buried in not-cancel.h in the sysdeps folders,
but that's way over my head to fix. Since one of Gentoo's glibc
patches fixes this, maybe I can chase down which one. Another thing to
note is that if you build GCC with -fstack-protector-all hardwired in,
you'll need to force glibc to link libc_nonshared.a into its
applications, or it won't find the stack protector symbols and will bomb
out. That's a simple Makefile change, though.

I haven't had too much pain with the rest of the system, although a
couple of gcc4 fixes are needed - those are all in the Patches project.
One thing that won't work is Java, but I'm not worried about /that/.