As I wrote previously, I'm going to use a virtualized environment to run my desktop machine and the Direct Connect server for the Campus Party. In this first document I'll cover a hardened multilib amd64 installation using gcc-4.x, starting from a stage3 and following the Gentoo handbook.
As usual I went through chapters 1 to 4 to get a working system from the Live CD, configure its network connection and partition its hard disks (as a side note, I kept /boot on the same partition as the main Gentoo system).
After that I downloaded the hardened multilib stage3 tarball (it lives in the hardened directory inside the stages directory on the mirrors) and unpacked it following the instructions in the handbook.
Next I installed a Portage snapshot and configured make.conf to my liking.
After that I selected a mirror and followed the chroot process explained in section 6.a.
Next I changed the profile to the appropriate one (hardened/amd64/multilib/ at the time of writing; now it is hardened/linux/amd64/10.0) as indicated in 6.b. I also added the multilib USE flag, as multilib did not seem to work properly with that profile (see bug #261482); that bug has since been fixed, so adding the USE flag is no longer necessary. Then I generated the appropriate locales (es_ES in my case).
After that, still following part 6, I moved on to adding gcc-4* to the system before going for the kernel.
First thing you need is layman and git so start by emerging both:
# emerge -v dev-util/git app-portage/layman
You also need make.conf to read layman's overlay settings. On older layman versions the file is under /usr/portage/local/layman:
# echo 'source /usr/portage/local/layman/make.conf' >> /etc/make.conf
On newer versions of layman the file moved, so use this instead:
# echo 'source /usr/local/portage/layman/make.conf' >> /etc/make.conf
After that we added the overlay using layman:
# layman -o http://github.com/Xake/toolchain-overlay.git/xake-toolchain.xml -fa xake-toolchain
As the overlay has since moved, use this instead:
# layman -kfa hardened-development
Then we add a few things to make.conf to solve a few problems (if make.conf already has a FEATURES line, merge the value into it instead of appending a second one, since the later assignment would override the earlier one):
# echo 'FEATURES="metadata-transfer"' >> /etc/make.conf
# echo 'PORTAGE_ECLASS_WARNING_ENABLE="0"' >> /etc/make.conf
As of today gcc-4.x with PIE and SSP is available in the main tree as >=sys-devel/gcc-4.4.4-r1 and >=sys-devel/gcc-4.4.3-r3 for the 4.4.4 and 4.4.3 series respectively, so the overlay is no longer required.
Next we unmask the 4.3 version of gcc (as 4.2 is gone) and the glibc-2.7* version it needs, and keyword a few other packages the toolchain needs to work properly. Quote the atoms so the shell does not try to expand the asterisk:
# echo '=sys-devel/gcc-4.3*' >> /etc/portage/package.unmask
# echo '=sys-libs/glibc-2.7*' >> /etc/portage/package.unmask
# echo '=sys-devel/gcc-4.3*' >> /etc/portage/package.keywords
# echo '=sys-libs/glibc-2.7*' >> /etc/portage/package.keywords
# echo '=sys-devel/binutils-2.18-r4' >> /etc/portage/package.keywords
# echo '=sys-boot/grub-0.97-r10' >> /etc/portage/package.keywords
As of today only the keywording step is still needed (the packages are no longer hard-masked), and if no bug is filed against those versions within a month even that will be unnecessary.
For gcc-4.4.4 we should use:
# echo '=sys-devel/gcc-4.4.4-r1' >> /etc/portage/package.keywords
# echo '=sys-boot/grub-0.97-r10' >> /etc/portage/package.keywords
And for gcc-4.4.3 use instead:
# echo '=sys-devel/gcc-4.4.3-r3' >> /etc/portage/package.keywords
# echo '=sys-boot/grub-0.97-r10' >> /etc/portage/package.keywords
Now we build our fancy new toolchain (-1 is --oneshot, so none of these packages get added to the world file):
# emerge -1 gcc-config linux-headers glibc binutils gcc portage
And set up the system so it uses it. For gcc 4.4.4:
# gcc-config x86_64-pc-linux-gnu-4.4.4
# source /etc/profile
# export PS1="(chroot) $PS1"
Or for gcc 4.4.3:
# gcc-config x86_64-pc-linux-gnu-4.4.3
# source /etc/profile
# export PS1="(chroot) $PS1"
So now we have a hardened install with a gcc-4.x compiler (4.3, or 4.4.x if you followed the updated steps). We could remove the old gcc version, but we are keeping it just in case.
With the new gcc in place it is a good idea to rebuild the whole stage3 so that everything is built with the new compiler, SSP and PIE. This rebuilds every package in world, so expect it to take a long while:
# emerge -ev1 world
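After the rebuild it is worth checking that the binaries really came out PIE and stack-protected; on Gentoo the usual tool for this is scanelf from app-misc/pax-utils. The script below is an added example (not from the original post and not a Gentoo tool) that does the same inspection in plain Python by reading the ELF structures directly: ET_DYN for PIE, the PT_GNU_STACK flags for a non-executable stack, PT_GNU_RELRO plus DT_BIND_NOW for partial/full RELRO, and a reference to __stack_chk_fail for SSP. The build_sample() helper fabricates a minimal, non-loadable ELF header so the checks can be exercised offline; it is a constructed sample, not a real binary.

```python
"""Check an ELF64 binary for the hardening a PIE/SSP toolchain should produce.

Added example, not from the original post. It parses the ELF header, program
headers, dynamic section and symbol tables itself (no readelf/scanelf needed)
and reports PIE, NX stack, RELRO and stack-protector use.
Usage: python3 elfcheck.py /bin/ls /usr/bin/python3
"""
import struct
import sys

ET_EXEC, ET_DYN = 2, 3
PT_DYNAMIC, PT_GNU_STACK, PT_GNU_RELRO = 2, 0x6474E551, 0x6474E552
PF_X = 1
SHT_SYMTAB, SHT_DYNSYM = 2, 11
DT_NULL, DT_BIND_NOW, DT_FLAGS = 0, 24, 30
DF_BIND_NOW = 0x8


def check_elf(data: bytes) -> dict:
    """Return {'pie', 'nx', 'relro', 'ssp'} for the ELF64 image in *data*."""
    if data[:4] != b"\x7fELF" or data[4] != 2:
        raise ValueError("not an ELF64 image")
    e = "<" if data[5] == 1 else ">"  # EI_DATA: 1 = little-endian
    (e_type, _m, _v, _entry, phoff, shoff, _f, _eh, phentsize, phnum,
     shentsize, shnum, _strndx) = struct.unpack_from(e + "HHIQQQIHHHHHH", data, 16)

    phdrs = [struct.unpack_from(e + "IIQQQQQQ", data, phoff + i * phentsize)
             for i in range(phnum)]
    # A PIE is linked as ET_DYN; a classic non-PIE executable is ET_EXEC.
    pie = e_type == ET_DYN
    # PT_GNU_STACK without PF_X asks for a non-executable stack; if the header
    # is missing the loader falls back to an executable stack.
    stack = [p for p in phdrs if p[0] == PT_GNU_STACK]
    nx = bool(stack) and not (stack[0][1] & PF_X)

    # RELRO: PT_GNU_RELRO alone is partial; DT_BIND_NOW/DF_BIND_NOW makes it full.
    relro = "none"
    if any(p[0] == PT_GNU_RELRO for p in phdrs):
        relro = "partial"
        dyn = [p for p in phdrs if p[0] == PT_DYNAMIC]
        if dyn:
            off, size = dyn[0][2], dyn[0][5]  # p_offset, p_filesz
            for j in range(0, size, 16):
                tag, val = struct.unpack_from(e + "QQ", data, off + j)
                if tag == DT_NULL:
                    break
                if tag == DT_BIND_NOW or (tag == DT_FLAGS and val & DF_BIND_NOW):
                    relro = "full"

    # SSP: every instrumented function calls __stack_chk_fail, so the symbol
    # appears in .dynsym (dynamic binaries) or .symtab (static, unstripped).
    ssp = False
    shdrs = [struct.unpack_from(e + "IIQQQQIIQQ", data, shoff + i * shentsize)
             for i in range(shnum)]
    for sh in shdrs:
        if sh[1] not in (SHT_SYMTAB, SHT_DYNSYM):
            continue
        strtab = shdrs[sh[6]]  # sh_link points at the matching string table
        for j in range(0, sh[5], 24):  # Elf64_Sym is 24 bytes
            name_off = struct.unpack_from(e + "I", data, sh[4] + j)[0]
            start = strtab[4] + name_off
            if data[start:data.index(b"\0", start)] == b"__stack_chk_fail":
                ssp = True
    return {"pie": pie, "nx": nx, "relro": relro, "ssp": ssp}


def build_sample(pie: bool, nx: bool) -> bytes:
    """Constructed minimal ELF64 (header + two program headers, no sections).
    Only for exercising check_elf offline; it is not a loadable binary."""
    phdrs = [
        struct.pack("<IIQQQQQQ", PT_GNU_STACK, 6 if nx else 7, 0, 0, 0, 0, 0, 16),
        struct.pack("<IIQQQQQQ", PT_GNU_RELRO, 4, 0, 0, 0, 0, 0, 1),
    ]
    hdr = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)  # ELF64, LSB, version 1
    hdr += struct.pack("<HHIQQQIHHHHHH", ET_DYN if pie else ET_EXEC, 0x3E, 1, 0,
                       64, 0, 0, 64, 56, len(phdrs), 64, 0, 0)
    return hdr + b"".join(phdrs)


if __name__ == "__main__":
    for path in sys.argv[1:]:
        with open(path, "rb") as f:
            r = check_elf(f.read())
        print(f"{path}: PIE={r['pie']} NX={r['nx']} RELRO={r['relro']} SSP={r['ssp']}")
```

Two caveats when reading the output: shared libraries are also ET_DYN, so the PIE column only means something for executables, and a function only references __stack_chk_fail when the compiler actually instrumented it, so a tiny binary with no protected frames can show SSP=False even when it was built with the stack-protector toolchain.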
The next step is following chapter 7 (configure and compile the kernel).
After following step 7.a to set the time, I installed the hardened sources:
# emerge hardened-sources
Then I jumped to step 7.c to configure the hardened kernel, where I enabled PaX and grsecurity.
After that (as I didn't use modules) I jumped to chapter 8 and followed it to the end.
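Once the hardened kernel is built and booted, the quickest sanity check is to confirm that the PaX/grsecurity options actually made it into the kernel config. The following is an added example (not from the original post): it parses a kernel .config, or the running kernel's /proc/config.gz when CONFIG_IKCONFIG_PROC is enabled, and lists the options from a required list that are absent or disabled. The REQUIRED list is an assumption for illustration and should be adjusted to the hardened-sources version you actually run; SAMPLE_CONFIG is a constructed fragment used only to exercise the parser.

```python
"""Verify a grsecurity/PaX kernel .config has the options this setup relies on.

Added example, not from the original post. Pass a path to a .config file, or
nothing to read the running kernel's /proc/config.gz.
"""
import gzip
import sys

# Options the "enable PaX and grsec" step is expected to turn on. This list is
# an assumption of this example; tune it to the kernel version you run.
REQUIRED = [
    "CONFIG_GRKERNSEC", "CONFIG_PAX", "CONFIG_PAX_NOEXEC", "CONFIG_PAX_PAGEEXEC",
    "CONFIG_PAX_MPROTECT", "CONFIG_PAX_ASLR", "CONFIG_PAX_RANDMMAP",
    "CONFIG_PAX_RANDUSTACK",
]

# Constructed sample fragment, not a real kernel config.
SAMPLE_CONFIG = """\
# constructed sample, not a real kernel config
CONFIG_GRKERNSEC=y
CONFIG_PAX=y
CONFIG_PAX_NOEXEC=y
CONFIG_PAX_PAGEEXEC=y
# CONFIG_PAX_MPROTECT is not set
CONFIG_PAX_ASLR=y
CONFIG_PAX_RANDMMAP=y
CONFIG_PAX_RANDUSTACK=y
CONFIG_LOCALVERSION="-hardened"
"""


def parse_config(text: str) -> dict:
    """Map CONFIG_* names to their values; '# CONFIG_X is not set' becomes 'n'."""
    opts = {}
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("# CONFIG_") and line.endswith(" is not set"):
            opts[line[2:-len(" is not set")]] = "n"
        elif line.startswith("CONFIG_") and "=" in line:
            key, val = line.split("=", 1)
            opts[key] = val.strip('"')
    return opts


def missing_options(opts: dict, required=REQUIRED) -> list:
    """Return the required options that are absent or not set to 'y'."""
    return [o for o in required if opts.get(o) != "y"]


def load_config(path=None) -> str:
    """Read a .config file, or the running kernel's config when path is None."""
    if path is None:
        with gzip.open("/proc/config.gz", "rt") as f:
            return f.read()
    with open(path) as f:
        return f.read()


if __name__ == "__main__":
    opts = parse_config(load_config(sys.argv[1] if len(sys.argv) > 1 else None))
    gaps = missing_options(opts)
    print("all required PaX/grsec options are enabled" if not gaps
          else "missing or disabled: " + ", ".join(gaps))
    sys.exit(1 if gaps else 0)
```

Run it against /usr/src/linux/.config before you reboot into the new kernel, and again with no argument once it is running, so that a forgotten option shows up before it costs you a boot.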
I'll report on how well or badly it works once KDE finishes compiling 😉
Update: I have been using this hardened system since I wrote this article without any major problems 😀
[offtopic]
Hey you, we've opened registration for the mlp!
Hope to see you there 😀
[/offtopic]
[flame]
debian rox
[/flame]
xD
I'll try, n0p