Gentoo hardened and gcc-4.x (I) Installation

As I wrote previously, I’m going to use a virtualized environment to run my desktop machine and the Direct Connect server for the Campus Party. In this first document I’ll try to cover a hardened multilib amd64 installation using gcc-4.x from a stage 3 following the gentoo handbook.

As usual we went through chapters 1 to 4 to get a working system from a Live CD, then configured its network connection and partitioned its hard disks (as a side note, I kept /boot on the same partition as the main Gentoo system).

After that I downloaded the hardened multilib stage3 file (remember it can be found in the hardened directory inside the stages dir) and uncompressed it following the instructions in the handbook.

Next thing I did was installing portage and then configuring the make.conf to my liking.

After that I selected a mirror and followed the chroot process explained in section 6.a.

Next I changed the profile to the appropriate one (hardened/amd64/multilib/ at the time; now it is hardened/linux/amd64/10.0) as indicated in 6.b. I also added the multilib USE flag, as it didn’t seem to work properly with that profile (see BUG #261482); now that the bug is fixed, adding the multilib USE flag seems unnecessary. Then I generated the appropriate locales (es-ES in my case).

After that, and following part 6, I moved on to adding gcc-4* to my system before going for the kernel.

First thing you need is layman and git so start by emerging both:

# emerge -v dev-util/git app-portage/layman

Also you should configure your make.conf so it reads data from layman:

# echo "source /usr/portage/local/layman/make.conf" >> /etc/make.conf

On new versions of layman this moved so use:

# echo "source /usr/local/portage/layman/make.conf" >> /etc/make.conf

After that we added the overlay using layman:

# layman -o -fa xake-toolchain

As the overlay has moved, you’d better use:

# layman -kfa hardened-development

Then we add a few things to our make.conf to solve a few problems:

# echo 'FEATURES="metadata-transfer"' >> /etc/make.conf
# echo 'PORTAGE_ECLASS_WARNING_ENABLE="0"' >> /etc/make.conf

As of today the gcc-4.x with PIE and SSP is available on >=sys-devel/gcc-4.4.4-r1 and >=sys-devel/gcc-4.4.3-r3 for the 4.4.4 and 4.4.3 versions respectively. So the overlay is not required.

And we unmask the 4.3 version of gcc (as 4.2 is gone) and the required glibc-2.7* version; we also unmask a few packages required by the toolchain to work properly:

# echo "=sys-devel/gcc-4.3*" >> /etc/portage/package.unmask
# echo "=sys-libs/glibc-2.7*" >> /etc/portage/package.unmask
# echo "=sys-devel/gcc-4.3*" >> /etc/portage/package.keywords
# echo "=sys-libs/glibc-2.7*" >> /etc/portage/package.keywords
# echo "=sys-devel/binutils-2.18-r4" >> /etc/portage/package.keywords
# echo "=sys-boot/grub-0.97-r10" >> /etc/portage/package.keywords

As of today only the keywording is still required (the unmask entries are no longer needed), and if no bug is filed against those versions in less than a month even this won’t be necessary.

For gcc-4.4.4 we should use:

# echo "=sys-devel/gcc-4.4.4-r1" >> /etc/portage/package.keywords
# echo "=sys-boot/grub-0.97-r10" >> /etc/portage/package.keywords

And for gcc-4.4.3 use instead:

# echo "=sys-devel/gcc-4.4.3-r3" >> /etc/portage/package.keywords
# echo "=sys-boot/grub-0.97-r10" >> /etc/portage/package.keywords

Now we build our fancy new toolchain:

# emerge gcc-config linux-headers glibc binutils gcc portage -1

And set up the system so it uses it. For gcc 4.4.4:

# gcc-config x86_64-pc-linux-gnu-4.4.4
# source /etc/profile
# export PS1="(chroot) $PS1"

Or for gcc 4.4.3:

# gcc-config x86_64-pc-linux-gnu-4.4.3
# source /etc/profile
# export PS1="(chroot) $PS1"

So now we have a hardened install with a gcc-4.3 compiler. We could remove the old gcc version but we are keeping it just in case.

With our new gcc version it would be a good idea to recompile our stage3 so it uses the new gcc version, SSP and PIE. For that we’d run:

# emerge -ev1 world
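Before spending hours rebuilding world, it is worth confirming that the freshly selected compiler really emits PIE executables with SSP canaries. The script below is an added example, not part of the original post; it assumes gcc and readelf (from binutils) are on the PATH inside the chroot.

```shell
#!/bin/sh
# Added example: check that the active gcc produces PIE + SSP binaries.
# Assumes gcc and readelf are available (not from the original post).

# Returns 0 if the `readelf -h` output on stdin describes a PIE (ET_DYN)
# executable; a non-PIE binary reports "EXEC" instead.
pie_from_header() {
    grep -q 'Type:[[:space:]]*DYN'
}

# Returns 0 if the `readelf -s` output on stdin references __stack_chk_fail,
# the glibc routine called when a stack canary is found corrupted (SSP on).
ssp_from_symbols() {
    grep -q '__stack_chk_fail'
}

# Compiles a small test program with the current toolchain and prints
# "PIE=yes|no SSP=yes|no"; returns 0 only when both protections are present,
# 2 when compilation or temp-dir creation fails.
check_toolchain_hardening() {
    tmp=$(mktemp -d) || return 2
    cat > "$tmp/t.c" <<'EOF'
#include <stdio.h>
#include <string.h>
/* A char array on the stack makes -fstack-protector insert a canary. */
int main(int argc, char **argv) {
    char buf[64];
    strncpy(buf, argc > 1 ? argv[1] : "hardened", sizeof buf - 1);
    buf[sizeof buf - 1] = '\0';
    puts(buf);
    return 0;
}
EOF
    gcc -o "$tmp/t" "$tmp/t.c" || { rm -rf "$tmp"; return 2; }
    pie=no; ssp=no
    readelf -h "$tmp/t" | pie_from_header && pie=yes
    readelf -s "$tmp/t" | ssp_from_symbols && ssp=yes
    rm -rf "$tmp"
    echo "PIE=$pie SSP=$ssp"
    [ "$pie" = yes ] && [ "$ssp" = yes ]
}
```

Run `check_toolchain_hardening` right after `gcc-config`; if it reports `PIE=no` or `SSP=no`, the selected compiler is not the hardened one and rebuilding world would only produce unhardened binaries.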

Next step is following chapter 7 (configure and compile the kernel).

After following step 7.a to set the time we got the hardened sources:

# emerge hardened-sources

And then jumped to step 7.c to configure the hardened kernel where I enabled PAX and Grsec.

After that (as I didn’t use modules) I jumped to chapter 8 and followed it until the end.

I’ll report on how well or bad it works as it ends compiling kde 😉

As a follow-up report, I have to say that I have been using this hardened system since I wrote this article without any major problems 😀

2 Replies to “Gentoo hardened and gcc-4.x (I) Installation”

  1. [offtopic]
    Hey you, we have opened registration for the mlp!
    Let’s see if we meet there 😀

    debian rox

