{"id":97,"date":"2009-03-07T02:16:11","date_gmt":"2009-03-07T01:16:11","guid":{"rendered":"http:\/\/klondike.xiscosoft.es\/klog\/?p=97"},"modified":"2010-06-27T19:00:31","modified_gmt":"2010-06-27T18:00:31","slug":"gentoo-hardened-and-gcc-4x-i-installation","status":"publish","type":"post","link":"https:\/\/klondike.es\/klog\/2009\/03\/07\/gentoo-hardened-and-gcc-4x-i-installation\/","title":{"rendered":"Gentoo hardened and gcc-4.x (I) Installation"},"content":{"rendered":"

As I wrote previously, I’m going to use a virtualized environment to run my desktop machine and the Direct Connect server for the Campus Party. In this first document I’ll try to cover a hardened multilib amd64 installation using gcc-4.x from a stage 3 following the gentoo handbook.<\/p>\n

As usual we got through chapters 1 to 4 to get a working system from a Live CD, then configure its network connection and partition its hard disks (as a side note I like to comment that I have made boot being in the same partition as the main gentoo system).<\/p>\n

After that I downloaded the hardened multilib stage3 (remember it can be found at the hardened directory inside the stages dir) file and uncompressed it following the instructions in the handbook.<\/p>\n

Next thing I did was installing portage and then configuring the make.conf to my likes.<\/p>\n

After that I selected a Mirror and followed the chroot process explained at section 6.a<\/p>\n

Next, was changing the profile to the appropriate one (hardened\/amd64\/multilib\/<\/span> now it is hardened\/linux\/amd64\/10.0) as indicated at 6.b I also added the multilib USE as it doesn’t seems to work properly with that profile (see BUG #261482<\/a>).<\/span> Now adding the multilib USE seem unnecessary as the bug was fixed. And generated the appropriate locales (es-ES in my case).<\/p>\n

After that and following part 6 I passed to adding gcc-4* to my system before going for the kernel.<\/span><\/p>\n

First thing you need is layman and git so start by emerging both:<\/span><\/p>\n

# emerge -v dev-util\/git app-portage\/layman<\/span><\/p><\/blockquote>\n

Also you should configure your make.conf so it reads data from layman:<\/span><\/p>\n

# echo “source \/usr\/portage\/local\/layman\/make.conf” >> \/etc\/make.conf<\/del><\/span><\/p><\/blockquote>\n

On new versions of layman this moved so use:<\/span><\/p>\n

# echo “source \/usr\/local\/portage\/layman\/make.conf” >> \/etc\/make.conf<\/span><\/p><\/blockquote>\n

After that we added the overlay using layman:<\/span><\/p>\n

# layman -o http:\/\/github.com\/Xake\/toolchain-overlay.git\/xake-toolchain.xml -fa xake-toolchain<\/del><\/span><\/p><\/blockquote>\n

As the overlay has moved,you’d better use<\/span><\/p>\n

# layman -kfa hardened-development<\/span><\/p><\/blockquote>\n

Then we add a few thing to our make.conf to solve a few problems:<\/span><\/p>\n

# echo ‘FEATURES=”metadata-transfer”‘ >> \/etc\/make.conf
\n#echo ‘PORTAGE_ECLASS_WARNING_ENABLE=”0″ >> \/etc\/make.conf<\/span><\/p><\/blockquote>\n

As of today the gcc-4.x with PIE and SSP is available on >=sys-devel\/gcc-4.4.4-r1 and >=sys-devel\/gcc-4.4.3-r3 for the 4.4.4 and 4.4.3 versions respectively. So the overlay is not required.<\/p>\n

And we unmask the 4.3 version of gcc (as 4.2 is gone) and the required glibc-2.7* version we also unmask a few packages required by the toolchain to work properly:<\/span><\/p>\n

# echo =sys-devel\/gcc-4.3* >> \/etc\/portage\/package.unmask
\n# echo =sys-libs\/glibc-2.7* >> \/etc\/portage\/package.unmask
\n# echo =sys-devel\/gcc-4.3* >> \/etc\/portage\/package.keywords
\n# echo =sys-libs\/glibc-2.7* >> \/etc\/portage\/package.keywords
\n# echo “=sys-devel\/binutils-2.18-r4” >>\/etc\/portage\/package.keywords
\n# echo “=sys-boot\/grub-0.97-r10” >>\/etc\/portage\/package.keywords<\/span><\/p><\/blockquote>\n

As of today only removing the keyword is removed and if no bug is filled against those versions in less than a month this won’t even be necessary.<\/p>\n

For gcc-4.4.4 We should use:<\/p>\n

# echo =sys-devel\/gcc-4.4.4-r1 >> \/etc\/portage\/package.keywords
\n# echo “=sys-boot\/grub-0.97-r10” >>\/etc\/portage\/package.keywords<\/p><\/blockquote>\n

And for gcc-4.4.3 use instead:<\/p>\n

# echo =sys-devel\/gcc-4.4.3-r3 >> \/etc\/portage\/package.keywords
\n# echo “=sys-boot\/grub-0.97-r10” >>\/etc\/portage\/package.keywords<\/p><\/blockquote>\n

Now we build our fancy new toolchain:<\/p>\n

# emerge gcc-config linux-headers glibc binutils gcc portage -1<\/p><\/blockquote>\n

And set up the system so it uses it. For gcc 4.4.4:<\/p>\n

# gcc-config x86_64-pc-linux-gnu-4.4.4
\n# source \/etc\/profile
\n# export PS1=”(chroot) $PS1″<\/p><\/blockquote>\n

Or for gcc 4.4.3:<\/p>\n

# gcc-config x86_64-pc-linux-gnu-4.4.3
\n# source \/etc\/profile
\n# export PS1=”(chroot) $PS1″<\/p><\/blockquote>\n

So now we have a hardened install with a gcc-4.3 compiler. We could remove the old gcc version but we are keeping it just in case.<\/p>\n

With our new gcc version it would be a good idea recompiling our stage3 so it uses the new gcc version, SSP and PIE. For that we’d run:<\/p>\n

# emerge -ev1 world<\/p><\/blockquote>\n

Next steep is following chapter 7 (configure and compile the kernel).<\/p>\n

After following step 7.a to set the time we got the hardened sources:<\/p>\n

emerge hardened-sources<\/p><\/blockquote>\n

And then jumped to step 7.c to configure the hardened kernel where I enabled PAX and Grsec.<\/p>\n

After that (as I didn’t use modules) I jumped to chapter 8. and followed until the end.<\/p>\n

I’ll report on how well or bad it works as it ends compiling kde \ud83d\ude09<\/p>\n

As report I have to say that I have been used this hardened system since I wrote this article without any major problems \ud83d\ude00<\/p>\n","protected":false},"excerpt":{"rendered":"

As I wrote previously, I’m going to use a virtualized environment to run my desktop machine and the Direct Connect server for the Campus Party. In this first document I’ll try to cover a hardened multilib amd64 installation using gcc-4.x from a stage 3 following the gentoo handbook.<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-97","post","type-post","status-publish","format-standard","hentry","category-otras-cosas"],"_links":{"self":[{"href":"https:\/\/klondike.es\/klog\/wp-json\/wp\/v2\/posts\/97","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/klondike.es\/klog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/klondike.es\/klog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/klondike.es\/klog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/klondike.es\/klog\/wp-json\/wp\/v2\/comments?post=97"}],"version-history":[{"count":7,"href":"https:\/\/klondike.es\/klog\/wp-json\/wp\/v2\/posts\/97\/revisions"}],"predecessor-version":[{"id":99,"href":"https:\/\/klondike.es\/klog\/wp-json\/wp\/v2\/posts\/97\/revisions\/99"}],"wp:attachment":[{"href":"https:\/\/klondike.es\/klog\/wp-json\/wp\/v2\/media?parent=97"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/klondike.es\/klog\/wp-json\/wp\/v2\/categories?post=97"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/klondike.es\/klog\/wp-json\/wp\/v2\/tags?post=97"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}