Automatic merge of trunk into multilib

chapter01/changelog.xml

@@ -40,6 +40,18 @@
     appropriate for the entry or if needed the entire day's listitem.
     -->
 
+    <listitem>
+      <para>2022-09-10</para>
+      <itemizedlist>
+        <listitem>
+          <para>[pierre] - Add <option>--enable-default-pie</option> and
+          <option>--enable-default-ssp</option> to GCC build. Rationale
+          and some reports at
+          <ulink url="&lfs-ticket-root;5107">#5107</ulink>.</para>
+        </listitem>
+      </itemizedlist>
+    </listitem>
+
     <listitem>
       <para>2022-09-07</para>
       <itemizedlist>

chapter05/gcc-pass1.xml

@@ -173,10 +173,10 @@ cd       build</userinput></screen>
         <listitem>
           <para>Those switches allow GCC to compile programs with
            some hardening security features (more information on those in
-	  the <xref linkend="pie-ssp-info"/> in chapter 8). They are not
+           the <xref linkend="pie-ssp-info"/> in chapter 8) by default. The
-	  strictly needed at this stage, since the compiler will only produce
+           are not strictly needed at this stage, since the compiler will
-	  temporary executables. But it is cleaner to have the temporary
+           only produce temporary executables. But it is cleaner to have the
-	  packages be as close as possible to the final ones.
+           temporary packages be as close as possible to the final ones.
           </para>
         </listitem>
       </varlistentry>

chapter08/binutils.xml

@@ -178,6 +178,10 @@ cd       build</userinput></screen>
 
 <screen><userinput remap="test">make -k check</userinput></screen>
 
+<para>Twelve tests fail in the <command>gold</command> testsuite when the
+    <option>--enable-default-pie</option> and
+    <option>--enable-default-ssp</option> options are passed to GCC. There
+    is also a known failure in the <command>as</command> tests.</para>
     <!-- Fixed in 2.39
          https://sourceware.org/git/?p=binutils-gdb.git;a=commit;h=01ae03b
     <para>One gold test, <filename>pr17704a_test</filename>, is known to

chapter08/gcc.xml

@@ -124,20 +124,24 @@ cd       build</userinput></screen>
       </varlistentry>
     </variablelist>
 
-    <note id="pie-ssp-info" xreflabel="note on PIE and SSP">
+    <note>
+      <anchor id="pie-ssp-info" xreflabel="note on PIE and SSP"/>
       <para>
-        PIE (position independent executable) is a technique to produce
+        PIE (position-independent executable) is a technique to produce
-        binary programs that can be loaded anywhere in memory. Together
+        binary programs that can be loaded anywhere in memory.  Without PIE,
-        with a feature named ASLR (Address Space Layout Randomization),
+        the security feature named ASLR (Address Space Layout Randomization)
-        this allows programs to never have the same memory layout,
+        can be applied for the shared libraries, but not the exectutable
-        thus defeating attacks based on reproducible memory patterns.
+        itself.  Enabling PIE allows ASLR for the executables in addition to
+        the shared libraries, and mitigates some attacks based on fixed
+        addresses of sensitive code or data in the executables.
       </para>
       <para>
         SSP (Stack Smashing Protection) is a technique to ensure
         that the parameter stack is not corrupted. Stack corruption can
         for example alter the return address of a subroutine,
-        which would allow transferring control to an attacker program instead
+        which would allow transferring control to some dangerous code
-        of the original one.
+        (existing in the program or shared libraries, or injected by the
+        attacker somehow) instead of the original one.
       </para>
     </note>
 

chapter08/openssl.xml

@@ -43,7 +43,7 @@
   <sect2 role="installation">
     <title>Installation of OpenSSL</title>
 <!--
-    <para>First fix a problem with some advanced arcitectures with avx512 
+    <para>First fix a problem with some advanced architectures with avx512
     capability:</para>
 
  <screen><userinput remap="pre">sed -e '/bn_reduce.*m1/i\    factor_size /= sizeof(BN_ULONG) * 8;' \

chapter08/vim.xml

@@ -170,8 +170,9 @@ EOF</userinput></screen>
       To install spell files for your preferred language, download the
       <filename>*.spl</filename> and optionally, the <filename>*.sug</filename>
       files for your language and character encoding from <ulink
-      url="ftp://ftp.vim.org/pub/vim/runtime/spell/"/> and save them to
+        url="https://github.com/vim/vim/tree/master/runtime/spell/"/> and save
-      <filename class='directory'>/usr/share/&vim-docdir;/spell/</filename>.</para>
+      them to <filename class='directory'>
+        /usr/share/&vim-docdir;/spell/</filename>.</para>
 
       <para>To use these spell files, some configuration in
       <filename>/etc/vimrc</filename> is needed, e.g.:</para>

chapter10/kernel.xml

@@ -105,9 +105,15 @@
       <para>Be sure to enable/disable/set the following features or the system might
       not work correctly or boot at all:</para>
 
-      <screen role="nodump" revision="sysv">General setup -->
+      <screen role="nodump" revision="sysv">Processor type and features ---&gt;
+   [*] Build a relocatable kernel [CONFIG_RELOCATABLE]
+   [*]   Randomize the address of the kernel image (KASLR) [CONFIG_RANDOMIZE_BASE]
+General setup ---&gt;
    [ ] Compile the kernel with warnings as errors [CONFIG_WERROR]
    &lt; &gt; Enable kernel headers through /sys/kernel/kheaders.tar.xz [CONFIG_IKHEADERS]
+General architecture-dependent options  ---&gt;
+   [*] Stack Protector buffer overflow detection [CONFIG_STACKPROTECTOR]
+   [*]   Strong Stack Protector [CONFIG_STACKPROTECTOR_STRONG]
 Device Drivers  ---&gt;
   Graphics support ---&gt;
    Frame buffer Devices ---&gt;
@@ -117,7 +123,10 @@ Device Drivers  ---&gt;
    [*] Maintain a devtmpfs filesystem to mount at /dev [CONFIG_DEVTMPFS]
    [*]   Automount devtmpfs at /dev, after the kernel mounted the rootfs [CONFIG_DEVTMPFS_MOUNT]</screen>
 
-      <screen role="nodump" revision="systemd">General setup -->
+      <screen role="nodump" revision="systemd">Processor type and features ---&gt;
+   [*] Build a relocatable kernel [CONFIG_RELOCATABLE]
+   [*]   Randomize the address of the kernel image (KASLR) [CONFIG_RANDOMIZE_BASE]
+General setup ---&gt;
    [ ] Compile the kernel with warnings as errors [CONFIG_WERROR]
    [ ] Auditing Support [CONFIG_AUDIT]
    CPU/Task time and stats accounting ---&gt;
@@ -130,6 +139,8 @@ Device Drivers  ---&gt;
       [*] open by fhandle syscalls [CONFIG_FHANDLE]
 General architecture-dependent options  ---&gt;
    [*] Enable seccomp to safely compute untrusted bytecode [CONFIG_SECCOMP]
+   [*] Stack Protector buffer overflow detection [CONFIG_STACKPROTECTOR]
+   [*]   Strong Stack Protector [CONFIG_STACKPROTECTOR_STRONG]
 Networking support  ---&gt;
   Networking options  ---&gt;
    &lt;*&gt; The IPv6 protocol [CONFIG_IPV6]
@@ -159,8 +170,6 @@ File systems  ---&gt;
 
       <screen role="nodump">Processor type and features ---&gt;
   [*] Support x2apic [CONFIG_X86_X2APIC]
-Memory Management options  ---&gt;
-  [ ] Enable userfaultfd() system call [CONFIG_USERFAULTFD]
 Device Drivers ---&gt;
   [*] PCI Support ---&gt; [CONFIG_PCI]
     [*] Message Signaled Interrupts (MSI and MSI-X) [CONFIG_PCI_MSI]
@@ -222,6 +231,14 @@ Device Drivers ---&gt;
     <variablelist>
       <title>The rationale for the above configuration items:</title>
 
+      <varlistentry>
+        <term><parameter>Randomize the address of the kernel image (KASLR)</parameter></term>
+        <listitem>
+          <para>Enable ASLR for kernel image, to mitigate some attacks based
+          on fixed addresses of sensitive data or code in the kernel.</para>
+        </listitem>
+      </varlistentry>
+
       <varlistentry>
         <term>
           <parameter>
@@ -247,6 +264,16 @@ Device Drivers ---&gt;
         </listitem>
       </varlistentry>
 
+      <varlistentry>
+        <term><parameter>Strong Stack Protector</parameter></term>
+        <listitem>
+          <para>Enable SSP for the kernel.  We've enabled it for the entire
+          userspace with <parameter>--enable-default-ssp</parameter>
+          configuring GCC, but the kernel does not use GCC default setting
+          for SSP.  We enable it explicitly here.</para>
+        </listitem>
+      </varlistentry>
+
       <varlistentry>
         <term><parameter>Support for uevent helper</parameter></term>
         <listitem>
@@ -286,16 +313,6 @@ Device Drivers ---&gt;
         </listitem>
       </varlistentry>
 
-      <varlistentry>
-        <term><parameter>Enable userfaultfd() system call</parameter></term>
-        <listitem>
-          <para>If this option is enabled, a security vulnerability not
-          resolved in Linux-&linux-version; yet will be exploitable.
-          Disable this option to avoid the vulnerability.  This system call
-          is not used by any part of LFS or BLFS.</para>
-        </listitem>
-      </varlistentry>
-
     </variablelist>
 
     <para>Alternatively, <command>make oldconfig</command> may be more

packages.ent

@@ -207,10 +207,10 @@
 <!ENTITY flex-fin-du "33 MB">
 <!ENTITY flex-fin-sbu "0.4 SBU">
 
-<!ENTITY gawk-version "5.1.1">
+<!ENTITY gawk-version "5.2.0">
-<!ENTITY gawk-size "3,075 KB">
+<!ENTITY gawk-size "3,306 KB">
 <!ENTITY gawk-url "&gnu;gawk/gawk-&gawk-version;.tar.xz">
-<!ENTITY gawk-md5 "83650aa943ff2fd519b2abedf8506ace">
+<!ENTITY gawk-md5 "2f724d925873fc82f5e7b1d605ba9a42">
 <!ENTITY gawk-home "&gnu-software;gawk/">
 <!ENTITY gawk-tmp-du "45 MB">
 <!ENTITY gawk-tmp-sbu "0.2 SBU">