mirror of
https://git.linuxfromscratch.org/lfs.git
synced 2025-06-19 03:39:20 +01:00
Automatic merge of trunk into multilib
This commit is contained in:
commit
c49c1fb77f
@ -40,6 +40,18 @@
|
||||
appropriate for the entry or if needed the entire day's listitem.
|
||||
-->
|
||||
|
||||
<listitem>
|
||||
<para>2022-09-10</para>
|
||||
<itemizedlist>
|
||||
<listitem>
|
||||
<para>[pierre] - Add <option>--enable-default-pie</option> and
|
||||
<option>--enable-default-ssp</option> to GCC build. Rationale
|
||||
and some reports at
|
||||
<ulink url="&lfs-ticket-root;5107">#5107</ulink>.</para>
|
||||
</listitem>
|
||||
</itemizedlist>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>2022-09-07</para>
|
||||
<itemizedlist>
|
||||
|
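Review bot: the new 2022-09-10 entry records only the two GCC switches, yet the same merge adds kernel configuration items (CONFIG_RELOCATABLE, CONFIG_RANDOMIZE_BASE, CONFIG_STACKPROTECTOR, CONFIG_STACKPROTECTOR_STRONG), drops the CONFIG_USERFAULTFD recommendation and bumps gawk to 5.2.0. Unless those are logged under another date, add listitems for them here, since all of them change what a reader building the book will end up with.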
@ -173,10 +173,10 @@ cd build</userinput></screen>
|
||||
<listitem>
|
||||
<para>Those switches allow GCC to compile programs with
|
||||
some hardening security features (more information on those in
|
||||
the <xref linkend="pie-ssp-info"/> in chapter 8). They are not
|
||||
strictly needed at this stage, since the compiler will only produce
|
||||
temporary executables. But it is cleaner to have the temporary
|
||||
packages be as close as possible to the final ones.
|
||||
the <xref linkend="pie-ssp-info"/> in chapter 8) by default. The
|
||||
are not strictly needed at this stage, since the compiler will
|
||||
only produce temporary executables. But it is cleaner to have the
|
||||
temporary packages be as close as possible to the final ones.
|
||||
</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
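Review bot: typo in the replacement text: the line ending "in chapter 8) by default. The" is followed by "are not strictly needed at this stage", so the rendered sentence reads "The are not strictly needed". Change "The" to "They".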
@ -178,6 +178,10 @@ cd build</userinput></screen>
|
||||
|
||||
<screen><userinput remap="test">make -k check</userinput></screen>
|
||||
|
||||
<para>Twelve tests fail in the <command>gold</command> testsuite when the
|
||||
<option>--enable-default-pie</option> and
|
||||
<option>--enable-default-ssp</option> options are passed to GCC. There
|
||||
is also a known failure in the <command>as</command> tests.</para>
|
||||
<!-- Fixed in 2.39
|
||||
https://sourceware.org/git/?p=binutils-gdb.git;a=commit;h=01ae03b
|
||||
<para>One gold test, <filename>pr17704a_test</filename>, is known to
|
||||
|
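Review bot: the added paragraph says twelve gold tests and one as test fail when the PIE/SSP defaults are in effect, but does not name them or point at a report, unlike the commented-out text just below, which names pr17704a_test and links the upstream commit. Listing the failing test names (or an upstream bug) lets a builder tell these expected failures apart from a genuine regression in their toolchain.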
@ -124,20 +124,24 @@ cd build</userinput></screen>
|
||||
</varlistentry>
|
||||
</variablelist>
|
||||
|
||||
<note id="pie-ssp-info" xreflabel="note on PIE and SSP">
|
||||
<note>
|
||||
<anchor id="pie-ssp-info" xreflabel="note on PIE and SSP"/>
|
||||
<para>
|
||||
PIE (position independent executable) is a technique to produce
|
||||
binary programs that can be loaded anywhere in memory. Together
|
||||
with a feature named ASLR (Address Space Layout Randomization),
|
||||
this allows programs to never have the same memory layout,
|
||||
thus defeating attacks based on reproducible memory patterns.
|
||||
PIE (position-independent executable) is a technique to produce
|
||||
binary programs that can be loaded anywhere in memory. Without PIE,
|
||||
the security feature named ASLR (Address Space Layout Randomization)
|
||||
can be applied for the shared libraries, but not the exectutable
|
||||
itself. Enabling PIE allows ASLR for the executables in addition to
|
||||
the shared libraries, and mitigates some attacks based on fixed
|
||||
addresses of sensitive code or data in the executables.
|
||||
</para>
|
||||
<para>
|
||||
SSP (Stack Smashing Protection) is a technique to ensure
|
||||
that the parameter stack is not corrupted. Stack corruption can
|
||||
for example alter the return address of a subroutine,
|
||||
which would allow transferring control to an attacker program instead
|
||||
of the original one.
|
||||
which would allow transferring control to some dangerous code
|
||||
(existing in the program or shared libraries, or injected by the
|
||||
attacker somehow) instead of the original one.
|
||||
</para>
|
||||
</note>
|
||||
|
||||
|
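Review bot: typo in the added PIE paragraph: "but not the exectutable itself" should read "executable". In the SSP paragraph the first sentence still says the technique is "to ensure that the parameter stack is not corrupted", while the rest of the paragraph describes what corruption does; SSP detects the corruption and stops the program rather than preventing it, so "to detect corruption of the stack" would state the guarantee accurately.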
@ -43,7 +43,7 @@
|
||||
<sect2 role="installation">
|
||||
<title>Installation of OpenSSL</title>
|
||||
<!--
|
||||
<para>First fix a problem with some advanced arcitectures with avx512
|
||||
<para>First fix a problem with some advanced architectures with avx512
|
||||
capability:</para>
|
||||
|
||||
<screen><userinput remap="pre">sed -e '/bn_reduce.*m1/i\ factor_size /= sizeof(BN_ULONG) * 8;' \
|
||||
|
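Review bot: the corrected paragraph ("arcitectures" to "architectures") sits inside the <!-- comment opened two lines above, so the fix changes nothing in the rendered book. Harmless, but if the avx512 sed workaround is no longer needed the whole commented block could be removed instead of being maintained.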
@ -170,8 +170,9 @@ EOF</userinput></screen>
|
||||
To install spell files for your preferred language, download the
|
||||
<filename>*.spl</filename> and optionally, the <filename>*.sug</filename>
|
||||
files for your language and character encoding from <ulink
|
||||
url="ftp://ftp.vim.org/pub/vim/runtime/spell/"/> and save them to
|
||||
<filename class='directory'>/usr/share/&vim-docdir;/spell/</filename>.</para>
|
||||
url="https://github.com/vim/vim/tree/master/runtime/spell/"/> and save
|
||||
them to <filename class='directory'>
|
||||
/usr/share/&vim-docdir;/spell/</filename>.</para>
|
||||
|
||||
<para>To use these spell files, some configuration in
|
||||
<filename>/etc/vimrc</filename> is needed, e.g.:</para>
|
||||
|
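Review bot: the path is now split across two lines inside the inline element ("<filename class='directory'>" at the end of one line, "/usr/share/&vim-docdir;/spell/</filename>" at the start of the next), so the newline and indentation become part of the filename's text and are likely to render as stray whitespace before the path. Keep the opening tag and the path on one line. Moving the download location from ftp:// to the https:// GitHub tree is an improvement in itself.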
@ -105,9 +105,15 @@
|
||||
<para>Be sure to enable/disable/set the following features or the system might
|
||||
not work correctly or boot at all:</para>
|
||||
|
||||
<screen role="nodump" revision="sysv">General setup -->
|
||||
<screen role="nodump" revision="sysv">Processor type and features --->
|
||||
[*] Build a relocatable kernel [CONFIG_RELOCATABLE]
|
||||
[*] Randomize the address of the kernel image (KASLR) [CONFIG_RANDOMIZE_BASE]
|
||||
General setup --->
|
||||
[ ] Compile the kernel with warnings as errors [CONFIG_WERROR]
|
||||
< > Enable kernel headers through /sys/kernel/kheaders.tar.xz [CONFIG_IKHEADERS]
|
||||
General architecture-dependent options --->
|
||||
[*] Stack Protector buffer overflow detection [CONFIG_STACKPROTECTOR]
|
||||
[*] Strong Stack Protector [CONFIG_STACKPROTECTOR_STRONG]
|
||||
Device Drivers --->
|
||||
Graphics support --->
|
||||
Frame buffer Devices --->
|
||||
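Review bot: "Build a relocatable kernel [CONFIG_RELOCATABLE]" and the base "Stack Protector buffer overflow detection [CONFIG_STACKPROTECTOR]" are added to the screen, but the rationale list extended later in this merge only gains entries for KASLR and Strong Stack Protector. A sentence in those entries saying that randomizing the kernel base requires a relocatable kernel, and that the strong variant builds on the base option, would tell the reader why all four items are set.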
@ -117,7 +123,10 @@ Device Drivers --->
|
||||
[*] Maintain a devtmpfs filesystem to mount at /dev [CONFIG_DEVTMPFS]
|
||||
[*] Automount devtmpfs at /dev, after the kernel mounted the rootfs [CONFIG_DEVTMPFS_MOUNT]</screen>
|
||||
|
||||
<screen role="nodump" revision="systemd">General setup -->
|
||||
<screen role="nodump" revision="systemd">Processor type and features --->
|
||||
[*] Build a relocatable kernel [CONFIG_RELOCATABLE]
|
||||
[*] Randomize the address of the kernel image (KASLR) [CONFIG_RANDOMIZE_BASE]
|
||||
General setup --->
|
||||
[ ] Compile the kernel with warnings as errors [CONFIG_WERROR]
|
||||
[ ] Auditing Support [CONFIG_AUDIT]
|
||||
CPU/Task time and stats accounting --->
|
||||
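Review bot: the systemd screen repeats the same four hardening lines just added to the sysv screen; the duplication is forced by the revision attribute, but it means every future change to these items has to be made twice, so keep the two blocks in lockstep. Normalizing the old header "General setup -->" to "--->" in both screens is the right fix, since the rest of the listing uses three dashes.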
@ -130,6 +139,8 @@ Device Drivers --->
|
||||
[*] open by fhandle syscalls [CONFIG_FHANDLE]
|
||||
General architecture-dependent options --->
|
||||
[*] Enable seccomp to safely compute untrusted bytecode [CONFIG_SECCOMP]
|
||||
[*] Stack Protector buffer overflow detection [CONFIG_STACKPROTECTOR]
|
||||
[*] Strong Stack Protector [CONFIG_STACKPROTECTOR_STRONG]
|
||||
Networking support --->
|
||||
Networking options --->
|
||||
<*> The IPv6 protocol [CONFIG_IPV6]
|
||||
@ -159,8 +170,6 @@ File systems --->
|
||||
|
||||
<screen role="nodump">Processor type and features --->
|
||||
[*] Support x2apic [CONFIG_X86_X2APIC]
|
||||
Memory Management options --->
|
||||
[ ] Enable userfaultfd() system call [CONFIG_USERFAULTFD]
|
||||
Device Drivers --->
|
||||
[*] PCI Support ---> [CONFIG_PCI]
|
||||
[*] Message Signaled Interrupts (MSI and MSI-X) [CONFIG_PCI_MSI]
|
||||
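Review bot: this drops both the "Memory Management options --->" submenu and the "[ ] Enable userfaultfd() system call [CONFIG_USERFAULTFD]" item from the architecture-independent screen, which matches the removal of its rationale in the -286,16 hunk further down; make sure no other screen or cross-reference in the book still points at that item.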
@ -222,6 +231,14 @@ Device Drivers --->
|
||||
<variablelist>
|
||||
<title>The rationale for the above configuration items:</title>
|
||||
|
||||
<varlistentry>
|
||||
<term><parameter>Randomize the address of the kernel image (KASLR)</parameter></term>
|
||||
<listitem>
|
||||
<para>Enable ASLR for kernel image, to mitigate some attacks based
|
||||
on fixed addresses of sensitive data or code in the kernel.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term>
|
||||
<parameter>
|
||||
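Review bot: grammar in the new entry: "Enable ASLR for kernel image" should read "for the kernel image". It would also help to say that this option only takes effect together with the "Build a relocatable kernel" item added to the screens above, so a reader who deselects that one understands why KASLR disappears.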
@ -247,6 +264,16 @@ Device Drivers --->
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><parameter>Strong Stack Protector</parameter></term>
|
||||
<listitem>
|
||||
<para>Enable SSP for the kernel. We've enabled it for the entire
|
||||
userspace with <parameter>--enable-default-ssp</parameter>
|
||||
configuring GCC, but the kernel does not use GCC default setting
|
||||
for SSP. We enable it explicitly here.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><parameter>Support for uevent helper</parameter></term>
|
||||
<listitem>
|
||||
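Review bot: wording in the new entry: "with <parameter>--enable-default-ssp</parameter> configuring GCC" should be "when configuring GCC", and "the kernel does not use GCC default setting for SSP" should be "GCC's default setting". Since the screens add both CONFIG_STACKPROTECTOR and CONFIG_STACKPROTECTOR_STRONG, consider naming both here so the reader knows the base option must be selected before the strong one becomes available.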
@ -286,16 +313,6 @@ Device Drivers --->
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><parameter>Enable userfaultfd() system call</parameter></term>
|
||||
<listitem>
|
||||
<para>If this option is enabled, a security vulnerability not
|
||||
resolved in Linux-&linux-version; yet will be exploitable.
|
||||
Disable this option to avoid the vulnerability. This system call
|
||||
is not used by any part of LFS or BLFS.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
</variablelist>
|
||||
|
||||
<para>Alternatively, <command>make oldconfig</command> may be more
|
||||
|
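Review bot: removing this entry silently withdraws the advice to keep CONFIG_USERFAULTFD disabled. The dropped text said the vulnerability was "not resolved in Linux-&linux-version; yet", so the removal is only right if the kernel version entity has been raised to a fixed release in the same merge; nothing in this diff or in the commit title says so, and a changelog line stating the reason would let readers on older kernels keep the mitigation.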
@ -207,10 +207,10 @@
|
||||
<!ENTITY flex-fin-du "33 MB">
|
||||
<!ENTITY flex-fin-sbu "0.4 SBU">
|
||||
|
||||
<!ENTITY gawk-version "5.1.1">
|
||||
<!ENTITY gawk-size "3,075 KB">
|
||||
<!ENTITY gawk-version "5.2.0">
|
||||
<!ENTITY gawk-size "3,306 KB">
|
||||
<!ENTITY gawk-url "&gnu;gawk/gawk-&gawk-version;.tar.xz">
|
||||
<!ENTITY gawk-md5 "83650aa943ff2fd519b2abedf8506ace">
|
||||
<!ENTITY gawk-md5 "2f724d925873fc82f5e7b1d605ba9a42">
|
||||
<!ENTITY gawk-home "&gnu-software;gawk/">
|
||||
<!ENTITY gawk-tmp-du "45 MB">
|
||||
<!ENTITY gawk-tmp-sbu "0.2 SBU">
|
||||
|
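Review bot: the gawk-version, gawk-size and gawk-md5 entities are bumped together, which is correct, but the MD5 here is only a download integrity check and not a proof of origin. Before committing a new hash, verify the 5.2.0 tarball's upstream GPG signature and take the MD5 from that verified file; also confirm the changelog in this merge mentions the upgrade.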