author | Kevin F. Quinn <kevquinn@gentoo.org> | 2007-01-09 23:59:16 +0000 |
---|---|---|
committer | Kevin F. Quinn <kevquinn@gentoo.org> | 2007-01-09 23:59:16 +0000 |
commit | 75afa12c9fe60dee1d5b9cdc4597ac9b9c5c79e1 (patch) | |
tree | bc7db284c3fffb6958f544f679e791eaeb0c9339 | |
parent | Update manifest (diff) | |
CVS update; add branch readmes
svn path=/; revision=143
13 files changed, 148 insertions, 203 deletions
diff --git a/hardened/toolchain/branches/gcc-glibc-nopie/eclass/flag-o-matic.eclass b/hardened/toolchain/branches/gcc-glibc-nopie/eclass/flag-o-matic.eclass
index 2f9d1a4..64fc778 100644
--- a/hardened/toolchain/branches/gcc-glibc-nopie/eclass/flag-o-matic.eclass
+++ b/hardened/toolchain/branches/gcc-glibc-nopie/eclass/flag-o-matic.eclass
@@ -1,6 +1,6 @@
 # Copyright 1999-2006 Gentoo Foundation
 # Distributed under the terms of the GNU General Public License v2
-# $Header: /var/cvsroot/gentoo-x86/eclass/flag-o-matic.eclass,v 1.114 2006/12/27 00:52:12 vapier Exp $
+# $Header: /var/cvsroot/gentoo-x86/eclass/flag-o-matic.eclass,v 1.115 2006/12/29 21:30:38 vapier Exp $
 #
 # Maintainer: base-system@gentoo.org
@@ -113,7 +113,7 @@ setup-allowed-flags() {
 -mflat -mno-flat -mno-faster-structs -mfaster-structs \
 -m32 -m64 -mabi -mlittle-endian -mbig-endian -EL -EB -fPIC \
 -mlive-g0 -mcmodel -mstack-bias -mno-stack-bias \
- -msecure-plt"
+ -msecure-plt -D*"
 # C[XX]FLAGS that we are think is ok, but needs testing
 # NOTE: currently -Os have issues with gcc3 and K6* arch's
diff --git a/hardened/toolchain/branches/gcc-glibc-nopie/eclass/toolchain-binutils.eclass b/hardened/toolchain/branches/gcc-glibc-nopie/eclass/toolchain-binutils.eclass
index 90d056b..d5394b2 100644
--- a/hardened/toolchain/branches/gcc-glibc-nopie/eclass/toolchain-binutils.eclass
+++ b/hardened/toolchain/branches/gcc-glibc-nopie/eclass/toolchain-binutils.eclass
@@ -1,6 +1,6 @@
 # Copyright 1999-2006 Gentoo Foundation
 # Distributed under the terms of the GNU General Public License v2
-# $Header: /var/cvsroot/gentoo-x86/eclass/toolchain-binutils.eclass,v 1.66 2006/09/20 01:11:54 vapier Exp $
+# $Header: /var/cvsroot/gentoo-x86/eclass/toolchain-binutils.eclass,v 1.69 2007/01/01 22:27:01 swegener Exp $
 # We install binutils into CTARGET-VERSION specific directories. This lets
 # us easily merge multiple versions for multiple targets (if we wish) and
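Review bot: The new `-D*` entry in the `setup-allowed-flags()` list is a glob, so `strip-flags` now passes every user-supplied preprocessor definition through untouched, including ones that change hardening behaviour rather than merely enabling a feature (the `-DFORTIFY_SOURCE=2` item on this branch's own to-do list is in that family). That is a much wider allowance than the individually named flags around it; if only harmless feature macros are meant, list the specific `-D` patterns instead, and otherwise record the decision next to the entry, e.g. `# -D*: user-supplied defines are deliberately always preserved`. `setup-allowed-flags()` continues outside the hunk, and the identical change is made to the pieworld copy of flag-o-matic.eclass later in this commit.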
@@ -36,7 +36,7 @@ else
 BVER=${BINUTILS_VER}
 fi
-inherit eutils libtool flag-o-matic gnuconfig multilib versionator ${extra_eclass}
+inherit eutils libtool flag-o-matic gnuconfig multilib ${extra_eclass}
 EXPORT_FUNCTIONS src_unpack src_compile src_test src_install pkg_postinst pkg_postrm
 export CTARGET=${CTARGET:-${CHOST}}
@@ -177,7 +177,11 @@ toolchain-binutils_src_compile() {
 use multitarget && myconf="${myconf} --enable-targets=all"
 [[ -n ${CBUILD} ]] && myconf="${myconf} --build=${CBUILD}"
 is_cross && myconf="${myconf} --with-sysroot=/usr/${CTARGET}"
- version_is_at_least 2.17 &&
+# glibc-2.3.6 lacks support for this ...
+# --enable-secureplt
+ # Conditional on presence of glibc-2.4 (this is not cross-target safe)
+ # When uclibc supports it, add its version here.
+ has_version '>=glibc-2.4' &&
 myconf="${myconf} --enable-secureplt"
 myconf="--prefix=/usr \
 --host=${CHOST} \
diff --git a/hardened/toolchain/branches/gcc-glibc-nopie/eclass/toolchain.eclass b/hardened/toolchain/branches/gcc-glibc-nopie/eclass/toolchain.eclass
index 302f0bf..6b617a0 100644
--- a/hardened/toolchain/branches/gcc-glibc-nopie/eclass/toolchain.eclass
+++ b/hardened/toolchain/branches/gcc-glibc-nopie/eclass/toolchain.eclass
@@ -1,6 +1,6 @@
 # Copyright 1999-2006 Gentoo Foundation
 # Distributed under the terms of the GNU General Public License v2
-# $Header: /var/cvsroot/gentoo-x86/eclass/toolchain.eclass,v 1.319 2006/12/27 06:04:03 vapier Exp $
+# $Header: /var/cvsroot/gentoo-x86/eclass/toolchain.eclass,v 1.320 2006/12/30 09:12:36 vapier Exp $
 HOMEPAGE="http://gcc.gnu.org/"
 LICENSE="GPL-2 LGPL-2.1"
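Review bot: `has_version '>=glibc-2.4'` in `toolchain-binutils_src_compile()` passes an atom with no category; whether Portage expands a bare package name there varies by Portage version, so an eclass should not depend on it — spell it `has_version '>=sys-libs/glibc-2.4'`. The comment above it already concedes the check is not cross-target safe: it inspects the host's installed glibc while `--enable-secureplt` configures the binutils being built for `${CTARGET}`, so a cross binutils can be given secure-plt against a target libc that cannot use it; the one-line form `! is_cross && has_version '>=sys-libs/glibc-2.4' && myconf="${myconf} --enable-secureplt"` keeps native behaviour and skips the option for cross builds. The two `+#` comment lines sit at column 0 inside an indented function body while the next two are indented; pick one. Dropping `versionator` from `inherit` in the first hunk is safe only if no other `version_is_at_least` caller remains in the eclass, which this view cannot confirm. The function continues outside the hunk.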
@@ -102,7 +102,6 @@ if [[ ${GCC_VAR_TYPE} == "versioned" ]] ; then
 else
 LIBPATH=${TOOLCHAIN_LIBPATH:-${PREFIX}/lib/gcc-lib/${CTARGET}/${GCC_CONFIG_VER}}
 fi
- LIBEXECPATH=${TOOLCHAIN_LIBEXE:-${PREFIX}/libexec/gcc/${CTARGET}/${GCC_CONFIG_VER}}
 INCLUDEPATH=${TOOLCHAIN_INCLUDEPATH:-${LIBPATH}/include}
 if is_crosscompile ; then
 BINPATH=${TOOLCHAIN_BINPATH:-${PREFIX}/${CHOST}/${CTARGET}/gcc-bin/${GCC_CONFIG_VER}}
@@ -120,7 +119,6 @@ elif [[ ${GCC_VAR_TYPE} == "non-versioned" ]] ; then
 # specific gcc targets, like libffi. Note that we dont override the value
 # returned by get_libdir here.
 LIBPATH=${TOOLCHAIN_LIBPATH:-${PREFIX}/$(get_libdir)}
- LIBEXECPATH=${TOOLCHAIN_LIBEXE:-${PREFIX}/libexec/gcc}
 INCLUDEPATH=${TOOLCHAIN_INCLUDEPATH:-${PREFIX}/include}
 BINPATH=${TOOLCHAIN_BINPATH:-${PREFIX}/bin}
 DATAPATH=${TOOLCHAIN_DATAPATH:-${PREFIX}/share}
@@ -1138,11 +1136,13 @@ gcc_src_unpack() {
 eend $?
 done
- einfo "Touching generated files"
- ./contrib/gcc_update --touch | \
- while read f ; do
- einfo " ${f%%...}"
- done
+ if [[ -x contrib/gcc_update ]] ; then
+ einfo "Touching generated files"
+ ./contrib/gcc_update --touch | \
+ while read f ; do
+ einfo " ${f%%...}"
+ done
+ fi
 disable_multilib_libjava || die "failed to disable multilib java"
 }
@@ -1684,9 +1684,10 @@ gcc-compiler_src_install() {
 S=${WORKDIR}/build \
 make DESTDIR="${D}" install || die
 # Punt some tools which are really only useful while building gcc
- rm -r "${D}${LIBEXECPATH}"/install-tools
+ find "${D}" -name install-tools -type d -exec rm -rf "{}" \;
 # This one comes with binutils
- find "${D}" -name libiberty.a -exec rm -f {} \;
+ find "${D}" -name libiberty.a -exec rm -f "{}" \;
+ # Move libgcj.pc to libgcj-${PV}
 mv ${D}/usr/lib/pkgconfig/libgcj.pc ${D}/usr/lib/pkgconfig/libgcj-${PV}.pc
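Review bot: Removing the `LIBEXECPATH` assignment from both `GCC_VAR_TYPE` branches turns any remaining `${LIBEXECPATH}` reference into an empty expansion rather than an error, and a path written as `"${D}${LIBEXECPATH}"/…` then collapses to `"${D}"/…` — which matters most for a `rm -r`. The one such use visible in this file is rewritten by this commit, but any ebuild in this overlay that reads the variable is not in view, so grep for `LIBEXECPATH` before merging. If the variable is meant to stay gone, a comment at the removal site, e.g. `# LIBEXECPATH is no longer set; the libexec tree is located at install time`, keeps it from being reintroduced. The same two hunks appear in the pieworld copy of toolchain.eclass.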
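Review bot: `find "${D}" -name install-tools -type d -exec rm -rf "{}" \;` deletes a directory that `find` is about to descend into, so GNU find typically reports the match as missing afterwards and exits non-zero; add `-prune` so the tree is not walked after removal: `find "${D}" -name install-tools -type d -prune -exec rm -rf "{}" \;`. The match is also broader than the path it replaces — every directory called `install-tools` anywhere under `${D}` goes, not only the one under the compiler's libexec dir — which is probably intended for a gcc image but deserves a word in the comment above it. As before, neither `find` call has its status checked, so a failed removal is silent. `gcc-compiler_src_install()` continues outside the hunk, and the identical change appears in the pieworld copy of toolchain.eclass.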
@@ -1725,38 +1726,38 @@ gcc-compiler_src_install() {
 # Make sure we dont have stuff lying around that
 # can nuke multiple versions of gcc
 if ! use build ; then
- cd ${D}${LIBPATH}
+ cd "${D}"${LIBPATH}
 # Move Java headers to compiler-specific dir
- for x in ${D}${PREFIX}/include/gc*.h ${D}${PREFIX}/include/j*.h ; do
- [[ -f ${x} ]] && mv -f "${x}" ${D}${LIBPATH}/include/
+ for x in "${D}"${PREFIX}/include/gc*.h "${D}"${PREFIX}/include/j*.h ; do
+ [[ -f ${x} ]] && mv -f "${x}" "${D}"${LIBPATH}/include/
 done
 for x in gcj gnu java javax org ; do
 if [[ -d ${D}${PREFIX}/include/${x} ]] ; then
 dodir /${LIBPATH}/include/${x}
- mv -f ${D}${PREFIX}/include/${x}/* ${D}${LIBPATH}/include/${x}/
- rm -rf ${D}${PREFIX}/include/${x}
+ mv -f "${D}"${PREFIX}/include/${x}/* "${D}"${LIBPATH}/include/${x}/
+ rm -rf "${D}"${PREFIX}/include/${x}
 fi
 done
 if [[ -d ${D}${PREFIX}/lib/security ]] ; then
 dodir /${LIBPATH}/security
- mv -f ${D}${PREFIX}/lib/security/* ${D}${LIBPATH}/security
- rm -rf ${D}${PREFIX}/lib/security
+ mv -f "${D}"${PREFIX}/lib/security/* "${D}"${LIBPATH}/security
+ rm -rf "${D}"${PREFIX}/lib/security
 fi
 # Move libgcj.spec to compiler-specific directories
 [[ -f ${D}${PREFIX}/lib/libgcj.spec ]] && \
- mv -f ${D}${PREFIX}/lib/libgcj.spec ${D}${LIBPATH}/libgcj.spec
+ mv -f "${D}"${PREFIX}/lib/libgcj.spec "${D}"${LIBPATH}/libgcj.spec
 # Rename jar because it could clash with Kaffe's jar if this gcc is
 # primary compiler (aka don't have the -<version> extension)
- cd ${D}${BINPATH}
+ cd "${D}"${BINPATH}
 [[ -f jar ]] && mv -f jar gcj-jar
 # Move <cxxabi.h> to compiler-specific directories
 [[ -f ${D}${STDCXX_INCDIR}/cxxabi.h ]] && \
- mv -f ${D}${STDCXX_INCDIR}/cxxabi.h ${D}${LIBPATH}/include/
+ mv -f "${D}"${STDCXX_INCDIR}/cxxabi.h "${D}"${LIBPATH}/include/
 # These should be symlinks
 dodir /usr/bin
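Review bot: The quoting added in `gcc-compiler_src_install()` covers only `${D}`, so `cd "${D}"${LIBPATH}`, `cd "${D}"${BINPATH}` and the `mv`/`rm` destinations still word-split and glob on `${LIBPATH}`, `${PREFIX}` and `${BINPATH}`; on those non-glob lines quote the whole word, e.g. `cd "${D}${LIBPATH}"`. The two `for x in "${D}"${PREFIX}/include/gc*.h …` lines are the legitimate exception, since the trailing pattern must stay unquoted for the glob to expand. Separately, `mv -f "${D}"${PREFIX}/include/${x}/* …` is guarded by `-d` but not by non-emptiness, so an empty directory hands a literal `*` to `mv`, and none of the `mv`/`rm` calls here carry `|| die`, so such failures are silent. The function starts and ends outside this hunk, and the pieworld copy of toolchain.eclass carries the identical hunk.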
@@ -1796,8 +1797,11 @@ gcc-compiler_src_install() {
 fi
 # Now do the fun stripping stuff
- env RESTRICT="" CHOST=${CHOST} prepstrip "${D}${BINPATH}" "${D}${LIBEXECPATH}"
+ env RESTRICT="" CHOST=${CHOST} prepstrip "${D}${BINPATH}"
 env RESTRICT="" CHOST=${CTARGET} prepstrip "${D}${LIBPATH}"
+ # gcc used to install helper binaries in lib/ but then moved to libexec/
+ [[ -d ${D}${PREFIX}/libexec/gcc ]] && \
+ env RESTRICT="" CHOST=${CHOST} prepstrip "${D}${PREFIX}/libexec/gcc/${CTARGET}/${GCC_CONFIG_VER}"
 cd "${S}"
 if use build || is_crosscompile; then
@@ -1864,6 +1868,9 @@ gcc-compiler_src_install() {
 # when installing gcc, it dumps internal libraries into /usr/lib
 # instead of the private gcc lib path
 gcc_movelibs() {
+ # older versions of gcc did not support --print-multi-os-directory
+ tc_version_is_at_least 3.0 || return 0
+
 local multiarg removedirs=""
 for multiarg in $($(XGCC) -print-multi-lib) ; do
 multiarg=${multiarg#*;}
@@ -1905,7 +1912,7 @@ gcc_movelibs() {
 # make sure the libtool archives have libdir set to where they actually
 # -are-, and not where they -used- to be.
- fix_libtool_libdir_paths "$(find ${D}${LIBPATH} -name *.la)"
+ fix_libtool_libdir_paths $(find "${D}"${LIBPATH} -name *.la)
 }
 #----<< src_* >>----
diff --git a/hardened/toolchain/branches/gcc-glibc-nopie/gcc-glibc-nopie.README b/hardened/toolchain/branches/gcc-glibc-nopie/gcc-glibc-nopie.README
new file mode 100644
index 0000000..45a3ebb
--- /dev/null
+++ b/hardened/toolchain/branches/gcc-glibc-nopie/gcc-glibc-nopie.README
@@ -0,0 +1,6 @@
+This is gcc-glibc-nopie
+=======================
+
+Hardened toolchain, where lib*a, crtbegin.o, crtend.o are normal (neither PIC nor PIE).
+
+Better for building static binaries, and being able to switch to a vanilla compiler.
diff --git a/hardened/toolchain/branches/gcc-glibc-nopie/toolchain.README b/hardened/toolchain/branches/gcc-glibc-nopie/toolchain.README
index 6e65198..41eb5aa 100644
--- a/hardened/toolchain/branches/gcc-glibc-nopie/toolchain.README
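Review bot: In `gcc_movelibs()` the rewritten call `fix_libtool_libdir_paths $(find "${D}"${LIBPATH} -name *.la)` leaves the `-name` pattern unquoted, so the shell expands `*.la` against the current directory before `find` runs; with one `.la` file present the test silently becomes that literal name, with several it is a `find` usage error, and either way no archives get fixed. Quote it: `fix_libtool_libdir_paths $(find "${D}${LIBPATH}" -name '*.la')`. Dropping the outer quotes around the substitution looks deliberate — the helper presumably wants one path per argument — but the result is still whitespace-split, which is only acceptable because `${D}` paths are controlled by Portage. In the first hunk, the new `prepstrip` line is guarded by `[[ -d ${D}${PREFIX}/libexec/gcc ]]` yet strips the deeper `…/libexec/gcc/${CTARGET}/${GCC_CONFIG_VER}`; testing the path actually passed would be more precise. The same hunks recur in the pieworld copy of toolchain.eclass.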
+++ b/hardened/toolchain/branches/gcc-glibc-nopie/toolchain.README 
@@ -1,111 +1,56 @@ -NOTES -===== +GCC-4.1/GLIBC-2.4 Hardened Gentoo +================================= -Non-PIE support is a mess (well, strictly speaking it's broken) -So far, crt{begin,end}.o are now correctly built no-PIE. -However, libgcc.a/libgcc_eh.a, libc.a, libpthread.a, libieee.a, libgcov.a -are built PIE. This ok for linking PIEs, but rubbish for doing non-PIE -links (i.e. vanilla). Also crtfastmath.o is only built once (there's no -crtfastmathS.o) - so we build it PIE. +Several things are changed from the GCC-3/GLIBC-2.3 hardened toolchain. In brief; -So, what to do? +1) The specs management has changed, to make maintenance and management of the + modified specs much easier. From the user's perspective, things should operate + in much the same way. Under the hood, however, the built-in specs are modified + to separate out the bits we modify into new definitions. The built-in specs are + functionally identical to the vanilla compiler; a full set of hardened specs + is created in the install directory to cause the compiler to default to the + hardened specs. This specs file is always (unconditionally) read by the compiler. -For vanilla compiles, we need the .a's built -nopie. -For hardened compiles, we need the .a's built -fPIE - if they ever get used -that way. If we can convince ourselves that when building -fPIE the .so's -are used, then we don't need PIE versions of these .a's. -To do this, add '-nopie' to CFLAGS for libgcc.a in gcc/Makefile.in? +2) The compiler itself is not built PIE. This now means that the crt* files used + when building vanilla or static executables are correct - previously they were + PIE objects which is of no use, and is actually fatal on some architectures. + The fact things seemed to work ok on x86, amd64 and (maybe) ppc was down to + pure luck. 
-For libc.a - we could treat hardened as a multilib system; with the normal no-PIE -ABI and our PIE ABI - and get glibc to build itself two ways; one for vanilla and -one for hardened. Or, we could try to force all .a's to be built -nopie - this -isn't easy, however, as you can't tell from normal compilation commands whether -it's for a .a or for an executable. +3) Similarly glibc is built with the PIE default switched back off again. This + means that the crt* files provided by glibc are correct (like gcc, they were + previously PIE when not PIC), and libc.a and friends now contain normal objects + instead of PIE objects. + Glibc is also built with the stack protector switched off (as far as libc.so, + ld.so and friends are concerned this is the same as happened previously). -I think the multiple-ABI approach is easier. We could then drop PIE from the -compiler variants, leaving just relro/now and ssp combinations, which don't change -the ABI, and do the -fPIE thing in the compiler wrapper, when ABI is PIE. -I'm thinking of doing MULTLIB_ABIS="x86 x86_pie" and defining -CFLAGS_x86_pie="-fpie -pie" -LDFLAGS_x86_pie="-fpie -pie" -LIBDIR_x86="lib" -LIBDIR_x86_pie="libpie" -note; the gcc-config wrapper adds CFLAGS_x86_pie to the command line, but doesn't look at LDFLAGS_<abi> +4) The stack smash handler (now called '__stack_chk_fail') installed for hardened + toolchains is different than the upstream standard one; it logs failures to + syslog, and goes to some lengths to ensure the handler itself cannot be + exploited. -Upgrade path for Hardened Gentoo users from glibc-2.3*/gcc-3* to glibc-2.4+/gcc-4.1+ -==================================================================================== +The result of this approach is that the toolchain is actually much closer to the +standard toolchain. The hardened toolchain can now build static binaries properly, +and the -vanilla compiler also builds code the same way it would on a non-hardened +system. 
From the hardened perspective, nothing has been lost; the defaults when +the -hardened compiler is selected are just as robust as they were previously. -Note; references to "hardened", "non-hardened" etc refer to the toolchain, not the -kernel. -Generic upgrade instructions ----------------------------- -There are separate instructions depending on where you start. Instruction set (2) -should work in all cases, provided a vanilla compiler is set via gcc-config first. -However the most common case will be (1) - which is why it's listed first :) +Upgrade path +============ +To upgrade from gcc-3/glibc-2.3, it is necessary to have glibc-2.4 or higher installed +before trying to build gcc. So, after the new gcc/gclibc have been unmasked from the +hardened profile, the sequence is simply: -1) HARDENED SYSTEMS with hardened gcc-3 and glibc-2.3 - Going from an existing hardened system (gcc-3.4.6 & glibc-2.3.6 hardened) +emerge --oneshot sys-libs/glibc +emerge --oneshot sys-devel/gcc +emerge --oneshot sys-libs/glibc - .1) emerge --oneshot sys-libs/glibc - build the hardened version of glibc-2.4 (with the gcc-3 hardened compiler) - - .2) emerge --oneshot sys-devel/gcc - build the hardened gcc-4.1.1 with the hardened gcc-3.4.6 - - .3) emerge --oneshot sys-libs/glibc - rebuild the hardened version of glibc-2.4 (with the gcc-4 hardened compiler) - - -2) NON-HARDENED SYSTEMS with gcc-4.1.1 and glibc-2.4 (no -hardened compiler available) - Going from non-hardened stage3 2006.1: - This starts from non-hardened gcc-4.1.1 and glibc-2.4 - - .1) Switch profile to the hardened profile - This means remaking the softlink /etc/make.conf to a hardened profile. - Do not confuse this with selecting a hardened compiler with gcc-config (which - you can't do anyway from the standard 2006.1 stage3). - - .2) emerge --oneshot sys-libs/glibc - Build glibc with support for both gcc-3 and gcc-4 stack protectiona. 
- - .3) USE="-hardened" emerge --oneshot sys-devel/gcc - Build gcc-4 non-hardened, but including split-specs so it can build - hardened objects later. - - .4) gcc-config to the (now available) hardened variant of the compiler. - - .5) emerge --oneshot sys-libs/glibc - Build the hardened version of glibc-2.4 (with the gcc-4 hardened compiler) - - .6) emerge --oneshot sys-devel/gcc - This will build gcc itself hardened (in particular, building the static libraries PIE) - - -3) NON-HARDENED SYSTEMS with a -hardened gcc available - - .1) gcc-config to the -hardened gcc - - .2) emerge --oneshot sys-libs/glibc - Build glibc with support for both gcc-3 and gcc-4 stack protectiona. - - .3) emerge --oneshot sys-devel/gcc - build the hardened gcc-4.1.1 with a hardened gcc - - .4) emerge --oneshot sys-libs/glibc - rebuild the hardened version of glibc-2.4 (with the gcc-4 hardened compiler) - - -Platform-specific notes ------------------------ - -sparc -For gcc-4 SSP to work, glibc must be 2.4 or higher. Glibc-2.4 is nptl-only, so this means -it's not available on 32-bit sparc (sparcv8). +The second re-emerge of glibc is to get glibc itself built with the gcc-4 compiler. @@ -142,13 +87,3 @@ Still cooking * Look into -DFORTIFY_SOURCE=2, -msecure-plt for ppc - -Status summary: -=============== - -glibc ok (builds itself non-ssp) -gcc ok (ish) - Needs distfile gcc-4.1.1-piepatches-v9.0.6.tar.bz2 from toolchain/distfiles - (or gcc-3.4.6-piepatches-v9.0.5.tar.bz2 for gcc-3.4.6) - - diff --git a/hardened/toolchain/branches/pieworld/eclass/flag-o-matic.eclass b/hardened/toolchain/branches/pieworld/eclass/flag-o-matic.eclass index 8fd86f7..64fc778 100644 --- a/hardened/toolchain/branches/pieworld/eclass/flag-o-matic.eclass +++ b/hardened/toolchain/branches/pieworld/eclass/flag-o-matic.eclass 
@@ -1,6 +1,6 @@
 # Copyright 1999-2006 Gentoo Foundation
 # Distributed under the terms of the GNU General Public License v2
-# $Header: /var/cvsroot/gentoo-x86/eclass/flag-o-matic.eclass,v 1.113 2006/11/15 22:46:52 vapier Exp $
+# $Header: /var/cvsroot/gentoo-x86/eclass/flag-o-matic.eclass,v 1.115 2006/12/29 21:30:38 vapier Exp $
 #
 # Maintainer: base-system@gentoo.org
@@ -112,7 +112,8 @@ setup-allowed-flags() {
 -mtls-direct-seg-refs -mno-tls-direct-seg-refs \
 -mflat -mno-flat -mno-faster-structs -mfaster-structs \
 -m32 -m64 -mabi -mlittle-endian -mbig-endian -EL -EB -fPIC \
- -mlive-g0 -mcmodel -mstack-bias -mno-stack-bias"
+ -mlive-g0 -mcmodel -mstack-bias -mno-stack-bias \
+ -msecure-plt -D*"
 # C[XX]FLAGS that we are think is ok, but needs testing
 # NOTE: currently -Os have issues with gcc3 and K6* arch's
diff --git a/hardened/toolchain/branches/pieworld/eclass/toolchain-funcs.eclass b/hardened/toolchain/branches/pieworld/eclass/toolchain-funcs.eclass
index 676d97d..087a32e 100644
--- a/hardened/toolchain/branches/pieworld/eclass/toolchain-funcs.eclass
+++ b/hardened/toolchain/branches/pieworld/eclass/toolchain-funcs.eclass
@@ -1,6 +1,6 @@
 # Copyright 1999-2006 Gentoo Foundation
 # Distributed under the terms of the GNU General Public License v2
-# $Header: /var/cvsroot/gentoo-x86/eclass/toolchain-funcs.eclass,v 1.63 2006/12/16 10:31:12 vapier Exp $
+# $Header: /var/cvsroot/gentoo-x86/eclass/toolchain-funcs.eclass,v 1.64 2007/01/07 11:39:08 vapier Exp $
 #
 # Author: Toolchain Ninjas <toolchain@gentoo.org>
 #
@@ -152,31 +152,6 @@ tc-arch-kernel() {
 tc-arch() {
 tc-ninja_magic_to_arch portage $@
 }
-tc-endian() {
- local host=$1
- [[ -z ${host} ]] && host=${CTARGET:-${CHOST}}
- host=${host%%-*}
-
- case ${host} in
- alpha*) echo big;;
- arm*b*) echo big;;
- arm*) echo little;;
- cris*) echo little;;
- hppa*) echo big;;
- i?86*) echo little;;
- ia64*) echo little;;
- m68*) echo big;;
- mips*l*) echo little;;
- mips*) echo big;;
- powerpc*) echo big;;
- s390*) echo big;;
- sh*b*) echo big;;
- sh*) echo little;;
- sparc*) echo big;;
- x86_64*) echo little;;
- *) echo wtf;;
- esac
-}
 # Returns the version as by `$CC -dumpversion`
 gcc-fullversion() {
diff --git a/hardened/toolchain/branches/pieworld/eclass/toolchain.eclass b/hardened/toolchain/branches/pieworld/eclass/toolchain.eclass
index 2420907..402682a 100644
--- a/hardened/toolchain/branches/pieworld/eclass/toolchain.eclass
+++ b/hardened/toolchain/branches/pieworld/eclass/toolchain.eclass
@@ -1,6 +1,6 @@
 # Copyright 1999-2006 Gentoo Foundation
 # Distributed under the terms of the GNU General Public License v2
-# $Header: /var/cvsroot/gentoo-x86/eclass/toolchain.eclass,v 1.316 2006/11/13 18:57:10 vapier Exp $
+# $Header: /var/cvsroot/gentoo-x86/eclass/toolchain.eclass,v 1.321 2007/01/06 11:31:26 vapier Exp $
 HOMEPAGE="http://gcc.gnu.org/"
 LICENSE="GPL-2 LGPL-2.1"
@@ -102,7 +102,6 @@ if [[ ${GCC_VAR_TYPE} == "versioned" ]] ; then
 else
 LIBPATH=${TOOLCHAIN_LIBPATH:-${PREFIX}/lib/gcc-lib/${CTARGET}/${GCC_CONFIG_VER}}
 fi
- LIBEXECPATH=${TOOLCHAIN_LIBEXE:-${PREFIX}/libexec/gcc/${CTARGET}/${GCC_CONFIG_VER}}
 INCLUDEPATH=${TOOLCHAIN_INCLUDEPATH:-${LIBPATH}/include}
 if is_crosscompile ; then
 BINPATH=${TOOLCHAIN_BINPATH:-${PREFIX}/${CHOST}/${CTARGET}/gcc-bin/${GCC_CONFIG_VER}}
@@ -120,7 +119,6 @@ elif [[ ${GCC_VAR_TYPE} == "non-versioned" ]] ; then
 # specific gcc targets, like libffi. Note that we dont override the value
 # returned by get_libdir here.
 LIBPATH=${TOOLCHAIN_LIBPATH:-${PREFIX}/$(get_libdir)}
- LIBEXECPATH=${TOOLCHAIN_LIBEXE:-${PREFIX}/libexec/gcc}
 INCLUDEPATH=${TOOLCHAIN_INCLUDEPATH:-${PREFIX}/include}
 BINPATH=${TOOLCHAIN_BINPATH:-${PREFIX}/bin}
 DATAPATH=${TOOLCHAIN_DATAPATH:-${PREFIX}/share}
@@ -336,7 +334,6 @@ get_gcc_src_uri() {
 GCC_SRC_URI="${GCC_SRC_URI}
 boundschecking? (
 mirror://sourceforge/boundschecking/${HTBFILE}
- http://web.inter.nl.net/hcc/Haj.Ten.Brugge/${HTBFILE}
 $(gentoo_urls ${HTBFILE})
 )"
 fi
@@ -1160,11 +1157,13 @@ gcc_src_unpack() {
 eend $?
 done
- einfo "Touching generated files"
- ./contrib/gcc_update --touch | \
- while read f ; do
- einfo " ${f%%...}"
- done
+ if [[ -x contrib/gcc_update ]] ; then
+ einfo "Touching generated files"
+ ./contrib/gcc_update --touch | \
+ while read f ; do
+ einfo " ${f%%...}"
+ done
+ fi
 disable_multilib_libjava || die "failed to disable multilib java"
 }
@@ -1298,6 +1297,7 @@ gcc_do_configure() {
 --with-system-zlib \
 --disable-checking \
 --disable-werror \
+ --enable-secureplt \
 --disable-libunwind-exceptions"
 # etype specific configuration
@@ -1334,7 +1334,7 @@ gcc_do_configure() {
 fi
 if [[ ${GCCMAJOR}.${GCCMINOR} > 4.1 ]] ; then
- confgcc="${confgcc} --disable-bootstrap"
+ confgcc="${confgcc} --disable-bootstrap --disable-libgomp"
 fi
 elif [[ ${CHOST} != mingw* ]] ; then
 confgcc="${confgcc} --enable-shared --enable-threads=posix"
@@ -1343,6 +1343,7 @@ gcc_do_configure() {
 confgcc="${confgcc} --enable-bootstrap"
 fi
 fi
+ [[ ${CTARGET} == *-elf ]] && confgcc="${confgcc} --with-newlib"
 # __cxa_atexit is "essential for fully standards-compliant handling of
 # destructors", but apparently requires glibc.
 # --enable-sjlj-exceptions : currently the unwind stuff seems to work
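Review bot: `--enable-secureplt` is appended to `confgcc` unconditionally in `gcc_do_configure()`, while the nopie branch's toolchain-binutils.eclass in this same commit enables secure-plt only when a glibc that supports it is installed; for a cross `${CTARGET}` or an older target libc the compiler and binutils now disagree, and a compiler that defaults to secure-plt against a libc that cannot load it shows up at link or run time rather than at configure time. Either gate it the same way (a `has_version` check on the target libc, skipped when `is_crosscompile`) or document why it is safe here, e.g. `# --enable-secureplt: only honoured by the ppc backend; needs glibc-2.4+ at runtime`. The `--disable-libgomp` added to the gcc > 4.1 branch also deserves a line saying why, since it silently drops OpenMP support from those builds. `gcc_do_configure()` continues outside the hunk.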
@@ -1681,9 +1682,10 @@ gcc-compiler_src_install() {
 S=${WORKDIR}/build \
 make DESTDIR="${D}" install || die
 # Punt some tools which are really only useful while building gcc
- rm -r "${D}${LIBEXECPATH}"/install-tools
+ find "${D}" -name install-tools -type d -exec rm -rf "{}" \;
 # This one comes with binutils
- find "${D}" -name libiberty.a -exec rm -f {} \;
+ find "${D}" -name libiberty.a -exec rm -f "{}" \;
+ # Move libgcj.pc to libgcj-${PV}
 mv ${D}/usr/lib/pkgconfig/libgcj.pc ${D}/usr/lib/pkgconfig/libgcj-${PV}.pc
@@ -1722,38 +1724,38 @@ gcc-compiler_src_install() {
 # Make sure we dont have stuff lying around that
 # can nuke multiple versions of gcc
 if ! use build ; then
- cd ${D}${LIBPATH}
+ cd "${D}"${LIBPATH}
 # Move Java headers to compiler-specific dir
- for x in ${D}${PREFIX}/include/gc*.h ${D}${PREFIX}/include/j*.h ; do
- [[ -f ${x} ]] && mv -f "${x}" ${D}${LIBPATH}/include/
+ for x in "${D}"${PREFIX}/include/gc*.h "${D}"${PREFIX}/include/j*.h ; do
+ [[ -f ${x} ]] && mv -f "${x}" "${D}"${LIBPATH}/include/
 done
 for x in gcj gnu java javax org ; do
 if [[ -d ${D}${PREFIX}/include/${x} ]] ; then
 dodir /${LIBPATH}/include/${x}
- mv -f ${D}${PREFIX}/include/${x}/* ${D}${LIBPATH}/include/${x}/
- rm -rf ${D}${PREFIX}/include/${x}
+ mv -f "${D}"${PREFIX}/include/${x}/* "${D}"${LIBPATH}/include/${x}/
+ rm -rf "${D}"${PREFIX}/include/${x}
 fi
 done
 if [[ -d ${D}${PREFIX}/lib/security ]] ; then
 dodir /${LIBPATH}/security
- mv -f ${D}${PREFIX}/lib/security/* ${D}${LIBPATH}/security
- rm -rf ${D}${PREFIX}/lib/security
+ mv -f "${D}"${PREFIX}/lib/security/* "${D}"${LIBPATH}/security
+ rm -rf "${D}"${PREFIX}/lib/security
 fi
 # Move libgcj.spec to compiler-specific directories
 [[ -f ${D}${PREFIX}/lib/libgcj.spec ]] && \
- mv -f ${D}${PREFIX}/lib/libgcj.spec ${D}${LIBPATH}/libgcj.spec
+ mv -f "${D}"${PREFIX}/lib/libgcj.spec "${D}"${LIBPATH}/libgcj.spec
 # Rename jar because it could clash with Kaffe's jar if this gcc is
 # primary compiler (aka don't have the -<version> extension)
- cd ${D}${BINPATH}
+ cd "${D}"${BINPATH}
 [[ -f jar ]] && mv -f jar gcj-jar
 # Move <cxxabi.h> to compiler-specific directories
 [[ -f ${D}${STDCXX_INCDIR}/cxxabi.h ]] && \
- mv -f ${D}${STDCXX_INCDIR}/cxxabi.h ${D}${LIBPATH}/include/
+ mv -f "${D}"${STDCXX_INCDIR}/cxxabi.h "${D}"${LIBPATH}/include/
 # These should be symlinks
 dodir /usr/bin
@@ -1793,8 +1795,11 @@ gcc-compiler_src_install() {
 fi
 # Now do the fun stripping stuff
- env RESTRICT="" CHOST=${CHOST} prepstrip "${D}${BINPATH}" "${D}${LIBEXECPATH}"
+ env RESTRICT="" CHOST=${CHOST} prepstrip "${D}${BINPATH}"
 env RESTRICT="" CHOST=${CTARGET} prepstrip "${D}${LIBPATH}"
+ # gcc used to install helper binaries in lib/ but then moved to libexec/
+ [[ -d ${D}${PREFIX}/libexec/gcc ]] && \
+ env RESTRICT="" CHOST=${CHOST} prepstrip "${D}${PREFIX}/libexec/gcc/${CTARGET}/${GCC_CONFIG_VER}"
 cd "${S}"
 if use build || is_crosscompile; then
@@ -1861,6 +1866,9 @@ gcc-compiler_src_install() {
 # when installing gcc, it dumps internal libraries into /usr/lib
 # instead of the private gcc lib path
 gcc_movelibs() {
+ # older versions of gcc did not support --print-multi-os-directory
+ tc_version_is_at_least 3.0 || return 0
+
 local multiarg removedirs=""
 for multiarg in $($(XGCC) -print-multi-lib) ; do
 multiarg=${multiarg#*;}
@@ -1902,7 +1910,7 @@ gcc_movelibs() {
 # make sure the libtool archives have libdir set to where they actually
 # -are-, and not where they -used- to be.
- fix_libtool_libdir_paths "$(find ${D}${LIBPATH} -name *.la)"
+ fix_libtool_libdir_paths $(find "${D}"${LIBPATH} -name *.la)
 }
 #----<< src_* >>----
diff --git a/hardened/toolchain/branches/pieworld/pieworld.README b/hardened/toolchain/branches/pieworld/pieworld.README
new file mode 100644
index 0000000..8b0931e
--- /dev/null
+++ b/hardened/toolchain/branches/pieworld/pieworld.README
@@ -0,0 +1,8 @@
+This is PIEworld
+================
+
+Traditional hardened toolchain; ends up with crtbegin.o, crtend.o built -fPIE,
+all lib*.a are PIE.
+
+Cannot create proper vanilla binaries (i.e. no use for building vanilla stages).
+Static binaries on sparc segfault.
diff --git a/hardened/toolchain/branches/pieworld/sys-devel/gcc/Manifest b/hardened/toolchain/branches/pieworld/sys-devel/gcc/Manifest
index 5e4aaf1..9eab0a9 100644
--- a/hardened/toolchain/branches/pieworld/sys-devel/gcc/Manifest
+++ b/hardened/toolchain/branches/pieworld/sys-devel/gcc/Manifest @@ -140,7 +140,7 @@ RMD160 6b35cd93db30848afc9721dbac2e43b218bc32c7 files/specs/zrelro.specs 35 SHA256 43e48d9f5f0b99db15bfae2eb0ab2625eaa9a3a8d3d6caf7ca3ac313059f62a4 files/specs/zrelro.specs 35 DIST bounds-checking-gcc-3.4.4-1.00.patch.bz2 815608 RMD160 b5e1d4716a5ab881b5d7742bb6650e0492edce93 SHA1 dad2fea0818e8361eba78ad01020769067cd9c3f SHA256 a29adc9260071f5928f2e491803b73117ee176e4b19b56ce421aa3ca461370b2 DIST gcc-3.4.5-uclibc-patches-1.1.tar.bz2 70923 RMD160 89e42889420fbab22e418261d248a89ee2bbbe9b SHA1 ee30203bd1528057b7639a7186adc16fbbabf206 SHA256 5b92fac2afe835a127976fdb6602fb5628cf28e67dd19e8289768a3bb8631ec2 -DIST gcc-3.4.6-patches-1.2.tar.bz2 54757 RMD160 d4e1240b9e45b7661b7f8bf4f57bb2c9cac17686 SHA1 be5868d0ba17d0d8952cda5a82064aaca9168cb3 SHA256 43253a8defa6111bd6f107178cc46f425ec81efe0eb26b730c11c422a4d4de26 +DIST gcc-3.4.6-patches-1.4.tar.bz2 55772 RMD160 bdc96bf39b806a30d566d18dfe1f0b4b2f34af22 SHA1 df0fb3e152b0eed266493cc62ea2bfb728ddcce0 SHA256 ee3ba71670f9fd3857035744563a21ae8238c679ebef54502e5d298d4d1af04a DIST gcc-3.4.6-piepatches-v9.0.5.tar.bz2 6723 RMD160 eada7d8d45d9cc1e4547fe16e481c3ca41c8e600 SHA1 9c5dabec7c7b6c3bd58820ed187d22f56307dc85 SHA256 9298df21e95e5c97aa812be4c8d9dd14704cc4578b9d59e25146ab8c9095599e DIST gcc-3.4.6-ssp-1.0.tar.bz2 34468 RMD160 0f668e3ffc08297b5ebe3d5cbb9575426008e096 SHA1 d5c6634632b340657e416ecd2ab5b43048c75c23 SHA256 27ff25099ca8617fe2a76cf8ea06acaab39cff9eb91ef64c84971ba324a664e9 DIST gcc-3.4.6.tar.bz2 28193401 RMD160 b15003368cedc7964f6ceaee0c39ddc43a46c442 SHA1 97b290fdc572c8e490b3b39f243e69bacad23c2b SHA256 7791a601878b765669022b8b3409fba33cc72f9e39340fec8af6d0e6f72dec39 
@@ -148,17 +148,17 @@ DIST gcc-4.1.1-patches-1.9.tar.bz2 51152 RMD160 4e9c774c23e5fe96be60de897fee7c3a DIST gcc-4.1.1-piepatches-v9.0.6.tar.bz2 5120 RMD160 7bf6af65708c1633c65beec17bb003d040fe97ad SHA1 44d9675b3df9a9fdb2e06a6dc3b1434108494d6c SHA256 57d82883facc411591c405ff68553c20fe7813df8eca5ede67ca52eb663522c1 DIST gcc-4.1.1-uclibc-patches-1.1.tar.bz2 20981 RMD160 ca12459f3ec8ee8a9dc5c260bea4bb20d6a80a65 SHA1 c004fbace98a1159115a81f0b733a4a248b2d096 SHA256 f97cf0f9fe52a529b41a78bb5d0d57899805fae00c3e7b2dff87c8192195b6f3 DIST gcc-4.1.1.tar.bz2 39172003 RMD160 0edeac242d900b075a7e36796380492b5b3c8564 SHA1 a398b95d38b6e35f4c4e02c34c0a3bff79811f8f SHA256 985cbb23a486570a8783395a42a8689218f5218a0ccdd6bec590eef341367bb7 -EBUILD gcc-3.4.6-r3.ebuild 5023 RMD160 5c219c10fd594ddc9def680da716edb7c09d8736 SHA1 2f94b37676e932fb8e97139baa37f065b8364b16 SHA256 38490fa68cb84b77a6cd868257e4700c3ae22d9d55440166889edee2f0273082 -MD5 12e8ce429498cd4768d9464b417380a8 gcc-3.4.6-r3.ebuild 5023 -RMD160 5c219c10fd594ddc9def680da716edb7c09d8736 gcc-3.4.6-r3.ebuild 5023 -SHA256 38490fa68cb84b77a6cd868257e4700c3ae22d9d55440166889edee2f0273082 gcc-3.4.6-r3.ebuild 5023 -EBUILD gcc-4.1.1-r3.ebuild 3009 RMD160 b844335b58de71d0960d16c6c2f2845f604b8b0b SHA1 aeacc440cc7523b1e2f9ce10cd6a5846a1fcaa24 SHA256 9e197718d22736ebfef6d592b7e1e83a6b6516e4792da353a110e2ddb4903e53 -MD5 25730568c870638dd9fcd7bbbc6fd79c gcc-4.1.1-r3.ebuild 3009 -RMD160 b844335b58de71d0960d16c6c2f2845f604b8b0b gcc-4.1.1-r3.ebuild 3009 -SHA256 9e197718d22736ebfef6d592b7e1e83a6b6516e4792da353a110e2ddb4903e53 gcc-4.1.1-r3.ebuild 3009 -MD5 25769cef09f895c0867caf01eb288436 files/digest-gcc-3.4.6-r3 1623 -RMD160 d58cfe1955c20064c63ad0e47eaa15c698fec2e8 files/digest-gcc-3.4.6-r3 1623 -SHA256 69528d8037d0e2019bfc8deae140847116073acc0aa6946fc8bbd934cb47793d files/digest-gcc-3.4.6-r3 1623 +EBUILD gcc-3.4.6-r3.ebuild 5025 RMD160 2058cb7bcf3a63d0676584cae76081161d03ea2e SHA1 2f3771f15b9d570262e2ecf718b101fb2e5fa832 SHA256 
51a5e8aa4e23fea87d17508638016a7651961d4bffd0cd15335f1ce493c206e3 +MD5 e7e1819986cf0ecdffbb5f1f59ba6b16 gcc-3.4.6-r3.ebuild 5025 +RMD160 2058cb7bcf3a63d0676584cae76081161d03ea2e gcc-3.4.6-r3.ebuild 5025 +SHA256 51a5e8aa4e23fea87d17508638016a7651961d4bffd0cd15335f1ce493c206e3 gcc-3.4.6-r3.ebuild 5025 +EBUILD gcc-4.1.1-r3.ebuild 3026 RMD160 e87d40fa86b24a92687040befc66098b3e8af853 SHA1 c423ffc3e7cc354ed269014c3820ae737b359308 SHA256 78fe42872ed0968dfc2f1537155bbeb2a3483d136b22af59742721c0a27c2426 +MD5 8f85a1fdb0643be8659bbcd3e6a3b080 gcc-4.1.1-r3.ebuild 3026 +RMD160 e87d40fa86b24a92687040befc66098b3e8af853 gcc-4.1.1-r3.ebuild 3026 +SHA256 78fe42872ed0968dfc2f1537155bbeb2a3483d136b22af59742721c0a27c2426 gcc-4.1.1-r3.ebuild 3026 +MD5 f2ae42150d118fee847851b13498c67d files/digest-gcc-3.4.6-r3 1623 +RMD160 61cd90be115485be70bc0c6511848949fd86e3ff files/digest-gcc-3.4.6-r3 1623 +SHA256 fb9bc05b7f310a0ce63c7538d07315a3432bced82fc26c656e9ec0d843df2468 files/digest-gcc-3.4.6-r3 1623 MD5 999cc0e908bc64ab913514396b8859c1 files/digest-gcc-4.1.1-r3 1069 RMD160 d6ff22ff681d6510bb7dd5f9e02466b2789fdbf0 files/digest-gcc-4.1.1-r3 1069 SHA256 c16acb71c2d63e66a1f7830fc4c64c9daecb6a8e43d38d1232e753bbc08c9311 files/digest-gcc-4.1.1-r3 1069 diff --git a/hardened/toolchain/branches/pieworld/sys-devel/gcc/files/digest-gcc-3.4.6-r3 b/hardened/toolchain/branches/pieworld/sys-devel/gcc/files/digest-gcc-3.4.6-r3 index e00b428..2d6e20a 100644 --- a/hardened/toolchain/branches/pieworld/sys-devel/gcc/files/digest-gcc-3.4.6-r3 +++ b/hardened/toolchain/branches/pieworld/sys-devel/gcc/files/digest-gcc-3.4.6-r3 
@@ -4,9 +4,9 @@ SHA256 a29adc9260071f5928f2e491803b73117ee176e4b19b56ce421aa3ca461370b2 bounds-c MD5 90aa9cb64d7edcd9a2306abe910cbe3b gcc-3.4.5-uclibc-patches-1.1.tar.bz2 70923 RMD160 89e42889420fbab22e418261d248a89ee2bbbe9b gcc-3.4.5-uclibc-patches-1.1.tar.bz2 70923 SHA256 5b92fac2afe835a127976fdb6602fb5628cf28e67dd19e8289768a3bb8631ec2 gcc-3.4.5-uclibc-patches-1.1.tar.bz2 70923 -MD5 fe9514353eaf5a09ab16790b7714481b gcc-3.4.6-patches-1.2.tar.bz2 54757 -RMD160 d4e1240b9e45b7661b7f8bf4f57bb2c9cac17686 gcc-3.4.6-patches-1.2.tar.bz2 54757 -SHA256 43253a8defa6111bd6f107178cc46f425ec81efe0eb26b730c11c422a4d4de26 gcc-3.4.6-patches-1.2.tar.bz2 54757 +MD5 cc05b66335b2fd31076f70bc3a8de225 gcc-3.4.6-patches-1.4.tar.bz2 55772 +RMD160 bdc96bf39b806a30d566d18dfe1f0b4b2f34af22 gcc-3.4.6-patches-1.4.tar.bz2 55772 +SHA256 ee3ba71670f9fd3857035744563a21ae8238c679ebef54502e5d298d4d1af04a gcc-3.4.6-patches-1.4.tar.bz2 55772 MD5 0dff307db3a06c6ddd517d27e2ea47be gcc-3.4.6-piepatches-v9.0.5.tar.bz2 6723 RMD160 eada7d8d45d9cc1e4547fe16e481c3ca41c8e600 gcc-3.4.6-piepatches-v9.0.5.tar.bz2 6723 SHA256 9298df21e95e5c97aa812be4c8d9dd14704cc4578b9d59e25146ab8c9095599e gcc-3.4.6-piepatches-v9.0.5.tar.bz2 6723 diff --git a/hardened/toolchain/branches/pieworld/sys-devel/gcc/gcc-3.4.6-r3.ebuild b/hardened/toolchain/branches/pieworld/sys-devel/gcc/gcc-3.4.6-r3.ebuild index 31b9bc4..78e5933 100644 --- a/hardened/toolchain/branches/pieworld/sys-devel/gcc/gcc-3.4.6-r3.ebuild +++ b/hardened/toolchain/branches/pieworld/sys-devel/gcc/gcc-3.4.6-r3.ebuild 
@@ -1,9 +1,10 @@ -# Copyright 1999-2006 Gentoo Foundation +# Copyright 1999-2007 Gentoo Foundation # Distributed under the terms of the GNU General Public License v2 -# $Header: /var/cvsroot/gentoo-x86/sys-devel/gcc/gcc-3.4.6-r2.ebuild,v 1.6 2006/10/02 01:10:12 vapier Exp $ +# $Header: /var/cvsroot/gentoo-x86/sys-devel/gcc/gcc-3.4.6-r2.ebuild,v 1.13 2007/01/01 21:51:51 josejx Exp $ + MAN_VER="" -PATCH_VER="1.2" +PATCH_VER="1.4" UCLIBC_VER="1.1" UCLIBC_GCC_VER="3.4.5" PIE_VER="9.0.5" diff --git a/hardened/toolchain/branches/pieworld/sys-devel/gcc/gcc-4.1.1-r3.ebuild b/hardened/toolchain/branches/pieworld/sys-devel/gcc/gcc-4.1.1-r3.ebuild index d7009da..ac14cb6 100644 --- a/hardened/toolchain/branches/pieworld/sys-devel/gcc/gcc-4.1.1-r3.ebuild +++ b/hardened/toolchain/branches/pieworld/sys-devel/gcc/gcc-4.1.1-r3.ebuild @@ -1,6 +1,6 @@ # Copyright 1999-2006 Gentoo Foundation # Distributed under the terms of the GNU General Public License v2 -# $Header: /var/cvsroot/gentoo-x86/sys-devel/gcc/gcc-4.1.1-r3.ebuild,v 1.2 2006/12/10 21:27:50 kloeri Exp $ +# $Header: /var/cvsroot/gentoo-x86/sys-devel/gcc/gcc-4.1.1-r3.ebuild,v 1.3 2006/12/26 21:37:03 vapier Exp $ PATCH_VER="1.9" UCLIBC_VER="1.1" @@ -62,7 +62,7 @@ RDEPEND=">=sys-libs/zlib-1.1.4 hardened? ( >=sys-libs/glibc-2.4 ) )" DEPEND="${RDEPEND} - test? ( sys-devel/autogen ) + test? ( sys-devel/autogen dev-util/dejagnu ) >=sys-apps/texinfo-4.2-r4 >=sys-devel/bison-1.875 >=${CATEGORY}/binutils-2.15.94" |