author | Kevin F. Quinn <kevquinn@gentoo.org> | 2006-12-05 19:43:00 +0000 |
---|---|---|
committer | Kevin F. Quinn <kevquinn@gentoo.org> | 2006-12-05 19:43:00 +0000 |
commit | bdb523698d4272ace103e27d07da2e098e08d857 (patch) | |
tree | 486c1541f7497a296dc8e6fc6c11dfbe70465dae | |
parent | Ok; no more shorthand ifs - restored to bracketed style! (diff) | |
Add upgrade path instructions
svn path=/; revision=83
-rw-r--r-- | hardened/toolchain.README | 72 |
1 files changed, 62 insertions, 10 deletions
diff --git a/hardened/toolchain.README b/hardened/toolchain.README index d56f0b3..f0493e8 100644 --- a/hardened/toolchain.README +++ b/hardened/toolchain.README 
@@ -1,16 +1,59 @@ +Upgrade path for Hardened Gentoo users from glibc-2.3*/gcc-3* to glibc-2.4+/gcc-4.1+ +==================================================================================== + +1) Add 'nptl nptlonly' to USE (make.conf) if not already present. + This may cause linux-headers to be updated when building glibc. + Note - this may become obsolete by glibc-2.5, since I understand + linuxthreads has come back for 2.5. + +For arches that don't require gcc-4 to build glibc-2.4+: + + 2) emerge --oneshot sys-libs/glibc + (build glibc-2.4 with gcc-3) + + 3) emerge --oneshot sys-devel/gcc + (upgrade compiler - needs glibc-2.4+ to build hardened) + + 4) gcc-config <new gcc-4.1+ hardened compiler> && source /etc/profile + + If glibc itself is to be built w/ SSP enabled (which it isn't at the moment): + + 5) emerge --oneshot sys-libs/glibc + (to get glibc built with gcc-4.x - you may want to do this in any case, if + you want a system completely built with gcc-4.x) + +For arches that require gcc-4 to build glibc-2.4+ (e.g. ppc): + + 2) USE="-hardened" SPLIT_SPECS="no" emerge --oneshot sys-devel/gcc + To build a non-hardened compiler, only, which you can do against glibc-2.3 + + 3) gcc-config <new gcc-4.1+ non-hardened compiler> && source /etc/profile + Use 'gcc-config -l' to find out - should be the only 4.1 compiler present. + + 4) emerge --oneshot sys-libs/glibc + To build glibc-2.4+ - which has to be done with gcc-4.x. 
+ + 5) emerge --oneshot sys-devel/gcc + To get the hardened gcc-4.x compiler + + 6) gcc-config <new gcc-4.1+ hardened compiler> && source /etc/profile + Use 'gcc-config -l' to find out - hardened compiler will be the first listed + (others include hardenednopie, hardenednossp, hardenednopiessp, vanilla) + + If glibc itself is to be built w/ SSP enabled (which it isn't at the moment): + + 7) emerge --oneshot sys-libs/glibc + (note; you already have glibc built with gcc-4.x at this stage, so it's + only useful if glibc is to be buit w/SSP enabled) + + Toolchain mods for hardened gcc-4.x/glibc-2.4 ============================================= -* Default -z,now and -z,relro are wired into binutils - (binutils) - No longer sure this is a good idea - it's difficult to switch off the altered - defaults without forcing -z,lazy, which would break applications that specifically - build stuff bind_now. - * Specs switching handled by the wrappers, rather than the gcc-specs-env patch - (eselect-compiler) + (app-admin/eselect-compiler) May not be a good idea - doing it gcc itself guarantees it'll happen even if - the wrappers aren't used. + the wrappers aren't used (is that ever the case?). * glibc __stack_chk_fail implementation written so that it's ok when glibc built with SSP Implement stderr & syslog messaging, SIGKILL and _exit to provide a secure termination 
@@ -20,10 +63,19 @@ Toolchain mods for hardened gcc-4.x/glibc-2.4 now it's set to build without ssp. Sorted out the PIE building better (replaces the filter-ldflags -pie with something more sensible). + (done) Use SIG_ABRT instead of SIG_KILL - means doing the sigset stuff. + (done) Use INTERNAL_SYSCALL (check vsyscall page isn't user modifiable) * gcc minispecs for gcc-4.1.1 and gcc-3.4.6, from psm Much simplified gcc patching for hardened compiler; use of minispecs to generate - the relevant specs files. + the relevant specs files. Involves a few changes in toolchain.eclass and + flag-o-matic.eclass. + +- Default -z,now and -z,relro are wired into binutils + (sys-devel/binutils) + Deleted - not a good idea as it makes it difficult to switch off the altered defaults + without forcing -z,lazy, which would break applications that specifically build stuff + bind_now. Still cooking @@ -34,7 +86,7 @@ Status summary: =============== glibc ok (builds itself non-ssp) -binutils ok +binutils ok (but will probably not happen) gcc ok Needs distfile gcc-4.1.1-piepatches-v9.0.5.tar.bz2 from toolchain-psm/distfiles (or gcc-3.4.6-piepatches-v9.0.5.tar.bz2 for gcc-3.4.6) |
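Review bot: in the first upgrade path (hunk 1, "arches that don't require gcc-4"), step 4 says `gcc-config <new gcc-4.1+ hardened compiler>` with no hint on how to find that name, whereas the second path adds "Use 'gcc-config -l' to find out"; add the same `gcc-config -l` hint to step 4 of the first path so both paths are self-contained. In the second path, step 6 says the hardened compiler "will be the first listed (others include hardenednopie, hardenednossp, hardenednopiessp, vanilla)", which ties the instruction to gcc-config's listing order; naming the expected profile rather than its position would be more robust. Minor: "buit" in the step 7 note should be "built", and the "If glibc itself is to be built w/ SSP enabled (which it isn't at the moment)" caveat appears once per path; a single copy at the top of the section would avoid the two drifting apart.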
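Review bot: the new "(done) Use SIG_ABRT instead of SIG_KILL" item in hunk 2 contradicts the unchanged description earlier in the file, which still says the glibc `__stack_chk_fail` implementation uses "SIGKILL and _exit to provide a secure termination"; update that sentence to match, and spell the signals SIGABRT and SIGKILL. The "means doing the sigset stuff" remark is the security-relevant part and deserves a sentence of its own: SIGABRT is only a reliable terminator if it is unblocked and its disposition reset to default before it is raised, otherwise a process that installed its own SIGABRT handler could swallow the stack-smash abort and keep running, which is exactly what the old SIGKILL path avoided. The "(done) Use INTERNAL_SYSCALL (check vsyscall page isn't user modifiable)" item still carries an open question inside a done item; record whether that check was actually made.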
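Review bot: "binutils ok (but will probably not happen)" in the status summary (hunk 3) is now inconsistent with the "Deleted - not a good idea" entry added in hunk 2 for the same -z,now/-z,relro binutils change; if the item has been dropped, say so plainly in the summary (for example "binutils dropped - see above") rather than keeping "ok" with a hedge, so the status table reflects the decision the rest of the file records.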