summaryrefslogtreecommitdiff
path: root/metadata/news/2023-01-01-hardening-fortify-assertions/2023-01-01-hardening-fortify-assertions.en.txt
blob: f0aab216a04f96b0f1a80f0820627f9154e0bcdc (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
Title: Hardened profiles improvements
Author: Sam James <sam@gentoo.org>
Posted: 2023-01-01
Revision: 2
News-Item-Format: 2.0
Display-If-Installed: sys-devel/gcc[hardened]
Display-If-Profile: features/hardened
Display-If-Profile: default/linux/ppc64le/17.0/musl/hardened
Display-If-Profile: default/linux/ppc/17.0/musl/hardened
Display-If-Profile: default/linux/amd64/17.0/no-multilib/hardened
Display-If-Profile: default/linux/amd64/17.0/hardened
Display-If-Profile: default/linux/amd64/17.0/musl/hardened
Display-If-Profile: default/linux/amd64/17.1/hardened
Display-If-Profile: default/linux/amd64/17.1/no-multilib/hardened
Display-If-Profile: default/linux/x86/17.0/hardened
Display-If-Profile: default/linux/arm/17.0/musl/armv7a/hardened
Display-If-Profile: default/linux/arm/17.0/musl/armv6j/hardened
Display-If-Profile: default/linux/arm/17.0/armv7a/hardened
Display-If-Profile: default/linux/arm/17.0/armv6j/hardened
Display-If-Profile: default/linux/ppc64/17.0/musl/hardened
Display-If-Profile: default/linux/arm64/17.0/hardened
Display-If-Profile: default/linux/arm64/17.0/musl/hardened

Gentoo's hardened profiles are adopting two new modern toolchain hardening
techniques:
1. Level 3 fortification (-D_FORTIFY_SOURCE=3) [0]
2. libstdc++ assertions (-D_GLIBCXX_ASSERTIONS) [1]

These will both be enabled by default with USE=hardened on sys-devel/gcc
for >=sys-devel/gcc-12.2.1_p20221231.

To view the existing list of hardening changes applied by the profiles,
see the wiki [2].

Stable users may wish to add sys-devel/gcc-12.2.1_p20221231 into
/etc/portage/package.accept_keywords if they wish to take advantage
of these improvements early, before GCC 12 is marked stable.

## Migration

To fully take advantage of these new settings, GCC must first
be upgraded, and then all packages must be re-emerged:
1. # emerge --sync
2. # emerge --verbose --oneshot ">=sys-devel/gcc-12.2.1_p20221231"
3. # gcc-config latest
4. # emerge --verbose --emptytree @world

## Troubleshooting

In the event that some packages fail at runtime, please file a bug
with the full details. To temporarily workaround the problem,
it should be possible to recompile broken packages with the
following *FLAGS:
CFLAGS="${CFLAGS} -D_FORTIFY_SOURCE=2"
CXXFLAGS="${CXXFLAGS} -D_FORTIFY_SOURCE=2 -U_GLIBCXX_ASSERTIONS"

[0] https://bugs.gentoo.org/876893
[1] https://bugs.gentoo.org/876895
[2] https://wiki.gentoo.org/wiki/Hardened/Toolchain#Changes