I have attached my preliminary/experimental differences to build HLFS with gcc-4.1.1 and glibc-2.4. Comments are welcome.
robert
# May 28th, 2006

# These are the differences to use GCC-4.1 and Glibc-2.4 with the HLFS-unstable
# book, available at http://www.linuxfromscratch.org/hlfs/view/unstable/glibc/

# Glibc-2.4 and GCC-4.1 have integrated SSP, so the SSP patches are no longer
# needed.

# Thanks to CLFS and LFS for some commands I stole :-)

# New/additional patches are available at:
# http://www.linuxfromscratch.org/patches/downloads/glibc/
# http://www.linuxfromscratch.org/~robert/new/newpatches/
# http://www.grsecurity.net/~spender/

# Commands here depend on Sed version 4 or higher, and Perl, as usual.

# I tested this with Binutils-2.16.93, but the testsuite had many failures. Feel
# free to try HJL Binutils instead.

# - Chapter 5 -

# - Kernel headers (I used linux-2.6.16.18):

# I don't know if this will be the way kernel headers are installed, but it works
# for now. It's a good idea to be running this kernel version on the host system,
# for Glibc.

# Unpack your kernel source.

make mrproper &&
make include/linux/version.h &&
make include/asm &&
install -d /tools/include/asm &&
cp -R include/asm/* /tools/include/asm &&
cp -R include/asm-generic /tools/include &&
cp -R include/linux /tools/include

# Don't worry about ".config: No such file or directory".

# - Glibc-2.4 headers:

# Break the GCC version sanity check (this doesn't matter because we're only
# installing the Glibc headers):

sed -e 's/3.4\*/\*/' -i configure

# After 'make install-headers' (just the Glibc version number below was changed):

cp bits/stdio_lim.h /tools/include/bits &&
touch /tools/include/gnu/stubs.h &&
cp ../glibc-2.4/nptl/sysdeps/pthread/pthread.h /tools/include &&
cp ../glibc-2.4/nptl/sysdeps/unix/sysv/linux/i386/bits/pthreadtypes.h \
    /tools/include/bits

# - Binutils-2.16.93 cross-linker:

# GCC-4.1 needs binutils-2.16.91 or higher.
# ftp://sources.redhat.com/pub/binutils/snapshots/binutils-2.16.93.tar.bz2

# After 'make install':

make -C ld clean &&
make -C ld LIB_PATH=/tools/lib &&
install ld/ld-new /tools/bin/${target}-ld-new

# Remove the binutils-2.16.93/ and binutils-build/ directories.

# - GCC-4.1.1 cross-compiler:

patch -Np1 -i ../gcc-4.1.1-specs_x86-1.patch

# No need to 'touch ${ldso}'.
# Add '--disable-libssp --disable-libmudflap' to the configure command.

# - Glibc-2.4:

# The ssp patch is no longer needed. The pt_pax and dl_execstack_PaX patches from
# 2.3.6 still work on 2.4.

tar xf ../glibc-libidn-2.4.tar.bz2 &&
mv glibc-libidn-2.4 libidn

# This patch stops localedef from crashing while running a PaX kernel:

patch -Np1 -i ../glibc-2.4-localedef_segfault-1.patch

# This patch is so that we can just use a simple 'make' command, instead of
# 'make libgcc_eh="" gnulib="-lgcc" static-gnulib="-lgcc"':

patch -Np1 -i ../glibc-2.4-libgcc_eh-1.patch

# Run 'make check' like this:

make -k check >glibc-check-log 2>&1 ; grep Error glibc-check-log

# I couldn't get 'make check' to pass perfectly even under the best conditions.

# make[2]: [/mnt/hlfs/usr/src/glibc-build/posix/annexc.out] Error 1 (ignored)
# make[2]: *** [/mnt/hlfs/usr/src/glibc-build/nptl/tst-cancel24.o] Error 1
# make[1]: *** [nptl/tests] Error 2
# make[2]: *** [/mnt/hlfs/usr/src/glibc-build/elf/check-localplt.out] Error 1
# make[1]: *** [elf/tests] Error 2
# make: *** [check] Error 2

# Install like this:

install -d /tools/etc &&
touch /tools/etc/ld.so.conf &&
make install

# - Adjusting toolchain:

mv /tools/bin/${target}-{ld-new,ld} &&
ln -f /tools/bin/${target}-ld /tools/${target}/bin/ld

# Then test it...

# - Binutils-2.16.93:

# After 'make install':

make -C ld clean &&
make -C ld LIB_PATH=/usr/lib:/lib &&
install ld/ld-new /tools/bin/ld-new

# Remove the binutils-2.16.93/ and binutils-build/ directories.

# - GCC-4.1:

# Don't use the SSP patch, or the version.c sed command.
# The nofixincludes patch is replaced by this:

sed '[EMAIL PROTECTED]/[EMAIL PROTECTED] true@' -i gcc/Makefile.in

# patch -Np1 -i ../gcc-4.1.1-specs_x86-1.patch

# GCC-4.1.1 does not detect SSP when Glibc is installed to non-standard locations,
# like /tools. Fix that:

sed -e '[EMAIL PROTECTED]/usr\/[EMAIL PROTECTED]/tools\/include@' -i gcc/configure

# GCC will still build and install libssp, but gcc won't use it.

# 'make', 'make bootstrap', or 'make profiledbootstrap', whichever you prefer.
# 'make bootstrap' is probably a good idea, but this gcc is being built by the
# same version of gcc, so it may not make a difference.

# - Adding hardened specs:

# This requires Perl on your host system.

# Get:
# http://www.linuxfromscratch.org/~robert/new/newpatches/hardened-specs.sh

install hardened-specs.sh /tools/bin/hardened-specs &&
gcc -dumpspecs > `dirname $(gcc -print-libgcc-file-name)`/specs &&
/tools/bin/hardened-specs

# The two lines with __guard need to be removed from test.c for it to compile.
# Glibc's SSP does not use __guard anymore, but Glibc's testsuite will also run
# tests for SSP in chapter 6 to confirm it is working properly.

# - Chapter 6 -

# - Kernel headers (for Glibc):

# Unpack the kernel.

patch --no-backup-if-mismatch -Np1 -i \
    ../linux-libc-headers-2.6.12.0-pseudo_random-1.patch &&
patch --no-backup-if-mismatch -Np1 -i \
    ../linux-libc-headers-2.6.12.0-unistd_x86_PIC-1.patch &&
make mrproper &&
make include/linux/version.h &&
make include/asm &&
mkdir /usr/src/glibcheaders &&
cp -HR include/asm /usr/src/glibcheaders &&
cp -R include/asm-generic /usr/src/glibcheaders &&
cp -R include/linux /usr/src/glibcheaders &&
touch /usr/src/glibcheaders/linux/autoconf.h

# - Glibc-2.4:

tar xf ../glibc-libidn-2.4.tar.bz2 &&
mv glibc-libidn-2.4 libidn

# Don't forget to apply the dl_execstack_PaX and pt_pax patches. Don't use the
# fstack_protector patch for now.
patch -Np1 -i ../glibc-2.4-localedef_segfault-1.patch

# The glibc-2.3.6-arc4random-2.patch is now optional. Glibc and uClibc have moved
# the SSP functions to ld.so (rtld). In order to use arc4random with SSP the
# arc4random code would also need to be moved to ld.so, and that's not a sane idea.
# Some packages, like OpenSSL, OpenNTPD, and BIND can still use arc4random via
# libc if it is available.

# If you want to preserve your kernel entropy you should use /dev/erandom instead
# of /dev/urandom for SSP. This is especially important for servers with little
# or no keyboard and mouse activity. Note: doing this while compiling Glibc on a
# vanilla kernel may cause a couple test failures because erandom doesn't exist.
# To do that enter this:

sed -e 's/urandom/erandom/' -i sysdeps/unix/sysv/linux/dl-osinfo.h

# Add --enable-stackguard-randomization to have Glibc use urandom/erandom to generate
# random canary values used with SSP.

# Add '--with-headers=/usr/src/glibcheaders' to point Glibc to the raw kernel headers.

# This 'make check' resulted the same as chapter 5.

# - Sanitized headers:

# http://download.fedora.redhat.com/pub/fedora/linux/core/development/source/SRPMS/\
# glibc-kernheaders-3.0-??.src.rpm

# You'll need to rpm2tgz this package, then unpack it. Inside there's another
# tarball.

tar xf glibc-kernheaders-2.6.??-?.????_FC6.tar.bz2 &&
cd usr/include/ &&
cp -R asm-i386 /usr/include/asm &&
cp -R asm-generic /usr/include &&
cp -R linux /usr/include

# - Adjusting toolchain:

install /tools/bin/ld{-new,} &&
perl -pi -e 's:/tools${ldso}:${ldso}:g;' \
    -e '[EMAIL PROTECTED]:[EMAIL PROTECTED]/usr/lib/@g;' \
    `dirname $(gcc -print-libgcc-file-name)`/specs

# - Binutils-2.16.93:

# To do 'make check':

make CC_FOR_TARGET="gcc -no-pie -fno-stack-protector" -k check

# However, many of the tests won't pass (I'm pretty sure this is a problem with
# the binutils snapshot, and not HLFS). Binutils tests are also sensitive to CFLAGS.
# - GCC-4.1.1:

# No patches are needed (with Glibc).

# Fix libiberty/Makefile.in:

sed -e 's/install_to_$(INSTALL_DEST) //' -i libiberty/Makefile.in

# Disable fixincludes if you want:

sed '[EMAIL PROTECTED]/[EMAIL PROTECTED] true@' -i gcc/Makefile.in

# Fix gccbug:

sed 's/@have_mktemp_command@/yes/' -i gcc/gccbug.in

# Configure GCC...

# Compile GCC with -fstack-protector and -pie:

make CFLAGS="-fstack-protector-all -fPIC -fomit-frame-pointer -O2" \
    CXXFLAGS="-fstack-protector-all -fPIC -fomit-frame-pointer -O2" \
    LDFLAGS="-z relro -z now -pie"

# Use BOOT_CFLAGS, BOOT_CXXFLAGS, and BOOT_LDFLAGS, if you are using
# 'make bootstrap'.

# Maybe one day I'll figure out how to stick -fPIE in GCC's build, so it runs
# more optimally. Alternately the specs can be hardcoded with a patch.

# After 'make install':

gcc -dumpspecs > `dirname $(gcc -print-libgcc-file-name)`/specs &&
/tools/bin/hardened-specs

# - Kernel

# The pseudo_random kernel patch is also optional, but only if you are not using
# the arc4random libc patch, and you are not using /dev/erandom with SSP. It is
# advisable to use the pseudo_random kernel patch.

# It should be downhill after this, aside from gcc-4.1.1 issues. Now I need to
# get this working with uClibc too, and see if it can be cleaned up better.

# robert - ashes
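A check for the flags used in the notes above (`-fstack-protector-all`, `-z relro -z now -pie`), as an added example that is not part of the original post: it classifies a binary from `readelf` output. The function names and the two sample excerpts are constructed for illustration.

```shell
#!/bin/sh
# Added example, not part of the original post. On a real binary:
#   readelf -W -h -l -d --dyn-syms ./a.out | hardening_report

# Reads readelf text on stdin and prints one line:
#   pie=yes|no relro=full|partial|none ssp=yes|no
hardening_report() {
    awk '
        /^ *Type:/ && /DYN/  { pie = 1 }    # ET_DYN: PIE (shared libs are ET_DYN too)
        /GNU_RELRO/          { relro = 1 }  # segment created by -z relro
        /\(BIND_NOW\)/ || /\(FLAGS\).*BIND_NOW/ || /\(FLAGS_1\).*NOW/ { now = 1 }  # -z now
        /__stack_chk_fail/   { ssp = 1 }    # SSP failure handler imported from glibc
        END {
            r = "none"
            if (relro) r = (now ? "full" : "partial")
            printf "pie=%s relro=%s ssp=%s\n", (pie ? "yes" : "no"), r, (ssp ? "yes" : "no")
        }'
}

# Constructed readelf excerpt: built with -fstack-protector-all and
# linked with "-z relro -z now -pie".
sample_hardened() {
    cat <<'EOF'
  Type:                              DYN (Shared object file)
  GNU_RELRO      0x000ef0 0x00001ef0 0x00001ef0 0x00110 0x00110 R   0x1
 0x00000018 (BIND_NOW)
     5: 00000000     0 FUNC    GLOBAL DEFAULT  UND __stack_chk_fail@GLIBC_2.4 (3)
EOF
}

# Constructed readelf excerpt: default build without the hardening flags.
sample_plain() {
    cat <<'EOF'
  Type:                              EXEC (Executable file)
  LOAD           0x000000 0x08048000 0x08048000 0x004a0 0x004a0 R E 0x1000
     3: 00000000     0 FUNC    GLOBAL DEFAULT  UND puts@GLIBC_2.0 (2)
EOF
}

# Demo on the constructed samples.
sample_hardened | hardening_report
sample_plain | hardening_report
```

A statically linked binary has no dynamic symbol table, so `ssp=no` there does not prove the canary checks are absent.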
