Dear gentoo hardened team, I did a stage3 2008.0 installation of my new Via Epia SN, which worked without problems. I then switched to the hardened profile and ran emerge -e world. After that, the machine no longer booted, but immediately reboots before any grub output shows up. When switching back to gcc vanilla 3.4.6, the problem goes away.
I switched back and forth twice to double-check, always with the same result. This is a Via Esther processor. Output of emerge --info comes in a few minutes.
Created attachment 201075 [details] emerge --info
Created attachment 201076 [details] emerge --info with hardened gcc profile
Hi, can you try the -hardenednopie or -hardenednossp gcc profile and see which profile makes it not boot, and is grub working from the command line?
(In reply to comment #4)
> Hi can you try -hardenednopie or -hardenednossp gcc profile and see what
> profile
> make it not boot and are grub working from the command line?

I will try this in the evening. At least the command-line tool grub-install always worked fine. For completeness' sake: the Via Esther is also called Via C7.
My profile is hardened/linux/x86/2008.0/server/
nopie: boots. nossp: does not boot. So PIE is the one to blame here.
I can't test the error but will look at it more and hope to get a working patch. Somehow the ebuild does not disable PIE/PIC for grub on your platform.
Check the size of the boot/grub dir. Size of stage1 and stage2?
More accurate, please do: du -hs /lib/grub
* Switching native-compiler to i686-pc-linux-gnu-3.4.6 ...
... emerging grub ...
$ du -hs /lib/grub
368K /lib/grub
* Switching native-compiler to i686-pc-linux-gnu-3.4.6-hardenednopie ...
... emerging grub ...
$ du -hs /lib/grub
368K /lib/grub
Sorry, I messed up! Please ignore comment #11. Once again:
* Switching native-compiler to i686-pc-linux-gnu-3.4.6 ...
... source /etc/profile, emerge grub ...
$ du -hs /lib/grub
368K /lib/grub
* Switching native-compiler to i686-pc-linux-gnu-3.4.6-hardenednopie ...
$ du -hs /lib/grub
336K /lib/grub
Somehow the filter-flags -fPIE in the ebuild does not work as it should.
Created attachment 203206 [details, diff] Ported the Grub2 -fPIE Check Try this patch and see if it works.
(In reply to comment #14)
> Ported the Grub2 -fPIE Check
>
> Try this patch and see if it works.

Dear Magnus,

Sorry it took so long for me to find an opportunity to make this test! I stored your patch in the files subdirectory and added the following line to the ebuild:

epatch "${FILESDIR}"/grub-0.97-fpie_check.patch

Now, with gcc-config set to i686-pc-linux-gnu-3.4.6, when I run configure, I see:

$ ebuild grub-0.97-r9.ebuild compile
...
* Applying grub-0.97-fpie_check.patch ... ok
...
checking whether `i686-pc-linux-gnu-gcc' has `-fPIE' as default... no

which is not what I expected...
(In reply to comment #15)
> (In reply to comment #14)
> > Ported the Grub2 -fPIE Check
> >
> > Try this patch and see if it works.
>
> Dear Magnus,
>
> sorry it took so long for me to find an opportunity to make this test!
> I stored your patch in the files subdirectory, added the following line to the
> ebuild:
> epatch "${FILESDIR}"/grub-0.97-fpie_check.patch
>
> Now, with gcc-config set to i686-pc-linux-gnu-3.4.6, when I run configure, I
> see:
>
> $ ebuild grub-0.97-r9.ebuild compile
> ...
> * Applying grub-0.97-fpie_check.patch ... ok
> ...
> checking whether `i686-pc-linux-gnu-gcc' has `-fPIE' as default... no
>
> which is not what I expected...

Remove the filter-flags -fPIE line in the ebuild.
Hi base-system, another grub+PIE failure. Re-assigning like bug 139277. Curious, what is the resistance to patching configure/make/whatever to filter PIC/PIE? Thanks.
(In reply to comment #16)
> Remove the filter-flags -fPIE line in the ebuild.

No matter whether I filter-flag, remove-flag, add-flag PIE or no-PIE in the ebuild, the size of the /lib/grub directory stays constant at the non-booting value...
Created attachment 205767 [details, diff] Old gcc 3.4.6 hardened defined __PIC__ instead of __PIE__ Can you check with this patch?
Oh yes, this looks good: the PIE detection returns "yes" now and the /lib/grub size is as expected. I'll reboot tomorrow evening...
Magnus, thanks a lot for your support, the reboot was successful, so your fpie_check.patch fixes the issue. I don't know whether you want to add your patch to the grub patch collection tarball; in case you don't, here's the ebuild that applies your patch successfully... (I don't mark the bug as resolved, as it's not in the official tree yet. I hope that's the correct workflow...)
Created attachment 205872 [details] ebuild that applies the patch
http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-dev.git;a=commit;h=b7b83daed781b58a0532d5d9c19f98d091a3b164 Thanks for finding the bug and testing the patch. @base-system this patch fixes bug 139277 too.
Woohoo, this just saved my day... Just for the record: I'm setting up a hardened amd64 box at the moment, and when it came to installing grub 0.97-r9, after rebooting grub came up with just a console and was just reporting "Error 28: Selected item cannot fit into memory" on every command you would type; it also detected 0K upper memory. Now 0.97-r11 from the hardened-dev overlay works fine.
Created attachment 222823 [details, diff] Clean -fPIE check patch I have cleaned the patch up. If I try to check for -nopie instead of -fPIE it is always true, if I use the code from the -fno-stack-protector check.
That looks fine. The PIC stuff is odd, but not much we can do about it, I guess.
added to cvs http://sources.gentoo.org/gentoo/src/patchsets/grub/0.97/860_all_grub-0.97-pie.patch?rev=1.1
*** Bug 139277 has been marked as a duplicate of this bug. ***
reopening to spin patchset tarball
Now committed and published as new patchset: grub-0.97-patches-1.10.tar.bz2 Ebuild sys-boot/grub-0.97-r10 committed.
gcc-6 (at least 6.4, didn't check others) drops the gentoo pie patches, and with it the 'nopie' option; the patch now needs to use '-no-pie' instead, it seems. As this is contingent on the gcc version (and grub-0.97 likely has a limited lifespan) I'm going to sed -nopie to -no-pie on the patch on new-enough gcc rather than trying to conditionally apply different patches.
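The two toolchain details this bug turns on are (a) detecting a compiler that builds PIE without being asked, including the old hardened gcc 3.4.6 that predefines __PIC__ rather than __PIE__ (attachment 205767), and (b) choosing between the Gentoo-only -nopie spelling and the -no-pie that gcc 6 and later accept (the last comment). The script below is an added example and is not code from the bug, the grub ebuild or the grub patchset: it does in plain sh what the ported grub2 -fPIE configure check does, by reading the preprocessor's predefined-macro dump. The function names, the "unknown" result for a missing compiler, the rule that __PIC__ alone counts as "yes", and the trimmed sample dumps are all my own assumptions and constructed inputs.

```shell
#!/bin/sh
# Added example, not code from the bug or the grub patchset: a shell version of
# the "does this compiler enable PIE by default?" probe that the ported grub2
# -fPIE configure check performs, plus a probe for the flag that turns it off.
# Function names, the sample macro dumps and the "unknown" result are my own
# choices (assumptions), not anything the grub ebuild or patch defines.

# pie_default_from_macros DUMP
#   DUMP is the text that `$CC -E -dM - </dev/null` prints (the compiler's
#   predefined macros). Prints "yes" when the compiler builds PIE/PIC without
#   being asked, "no" otherwise.
#   Assumption taken from the thread: a hardened gcc 3.4.6 predefines __PIC__
#   rather than __PIE__, so __PIC__ alone also counts as "yes".
pie_default_from_macros() {
    if printf '%s\n' "$1" | grep -q '^#define __PIE__ '; then
        echo yes
    elif printf '%s\n' "$1" | grep -q '^#define __PIC__ '; then
        echo yes   # old hardened gcc quirk: __PIC__ instead of __PIE__
    else
        echo no
    fi
}

# cc_defaults_to_pie CC
#   Runs the real compiler and classifies it; prints "unknown" if CC is not
#   on PATH, so a missing toolchain is distinguishable from "no".
cc_defaults_to_pie() {
    if ! command -v "$1" >/dev/null 2>&1; then
        echo unknown
        return 0
    fi
    pie_default_from_macros "$("$1" -E -dM - </dev/null 2>/dev/null)"
}

# pie_disable_flag CC
#   Picks the spelling of the "no PIE" driver flag this compiler accepts:
#   the -no-pie of gcc 6 and later, or Gentoo's older -nopie. Prints an
#   empty line if neither is accepted (or CC is missing).
pie_disable_flag() {
    if "$1" -no-pie -E - </dev/null >/dev/null 2>&1; then
        printf '%s\n' '-no-pie'
    elif "$1" -nopie -E - </dev/null >/dev/null 2>&1; then
        printf '%s\n' '-nopie'
    else
        printf '\n'
    fi
}

# Constructed sample dumps (trimmed; a real -dM dump has hundreds of lines).
VANILLA_DUMP='#define __GNUC__ 3
#define __i386__ 1
#define __ELF__ 1'
HARDENED_DUMP='#define __GNUC__ 4
#define __PIE__ 2
#define __pie__ 2
#define __ELF__ 1'
OLD_HARDENED_DUMP='#define __GNUC__ 3
#define __PIC__ 2
#define __ELF__ 1'

# Stand-alone demo: classify the constructed dumps, then the local cc if any.
echo "vanilla:      $(pie_default_from_macros "$VANILLA_DUMP")"      # no
echo "hardened:     $(pie_default_from_macros "$HARDENED_DUMP")"     # yes
echo "old hardened: $(pie_default_from_macros "$OLD_HARDENED_DUMP")" # yes
echo "local cc:     $(cc_defaults_to_pie cc) (disable with: $(pie_disable_flag cc))"
```

Run it as `sh pie_probe.sh` (any file name) with the toolchain you are about to build grub with; the last line tells you whether that compiler would silently produce PIE objects and which flag the ebuild or patch must pass to stop it. The `-E` runs are deliberate: they exercise only the driver and preprocessor, so the probe works before any libc or linker is in place.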