Hardened Linux From Scratch
Version SVN-20070501
Copyright (c) 2004-2007 HLFS Development Team
– Who willed you? or whose will stands but mine?
There's none protector of the realm but I.
(Gloucester - 1593)
This is HLFS-unstable featuring:
-
uClibc: http://www.uclibc.org/
-
Stack Smashing Protector, this is now part of GCC-4.1+: http://www.trl.ibm.com/projects/security/ssp/
-
Grsecurity: http://www.grsecurity.net/
-
GCC PIE patch. This is now part of gcc-3.4+: http://gcc.gnu.org/ml/gcc-patches/2003-06/msg00140.html
-
Binutils PIE patch. This is now part of bintuils-2.15+ and is utilized by Glibc and uClibc: http://sources.redhat.com/ml/binutils/2003-05/msg00832.html
-
Binutils Non-lazy Runtime Binding. This is part of Binutils and is utilized by Glibc and uClibc: 'man 1 ld'
-
Binutils Relocation Read-only patch. This is now part of Bintuils and is utilized by Glibc and uClibc: http://sources.redhat.com/ml/binutils/2004-01/msg00070.html
-
FORTIFY_SOURCE runtime buffer overflow protection: http://gcc.gnu.org/ml/gcc-patches/2004-09/msg02055.html
-
Heap Consistency Checking in Glibc: http://www.gnu.org/software/libc/manual/html_node/Heap-Consistency-Checking.html
-
strlcpy() strlcat() C library functions: http://www.courtesan.com/todd/papers/strlcpy.html
-
Mudflap GCC debugging library: http://gcc.gnu.org/wiki/Mudflap_Pointer_Debugging
-
Owl Linux temporary-file hardening: http://www.openwall.com/Owl/
Recent LFS-stable (6.*), or HLFS-0.1+, are the prerequisite for the host system. Other systems may work but are not supported.
UTF-8 compatability is not yet implemented. Notes in the BLFS book regarding UTF-8 workarounds will generally not apply to HLFS systems. Anyone seeking to implement LFS-based UTF-8 compatability, especially with the uClibc version of HLFS, should subscribe to mailto:hlfs-dev AT linuxfromscratch D0T org.
See chapter02 for descriptions of the Stack Smashing Protector, and Position Independent Executables.
The instructions in this book only work for i386 so far. The instructions in this book were tested on an LFS host system.
Note:
This book assumes you already have experience with Linux From Scratch and are comfortable using it.
Warning:
This book is probably broken in some places. uClibc is definitely broken. gcc-4.1 and glibc-2.5 were recently added and the incomplete changes were commited in order to get more feedback about the new toolchain. Don't expect this book to produce a usable system. This warning will be removed when both Glibc and uClibc are using gcc-4.1, and everything is functional. Please report bugs to hlfs-dev AT linuxfromscratch D0T org or http://wiki.linuxfromscratch.org/hlfs/.
Warning:
The Linux-2.4 based books listed here are very broken at this momment. Please use the ones from the 2.4-branch instead until we finish porting the code here.
The 2.4-branch book can be found here: http://www.linuxfromscratch.org/hlfs/view/2.4-branch/.
Send bugs, comments, and questions to: mailto:hlfs-dev AT linuxfromscratch D0T org.