
Progress on hardened1-linux-amd64 (was: Re: Proposing amd64-hardened architecture for Debian)



Hi All,

2014-04-15 18:15 GMT+02:00 Thomas Goirand <zigo@debian.org>:
> On 04/15/2014 06:00 PM, Balint Reczey wrote:
>> Hi,
>>
...
>> My proposal for serving those security-focused users is introducing a
>> new architecture targeting amd64 hardware, but with more security
>> related C/C++ features turned on for every package (currently hardening
>> has to be enabled by the maintainers in some way) through compiler flags
>> as a start.
>>
>> Introducing the new architecture would also let package maintainers
>> enabling additional dependencies and build rules selectively for the new
>> architecture improving the security further. On the users' side the
>> advantage of having a separate security enhanced architecture instead of
>> a Debian derivative is the potential of installing a set of security
>> enhanced packages using multiarch [6]. You could have a fast amd64
>> installation as a base and run Apache or any other sensitive server from
>> the amd64-hardened packages!
>>
>> -----
>>
>> What do you think? Would adding a new arch be feasible and a good solution?
>>
>> Cheers,
>> Balint
>
> My take on this: start it if you wish, and see how it takes you. If it
> is successful enough, it will go to http://www.debian-ports.org/. If it
> has even more success, then probably it will go through the standard
> repository and be official part of Debian. Whatever happens, it will be
> interesting to see what kind of performance hit you get, and what kind
> of security enhancement there is.

I made some progress on this wanna-be port in the last months [8]
starting from Helmut's and others' work on rebootstrap [9]. First, the
name is still not final, but has been changed to hardened1-linux-amd64
which fits current port naming better. There are ongoing discussions
regarding the name and I'm working on fulfilling all requirements for
new ports.

The port's objective changed slightly with targeting QA first since I
find too many bugs which prevent using the packages on a stable system
yet. :-)

Right now packages can only be cross-built, thus help on
cross-buildability of packages is highly appreciated especially for
the few missing ones needed for creating a pbuilder/sbuild chroot. You
can try plenty of build-essential packages following the post's [8]
instructions already.

I plan continuing work on this port as my time permits and if there is
significant interest from users. If you are interested and don't want
to share that in public feel free to drop me a mail.

Cheers,
Balint

[8] http://balintreczey.hu/blog/progress-report-on-hardened1-linux-amd64-a-potential-debian-port-with-pie-asan-ubsan-and-more/
[9] https://wiki.debian.org/HelmutGrohne/rebootstrap

