Thursday, 29 October 2009

Wireshark on Gentoo hardened

If compiling wireshark bails out with the following error:

checking for GTK+ - version >= 2.4.0... no
*** Could not run GTK+ test program, checking why...
*** The test program failed to compile or link. See the file config.log for the
*** exact error that occured. This usually means GTK+ is incorrectly installed.
configure: error: GTK+ 2.4 or later isn't available, so Wireshark can't be compiled

Disable the 'profile' USE flag, as per this bug. So the magic command is (to make it stick across future updates, put net-analyzer/wireshark -profile into /etc/portage/package.use instead of passing it on the command line):

USE="-profile" emerge wireshark

Happy sniffing! ;]

Friday, 23 October 2009

Injection support with Intel 3945 A/B/G card

I've used this chipset for quite a while now, and for some time it has been very stable and well supported, and the built-in antenna provides decent reception. It's not N-capable but it does do the A band! Getting it to work on a decent kernel is trivial and Gentoo hardened is no exception. ;]

First, make sure that you have it enabled in your kernel config - in the Wireless LAN section enable "Intel PRO/Wireless 3945ABG/BG Network Connection" (CONFIG_IWL3945). I tend to compile it as a module so I can load it only when necessary - just in case, I prefer to have it disabled the rest of the time... ;] If needed, recompile and boot your new kernel, then continue.

You probably want to emerge the aircrack-ng suite if you haven't already. Aircrack-ng has a handy injection test and can do sooo much more than that! Make sure you emerge it from the 'hardened-development' overlay, because otherwise it won't compile on hardened: it has some inline assembly which unfortunately does not like to be compiled as PIE, at least at the time being ;( Anyway:

~ # emerge -av aircrack-ng

These are the packages that would be merged, in order:

Calculating dependencies ... done!
[ebuild N ] net-wireless/aircrack-ng-1.0 USE="sqlite" 1,472 kB [1]

Total: 1 package (1 new), Size of downloads: 1,472 kB
Portage tree and overlays:
[0] /usr/portage
[1] /usr/local/portage/layman/hardened-development

Would you like to merge these packages? [Yes/No]

Cool, once it's done it's time to load the module:

host ~ # modprobe iwl3945

Which should result in the following output via the dmesg command:

iwl3945 0000:0c:00.0: PCI INT A disabled
iwl3945: Intel(R) PRO/Wireless 3945ABG/BG Network Connection driver for Linux, 1.2.26ks
iwl3945: Copyright(c) 2003-2009 Intel Corporation
iwl3945 0000:0c:00.0: PCI INT A -> GSI 17 (level, low) -> IRQ 17
iwl3945 0000:0c:00.0: setting latency timer to 64
iwl3945 0000:0c:00.0: Tunable channels: 13 802.11bg, 23 802.11a channels
iwl3945 0000:0c:00.0: Detected Intel Wireless WiFi Link 3945ABG
iwl3945 0000:0c:00.0: irq 24 for MSI/MSI-X
phy2: Selected rate control algorithm 'iwl-3945-rs'

Sweet! Let's enable monitor mode then, shall we? airmon-ng run without any parameters lists the wireless cards recognised by the system along with their drivers - quite useful!

~ # airmon-ng
Interface Chipset Driver
wlan1 Atheros ath5k - [phy1]
mon0 Atheros ath5k - [phy1]
wlan0 Intel 3945ABG iwl3945 - [phy2]

Right, so the card is there, now the monitor mode itself:

~ # airmon-ng start wlan0
Interface Chipset Driver

wlan1 Atheros ath5k - [phy1]
mon0 Atheros ath5k - [phy1]
wlan0 Intel 3945ABG iwl3945 - [phy2]SIOCSIFFLAGS: No such file or directory
(monitor mode enabled on mon1)

Hmm... that didn't look good, let's see what happened. This is what dmesg showed:

iwl3945 0000:0c:00.0: firmware: requesting iwlwifi-3945-2.ucode
iwl3945 0000:0c:00.0: iwlwifi-3945-2.ucode firmware file req failed: -2
iwl3945 0000:0c:00.0: firmware: requesting iwlwifi-3945-1.ucode
iwl3945 0000:0c:00.0: iwlwifi-3945-1.ucode firmware file req failed: -2
iwl3945 0000:0c:00.0: Could not read microcode: -2

Oppsie! Right, so the required firmware file is missing, but there's a trustworthy Gentoo package for it! ;] So:

~ # emerge -av iwl3945-ucode

These are the packages that would be merged, in order:

Calculating dependencies... done!
[ebuild N ] net-wireless/iwl3945-ucode-15.32.2.9 66 kB

Total: 1 package (1 new), Size of downloads: 66 kB

Would you like to merge these packages? [Yes/No]

Yesss! When it's installed we need to reload the module and then start the monitor mode again:

~ # rmmod iwl3945
~ # modprobe iwl3945
~ # airmon-ng start wlan0
Interface Chipset Driver

wlan1 Atheros ath5k - [phy1]
mon0 Atheros ath5k - [phy1]
wlan0 Intel 3945ABG iwl3945 - [phy3]
(monitor mode enabled on mon1)

Which resulted in the following in dmesg (note the card is now phy3: unloading and reloading the driver registers a fresh phy, so the index moves on):

iwl3945 0000:0c:00.0: firmware: requesting iwlwifi-3945-2.ucode
iwl3945 0000:0c:00.0: loaded firmware version 15.32.2.9

Yuppie! Now run aireplay-ng's injection test (-9) as a final check:

~ # aireplay-ng -9 mon1
20:38:16 Trying broadcast probe requests...
20:38:16 Injection is working!


Bakgat!
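An added example, not part of the original post: the missing-firmware dance above, turned into something scriptable. ucode_failures pulls the names of the firmware files the driver could not load out of dmesg text, and firmware_present checks a list of names against a firmware directory, so the driver can be reloaded and monitor mode started only when the files are really there. The dmesg text in SAMPLE_DMESG is constructed to mirror the lines shown above (the ucode file names are the real ones); the live usage at the bottom assumes the firmware directory is /lib/firmware and the interface is wlan0 as in the post.

```sh
#!/bin/sh
# Pre-flight checks for bringing an iwl3945 card into monitor mode.
# The parsing functions take their input on stdin so they can be exercised
# offline against the constructed sample below.

# ucode_failures: dmesg text on stdin -> names of .ucode files the driver
# asked for and could not load, one per line, deduplicated.
ucode_failures() {
    sed -n 's/.*: \([^ ]*\.ucode\) firmware file req failed: .*/\1/p' | sort -u
}

# firmware_present <dir>: file names on stdin; returns 1 if any of them is
# absent from <dir>, 0 if all are present (or if the list is empty).
firmware_present() {
    dir="$1"
    missing=0
    while IFS= read -r f; do
        [ -n "$f" ] || continue
        if [ ! -f "$dir/$f" ]; then
            echo "missing firmware: $dir/$f" >&2
            missing=1
        fi
    done
    return "$missing"
}

# Constructed sample, mirroring the dmesg output quoted in the post.
SAMPLE_DMESG='iwl3945 0000:0c:00.0: firmware: requesting iwlwifi-3945-2.ucode
iwl3945 0000:0c:00.0: iwlwifi-3945-2.ucode firmware file req failed: -2
iwl3945 0000:0c:00.0: firmware: requesting iwlwifi-3945-1.ucode
iwl3945 0000:0c:00.0: iwlwifi-3945-1.ucode firmware file req failed: -2
iwl3945 0000:0c:00.0: Could not read microcode: -2'

# Live use as root, after the modprobe: only go to monitor mode when every
# firmware file the driver complained about is now in place (assumed paths).
#   if dmesg | ucode_failures | firmware_present /lib/firmware; then
#       rmmod iwl3945; modprobe iwl3945; airmon-ng start wlan0
#   fi
```

If the driver never complained, ucode_failures prints nothing and firmware_present returns success, so the same one-liner also works on a box where the firmware was installed from the start.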

Monday, 19 October 2009

HowTo update

I've just set up another box according to my earlier HowTo - just to test its accuracy ;). I've spotted a few mistakes which should now be fixed. In the meantime the kernel got updated to 2.6.31.4 and KDE to 4.3.2 ;] It also seems that nepomuk is now fine with grsec kernels - it compiles and runs without segfaulting! ;]
Happy Compiling!

Saturday, 3 October 2009

64-bit Hardened Gentoo with LUKS on 2.6.31.1-grsec, glibc-2.10 and gcc-4.4.1. With KDE-4.3.1. From scratch.

UPDATED 23/10 - Added info about repos.conf which I've missed previously!

Recently I had to set up a new box with the specs above, so I decided to share my installation notes in an attempt to spread the Gentoo virus ;] Apologies if they're not always as detailed as they could be, but they should nevertheless be helpful for anyone setting up a new Gentoo box. Ok, off we go!

I've mostly used as a reference the following links:

The Hardened GCC4 Toolchain Overlay Guide

LUKS on Gentoo

I used this live CD and this stage3 tarball because I wanted to give the weekly hardened ones a go just out of curiosity :). Also, as soon as it was possible I ssh'ed into the new box to make command pasting (and saving!) much easier.

Follow the Gentoo Installation handbook up to chapter 4. Ok, disk preparation - below I have created a 100MB boot partition (which has to stay unencrypted, since the bootloader must be able to read the kernel and initramfs from it), 2G of swap space and a root partition on the remaining disk space for the rest of the system. Note that only the root partition gets encrypted in this layout, so anything swapped out lands on disk in the clear; dm-crypt can cover swap as well (with a throwaway random key per boot, for instance) if that matters to you.

livecd ~ # fdisk /dev/sda
Device contains neither a valid DOS partition table, nor Sun, SGI or OSF disklabel
Building a new DOS disklabel with disk identifier 0x24c78168.
Changes will remain in memory only, until you decide to write them.
After that, of course, the previous content won't be recoverable.


The number of cylinders for this disk is set to 10011.
There is nothing wrong with that, but this is larger than 1024,
and could in certain setups cause problems with:
1) software that runs at boot time (e.g., old versions of LILO)
2) booting and partitioning software from other OSs
(e.g., DOS FDISK, OS/2 FDISK)
Warning: invalid flag 0x0000 of partition table 4 will be corrected by w(rite)

Command (m for help): n
Command action
e extended
p primary partition (1-4)
p
Partition number (1-4): 1
First cylinder (1-10011, default 1):
Using default value 1
Last cylinder, +cylinders or +size{K,M,G} (1-10011, default 10011): +100M

Command (m for help): p

Disk /dev/sda: 82.3 GB, 82348277760 bytes
255 heads, 63 sectors/track, 10011 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes
Disk identifier: 0x24c78168

Device Boot Start End Blocks Id System
/dev/sda1 1 14 112423+ 83 Linux

Command (m for help): n
Command action
e extended
p primary partition (1-4)
p
Partition number (1-4): 2
First cylinder (15-10011, default 15):
Using default value 15
Last cylinder, +cylinders or +size{K,M,G} (15-10011, default 10011): +2G

Command (m for help): n
Command action
e extended
p primary partition (1-4)
p
Partition number (1-4): p
Partition number (1-4): 3
First cylinder (277-10011, default 277):
Using default value 277
Last cylinder, +cylinders or +size{K,M,G} (277-10011, default 10011):
Using default value 10011

Command (m for help): w
The partition table has been altered!

Calling ioctl() to re-read partition table.
Syncing disks.


Now the encrypted partition creation. You can use different options, just check the cryptsetup man page. The options below select AES with a 256-bit key in CBC mode with ESSIV, where the sha256 is the hash ESSIV uses to derive per-sector IVs (it is not the passphrase hash; that one is set with --hash and defaults to SHA-1 in cryptsetup 1.0.x). Newer cryptsetup releases default to aes-xts-plain64 with a 512-bit key, which is the better choice where the kernel supports it; either way, state the cipher explicitly rather than relying on whatever the installed version happens to default to.

livecd ~ # cryptsetup --verbose --cipher "aes-cbc-essiv:sha256" --key-size 256 --verify-passphrase luksFormat /dev/sda3

WARNING!
========
This will overwrite data on /dev/sda3 irrevocably.

Are you sure? (Type uppercase yes): YES
Enter LUKS passphrase:
Verify passphrase:
Command successful.
livecd ~ #


Ahh - you'd better remember this passphrase! You've been warned... ;] Also keep in mind that the LUKS header at the start of /dev/sda3 holds the only copy of the wrapped master key: if it gets overwritten, the passphrase is worthless too (newer cryptsetup releases can save a copy with luksHeaderBackup).
Ok, now we need to 'map' the encrypted partition so it will be visible to the system:

livecd ~ # cryptsetup luksOpen /dev/sda3 root
Enter LUKS passphrase:
key slot 0 unlocked.
Command successful.
livecd ~ #
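An added example, not from the original post: a quick policy check on the LUKS1 header before trusting it with the root filesystem. luks1_policy reads `cryptsetup luksDump` output on stdin and reports cipher, mode, master-key size and the number of enabled key slots, failing when the mode has no IV tweak (cbc-plain, which leaks patterns and allows watermarking), the key is shorter than 256 bits, or more key slots are enabled than you expect (a stray extra slot is a classic sign that someone else added a passphrase). The dump in SAMPLE_DUMP is a constructed excerpt in the LUKS1 layout with a zeroed UUID; on the real box it comes from `cryptsetup luksDump /dev/sda3`.

```sh
#!/bin/sh
# luks1_policy <max_enabled_slots>   (cryptsetup luksDump text on stdin)
# Prints a one-line summary and returns 0 only if the header passes policy.
luks1_policy() {
    max_slots="${1:-1}"
    dump=$(cat)
    cipher=$(printf '%s\n' "$dump" | sed -n 's/^Cipher name:[[:space:]]*//p')
    mode=$(printf '%s\n' "$dump"   | sed -n 's/^Cipher mode:[[:space:]]*//p')
    bits=$(printf '%s\n' "$dump"   | sed -n 's/^MK bits:[[:space:]]*//p')
    slots=$(printf '%s\n' "$dump"  | grep -c '^Key Slot [0-7]: ENABLED' || true)

    status=ok
    case "$mode" in
        cbc-plain|cbc-plain64) status="weak-mode:$mode" ;;   # predictable IVs
    esac
    [ "${bits:-0}" -ge 256 ]       || status="short-key:${bits:-?}"
    [ "$slots" -le "$max_slots" ]  || status="extra-slots:$slots"

    echo "cipher=$cipher mode=$mode bits=$bits slots=$slots status=$status"
    [ "$status" = ok ]
}

# Constructed LUKS1 luksDump excerpt matching the luksFormat options above.
SAMPLE_DUMP='LUKS header information for /dev/sda3

Version:        1
Cipher name:    aes
Cipher mode:    cbc-essiv:sha256
Hash spec:      sha1
Payload offset: 2056
MK bits:        256
UUID:           00000000-0000-0000-0000-000000000000

Key Slot 0: ENABLED
Key Slot 1: DISABLED
Key Slot 2: DISABLED
Key Slot 3: DISABLED
Key Slot 4: DISABLED
Key Slot 5: DISABLED
Key Slot 6: DISABLED
Key Slot 7: DISABLED'

# Live use, as root, allowing exactly one passphrase slot:
#   cryptsetup luksDump /dev/sda3 | luks1_policy 1 || echo "header fails policy"
```

The parser targets the LUKS1 dump format used by cryptsetup of that era; LUKS2 headers print the cipher and keyslots differently and would need the patterns adjusted.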

Onto formatting! For the main partition choose whatever filesystem you want. For the boot partition I'd go with something stable like ext2 or ext3 so it is well supported by the bootloader. Speed doesn't really matter here - your kernel is loaded only once during boot ;)

livecd ~ # mkfs.ext3 /dev/sda1
mke2fs 1.41.3 (12-Oct-2008)
Filesystem label=
OS type: Linux
Block size=1024 (log=0)
Fragment size=1024 (log=0)
28112 inodes, 112420 blocks
5621 blocks (5.00%) reserved for the super user
First data block=1
Maximum filesystem blocks=67371008
14 block groups
8192 blocks per group, 8192 fragments per group
2008 inodes per group
Superblock backups stored on blocks:
8193, 24577, 40961, 57345, 73729

Writing inode tables: done
Creating journal (4096 blocks): done
Writing superblocks and filesystem accounting information: done

This filesystem will be automatically checked every 31 mounts or
180 days, whichever comes first. Use tune2fs -c or -i to override.

Being a curious person, I've chosen the ext4 filesystem for the root partition ;] Pay attention to /dev/mapper/root here instead of /dev/sda3! Formatting /dev/sda3 directly would wipe the LUKS header you just created.

livecd ~ # mkfs.ext4 /dev/mapper/root
mke2fs 1.41.3 (12-Oct-2008)
Filesystem label=
OS type: Linux
Block size=4096 (log=2)
Fragment size=4096 (log=2)
4890624 inodes, 19548839 blocks
977441 blocks (5.00%) reserved for the super user
First data block=0
Maximum filesystem blocks=4294967296
597 block groups
32768 blocks per group, 32768 fragments per group
8192 inodes per group
Superblock backups stored on blocks:
32768, 98304, 163840, 229376, 294912, 819200, 884736, 1605632, 2654208,
4096000, 7962624, 11239424

Writing inode tables: done
Creating journal (32768 blocks): done
Writing superblocks and filesystem accounting information: done

This filesystem will be automatically checked every 33 mounts or
180 days, whichever comes first. Use tune2fs -c or -i to override.

Now the newly created partitions need to be mounted as per the handbook:

livecd ~ # mount /dev/mapper/root /mnt/gentoo/
livecd ~ # mkdir /mnt/gentoo/boot
livecd ~ # mount /dev/sda1 /mnt/gentoo/boot/

Adjust date if necessary:

livecd ~ # date
Fri Sep 11 13:37:52 UTC 2009

And from there it's more or less a standard Gentoo installation... fetch and unpack the stage3 tarball and the latest portage snapshot. Both downloads go over plain HTTP here, so check them against the .DIGESTS file published alongside them before unpacking; they are the root of trust for everything compiled afterwards.

livecd ~ # cd /mnt/gentoo/
livecd gentoo # wget http://mirrors.kernel.org/gentoo/releases/amd64/autobuilds/current-iso/hardened/stage3-amd64-hardened+nomultilib-20090903.tar.bz2

livecd gentoo # tar xjpf stage3-*.tar.bz2

livecd gentoo # cd /mnt/gentoo
livecd gentoo # wget http://mirror.datapipe.net/gentoo/snapshots/portage-latest.tar.bz2
livecd gentoo # tar xjpf portage* -C usr/


Before any compilation is done on the system, adjust make.conf to suit your needs (CFLAGS, USE flags, etc.). Again, the handbook and many online resources have more details.

livecd ~ # nano /mnt/gentoo/etc/make.conf

adjust as needed...

Chrooting!

livecd ~ # mount -t proc none /mnt/gentoo/proc
livecd ~ # mount -o bind /dev /mnt/gentoo/dev
livecd ~ # cp -Lv /etc/resolv.conf /mnt/gentoo/etc/resolv.conf
`/etc/resolv.conf' -> `/mnt/gentoo/etc/resolv.conf'
livecd ~ # chroot /mnt/gentoo /bin/bash
livecd / # env-update && source /etc/profile
>>> Regenerating /etc/ld.so.cache...
livecd / # export PS1="(chroot) $PS1"
(chroot) livecd / #

Nice, now update the portage tree:

(chroot) livecd / # emerge --sync --quiet

Performing Global Updates: /usr/portage/profiles/updates/3Q-2009
(Could take a couple of minutes if you have a lot of binary packages.)
.='update pass' *='binary update' #='/var/db update' @='/var/db move'
s='/var/db SLOT move' %='binary move' S='binary SLOT move'
p='update /etc/portage/package.*'
...............................................
(chroot) livecd / #

Localisation bits below...speeds up compilation of glibc as it doesn't need to generate 400+ locales! ;]

(chroot) livecd / # nano -w /etc/locale.gen
(chroot) livecd / # locale-gen
* Generating 2 locales (this might take a while) with 1 jobs
* (1/2) Generating en_US.ISO-8859-1 ... [ ok ]
* (2/2) Generating en_US.UTF-8 ... [ ok ]
* Generation complete

We'll need the layman tool, so let's emerge it now:

(chroot) livecd / # emerge -av layman

!!! Your current profile is deprecated and not supported anymore.
!!! Please upgrade to the following profile if possible:
hardened/linux/amd64/10.0/no-multilib
To upgrade do the following steps:
# Use eselect profile to switch into 10.0 profile.

These are the packages that would be merged, in order:

Calculating dependencies... done!
[ebuild N ] dev-python/pyxml-0.8.4-r2 USE="-doc -examples" 718 kB
[ebuild N ] app-portage/layman-1.2.3 USE="-git -subversion -test" 46 kB

Total: 2 packages (2 new), Size of downloads: 764 kB

Would you like to merge these packages? [Yes/No]


Oppsie! Ok, so the Gentoo profile needs to be changed first. Let's see what we've got:

(chroot) livecd / # eselect profile list
Available profile symlink targets:
[1] default/linux/amd64/2008.0
[2] default/linux/amd64/2008.0/desktop
[3] default/linux/amd64/2008.0/developer
[4] default/linux/amd64/2008.0/no-multilib
[5] default/linux/amd64/2008.0/server
[6] default/linux/amd64/10.0
[7] default/linux/amd64/10.0/desktop
[8] default/linux/amd64/10.0/developer
[9] default/linux/amd64/10.0/no-multilib
[10] default/linux/amd64/10.0/server
[11] hardened/amd64
[12] hardened/amd64/multilib
[13] selinux/2007.0/amd64
[14] selinux/2007.0/amd64/hardened
[15] selinux/v2refpolicy/amd64
[16] selinux/v2refpolicy/amd64/desktop
[17] selinux/v2refpolicy/amd64/developer
[18] selinux/v2refpolicy/amd64/hardened
[19] selinux/v2refpolicy/amd64/server
[20] hardened/linux/amd64/10.0
[21] hardened/linux/amd64/10.0/no-multilib

That's a no brainer really... ;] Hardened no-multilib is the way to go! ;)

(chroot) livecd / # eselect profile set 21

Now emerge layman. Note that you're most likely still using gcc-3.4.6, which does not support the -march=native option. I was too quick to adjust my CFLAGS, so I had to change it to -march=k8 for my AMD64 X2 CPU.
Adding the hardened overlay:

(chroot) livecd / # layman -a hardened-development
* Failed to add overlay "hardened-development".
* Error was: Binary /usr/bin/git seems to be missing! Overlay type "git" not supported. Did you emerge dev-util/git?

I did forget about git indeed! ;] Because I had plenty of USE flags enabled at this stage, I did not want to pull in too many dependencies at this point, hence I disabled some of the flags:

(chroot) livecd / # USE="-gnome -perl -gtk" emerge -av dev-util/git
These are the packages that would be merged, in order:

Calculating dependencies... done!
[ebuild N ] virtual/libintl-0 0 kB
[ebuild N ] dev-libs/libgpg-error-1.7 USE="nls" 395 kB
[ebuild N ] dev-libs/libtasn1-2.3 USE="-doc" 1,449 kB
[ebuild N ] dev-libs/libgcrypt-1.4.4 1,117 kB
[ebuild N ] net-libs/gnutls-2.6.6 USE="cxx nls zlib -bindist -doc -guile -lzo" 4,997 kB
[ebuild N ] net-misc/curl-7.19.6 USE="gnutls ipv6 ssl -ares -idn -kerberos -ldap -libssh2 -nss -test" 2,293 kB
[ebuild N ] dev-util/git-1.6.3.3 USE="bash-completion curl iconv threads xinetd -cgi -cvs -doc -emacs -gtk -mozsha1 -perl (-ppcsha1) -subversion -tk -webdav" 2,252 kB

Total: 7 packages (7 new), Size of downloads: 12,501 kB

Would you like to merge these packages? [Yes/No]

Oh yes, I would! Once git is merged we can proceed with adding the overlay:

(chroot) livecd / # layman -a hardened-development
* Running command "/usr/bin/git clone "git://git.overlays.gentoo.org/proj/hardened-development.git" "/usr/local/portage/layman/hardened-development""...
Initialized empty Git repository in /usr/local/portage/layman/hardened-development/.git/
remote: Counting objects: 2266, done.
remote: Compressing objects: 100% (1144/1144), done.
remote: Total 2266 (delta 1026), reused 2154 (delta 961)
Receiving objects: 100% (2266/2266), 2.13 MiB | 657 KiB/s, done.
Resolving deltas: 100% (1026/1026), done.
* Successfully added overlay "hardened-development".

Now change /etc/make.conf to include layman's overlays. Adding this line should do (the path is layman's storage directory, the same one the clone above went into):

source /usr/local/portage/layman/make.conf

In true Gentoo fashion there will be some keywording/unmasking needed. I went for directories with files beneath, but you could use one file for each task if you wish.

(chroot) livecd ~ # cd /etc/
(chroot) livecd etc # mkdir portage && cd portage
(chroot) livecd etc # mkdir package.keywords
(chroot) livecd etc # mkdir package.unmask
(chroot) livecd portage # echo "=sys-devel/gcc-4.4*" >>/etc/portage/package.keywords/toolchain
(chroot) livecd portage # echo "=sys-devel/gcc-4.4*" >>/etc/portage/package.unmask/toolchain
(chroot) livecd portage # echo "=sys-libs/glibc-2.10*" >>/etc/portage/package.keywords/toolchain
(chroot) livecd portage # echo "=sys-libs/glibc-2.10*" >>/etc/portage/package.unmask/toolchain

We need a repos.conf file so that Portage takes the overlay's eclasses in preference to the ones in the main tree (the hardened toolchain build depends on that). This file goes into /etc/portage and should contain the following:

# cat /etc/portage/repos.conf
[gentoo]
eclass-overrides = hardened-dev

Also, in order to compile glibc you need to disable the profile flag for it in package.use file:

echo "sys-libs/glibc -profile" >> /etc/portage/package.use

Let's see what will happen now...

(chroot) livecd layman # emerge -av gcc-config linux-headers glibc binutils gcc portage -1

These are the packages that would be merged, in order:
Calculating dependencies... done!
!!! All ebuilds that could satisfy ">=dev-libs/ppl-0.10" have been masked.
!!! One of the following masked packages is required to complete your request:
- dev-libs/ppl-0.10.2 (masked by: ~amd64 keyword)
For more information, see the MASKED PACKAGES section in the emerge
man page or refer to the Gentoo Handbook.
(dependency required by "sys-devel/gcc-4.4.1-r2" [ebuild])
(dependency required by "gcc" [argument])

Obvious! I've enabled the graphite extensions and forgot about their dependencies. More keywording, then.

(chroot) livecd layman # echo ">=dev-libs/ppl-0.10" >> /etc/portage/package.keywords/toolchain
(chroot) livecd package.keywords # echo ">=dev-libs/cloog-ppl-0.15" >> /etc/portage/package.keywords/toolchain
(chroot) livecd package.keywords # emerge -av gcc-config linux-headers glibc binutils gcc portage -1

These are the packages that would be merged, in order:

Calculating dependencies... done!
[ebuild R ] sys-apps/portage-2.1.6.13 USE="-build -doc -epydoc (-selinux)" LINGUAS="pl*" 733 kB [0]
[ebuild N ] dev-libs/gmp-4.2.4 USE="-nocxx" 1,671 kB [0]
[ebuild R ] sys-devel/gcc-config-1.4.1 0 kB [0]
[ebuild R ] sys-devel/binutils-2.18-r3 USE="nls* (-gold) -multislot -multitarget -test -vanilla" 14,629 kB [0]
[ebuild N ] dev-libs/ppl-0.10.2 USE="-doc (-pch) -prolog -test -watchdog" 9,590 kB [0]
[ebuild R ] sys-kernel/linux-headers-2.6.27-r2 3,509 kB [0]
[ebuild N ] dev-libs/mpfr-2.4.1_p1 883 kB [0]
[ebuild N ] dev-libs/cloog-ppl-0.15.7 750 kB [0]
[ebuild NS ] sys-devel/gcc-4.4.1-r2 [3.4.6-r2] USE="graphite gtk hardened mudflap nls nptl (-altivec) -bootstrap -build -doc (-fixed-point) -fortran -gcj -ip28 -ip32r10k -libffi (-multilib) -multislot (-n32) (-n64) -nocxx -objc -objc++ -objc-gc -openmp -test -vanilla" 61,426 kB [1]
[ebuild U ] sys-libs/glibc-2.10.1 [2.9_p20081201-r2] USE="gd* hardened nls* profile* -debug -glibc-omitfp (-multilib) (-selinux) -vanilla" 15,909 kB [0=>1]

Total: 10 packages (1 upgrade, 4 new, 1 in new slot, 4 reinstalls), Size of downloads: 109,097 kB
Portage tree and overlays:
[0] /usr/portage
[1] /usr/local/portage/layman/hardened-development

Would you like to merge these packages? [Yes/No]

Ok, nearly there, but I wanted newer linux-headers! ;] So:

(chroot) livecd package.keywords # echo sys-kernel/linux-headers >> /etc/portage/package.keywords/system
(chroot) livecd package.keywords # emerge -av gcc-config linux-headers glibc binutils gcc portage -1

These are the packages that would be merged, in order:
Calculating dependencies... done!
[ebuild R ] sys-apps/portage-2.1.6.13 USE="-build -doc -epydoc (-selinux)" LINGUAS="pl*" 733 kB [0]
[ebuild N ] dev-libs/gmp-4.2.4 USE="-nocxx" 1,671 kB [0]
[ebuild R ] sys-devel/gcc-config-1.4.1 0 kB [0]
[ebuild R ] sys-devel/binutils-2.18-r3 USE="nls* (-gold) -multislot -multitarget -test -vanilla" 14,629 kB [0]
[ebuild N ] dev-libs/ppl-0.10.2 USE="-doc (-pch) -prolog -test -watchdog" 9,590 kB [0]
[ebuild U ] sys-kernel/linux-headers-2.6.30-r1 [2.6.27-r2] 3,780 kB [0]
[ebuild N ] dev-libs/mpfr-2.4.1_p1 883 kB [0]
[ebuild N ] dev-libs/cloog-ppl-0.15.7 750 kB [0]
[ebuild NS ] sys-devel/gcc-4.4.1-r2 [3.4.6-r2] USE="graphite gtk hardened mudflap nls nptl (-altivec) -bootstrap -build -doc (-fixed-point) -fortran -gcj -ip28 -ip32r10k -libffi (-multilib) -multislot (-n32) (-n64) -nocxx -objc -objc++ -objc-gc -openmp -test -vanilla" 61,426 kB [1]
[ebuild U ] sys-libs/glibc-2.10.1 [2.9_p20081201-r2] USE="gd* hardened nls* profile* -debug -glibc-omitfp (-multilib) (-selinux) -vanilla" 15,909 kB [0=>1]

Total: 10 packages (2 upgrades, 4 new, 1 in new slot, 3 reinstalls), Size of downloads: 109,368 kB
Portage tree and overlays:
[0] /usr/portage
[1] /usr/local/portage/layman/hardened-development

Would you like to merge these packages? [Yes/No]

Oh yes! So one last check before we go, to ensure that everything is set to build our new shiny hardened toolchain:

(chroot) livecd package.keywords # eselect profile list
Available profile symlink targets:
[1] default/linux/amd64/2008.0
[2] default/linux/amd64/2008.0/desktop
[3] default/linux/amd64/2008.0/developer
[4] default/linux/amd64/2008.0/no-multilib
[5] default/linux/amd64/2008.0/server
[6] default/linux/amd64/10.0
[7] default/linux/amd64/10.0/desktop
[8] default/linux/amd64/10.0/developer
[9] default/linux/amd64/10.0/no-multilib
[10] default/linux/amd64/10.0/server
[11] hardened/amd64
[12] hardened/amd64/multilib
[13] selinux/2007.0/amd64
[14] selinux/2007.0/amd64/hardened
[15] selinux/v2refpolicy/amd64
[16] selinux/v2refpolicy/amd64/desktop
[17] selinux/v2refpolicy/amd64/developer
[18] selinux/v2refpolicy/amd64/hardened
[19] selinux/v2refpolicy/amd64/server
[20] hardened/linux/amd64/10.0
[21] hardened/linux/amd64/10.0/no-multilib *
(chroot) livecd package.keywords # gcc-config -l
[1] x86_64-pc-linux-gnu-3.4.6 *
[2] x86_64-pc-linux-gnu-3.4.6-hardenednopie
[3] x86_64-pc-linux-gnu-3.4.6-hardenednopiessp
[4] x86_64-pc-linux-gnu-3.4.6-hardenednossp
[5] x86_64-pc-linux-gnu-3.4.6-vanilla

All set! So let's emerge the toolchain (the last emerge command above).

Hmm...that didn't work, did it?

>>> Failed to emerge dev-libs/ppl-0.10.2, Log file:

Let's temporarily disable the graphite USE flag, then:

(chroot) livecd package.keywords # USE="-graphite" emerge -av linux-headers glibc gcc -1
These are the packages that would be merged, in order:
Calculating dependencies... done!
[ebuild U ] sys-kernel/linux-headers-2.6.30-r1 [2.6.27-r2] 0 kB [0]
[ebuild N ] dev-libs/mpfr-2.4.1_p1 0 kB [0]
[ebuild NS ] sys-devel/gcc-4.4.1-r2 [3.4.6-r2] USE="gtk hardened mudflap nls nptl (-altivec) -bootstrap -build -doc (-fixed-point) -fortran -gcj -graphite -ip28 -ip32r10k -libffi (-multilib) -multislot (-n32) (-n64) -nocxx -objc -objc++ -objc-gc -openmp -test -vanilla" 0 kB [1]
[ebuild U ] sys-libs/glibc-2.10.1 [2.9_p20081201-r2] USE="gd* hardened nls* profile* -debug -glibc-omitfp (-multilib) (-selinux) -vanilla" 0 kB [0=>1]

Total: 4 packages (2 upgrades, 1 new, 1 in new slot), Size of downloads: 0 kB
Portage tree and overlays:
[0] /usr/portage
[1] /usr/local/portage/layman/hardened-development

Would you like to merge these packages? [Yes/No]

Yuppie - this worked:

(chroot) livecd package.keywords # gcc-config -l
[1] x86_64-pc-linux-gnu-3.4.6 *
[2] x86_64-pc-linux-gnu-3.4.6-hardenednopie
[3] x86_64-pc-linux-gnu-3.4.6-hardenednopiessp
[4] x86_64-pc-linux-gnu-3.4.6-hardenednossp
[5] x86_64-pc-linux-gnu-3.4.6-vanilla
[6] x86_64-pc-linux-gnu-4.4.1
[7] x86_64-pc-linux-gnu-4.4.1-hardenednopie
[8] x86_64-pc-linux-gnu-4.4.1-hardenednossp
[9] x86_64-pc-linux-gnu-4.4.1-vanilla

So let's switch to our new compiler and try to rebuild it with the graphite extensions enabled (you'll need the graphite USE flag enabled in /etc/make.conf):

(chroot) livecd package.keywords # gcc-config 6
* Switching native-compiler to x86_64-pc-linux-gnu-4.4.1 ...
>>> Regenerating /etc/ld.so.cache... [ ok ]

* If you intend to use the gcc from the new profile in an already
* running shell, please remember to do:

* # source /etc/profile

(chroot) livecd package.keywords # source /etc/profile
(chroot) livecd package.keywords # emerge -av gcc

These are the packages that would be merged, in order:

Calculating dependencies... done!
[ebuild N ] dev-libs/ppl-0.10.2 USE="-doc (-pch) -prolog -test -watchdog" 0 kB [0]
[ebuild N ] dev-libs/cloog-ppl-0.15.7 0 kB [0]
[ebuild R ] sys-devel/gcc-4.4.1-r2 USE="graphite* gtk hardened mudflap nls nptl (-altivec) -bootstrap -build -doc (-fixed-point) -fortran -gcj -ip28 -ip32r10k -libffi (-multilib) -multislot (-n32) (-n64) -nocxx -objc -objc++ -objc-gc -openmp -test -vanilla" 0 kB [1]

Total: 3 packages (2 new, 1 reinstall), Size of downloads: 0 kB
Portage tree and overlays:
[0] /usr/portage
[1] /usr/local/portage/layman/hardened-development

Would you like to merge these packages? [Yes/No] y

ppl failed again ;( I tried rebuilding binutils and glibc with the new compiler first, but that didn't work either. As is usually the case, the solution was simple and was even given on the screen!

livecd package.keywords # fix_libtool_files.sh 3.4.6
* Scanning libtool files for hardcoded gcc library paths...
* [1/7] Scanning /lib ...
* [2/7] Scanning /usr/lib ...
* [3/7] Scanning /lib64 ...
* [4/7] Scanning /usr/lib64 ...
* FIXING: /usr/lib64/gcc/x86_64-pc-linux-gnu/3.4.6/libsupc++.la ...[]
* FIXING: /usr/lib64/gcc/x86_64-pc-linux-gnu/3.4.6/libstdc++.la ...[]
* [5/7] Scanning /usr/local/lib ...
* [6/7] Scanning /usr/local/lib64 ...
* [7/7] Scanning /usr/x86_64-pc-linux-gnu/lib ...

Right, we're on track... emerge gcc with graphite enabled and it should work this time. To take full advantage of the graphite framework you'll need to change your CFLAGS (see the bottom of this page). I also wanted to enable ccache to speed up all the recompilations ;]

livecd # emerge -av ccache
These are the packages that would be merged, in order:
Calculating dependencies... done!
[ebuild N ] dev-util/ccache-2.4-r7 85 kB
Total: 1 package (1 new), Size of downloads: 85 kB
Would you like to merge these packages? [Yes/No]

This requires the following changes in make.conf (choose whatever cache size you want):

livecd package.keywords # nano /etc/make.conf

FEATURES="ccache"
CCACHE_SIZE="5G"

At last! The new gcc has arrived:

livecd package.keywords # gcc -v
Using built-in specs.
Target: x86_64-pc-linux-gnu
Configured with: /var/tmp/portage/sys-devel/gcc-4.4.1-r2/work/gcc-4.4.1/configure --prefix=/usr --bindir=/usr/x86_64-pc-linux-gnu/gcc-bin/4.4.1 --includedir=/usr/lib/gcc/x86_64-pc-linux-gnu/4.4.1/include --datadir=/usr/share/gcc-data/x86_64-pc-linux-gnu/4.4.1 --mandir=/usr/share/gcc-data/x86_64-pc-linux-gnu/4.4.1/man --infodir=/usr/share/gcc-data/x86_64-pc-linux-gnu/4.4.1/info --with-gxx-include-dir=/usr/lib/gcc/x86_64-pc-linux-gnu/4.4.1/include/g++-v4 --host=x86_64-pc-linux-gnu --build=x86_64-pc-linux-gnu --disable-altivec --disable-fixed-point --with-ppl --with-cloog --enable-nls --without-included-gettext --with-system-zlib --disable-checking --disable-werror --enable-secureplt --disable-multilib --enable-libmudflap --disable-libssp --enable-espf --disable-libgomp --enable-cld --with-python-dir=/share/gcc-data/x86_64-pc-linux-gnu/4.4.1/python --disable-libgcj --enable-languages=c,c++ --enable-shared --enable-threads=posix --enable-__cxa_atexit --enable-clocale=gnu --with-bugurl=http://bugs.gentoo.org/ --with-pkgversion='Gentoo Hardened 4.4.1-r2 p1.0, espf-0.3.3'
Thread model: posix
gcc version 4.4.1 (Gentoo Hardened 4.4.1-r2 p1.0, espf-0.3.3)
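An added example, not from the original post: before recompiling the world, it is worth confirming that the compiler gcc-config now points at really emits hardened binaries, rather than trusting the "Gentoo Hardened" banner in gcc -v. elf_hardening classifies `readelf -h -l -d -s` output on stdin (PIE, RELRO/BIND_NOW, stack protector, non-executable stack), check_binary runs it on a file, and check_toolchain compiles a throwaway program with the active gcc and reports on the result. The two readelf excerpts are constructed and trimmed to the lines the classifier looks at; gcc, readelf and mktemp are assumed to be on the PATH, and "ELF type DYN" is taken to mean PIE because the input is an executable, not a shared library.

```sh
#!/bin/sh
# elf_hardening: readelf -h -l -d -s text on stdin -> one line of flags.
elf_hardening() {
    dump=$(cat)
    pie=no;     printf '%s\n' "$dump" | grep -Eq '^ *Type: *DYN'          && pie=yes
    relro=none; printf '%s\n' "$dump" | grep -q  'GNU_RELRO'               && relro=partial
    # BIND_NOW (or the NOW bit in FLAGS_1) upgrades partial RELRO to full.
    [ "$relro" = partial ] && printf '%s\n' "$dump" | grep -Eq 'BIND_NOW|Flags:.* NOW' && relro=full
    # A reference to __stack_chk_fail means at least one function got a canary.
    ssp=no;     printf '%s\n' "$dump" | grep -q  '__stack_chk_fail'        && ssp=yes
    # GNU_STACK with RWE flags means an executable stack.
    nx=yes;     printf '%s\n' "$dump" | grep -Eq '^ *GNU_STACK.* RWE'      && nx=no
    echo "pie=$pie relro=$relro ssp=$ssp nx=$nx"
}

# check_binary <elf-file>
check_binary() {
    readelf -h -l -d -s "$1" | elf_hardening
}

# check_toolchain: compile a program with a stack buffer (so the protector
# has something to instrument) using whatever gcc is active, and report.
# With the hardened specs this should give pie=yes relro=full ssp=yes nx=yes;
# a compiler without them (or invoked with -fno-PIE -fno-stack-protector)
# shows pie=no and ssp=no.
check_toolchain() {
    dir=$(mktemp -d)
    printf '#include <string.h>\nint main(int argc, char **argv) { char b[64]; strcpy(b, argv[argc - 1]); return b[0]; }\n' > "$dir/t.c"
    gcc -o "$dir/t" "$dir/t.c" || { rm -rf "$dir"; return 1; }
    check_binary "$dir/t"
    rm -rf "$dir"
}

# Constructed readelf excerpts, trimmed to the relevant lines.
SAMPLE_HARDENED='  Type:                              DYN (Shared object file)
  GNU_STACK      0x0000000000000000 0x0000000000000000 0x0000000000000000 0x0000000000000000 0x0000000000000000 RW     0x10
  GNU_RELRO      0x0000000000000de8 0x0000000000200de8 0x0000000000200de8 0x0000000000000218 0x0000000000000218 R      0x1
 0x0000000000000018 (BIND_NOW)
     2: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND __stack_chk_fail@GLIBC_2.4 (2)'
SAMPLE_PLAIN='  Type:                              EXEC (Executable file)
  GNU_STACK      0x0000000000000000 0x0000000000000000 0x0000000000000000 0x0000000000000000 0x0000000000000000 RWE    0x10'

# Live use after `gcc-config 6 && source /etc/profile`:
#   check_toolchain
#   check_binary /bin/ls     # or any binary rebuilt by emerge -e world
```

Running check_binary over a handful of system binaries after the emerge -e world below is a cheap way to spot packages whose build system strips the hardened flags back out (their ebuilds usually carry a note about it).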

Ok, nice and sweet. Now we need to recompile world so that everything on the box is built by the hardened toolchain. Again, due to some circular dependencies I disabled the gnome flag which I had already enabled in make.conf ;) :

time USE="-gnome" emerge -ev world --keep-going
failed to compile:
* The following 34 packages have failed to build or install:
*
* ('ebuild', '/', 'sys-fs/cryptsetup-1.0.6-r2', 'merge')
* ('ebuild', '/', 'gnome-base/libgnomeprint-2.18.5', 'merge')
* ('ebuild', '/', 'dev-python/libgnomecanvas-python-2.22.3', 'merge')
* ('ebuild', '/', 'net-print/libgnomecups-0.2.3', 'merge')
* ('ebuild', '/', 'app-misc/hal-info-20090414', 'merge')
* ('ebuild', '/', 'x11-base/xorg-server-1.5.3-r6', 'merge')
* ('ebuild', '/', 'sys-apps/hal-0.5.11-r9', 'merge')
* ('ebuild', '/', 'dev-python/pygtk-2.14.1-r1', 'merge')
* ('ebuild', '/', 'x11-libs/gtksourceview-1.8.5-r1', 'merge')
* ('ebuild', '/', 'dev-python/gnome-python-base-2.22.3', 'merge')
* ('ebuild', '/', 'gnome-base/libgnomecanvas-2.20.1.1', 'merge')
* ('ebuild', '/', 'dev-python/gnome-python-desktop-base-2.24.1', 'merge')
* ('ebuild', '/', 'net-print/cups-1.3.10-r2', 'merge')
* ('ebuild', '/', 'x11-drivers/xf86-video-openchrome-0.2.903', 'merge')
* ('ebuild', '/', 'net-fs/samba-3.0.33', 'merge')
* ('ebuild', '/', 'gnome-base/gail-1000', 'merge')
* ('ebuild', '/', 'x11-drivers/xf86-input-mouse-1.4.0', 'merge')
* ('ebuild', '/', 'dev-python/libgnomeprint-python-2.24.1', 'merge')
* ('ebuild', '/', 'app-text/ghostscript-gpl-8.64-r3', 'merge')
* ('ebuild', '/', 'gnome-base/libglade-2.6.4', 'merge')
* ('ebuild', '/', 'gnome-base/libgnomeprintui-2.18.3', 'merge')
* ('ebuild', '/', 'x11-drivers/xf86-input-keyboard-1.3.2', 'merge')
* ('ebuild', '/', 'dev-python/gtksourceview-python-2.24.1', 'merge')
* ('ebuild', '/', 'virtual/ghostscript-0', 'merge')
* ('ebuild', '/', 'dev-util/git-1.6.3.3', 'merge')
* ('ebuild', '/', 'x11-libs/gtk+-2.14.7-r2', 'merge')
* ('ebuild', '/', 'dev-python/pygobject-2.18.0', 'merge')
* ('ebuild', '/', 'x11-libs/libXaw-1.0.5', 'merge')
* ('ebuild', '/', 'x11-terms/xterm-242', 'merge')
* ('ebuild', '/', 'x11-apps/xinit-1.0.8-r4', 'merge')
* ('ebuild', '/', 'sys-apps/groff-1.20.1-r1', 'merge')
* ('ebuild', '/', 'x11-apps/xmessage-1.0.2-r1', 'merge')
* ('ebuild', '/', 'x11-apps/xsm-1.0.1-r1', 'merge')
* ('ebuild', '/', 'x11-apps/xclock-1.0.3-r1', 'merge')
*

Nothing critical ;D Well... cryptsetup maybe. I don't remember why it failed, but as it was already installed it worked fine, and I think that it needed to be keyworded with ~amd64 and then it compiled fine. Further system adjustments:

livecd # sed -i 's/once/once,--hash-style=gnu/' /etc/make.conf
livecd # etc-update
livecd # emerge syslog-ng ntp lilo vixie-cron sysfsutils dhcpcd eix gentoolkit portage-utils genlop
livecd # cp /usr/share/zoneinfo/GMT /etc/localtime


Kernel time - I used 2.6.31, which has since been upgraded to 2.6.31.1 and is running perfectly fine. I strongly recommend using 2.6.31.1! Also, the patch utility is needed. grsecurity publishes a detached signature next to each patch; verifying it with gpg before applying something that will run in ring 0 is worth the extra ten seconds.

livecd src # wget http://grsecurity.net/test/grsecurity-2.1.14-2.6.31-200909121839.patch
livecd src # emerge patch
livecd src # tar jxf linux-2.6.31.tar.bz2
livecd src # patch -p0 < grsecurity-2.1.14-2.6.31-200909121839.patch
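An added example, not from the original post: applying a kernel patch only after a clean dry run, with the -p strip level probed rather than guessed (the right level depends on how the patch was generated, and a wrong guess with a prompting patch can leave a half-applied tree). apply_patch_checked tries -p0 through -p2 with --dry-run, no fuzz and no prompts, applies for real at the first level that is clean, and touches nothing if none is. The one-file "kernel tree" and matching diff built by make_fixture are constructed here so the function can be exercised without the 2.6.31 sources; the patch name in the usage comment is the one from the post.

```sh
#!/bin/sh
# apply_patch_checked <srcdir> <patchfile>
# Prints the strip level used and returns 0 on success; returns 1, leaving
# the tree untouched, if the patch does not apply cleanly at any level.
apply_patch_checked() {
    srcdir="$1"; patchfile="$2"
    for p in 0 1 2; do
        # -f: never prompt (and never assume a reversed patch); -F0: no fuzz.
        if (cd "$srcdir" && patch -s -f -F0 -p"$p" --dry-run < "$patchfile" >/dev/null 2>&1); then
            (cd "$srcdir" && patch -s -f -F0 -p"$p" < "$patchfile" >/dev/null)
            echo "$p"
            return 0
        fi
    done
    echo "patch does not apply cleanly at -p0..-p2; not applied" >&2
    return 1
}

# make_fixture <base>: constructed tree plus a diff whose paths start with
# the tree name, i.e. the layout for which -p0 from the directory above the
# tree (as in the post, /usr/src) is the right choice.
make_fixture() {
    base="$1"
    mkdir -p "$base/linux-2.6.31/init"
    printf 'int main(void)\n{\n    return 0;\n}\n' > "$base/linux-2.6.31/init/main.c"
    cat > "$base/grsec.patch" <<'EOF'
--- linux-2.6.31/init/main.c
+++ linux-2.6.31/init/main.c
@@ -1,4 +1,5 @@
 int main(void)
 {
+    /* constructed one-line change */
     return 0;
 }
EOF
}

# Live use, mirroring the post (from /usr/src, after the wget and tar):
#   apply_patch_checked /usr/src grsecurity-2.1.14-2.6.31-200909121839.patch
```

Applying the same patch a second time is rejected, which is exactly what you want when a half-remembered "did I already patch this tree?" comes up.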

The easiest way to go about kernel configuration is to use the one from livecd - once it's working we can start stripping it down of unnecessary stuff.
Outside chroot:

zcat /proc/config.gz > /mnt/gentoo/usr/src/linux-2.6.31/.config

Back to chroot (forgot about the genkernel! ;) ):

livecd src # ln -s linux-2.6.31 linux
livecd src # emerge genkernel
livecd src # emerge -av cryptsetup
livecd src # rc-update add dmcrypt boot

Also, /etc/genkernel.conf needs LUKS="yes" set (default is no). You could also tweak other options.

CLEAN="no"
MRPROPER="no"
LUKS="yes"

Compile! Remember to add the --luks option so a LUKS-aware initrd will be created.

livecd linux-2.6.31 # genkernel --luks all
* Gentoo Linux Genkernel; Version 3.4.10.904
* Running with options: --luks all

* Linux Kernel 2.6.31 for x86_64...
* >> Running oldconfig...
* config: --no-clean is enabled; leaving the .config alone.
* >> Compiling 2.6.31-grsec bzImage...
* >> Compiling 2.6.31-grsec modules...
* Copying config for successful build to /etc/kernels/kernel-config-x86_64-2.6.31-grsec
* busybox: >> Applying patches...
* busybox: >> Configuring...
* busybox: >> Compiling...
* busybox: >> Copying to cache...
* initramfs: >> Initializing...
* >> Appending base_layout cpio data...
* >> Appending auxilary cpio data...
* >> Appending busybox cpio data...
* >> Appending luks cpio data...
* Including LUKS support
* >> Appending modules cpio data...
*
* Kernel compiled successfully!
*
* Required Kernel Parameters:
* real_root=/dev/$ROOT
*
* Where $ROOT is the device node for your root partition as the
* one specified in /etc/fstab
*
* If you require Genkernel's hardware detection features; you MUST
* tell your bootloader to use the provided INITRAMFS file. Otherwise;
* substitute the root argument for the real_root argument if you are
* not planning to use the initramfs...

* WARNING... WARNING... WARNING...
* Additional kernel cmdline arguments that *may* be required to boot properly...

* Do NOT report kernel bugs as genkernel bugs unless your bug
* is about the default genkernel configuration...
*
* Make sure you have the latest genkernel before reporting bugs.

Nearly there. /etc/fstab needs to be adjusted so our new system will boot properly. If you've used the same partitioning scheme, here's how it needs to look:

/dev/sda1 /boot ext3 noauto,noatime 1 2
/dev/mapper/root / ext4 noatime 0 1
/dev/crypt-swap none swap sw 0 0
/dev/cdrom /mnt/cdrom auto noauto,ro 0 0
#/dev/fd0 /mnt/floppy auto noauto 0 0

To get encrypted swap partition working you need to add this to /etc/conf.d/dmcrypt :

swap=crypt-swap
source='/dev/sda2'

Almost ready for reboot! Edit hostname and clock settings (/etc/hostname and /etc/conf.d/clock) and proceed to the boot loader config. Due to never-ending issues with grub on amd64 we're (for now at least) stuck with lilo ;]. In order to get it to work with LUKS the append line should look like this:

append="init=/linuxrc ramdisk=8192 crypt_root=/dev/sda3 real_root=/dev/mapper/root"

And I still leave the root=/dev/sda3 option in as well. Before you reboot, also make sure that you've changed the root password. Reboot!
Let's test it then, shall we? Emerge and run paxtest:
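As an added example (not part of the original post), here is a small POSIX sh pre-reboot check that the four files touched above agree with each other. The sample configs it writes are constructed from the values used in this post; the checker itself is my own, not a Gentoo tool.

```shell
# Constructed sample configs carrying the values used in the post above;
# $1 = directory, $2 = value for LUKS= in genkernel.conf ("yes" is the working one).
mk_sample_configs() {
    printf 'CLEAN="no"\nMRPROPER="no"\nLUKS="%s"\n' "$2" > "$1/genkernel.conf"
    printf "swap=crypt-swap\nsource='/dev/sda2'\n" > "$1/dmcrypt"
    printf '%s\n' '/dev/sda1 /boot ext3 noauto,noatime 1 2' \
        '/dev/mapper/root / ext4 noatime 0 1' \
        '/dev/crypt-swap none swap sw 0 0' > "$1/fstab"
    printf 'append="init=/linuxrc ramdisk=8192 crypt_root=/dev/sda3 real_root=/dev/mapper/root"\n' \
        > "$1/lilo.conf"
}

# check_luks_boot_config GENKERNEL_CONF DMCRYPT_CONF FSTAB LILO_CONF
# Prints every inconsistency found; returns 1 if there was any, 0 if the four files agree.
check_luks_boot_config() {
    rc=0
    # 1. genkernel only puts the LUKS tooling into the initramfs when LUKS="yes"
    grep -q '^LUKS="yes"' "$1" || { echo "genkernel.conf: LUKS is not \"yes\""; rc=1; }
    # 2. the lilo append line must name both the raw LUKS partition and the mapped root
    append=$(sed -n 's/^append="\(.*\)"/\1/p' "$4")
    crypt_root=$(printf '%s\n' "$append" | tr ' ' '\n' | sed -n 's/^crypt_root=//p')
    real_root=$(printf '%s\n' "$append" | tr ' ' '\n' | sed -n 's/^real_root=//p')
    [ -n "$crypt_root" ] || { echo "lilo.conf: append lacks crypt_root="; rc=1; }
    [ -n "$real_root" ]  || { echo "lilo.conf: append lacks real_root=";  rc=1; }
    # 3. real_root has to be the device-mapper node, never the raw (still encrypted) partition
    case $real_root in
        ""|/dev/mapper/*) ;;
        *) echo "lilo.conf: real_root=$real_root is not a /dev/mapper node"; rc=1 ;;
    esac
    # 4. fstab must mount that same mapped device on /
    fstab_root=$(awk '$2 == "/" { print $1 }' "$3")
    [ "$fstab_root" = "$real_root" ] || { echo "fstab: / is '$fstab_root' but real_root=$real_root"; rc=1; }
    # 5. the dmcrypt swap mapping name must be the swap device fstab activates
    swap_name=$(sed -n 's/^swap=//p' "$2")
    { [ -n "$swap_name" ] && grep -Eq "^/dev/(mapper/)?$swap_name[[:space:]]+none[[:space:]]+swap" "$3"; } \
        || { echo "dmcrypt/fstab: swap mapping '$swap_name' is not used by fstab"; rc=1; }
    return $rc
}
```

Run it against the real /etc/genkernel.conf, /etc/conf.d/dmcrypt, /etc/fstab and /etc/lilo.conf before rebooting; a forgotten LUKS="yes" is the classic reason the initrd cannot open the root device.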

host ~ # echo "app-admin/paxtest ~amd64" >> /etc/portage/package.keywords/system
host ~ # emerge paxtest
host ~ # paxtest blackhat
PaXtest - Copyright(c) 2003,2004 by Peter Busser
Released under the GNU Public Licence version 2 or later
Writing output to paxtest.log
It may take a while for the tests to complete
Test results:
PaXtest - Copyright(c) 2003,2004 by Peter Busser
Released under the GNU Public Licence version 2 or later
Mode: blackhat
Linux host 2.6.31-grsec #3 SMP Tue Sep 15 10:51:44 GMT 2009 x86_64 AMD Athlon(tm) 64 X2 Dual Core Processor 3800+ AuthenticAMD GNU/Linux

Executable anonymous mapping : Killed
Executable bss : Killed
Executable data : Killed
Executable heap : Killed
Executable stack : Killed
Executable anonymous mapping (mprotect) : Killed
Executable bss (mprotect) : Killed
Executable data (mprotect) : Killed
Executable heap (mprotect) : Killed
Executable stack (mprotect) : Killed
Executable shared library bss (mprotect) : Killed
Executable shared library data (mprotect): Killed
Writable text segments : Killed
Anonymous mapping randomisation test : 33 bits (guessed)
Heap randomisation test (ET_EXEC) : 40 bits (guessed)
Heap randomisation test (ET_DYN) : 40 bits (guessed)
Main executable randomisation (ET_EXEC) : 32 bits (guessed)
Main executable randomisation (ET_DYN) : 32 bits (guessed)
Shared library randomisation test : 33 bits (guessed)
Stack randomisation test (SEGMEXEC) : No randomisation
Stack randomisation test (PAGEEXEC) : 40 bits (guessed)
Return to function (strcpy) : *** buffer overflow detected ***: rettofunc1 - terminated
rettofunc1: buffer overflow attack in function - terminated
Report to http://bugs.gentoo.org/
Killed
Return to function (memcpy) : *** buffer overflow detected ***: rettofunc2 - terminated
rettofunc2: buffer overflow attack in function - terminated
Report to http://bugs.gentoo.org/
Killed
Return to function (strcpy, RANDEXEC) : *** buffer overflow detected ***: rettofunc1x - terminated
rettofunc1x: buffer overflow attack in function - terminated
Report to http://bugs.gentoo.org/
Killed
Return to function (memcpy, RANDEXEC) : *** buffer overflow detected ***: rettofunc2x - terminated
rettofunc2x: buffer overflow attack in function - terminated
Report to http://bugs.gentoo.org/
Killed
Executable shared library bss : Killed
Executable shared library data : Killed

Sweet! You could update baselayout and switch to openrc:

host ~ # echo "sys-apps/baselayout ~amd64" >> /etc/portage/package.keywords/system
host ~ # echo "sys-apps/openrc ~amd64" >> /etc/portage/package.keywords/system
host ~ # echo "sys-apps/sysvinit ~amd64" >> /etc/portage/package.keywords/system
host ~ # emerge -av baselayout
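An added example, not from the original post: a POSIX sh/awk audit of a paxtest log that flags any test that is not at the hardened outcome shown above. The log it writes is a constructed subset of the results quoted above; the 28-bit randomisation minimum is an assumed threshold, and the SEGMEXEC line is treated as informational because SEGMEXEC only exists on 32-bit x86.

```shell
# Constructed sample: a subset of the paxtest "blackhat" results quoted in the post.
write_sample_paxtest_log() {        # $1 = output file
    cat > "$1" <<'EOF'
Mode: blackhat
Executable anonymous mapping : Killed
Executable stack (mprotect) : Killed
Writable text segments : Killed
Anonymous mapping randomisation test : 33 bits (guessed)
Main executable randomisation (ET_EXEC) : 32 bits (guessed)
Stack randomisation test (SEGMEXEC) : No randomisation
Stack randomisation test (PAGEEXEC) : 40 bits (guessed)
Return to function (strcpy) : *** buffer overflow detected ***: rettofunc1 - terminated
rettofunc1: buffer overflow attack in function - terminated
Report to http://bugs.gentoo.org/
Killed
Executable shared library bss : Killed
EOF
}

# audit_paxtest LOG [MINBITS]: print each test that is not at the hardened outcome
# and exit with the number of such findings (0 = everything looks as expected).
audit_paxtest() {
    awk -v minbits="${2:-28}" '
        BEGIN { bad = 0; pending = "" }
        function weak(line) { print "WEAK: " line; bad++ }
        # "Return to function" results can span several lines when SSP fires:
        # the verdict (Killed/Vulnerable) only arrives on its own line later on.
        /^Return to function/ {
            if ($0 ~ /Killed$/) next
            if ($0 ~ /Vulnerable$/) { weak($0); next }
            pending = $0; next
        }
        pending != "" && /^Killed$/     { pending = ""; next }
        pending != "" && /^Vulnerable$/ { weak(pending); pending = ""; next }
        pending != "" { next }
        # every executable-memory / writable-text probe must have been Killed
        /^(Executable|Writable)/ && !/: Killed$/ { weak($0); next }
        /randomisation/ && /No randomisation/ {
            if ($0 ~ /SEGMEXEC/) print "INFO: " $0; else weak($0)
            next
        }
        /randomisation/ && match($0, /[0-9]+ bits/) {
            bits = substr($0, RSTART, RLENGTH) + 0   # awk takes the leading number
            if (bits < minbits) weak($0)
        }
        END { exit bad }
    ' "$1"
}
```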

KDE time! The Gentoo KDE Guide will be useful here, especially to get the keywording/unmasking files. To keep it nice and clean:

host ~ # cd /etc/portage/package.keywords/
host package.keywords # touch kde-4.3
host package.keywords # nano kde-4.3

Update the files as per the guide. Also, some packages have to be compiled with specific USE flags set; this is what worked for me at the time:

host portage # echo "dev-python/PyQt4 sql webkit" >> /etc/portage/package.use
host portage # echo "sys-auth/pambase consolekit" >> /etc/portage/package.use
host portage # echo "x11-libs/qt-gui mng" >> /etc/portage/package.use
host portage # echo "sys-libs/ncurses unicode" >> /etc/portage/package.use

Now for the biggie ;] Better run it overnight or, even better, over a weekend... The --keep-going option saves you checking every 10 minutes whether the compilation has stopped due to some error ;) :

emerge --keep-going -av kde-meta

...a few hours later I got this:

*
* The following 12 packages have failed to build or install:
*
* ('ebuild', '/', 'kde-base/nepomuk-4.3.1', 'merge')
* ('ebuild', '/', 'kde-base/kdebase-meta-4.3.1', 'merge')
* ('ebuild', '/', 'kde-base/kde-meta-4.3.1', 'merge')
* ('ebuild', '/', 'kde-base/gwenview-4.3.1', 'merge')
* ('ebuild', '/', 'kde-base/kdegraphics-meta-4.3.1', 'merge')
* ('ebuild', '/', 'kde-base/kdenetwork-meta-4.3.1', 'merge')
* ('ebuild', '/', 'kde-base/mplayerthumbs-4.3.1', 'merge')
* ('ebuild', '/', 'kde-base/kdemultimedia-meta-4.3.1', 'merge')
* ('ebuild', '/', 'kde-base/kmail-4.3.1', 'merge')
* ('ebuild', '/', 'kde-base/dolphin-4.3.1', 'merge')
* ('ebuild', '/', 'kde-base/kdepim-meta-4.3.1', 'merge')
* ('ebuild', '/', 'kde-base/kget-4.3.1', 'merge')

Well, nepomuk did not like the grsec kernel, so I had to reboot into vanilla and re-emerge the kde-meta package. It (nepomuk) compiled fine but still segfaults on grsec kernels - I don't really use it, so I'm not bothered, but that probably is a bug that would require some patching. Nevertheless, finish the installation as per the Gentoo guide, remove unnecessary files and update config files:

host / # rm portage-latest.tar.bz2
host / # rm stage3-amd64-hardened+nomultilib-20090903.tar.bz2
host / # etc-update

...configure X (Gentoo guides will be helpful again!) and start your shiny new KDE environment! ;] Remember to add dbus to startup or KDM will not work; you'll probably need hald as well:

host ~ # rc-update add dbus default
* service dbus added to runlevel default
host ~ # /etc/init.d/dbus start
dbus |* Starting D-BUS system messagebus...
[ ok ] |
host ~ # /etc/init.d/hald start
hald |* Starting Hardware Abstraction Layer daemon...
[ ok ] |
host ~ # rc-update add hald default
* service hald added to runlevel default

Enjoy!

Compiling glibc-2.10 with GCC-4.4 on gentoo hardened

It does not compile with the profile flag set, at least at the time of writing. In order to get it compiled, unset the flag:

# USE="-profile" emerge -av glibc

These are the packages that would be merged, in order:

Calculating dependencies ... done!
[ebuild R ] sys-libs/glibc-2.10.1 USE="gd hardened nls -debug -glibc-omitfp (-multilib) -profile (-selinux) -vanilla" 16,492 kB