[tor-browser-bundle/master] Attempt to use MinGW hardening for Windows

commit 509e91fb187b4e42672e677a0ec65afbb4b87f68
Author: Mike Perry <mikeperry-git@torproject.org>
Date: Wed Jun 19 11:17:13 2013 -0700

Attempt to use MinGW hardening for Windows

Too bad it causes everything to insta-crash :/.
---
 gitian/build-helpers/i686-w64-mingw32-g++ | 4 ++++
 gitian/build-helpers/i686-w64-mingw32-gcc | 4 ++++
 gitian/build-helpers/i686-w64-mingw32-ld | 9 +++++++++
 gitian/descriptors/windows/gitian-firefox.yml | 27 +++++++++++++++----------
 gitian/descriptors/windows/gitian-tor.yml | 3 +++
 5 files changed, 36 insertions(+), 11 deletions(-)
diff --git a/gitian/build-helpers/i686-w64-mingw32-g++ b/gitian/build-helpers/i686-w64-mingw32-g++
new file mode 100755
index 0000000..e3c13fd
--- /dev/null
+++ b/gitian/build-helpers/i686-w64-mingw32-g++
@@ -0,0 +1,4 @@
+#!/bin/sh
+# Hardened mingw gcc wrapper
+
+/usr/bin/i686-w64-mingw32-g++ -Wl,--dynamicbase -Wl,--nxcompat -fstack-protector-all -pie -fPIE --param ssp-buffer-size=4 -fno-strict-overflow "$@"
diff --git a/gitian/build-helpers/i686-w64-mingw32-gcc b/gitian/build-helpers/i686-w64-mingw32-gcc
new file mode 100755
index 0000000..830e11b
--- /dev/null
+++ b/gitian/build-helpers/i686-w64-mingw32-gcc
@@ -0,0 +1,4 @@
+#!/bin/sh
+# Hardened mingw gcc wrapper
+
+/usr/bin/i686-w64-mingw32-gcc -Wl,--dynamicbase -Wl,--nxcompat -fstack-protector-all -pie -fPIE --param ssp-buffer-size=4 -fno-strict-overflow "$@"
diff --git a/gitian/build-helpers/i686-w64-mingw32-ld b/gitian/build-helpers/i686-w64-mingw32-ld
new file mode 100755
index 0000000..e085bdd
--- /dev/null
+++ b/gitian/build-helpers/i686-w64-mingw32-ld
@@ -0,0 +1,9 @@
+#!/bin/sh
+# Hardened mingw gcc wrapper
+
+if [ -x /usr/bin/i686-w64-mingw32-ld.orig ];
+then
+ /usr/bin/i686-w64-mingw32-ld.orig --dynamicbase --nxcompat -lssp -L/usr/lib/gcc/i686-w64-mingw32/4.6/ "$@"
+else
+ /usr/bin/i686-w64-mingw32-ld --dynamicbase --nxcompat -lssp -L/usr/lib/gcc/i686-w64-mingw32/4.6/ "$@"
+fi
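Review bot: Both compiler wrappers (`i686-w64-mingw32-g++` and `i686-w64-mingw32-gcc`) pass `-pie -fPIE` and the `-Wl,` linker options on every invocation, including compile-only (`-c`) runs and `-shared` DLL links. On MinGW toolchains of this vintage `-pie` has been reported to produce executables with a wrong entry point, so it is a plausible cause of the crash the commit message describes; that should be confirmed by rebuilding without it. PE images are rebased through their relocation table rather than through PIC code, so I would drop both flags: `exec /usr/bin/i686-w64-mingw32-g++ -Wl,--dynamicbase -Wl,--nxcompat -fstack-protector-all --param ssp-buffer-size=4 -fno-strict-overflow "$@"`. `--dynamicbase` only sets a header bit, so the linked EXEs should also be checked for a surviving `.reloc` section, otherwise the loader has nothing to rebase with and ASLR is not actually in effect.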
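Review bot: In the `ld` wrapper `-lssp` is placed before `"$@"`, so the library is searched before any object file has been read; GNU ld resolves archives in command-line order, which can leave `__stack_chk_fail` undefined or the library unused. Moving it to the end is safer, `/usr/bin/i686-w64-mingw32-ld.orig --dynamicbase --nxcompat -L/usr/lib/gcc/i686-w64-mingw32/4.6/ "$@" -lssp`, with the same change in the `else` branch. When the wrapper is installed as `/usr/bin/i686-w64-mingw32-ld` and no `.orig` sits beside it, the `else` branch re-invokes the wrapper itself, so that branch should print an error and exit non-zero instead of falling back. The header comment still reads "Hardened mingw gcc wrapper"; `# Hardened mingw ld wrapper` would match the file.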
diff --git a/gitian/descriptors/windows/gitian-firefox.yml b/gitian/descriptors/windows/gitian-firefox.yml
index cbf3976..a881440 100644
--- a/gitian/descriptors/windows/gitian-firefox.yml
+++ b/gitian/descriptors/windows/gitian-firefox.yml
@@ -10,9 +10,9 @@ packages:
 - "zip"
 - "autoconf"
 - "autoconf2.13"
-- "mingw-w64"
 - "faketime"
 - "yasm"
+- "mingw-w64"
 - "g++-mingw-w64-i686"
 - "mingw-w64-tools"
 reference_datetime: "2000-01-01 00:00:00"
@@ -25,6 +25,9 @@ files:
 - "torbrowser.version"
 - "re-dzip.sh"
 - "dzip.sh"
+- "i686-w64-mingw32-gcc"
+- "i686-w64-mingw32-g++"
+- "i686-w64-mingw32-ld"
 script: |
 INSTDIR="$HOME/install/FirefoxPortable/"
 export LD_PRELOAD=/usr/lib/faketime/libfaketime.so.1
@@ -39,7 +42,7 @@ script: |
 # If we ever find out that the 12.04 mingw is buggy/insufficient:
 #sudo bash -c 'echo "deb http://archive.ubuntu.com/ubuntu raring main restricted universe multiverse" >> /etc/apt/sources.list'
 #sudo apt-get update
- #sudo apt-get install g++-mingw-w64-i686 mingw-w64-tools mingw-w64
+ #sudo apt-get install -y g++-mingw-w64-i686 mingw-w64-tools mingw-w64
 #
 # Build the latest MinGW-w64 headers and CRT
 # FIXME: We need sudo for all of this because otherwise
@@ -83,18 +86,20 @@ script: |
 make -f client.mk configure
 find -type f | xargs touch --date="$REFERENCE_DATETIME"
 #
- # The build sometimes randomly fails (faketime issues?) Just restart it until success
+ # FIXME: MinGW doens't like being built with hardening, and Firefox doesn't
+ # like being configured with it
+ # XXX: These changes cause the exes to crash on launch.
+ #mkdir -p ~/build/bin/
+ #cp ~/build/i686* ~/build/bin/
+ #export PATH=~/build/bin:$PATH
+ # XXX: the path to ld is hardcoded in mingw.. This forces gcc's linking to
+ # use our flags:
+ #sudo mv /usr/bin/i686-w64-mingw32-ld /usr/bin/i686-w64-mingw32-ld.orig
+ #sudo cp ~/build/bin/i686-w64-mingw32-ld /usr/bin/
+ #
 make $MAKEOPTS -f client.mk build
- while [ $? -ne 0 ];
- do
- make $MAKEOPTS -f client.mk build
- done
 #
 make -C obj-* package INNER_MAKE_PACKAGE=true
- while [ $? -ne 0 ];
- do
- make -C obj-* package INNER_MAKE_PACKAGE=true
- done
 cp -a obj-*/dist/firefox/* $INSTDIR/App/Firefox/
 cp -a /usr/lib/gcc/i686-w64-mingw32/4.6/libgcc_s_sjlj-1.dll $INSTDIR/App/Firefox/
 cp -a /usr/lib/gcc/i686-w64-mingw32/4.6/libssp*.dll $INSTDIR/App/Firefox/
diff --git a/gitian/descriptors/windows/gitian-tor.yml b/gitian/descriptors/windows/gitian-tor.yml
index 4d7e36f..5fb0ef5 100644
--- a/gitian/descriptors/windows/gitian-tor.yml
+++ b/gitian/descriptors/windows/gitian-tor.yml
@@ -32,6 +32,9 @@ script: |
 export TZ=UTC
 export CFLAGS="-mwindows"
 export LDFLAGS="-mwindows"
+ # XXX: Hardening options cause the exe's to crash.. not sure why
+ #export CFLAGS="-mwindows -fstack-protector-all -fPIE -Wstack-protector --param ssp-buffer-size=4 -fno-strict-overflow -Wno-missing-field-initializers -Wformat-security"
+ #export LDFLAGS="-mwindows -Wl,--dynamicbase -Wl,--nxcompat -lssp -L/usr/lib/gcc/i686-w64-mingw32/4.6/"
 umask 0022
 #
 mkdir -p $INSTDIR/bin/
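Review bot: The commented-out block in the gitian-firefox.yml build step would swap the system linker with `sudo mv`/`sudo cp`, which changes the build VM's toolchain for every later link rather than for this build only, and the wrappers added under `files:` stay unused while it is disabled. If this is revived, pointing the compiler driver at a private directory that holds the wrapper as `ld` (GCC's `-B` option) would avoid touching `/usr/bin`; that is a suggestion to test, not something the hunk shows working. With the retry loops removed, a failed `make $MAKEOPTS -f client.mk build` is only caught if the script runs under `set -e`, which is not visible here. Until hardening works, a comment stating the shipped state would help, e.g. `# NOTE: Windows binaries are currently built WITHOUT DEP/ASLR/stack protector`. The `script:` body continues outside the hunk.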
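Review bot: The disabled `CFLAGS` line in gitian-tor.yml lists `-Wformat-security` without `-Wformat`, and GCC ignores the former unless format checking is enabled (by `-Wformat` or `-Wall`), so unless tor's configure adds one of those the flag would do nothing. `-Wstack-protector` and `-Wno-missing-field-initializers` are likewise diagnostics rather than mitigations, so the comment could separate them from the actual hardening flags. I would write `-Wformat -Wformat-security` and add a line recording which flag was last seen to trigger the crash, so the next attempt can bisect instead of re-enabling everything at once. The `script:` body continues outside the hunk.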