# Gentoo and hardened profile

## Fulgurance

Hello, I have a question. I have seen that the hardened Gentoo profile is very good for adding more security to a PC.

Is it sufficient to switch the profile and update everything, or is it difficult to switch from the normal profile to the hardened profile? (I have the plasma multilib profile by default.)

----------

## roboto

The hardened profile starts with a hardened stage3 tarball.

So if you're on the default profile, then you can't switch to hardened unless you reinstall and get the hardened stage3 tarball.

----------

## Hu

roboto: could you provide a citation for that claim?  My understanding was that the only commonly requested transition that requires a full reinstall is a switch from no-multilib to multilib.  Switching into hardened will doubtless require considerable rebuilding, but I thought that transition was possible in-place without a reinstall.

----------

## NeddySeagoon

Fulgurance,

Hardened is in several pieces. The kernel, the toolchain and your apps.

The toolchain builds your apps so that nasty things happening can be detected.

The kernel kills the apps reported to be doing nasty things, so you need all the bits.

The biggest change is the addition of ssp and pie by default. 

That's stack smashing protection (ssp) and position independent executables (pie).

You should be able to switch (I've not done it) but if you have any static libraries, they will all need to be rebuilt for pie. 

A rough outline of the process would be:

1. Switch profiles and fix your USE flags.
2. Rebuild your toolchain so you have a hardened toolchain.
3. Select the hardened toolchain.
4. Rebuild everything else.

Don't forget the hardened-sources kernel.

The downside is that some packages expect to do things that hardened won't permit. These packages won't run on a properly hardened system.

However, you can use PaX marking to effectively turn hardening off for these packages.

If you want to try a hardened desktop, the "Belgian Crispy Waffle Edition" liveDVD is all hardened.

----------
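Added example, not part of any post in this thread: a small checker for confirming, after the "rebuild everything else" step, whether a given binary was actually built as a position independent executable and references the stack smashing protection handler. The names `check_hardening` and `sample_elf` are hypothetical, the sample ELF images are constructed, and the SSP test is a heuristic based on the `__stack_chk_fail` symbol name.

```python
import struct
import sys

ET_EXEC, ET_DYN, PT_LOAD, PT_INTERP = 2, 3, 1, 3

def check_hardening(data: bytes) -> dict:
    """Classify one ELF image: PIE status from its headers, SSP by symbol name."""
    if len(data) < 16 or data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    is64 = data[4] == 2                     # EI_CLASS: 1 = 32-bit, 2 = 64-bit
    end = "<" if data[5] == 1 else ">"      # EI_DATA: 1 = little endian
    if len(data) < (64 if is64 else 52):
        raise ValueError("truncated ELF header")
    e_type = struct.unpack_from(end + "H", data, 16)[0]
    if is64:
        phoff = struct.unpack_from(end + "Q", data, 32)[0]
        phentsize, phnum = struct.unpack_from(end + "HH", data, 54)
    else:
        phoff = struct.unpack_from(end + "I", data, 28)[0]
        phentsize, phnum = struct.unpack_from(end + "HH", data, 42)
    # A dynamically linked executable carries a PT_INTERP program header.
    has_interp = any(
        struct.unpack_from(end + "I", data, phoff + i * phentsize)[0] == PT_INTERP
        for i in range(phnum)
        if phoff + i * phentsize + 4 <= len(data)
    )
    if e_type == ET_EXEC:
        kind = "non-PIE executable"
    elif e_type == ET_DYN:
        kind = "PIE executable" if has_interp else "shared object or static PIE"
    else:
        kind = "other"
    # Heuristic: SSP-instrumented code references the __stack_chk_fail handler.
    return {"kind": kind, "ssp": b"__stack_chk_fail" in data}

def sample_elf(e_type: int, interp: bool, ssp: bool) -> bytes:
    """Constructed minimal little-endian ELF64 image with one program header."""
    ident = b"\x7fELF" + bytes([2, 1, 1]) + bytes(9)
    hdr = struct.pack("<HHIQQQIHHHHHH", e_type, 62, 1, 0, 64, 0, 0, 64, 56, 1, 0, 0, 0)
    phdr = struct.pack("<I", PT_INTERP if interp else PT_LOAD) + bytes(52)
    return ident + hdr + phdr + (b"\0__stack_chk_fail\0" if ssp else b"")

if __name__ == "__main__":
    if len(sys.argv) > 1:                   # check real files given on the command line
        for path in sys.argv[1:]:
            with open(path, "rb") as fh:
                print(path, check_hardening(fh.read()))
    else:                                   # otherwise run on the constructed samples
        print(check_hardening(sample_elf(ET_DYN, True, True)))
        print(check_hardening(sample_elf(ET_EXEC, True, False)))
```

A missing `__stack_chk_fail` reference does not prove a binary was built without SSP, since code with no functions the compiler considers at risk never calls the handler.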

