
Buildflags

Closed Allan McRae requested to merge (removed):buildflags into master
@@ -31,7 +31,8 @@ We will change the distributed makepkg.conf to the following:
#CPPFLAGS=""
CFLAGS="-march=x86-64 -mtune=generic -O2 -pipe -fno-plt -fexceptions \
-Wp,-D_FORTIFY_SOURCE=2,-D_GLIBCXX_ASSERTIONS -Werror=format-security"
-Wp,-D_FORTIFY_SOURCE=2,-D_GLIBCXX_ASSERTIONS -Werror=format-security \
-fstack-clash-protection -fcf-protection"
CXXFLAGS="$CFLAGS"
LDFLAGS="-Wl,-O1,--sort-common,--as-needed,-z,relro,-z,now"
DEBUG_CFLAGS="-g -fvar-tracking-assignments"
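Review bot: the new `-fcf-protection` on the CFLAGS line relies on GCC's default level; writing it as `-fcf-protection=full` would make the intended level explicit, which matters because the Drawbacks section below tells packagers to override it with `-fcf-protection=none`, and a reader comparing the two forms should not have to guess what the bare flag expands to. The `-fstack-clash-protection` addition on the same continuation line is fine as written.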
@@ -43,7+44,7 @@
Unfortunately, there are still build systems which use CFLAGS but not CPPFLAGS.
Or configure tests that use CPPFLAGS and not CFLAGS which creates errors due to
fortify source needing optimisation. Ultimately, we can cover more code with
+1
this workaround.
* Add ``-fexceptions``
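Review bot: the sentence "configure tests that use CPPFLAGS and not CFLAGS which creates errors due to fortify source needing optimisation" should say plainly that `_FORTIFY_SOURCE` only takes effect (and glibc warns otherwise) when compiling with optimisation enabled, so a configure test built with CPPFLAGS but without the `-O2` from CFLAGS fails; that is the actual reason the macro is kept in CFLAGS via `-Wp`. Minor grammar: "tests ... which creates errors" should be "which create errors".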
@@ -75,7+76,7 @@
This is the default in GCC, at least for x86_64.
* Add ``-fstack-clash-protection``
Ensures all variable length memory allocated from the stack (via alloca() or
gcc variable length arrays etc) are probed at the time they are allocated. This
mitigates stack-clash attacks by ensuring all stack memory allocations are
valid (or by raising a segmentation fault if they are not, and turning a
possible code-execution attack into a denial of service). Without this flag,
vulnerabilities can result where the stack overlaps with the heap, or thread
stacks spill into other regions of memory.
* Add ``-fcf-protection``
Generates instructions to support Intel's Control-flow Enforcement Technology
(CET). Instrument binaries to guard against ROP/JOP attacks. Used on i686 and
x86_64.
Drawbacks
---------
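Review bot: the `-fcf-protection` bullet ("Instrument binaries to guard against ROP/JOP attacks. Used on i686 and x86_64.") should carry the caveat that the inserted CET instructions are no-ops on processors without CET and that enforcement also requires kernel and dynamic-loader support, so the binaries become CET-ready rather than protected on every machine. Without that sentence a reader of the RFC may assume the flag alone mitigates ROP/JOP on current hardware. In the `-fstack-clash-protection` bullet, "gcc variable length arrays" should be "GCC variable length arrays" to match the capitalisation used elsewhere.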
@@ -84,11 +102,17 @@ Adding ``-Werror=format-security`` may cause limited build issues, but patches a
readily available.
There is a minimal performance overhead of adding ``-Wp,-D_GLIBCXX_ASSERTIONS``,
though many of the added checks are optimised away by the compiler.
though many of the added checks are optimised away by the compiler. Adding
-fstack-clash-protection also has very little run-time overhead.
Adding ``-fexceptions`` can produce some data size overhead in C programs, though
does not affect execution. GCC enables it by default for C++.
Using -fcf-protection is incompatible with -mindirect-branch (which is used
to implement retpoline). In such cases it is recommended to disable
-fcf-protection. Disabled with -fcf-protection=none in CFLAGS / CXXFLAGS.
Unresolved Questions
--------------------
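Review bot: the last paragraph is inconsistent with the rest of the section: `-fstack-clash-protection`, `-fcf-protection` and `-mindirect-branch` appear without the double-backtick markup that `-Werror=format-security`, `-Wp,-D_GLIBCXX_ASSERTIONS` and `-fexceptions` get a few lines above, and the final sentence "Disabled with -fcf-protection=none in CFLAGS / CXXFLAGS." is a fragment. Suggest: "In such cases it is recommended to disable it by adding ``-fcf-protection=none`` to CFLAGS and CXXFLAGS." Also consider stating in the same paragraph that packages built with ``-mindirect-branch`` are the ones expected to opt out, so packagers know the override is the exception rather than a general knob.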