Changeset 0ceb504


Timestamp:
08/28/2024 12:46:50 PM (2 weeks ago)
Author:
Xi Ruoyao <xry111@…>
Branches:
12.2, trunk
Children:
0c9bd83
Parents:
2ec620f
git-author:
Xi Ruoyao <xry111@…> (08/28/2024 12:43:45 PM)
git-committer:
Xi Ruoyao <xry111@…> (08/28/2024 12:46:50 PM)
Message:

building-notes: Reformat hardening options description, and fix some errors

File:
1 edited

  • introduction/important/building-notes.xml

    r2ec620f r0ceb504  
    13331333
    13341334      <para>
    1335         The main distros use much more, such as
    1336         <option>-Wl,-z,now</option> (disabling lazy binding to enhance
    1337         <option>-Wl,-z,relro</option>, so the <emphasis>entire</emphasis>
    1338         GOT can be made immutable), <option>-fstack-clash-protection</option>
    1339         (preventing the attacker from using an unchecked offset from a heap
    1340         address to modify the stack),
    1341         <option>-fcf-protection=full</option>
    1342         (utilizing Intel and AMD CET technology to limit the target
    1343         addresses of control-flow transfer instructions; to make it really
    1344         effective the entire system must be built with this option, Glibc
    1345         must be built with <option>--enable-cet</option>, and the system
    1346         must run on Intel Tiger Lake or newer, or AMD Zen 3 or newer),
    1347         and <option>-ftrivial-auto-var-init=zero</option> (initializing
    1348         some variables by filling zero bytes if they are otherwise
    1349         uninitialized).
    1350       </para>
     1335        The main distros use much more, such as:
     1336      </para>
     1337
     1338      <itemizedlist>
     1339        <listitem>
     1340          <para>
     1341            <option>-Wl,-z,now</option>: disables lazy binding to enhance
     1342            <option>-Wl,-z,relro</option>, so the
     1343            <emphasis>entire</emphasis> GOT can be made immutable.
     1344          </para>
     1345        </listitem>
     1346        <listitem>
     1347          <para>
     1348            <option>-fstack-clash-protection</option>: prevents the attacker
     1349            from using an offset large enough and not adequately checked to
     1350            jump over the stack guard page placed by the kernel and the
     1351            stack canary placed by
     1352            <option>-fstack-protector=strong</option>, and modify the stack
     1353            from a heap address, or vice versa.
     1354          </para>
     1355        </listitem>
     1356        <listitem>
     1357          <para>
     1358            <option>-ftrivial-auto-var-init=zero</option>: initializes
     1359            some variables by filling zero bytes if they are not
     1360            initialized by other means.
     1361          </para>
     1362        </listitem>
     1363        <listitem>
     1364          <para>
     1365            <option>-fcf-protection=full</option>: utilizes Intel and AMD
     1366            CET technology to limit the target addresses of control-flow
     1367            transfer instructions.  To make it really effective for a
     1368            package, all packages providing a shared library for the
     1369            package to use must be built with this option, as well as that
     1370            package itself, Glibc must be configured with the
     1371            <option>--enable-cet</option> option enabled, and the system
     1372            must run on Intel Tiger Lake or newer, or AMD Zen 3 or newer.
     1373            If the criteria is not met the program compiled with this
     1374            option will still run, but not really protected by CET.
     1375          </para>
     1376        </listitem>
     1377      </itemizedlist>
    13511378
    13521379      <para>
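Review bot: the stack-protector option named in the second list item, "the stack canary placed by <option>-fstack-protector=strong</option>", is not a spelling GCC accepts; the flag is spelled -fstack-protector-strong (GCC has -fstack-protector, -fstack-protector-all, -fstack-protector-strong and -fstack-protector-explicit, and reports the "=strong" form as an unrecognized command-line option), so the element should read <option>-fstack-protector-strong</option>. Two smaller wording points in the fourth list item: "If the criteria is not met" should be "If these criteria are not met", and "but not really protected by CET" is missing its verb, for example "but will not really be protected by CET".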