Changeset 5a95524


Timestamp:
01/30/2023 09:32:18 AM (15 months ago)
Author:
Xi Ruoyao <xry111@…>
Branches:
11.3, 12.0, 12.1, kea, ken/TL2024, ken/inkscape-core-mods, ken/tuningfonts, lazarus, lxqt, plabs/newcss, python3.11, qt5new, rahul/power-profiles-daemon, renodr/vulkan-addition, trunk, xry111/llvm18, xry111/xf86-video-removal
Children:
8d2373d8
Parents:
5cf5248
git-author:
Xi Ruoyao <xry111@…> (01/30/2023 09:30:14 AM)
git-committer:
Xi Ruoyao <xry111@…> (01/30/2023 09:32:18 AM)
Message:

building-notes: Update hardening section to match the status quo

By the way, use <option> to decorate the compiler options.

File:
1 edited

  • introduction/important/building-notes.xml

    r5cf5248 r5a95524  
    964964
    965965      <para>
     966        In the past, there was Hardened LFS where gcc (a much older version)
     967        was forced to use hardening (with options to turn some of it off on a
     968        per-package basis).  The current LFS and BLFS books is carrying
     969        forward a part of its spirit by enabling PIE
     970        (<option>-fPIE -pie</option>) and SSP
     971        (<option>-fstack-protector-strong</option>) as the defaults
     972        for GCC and clang.  What is being covered here is different - first
     973        you have to make sure that the package is indeed using your added
     974        flags and not over-riding them.
     975      </para>
     976
     977      <para>
    966978        For hardening options which are reasonably cheap, there is some
    967979        discussion in the 'tuning' link above (occasionally, one or more
    968980        of these options might be inappropriate for a package). These
    969         options are -D_FORTIFY_SOURCE=2, -fstack-protector=strong, and
    970         (for C++) -D_GLIBCXX_ASSERTIONS. On modern machines these should
    971         only have a little impact on how fast things run, and often they
    972         will not be noticeable.
    973       </para>
    974 
    975       <para>
    976         In the past, there was Hardened LFS where gcc (a much older version)
    977         was forced to use hardening (with options to turn some of it off on a
    978         per-package basis. What is being covered here is different - first you
    979         have to make sure that the package is indeed using your added flags and
    980         not over-riding them.
     981        options are <option>-D_FORTIFY_SOURCE=2</option> and
     982        (for C++) <option>-D_GLIBCXX_ASSERTIONS</option>. On modern
     983        machines these should only have a little impact on how fast things
     984        run, and often they will not be noticeable.
    981985      </para>
    982986
    983987      <para>
    984988        The main distros use much more, such as RELRO (Relocation Read Only)
    985         and perhaps -fstack-clash-protection. You may also encounter the
    986         so-called 'userspace retpoline' (-mindirect-branch=thunk etc.) which
     989        and perhaps <option>-fstack-clash-protection</option>. You may also
     990        encounter the so-called <quote>userspace retpoline</quote>
     991        (<option>-mindirect-branch=thunk</option> etc.) which
    987992        is the equivalent of the spectre mitigations applied to the linux
    988993        kernel in late 2018). The kernel mitigations caused a lot of complaints
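Review bot: Subject-verb agreement is off in the new text at line 968: "The current LFS and BLFS books is carrying forward" should read "are carrying forward". Two smaller points in the same hunk: at line 970, `<option>-fPIE -pie</option>` puts two distinct flags inside one `<option>` element, and since this commit's stated purpose is to decorate compiler options with `<option>`, it would be more consistent to mark each switch separately, e.g. `<option>-fPIE</option> <option>-pie</option>`; and the unchanged context at line 993, "kernel in late 2018).", ends with a closing parenthesis that has no matching opening one in the sentence (the only parenthetical, `(<option>-mindirect-branch=thunk</option> etc.)`, is already closed on line 991), so dropping that stray `)` while the paragraph is being reworked would be a cheap drive-by fix. The replacement of the misspelled `-fstack-protector=strong` in the removed lines with the correct `-fstack-protector-strong` spelling in the new text is a welcome correction.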