Changeset 5a95524 for introduction/important
- Timestamp:
- 01/30/2023 09:32:18 AM (20 months ago)
- Branches:
- 11.3, 12.0, 12.1, 12.2, gimp3, kea, ken/TL2024, ken/inkscape-core-mods, ken/tuningfonts, lazarus, lxqt, plabs/newcss, python3.11, qt5new, rahul/power-profiles-daemon, renodr/vulkan-addition, trunk, xry111/for-12.3, xry111/llvm18, xry111/spidermonkey128, xry111/xf86-video-removal
- Children:
- 8d2373d8
- Parents:
- 5cf5248
- git-author:
- Xi Ruoyao <xry111@…> (01/30/2023 09:30:14 AM)
- git-committer:
- Xi Ruoyao <xry111@…> (01/30/2023 09:32:18 AM)
- File:
-
- 1 edited
introduction/important/building-notes.xml
r5cf5248 r5a95524 964 964 965 965 <para> 966 In the past, there was Hardened LFS where gcc (a much older version) 967 was forced to use hardening (with options to turn some of it off on a 968 per-package basis). The current LFS and BLFS books is carrying 969 forward a part of its spirit by enabling PIE 970 (<option>-fPIE -pie</option>) and SSP 971 (<option>-fstack-protector-strong</option>) as the defaults 972 for GCC and clang. What is being covered here is different - first 973 you have to make sure that the package is indeed using your added 974 flags and not over-riding them. 975 </para> 976 977 <para> 966 978 For hardening options which are reasonably cheap, there is some 967 979 discussion in the 'tuning' link above (occasionally, one or more 968 980 of these options might be inappropriate for a package). These 969 options are -D_FORTIFY_SOURCE=2, -fstack-protector=strong, and 970 (for C++) -D_GLIBCXX_ASSERTIONS. On modern machines these should 971 only have a little impact on how fast things run, and often they 972 will not be noticeable. 973 </para> 974 975 <para> 976 In the past, there was Hardened LFS where gcc (a much older version) 977 was forced to use hardening (with options to turn some of it off on a 978 per-package basis. What is being covered here is different - first you 979 have to make sure that the package is indeed using your added flags and 980 not over-riding them. 981 options are <option>-D_FORTIFY_SOURCE=2</option> and 982 (for C++) <option>-D_GLIBCXX_ASSERTIONS</option>. On modern 983 machines these should only have a little impact on how fast things 984 run, and often they will not be noticeable. 981 985 </para> 982 986 983 987 <para> 984 988 The main distros use much more, such as RELRO (Relocation Read Only) 985 and perhaps -fstack-clash-protection. You may also encounter the 986 so-called 'userspace retpoline' (-mindirect-branch=thunk etc.) which 989 and perhaps <option>-fstack-clash-protection</option>. 
You may also 990 encounter the so-called <quote>userspace retpoline</quote> 991 (<option>-mindirect-branch=thunk</option> etc.) which 987 992 is the equivalent of the spectre mitigations applied to the linux 988 993 kernel in late 2018). The kernel mitigations caused a lot of complaints
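Review bot: The added first paragraph has a subject-verb disagreement in "The current LFS and BLFS books is carrying forward a part of its spirit"; it should read "books are carrying forward". In the same paragraph, the sentence "What is being covered here is different - first you have to make sure that the package is indeed using your added flags" now comes right after the statement that PIE and SSP are compiler defaults and before the paragraph that lists <option>-D_FORTIFY_SOURCE=2</option> and <option>-D_GLIBCXX_ASSERTIONS</option>, so "here" and "your added flags" point at options the reader has not been shown yet. Consider saying explicitly that the options in the following paragraphs are not defaults and must be added by the user, which is why checking that a package does not override them matters. Finally, since the retpoline sentence is being touched anyway, the unmatched ")" after "kernel in late 2018" in the trailing context could be dropped in this commit; the change already closes the similar open parenthesis after "per-package basis".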