Changeset a9469d14


Timestamp:
08/28/2024 06:41:08 AM (3 weeks ago)
Author:
Xi Ruoyao <xry111@…>
Branches:
12.2, trunk
Children:
6ff69f4a, ea271cd
Parents:
0110dbd
git-author:
Xi Ruoyao <xry111@…> (08/28/2024 06:39:27 AM)
git-committer:
Xi Ruoyao <xry111@…> (08/28/2024 06:41:08 AM)
Message:

building-notes: Mention GCC 14 -fhardened and explain the hardening options implied by it

File:
1 edited

  • introduction/important/building-notes.xml

    r0110dbd ra9469d14  
    13121312        (<option>-fPIE -pie</option>) and SSP
    13131313        (<option>-fstack-protector-strong</option>) as the defaults
    1314         for GCC and clang.  What is being covered here is different - first
    1315         you have to make sure that the package is indeed using your added
    1316         flags and not over-riding them.
     1314        for GCC and clang.  And, the linkers (<command>ld.bfd</command>
     1315        and <command>ld.gold</command>) have also enabled
     1316        <option>-Wl,-z,relro</option> (making a part of the GOT immutable)
     1317        by default since Binutils 2.27. What is being covered here is
     1318        different - first you have to make sure that the package is indeed
     1319        using your added flags and not over-riding them.
    13171320      </para>
    13181321
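Review bot: the added sentence presents the <option>-z relro</option> default as an unconditional property of ld.bfd and ld.gold since Binutils 2.27, but it is the build-time <option>--enable-relro</option> configure default introduced in that release (on by default for Linux targets with a few exceptions, off elsewhere), so a Binutils configured with <option>--disable-relro</option> or for a non-Linux target will not have it; suggest "by default since Binutils 2.27 when it is configured with the default <option>--enable-relro</option>". Two smaller points in the same lines: the linkers themselves take <option>-z relro</option>, <option>-Wl,-z,relro</option> is the compiler-driver spelling, and since the paragraph is being reworded anyway, the retained "over-riding" could become "overriding".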
     
    13301333
    13311334      <para>
    1332         The main distros use much more, such as RELRO (Relocation Read Only)
    1333         and perhaps <option>-fstack-clash-protection</option>. You may also
     1335        The main distros use much more, such as
     1336        <option>-Wl,-z,now</option> (disabling lazy binding to enhance
     1337        <option>-Wl,-z,relro</option>, so the <emphasis>entrie</emphasis>
     1338        GOT can be made immutable), <option>-fstack-clash-protection</option>
     1339        (preventing the attacker from using an unchecked offset from a heap
     1340        address to modify the stack),
     1341        <option>-fcf-protection=full</option>
     1342        (utilizing Intel and AMD CET technology to limit the target
     1343        addresses of control-flow transfer instructions; to make it really
     1344        effective the entire system must be built with this option, Glibc
     1345        must be built with <option>--enable-cet</option>, and the system
     1346        must run on Intel Tiger Lake or newer, or AMD Zen 3 or newer),
     1347        and <option>-ftrivial-auto-var-init=zero</option> (initializing
     1348        some variables by filling zero bytes if they are otherwise
     1349        uninitialized).
     1350      </para>
     1351
     1352      <para>
     1353        In GCC 14, the option <option>-fhardened</option> is a shorthand
     1354        to enable all the hardening options mentioned above.  It sets
     1355        <option>-D _FORTIFY_SOURCE=3</option> instead of
     1356        <option>-D _FORTIFY_SOURCE=2</option>.
     1357      </para>
     1358
     1359      <para>
     1360        You may also
    13341361        encounter the so-called <quote>userspace retpoline</quote>
    13351362        (<option>-mindirect-branch=thunk</option> etc.) which
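Review bot: "entrie" in the <emphasis> element should be "entire". On the <option>-fhardened</option> paragraph, "enable all the hardening options mentioned above" is not quite what GCC 14 does: it also defines <literal>_GLIBCXX_ASSERTIONS</literal>, which is not mentioned above, it only adds an option that is not already given on the command line (so an explicit <option>-fcf-protection=none</option> or <option>-D_FORTIFY_SOURCE=2</option> wins, and <option>-Whardened</option> warns when that happens), the <option>-fcf-protection=full</option> part is only added on x86 GNU/Linux targets, and <option>-D_FORTIFY_SOURCE=3</option> falls back to <option>=2</option> with a Glibc too old for level 3; a sentence along those lines would keep readers from assuming the shorthand overrides their existing CFLAGS. For the CET description, the runtime prerequisites listed (Glibc <option>--enable-cet</option>, Tiger Lake / Zen 3 hardware) omit the kernel: user-space shadow stack on x86-64 needs Linux 6.6 or later with <option>CONFIG_X86_USER_SHADOW_STACK</option>, and mainline kernels do not yet enable user-space IBT, so on a typical LFS kernel the instrumentation is present but dormant. Finally, <option>-ftrivial-auto-var-init=zero</option> affects automatic (stack) variables without an initializer, so "some variables" is better stated as "automatic variables".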