Changeset a9469d14 for introduction/important
- Timestamp: 08/28/2024 06:41:08 AM (3 weeks ago)
- Branches: 12.2, trunk
- Children: 6ff69f4a, ea271cd
- Parents: 0110dbd
- git-author: Xi Ruoyao <xry111@…> (08/28/2024 06:39:27 AM)
- git-committer: Xi Ruoyao <xry111@…> (08/28/2024 06:41:08 AM)
- File: 1 edited
introduction/important/building-notes.xml
r0110dbd ra9469d14 1312 1312 (<option>-fPIE -pie</option>) and SSP 1313 1313 (<option>-fstack-protector-strong</option>) as the defaults 1314 for GCC and clang. What is being covered here is different - first 1315 you have to make sure that the package is indeed using your added 1316 flags and not over-riding them. 1314 for GCC and clang. And, the linkers (<command>ld.bfd</command> 1315 and <command>ld.gold</command>) have also enabled 1316 <option>-Wl,-z,relro</option> (making a part of the GOT immutable) 1317 by default since Binutils 2.27. What is being covered here is 1318 different - first you have to make sure that the package is indeed 1319 using your added flags and not over-riding them. 1317 1320 </para> 1318 1321 … … 1330 1333 1331 1334 <para> 1332 The main distros use much more, such as RELRO (Relocation Read Only) 1333 and perhaps <option>-fstack-clash-protection</option>. You may also 1335 The main distros use much more, such as 1336 <option>-Wl,-z,now</option> (disabling lazy binding to enhance 1337 <option>-Wl,-z,relro</option>, so the <emphasis>entrie</emphasis> 1338 GOT can be made immutable), <option>-fstack-clash-protection</option> 1339 (preventing the attacker from using an unchecked offset from a heap 1340 address to modify the stack), 1341 <option>-fcf-protection=full</option> 1342 (utilizing Intel and AMD CET technology to limit the target 1343 addresses of control-flow transfer instructions; to make it really 1344 effective the entire system must be built with this option, Glibc 1345 must be built with <option>--enable-cet</option>, and the system 1346 must run on Intel Tiger Lake or newer, or AMD Zen 3 or newer), 1347 and <option>-ftrivial-auto-var-init=zero</option> (initializing 1348 some variables by filling zero bytes if they are otherwise 1349 uninitialized). 1350 </para> 1351 1352 <para> 1353 In GCC 14, the option <option>-fhardened</option> is a shorthand 1354 to enable all the hardening options mentioned above. 
It sets 1355 <option>-D _FORTIFY_SOURCE=3</option> instead of 1356 <option>-D _FORTIFY_SOURCE=2</option>. 1357 </para> 1358 1359 <para> 1360 You may also 1334 1361 encounter the so-called <quote>userspace retpoline</quote> 1335 1362 (<option>-mindirect-branch=thunk</option> etc.) which
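Review bot: in the first hunk, the new sentence at lines 1314-1317 of the new file states that ld.bfd and ld.gold enable -Wl,-z,relro "by default since Binutils 2.27"; that is a configure-time default (--enable-relro) that Binutils 2.27 turned on for most Linux targets but not all of them, so consider qualifying it as "on most Linux targets". Minor: "over-riding" in the retained sentence at new lines 1318-1319 is normally spelled "overriding".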
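Review bot: in the second hunk, `<emphasis>entrie</emphasis>` at new line 1337 is a typo for "entire". The parenthetical describing -fstack-clash-protection at new lines 1339-1340 is also imprecise: the option inserts stack probes so that a large stack allocation cannot jump over the guard page, and it is not specific to heap addresses; consider wording it as "(inserting stack probes so that a large stack allocation cannot skip over the guard page)".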