Advanced
Mailing List Archive

Mailing List Archive

  1. Home >
  2. Gentoo>
  3. Hardened
gcc compiler flags - some room for more hardening?
atoth at atoth
Jan 17, 2018, 4:27 AM
Post #1 of 3 (1732 views)
Permalink
I've just came accross a Fedora 28 memo about hardening their flags:
https://fedoraproject.org/wiki/Changes/HardeningFlags28
1. -fstack-clash-protection
2. -fcf-protection=full
3. -mcet
4. for C++: -D_GLIBCXX_ASSERTIONS

According to the builtin specs these are not in current use for
sys-devel/gcc-7.2.

It may worth to consider moving the same direction as Fedora. Wouldn't it
be a shame if a regular non-rolling distro would make use of harder flags
compared to Gentoo Hardened?

BR: Dw.
--
dr Tóth Attila, Radiológus, 06-20-825-8057
Attila Toth MD, Radiologist, +36-20-825-8057
Re: gcc compiler flags - some room for more hardening? [ In reply to ]
zorry at gentoo
Jan 17, 2018, 5:20 PM
Post #2 of 3 (1730 views)
Permalink
onsdag 17 januari 2018 kl. 13:27:25 CET skrev T?th Attila:
> I've just came accross a Fedora 28 memo about hardening their flags:
> https://fedoraproject.org/wiki/Changes/HardeningFlags28
> 1. -fstack-clash-protection
> 2. -fcf-protection=full
> 3. -mcet
> 4. for C++: -D_GLIBCXX_ASSERTIONS
>
> According to the builtin specs these are not in current use for
> sys-devel/gcc-7.2.
>
> It may worth to consider moving the same direction as Fedora. Wouldn't it
> be a shame if a regular non-rolling distro would make use of harder flags
> compared to Gentoo Hardened?
>
> BR: Dw.
Most of the options is for Gcc 8 or newer.
Still waiting what get add for the Spectre stuff.
Re: gcc compiler flags - some room for more hardening? [ In reply to ]
atoth at atoth
Jan 19, 2018, 11:32 AM
Post #3 of 3 (1725 views)
Permalink
2018.Január 18.(Cs) 02:20 id?pontban Magnus Granberg ezt írta:
> onsdag 17 januari 2018 kl. 13:27:25 CET skrev Tóth Attila:
>> I've just came accross a Fedora 28 memo about hardening their flags:
>> https://fedoraproject.org/wiki/Changes/HardeningFlags28
>> 1. -fstack-clash-protection
>> 2. -fcf-protection=full
>> 3. -mcet
>>
> Most of the options is for Gcc 8 or newer.
> Still waiting what get add for the Spectre stuff.

Some of these will probably require hardware support I don't have - ibt,
shstk, cet. However it's still interesting.
Let the community know if we can help with anything.

Thanks: Dw.
--
dr Tóth Attila, Radiológus, 06-20-825-8057
Attila Toth MD, Radiologist, +36-20-825-8057

©2024 GT.net. A Gossamer Threads company.
5th Floor, 455 Granville St., Vancouver, BC V6C 1T1, Canada | Legal