gcc compiler flags - some room for more hardening?


gcc compiler flags - some room for more hardening?

"Tóth Attila"
I've just come across a Fedora 28 memo about hardening their flags:
https://fedoraproject.org/wiki/Changes/HardeningFlags28
1. -fstack-clash-protection
2. -fcf-protection=full
3. -mcet
4. for C++: -D_GLIBCXX_ASSERTIONS

According to the builtin specs these are not in current use for
sys-devel/gcc-7.2.

It may be worth considering moving in the same direction as Fedora. Wouldn't it
be a shame if a regular non-rolling distro made use of harder flags than
Gentoo Hardened?

BR: Dw.
--
dr Tóth Attila, Radiológus, 06-20-825-8057
Attila Toth MD, Radiologist, +36-20-825-8057
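As an added example (not from the thread or from Gentoo), a small POSIX shell script that checks a given gcc against the four Fedora 28 flags listed above: first whether the flag already appears in the compiler's built-in specs (`gcc -dumpspecs`), then whether the compiler at least accepts it on a trivial translation unit. The `CC` variable, the `spec_enables`/`flag_accepted`/`report` names and the temporary-file layout are this script's own assumptions.

```shell
#!/bin/sh
# Probe a gcc for the Fedora 28 hardening flags. Not part of the original
# thread; CC and the function names below are assumptions of this example.
CC="${CC:-gcc}"
HARDENING_FLAGS="-fstack-clash-protection -fcf-protection=full -mcet -D_GLIBCXX_ASSERTIONS"

# spec_enables SPEC_TEXT FLAG: succeeds if FLAG occurs literally in the spec
# text, i.e. the compiler already passes it by default (patched specs).
spec_enables() {
    printf '%s\n' "$1" | grep -qF -- "$2"
}

# flag_accepted FLAG: succeeds if $CC compiles a trivial file with FLAG.
# Accepted-but-not-default means the flag must be added via CFLAGS or specs;
# unsupported usually means an older gcc (most of these need gcc 8) or a
# target without the feature (-mcet is x86-only).
flag_accepted() {
    tmp=$(mktemp -d) || return 2
    printf 'int main(void) { return 0; }\n' > "$tmp/t.c"
    if "$CC" "$1" -c "$tmp/t.c" -o "$tmp/t.o" >/dev/null 2>&1; then
        rc=0
    else
        rc=1
    fi
    rm -rf "$tmp"
    return $rc
}

# report: one line per flag with its status for $CC.
report() {
    specs=$("$CC" -dumpspecs 2>/dev/null) || { echo "cannot run $CC"; return 1; }
    for f in $HARDENING_FLAGS; do
        if spec_enables "$specs" "$f"; then
            state="enabled by default (in specs)"
        elif flag_accepted "$f"; then
            state="accepted, not enabled by default"
        else
            state="not supported by this compiler"
        fi
        printf '%-26s %s\n' "$f" "$state"
    done
}

report
```

Note that `-D_GLIBCXX_ASSERTIONS` is a preprocessor define, so any compiler "accepts" it; only the specs check says whether the distro actually turns it on by default.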



Re: gcc compiler flags - some room for more hardening?

Magnus Granberg-2
On Wednesday 17 January 2018 at 13:27:25 CET, Tóth Attila wrote:

> I've just come across a Fedora 28 memo about hardening their flags:
> https://fedoraproject.org/wiki/Changes/HardeningFlags28
> 1. -fstack-clash-protection
> 2. -fcf-protection=full
> 3. -mcet
> 4. for C++: -D_GLIBCXX_ASSERTIONS
>
> According to the builtin specs these are not in current use for
> sys-devel/gcc-7.2.
>
> It may be worth considering moving in the same direction as Fedora. Wouldn't it
> be a shame if a regular non-rolling distro made use of harder flags than
> Gentoo Hardened?
>
> BR: Dw.
Most of the options are for GCC 8 or newer.
Still waiting to see what gets added for the Spectre stuff.



Re: gcc compiler flags - some room for more hardening?

"Tóth Attila"
On 18 January 2018 (Thu) at 02:20, Magnus Granberg wrote:
> On Wednesday 17 January 2018 at 13:27:25 CET, Tóth Attila wrote:
>> I've just come across a Fedora 28 memo about hardening their flags:
>> https://fedoraproject.org/wiki/Changes/HardeningFlags28
>> 1. -fstack-clash-protection
>> 2. -fcf-protection=full
>> 3. -mcet
>>
> Most of the options are for GCC 8 or newer.
> Still waiting to see what gets added for the Spectre stuff.

Some of these will probably require hardware support I don't have (ibt,
shstk, cet). However, it's still interesting.
Let the community know if we can help with anything.

Thanks: Dw.
--
dr Tóth Attila, Radiológus, 06-20-825-8057
Attila Toth MD, Radiologist, +36-20-825-8057