[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: hardening
From: |
Alex Vong |
Subject: |
Re: hardening |
Date: |
Wed, 31 Jan 2018 20:20:44 +0800 |
User-agent: |
Gnus/5.13 (Gnus v5.13) Emacs/25.3 (gnu/linux) |
Hello,
address@hidden writes:
> Hi,
>
> as we've long talked and not really taken action on hardening builds
> I've started working on an opt-in way as last discussed in
> september 2016, modifying the gnu-build-system with a
> #:hardening-flags keyword.
>
> For my testing purposes I will use
>
>> CFLAGS="-fPIE -fstack-protector-all -D_FORTIFY_SOURCE=2"
> LDFLAGS="-Wl,-z,now -Wl,-z,relro"
>
> which is used by Gentoo, but adjustments (wether to opt-in or
> opt-out) will be made.
The flags I use (suggested by Debian Wiki[0]) are:
CPPFLAGS=-D_FORTIFY_SOURCE=2
CFLAGS=-fstack-protector-strong
CXXFLAGS=-fstack-protector-strong
LDFLAGS=-Wl,-z,relro,-z,now,--as-needed
Also, should we use retpoline flags for all native binaries? This
article[1] suggests ``applying a software mitigation (e.g., Google's
Retpoline) to the hypervisor, operating system kernel, system programs
and libraries, and user applications''. I've sent a patch to do so when
bootstraping GCC 7 itself[2] but no reply are received yet (maybe I
should have open a new bug instead of changing the title of an old
bug).
[0]: https://wiki.debian.org/Hardening
[1]:
https://security.googleblog.com/2018/01/more-details-about-mitigations-for-cpu_4.html
[2]: https://debbugs.gnu.org/cgi/bugreport.cgi?bug=30111