[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: hardening
From: |
ng0 |
Subject: |
Re: hardening |
Date: |
Sun, 11 Mar 2018 13:37:32 +0000 |
Alex Vong transcribed 1.3K bytes:
> Hello,
>
> address@hidden writes:
>
> > Hi,
> >
> > as we've long talked and not really taken action on hardening builds
> > I've started working on an opt-in way as last discussed in
> > september 2016, modifying the gnu-build-system with a
> > #:hardening-flags keyword.
> >
> > For my testing purposes I will use
> >
> >> CFLAGS="-fPIE -fstack-protector-all -D_FORTIFY_SOURCE=2"
> > LDFLAGS="-Wl,-z,now -Wl,-z,relro"
> >
> > which is used by Gentoo, but adjustments (wether to opt-in or
> > opt-out) will be made.
>
> The flags I use (suggested by Debian Wiki[0]) are:
>
> CPPFLAGS=-D_FORTIFY_SOURCE=2
How does this differ from "-O2 -D_FORTIFY_SOURCE" in CFLAGS?
I know O2 is optimization and that FORTIFY_SOURCE requires optimization
to be specified.
> CFLAGS=-fstack-protector-strong
> CXXFLAGS=-fstack-protector-strong
> LDFLAGS=-Wl,-z,relro,-z,now,--as-needed
What are your opinions about:
-pipe -fPIE -fstack-shuffle -fstack-protector-all
> Also, should we use retpoline flags for all native binaries? This
> article[1] suggests ``applying a software mitigation (e.g., Google's
> Retpoline) to the hypervisor, operating system kernel, system programs
> and libraries, and user applications''. I've sent a patch to do so when
> bootstraping GCC 7 itself[2] but no reply are received yet (maybe I
> should have open a new bug instead of changing the title of an old
> bug).
>
> [0]: https://wiki.debian.org/Hardening
> [1]:
> https://security.googleblog.com/2018/01/more-details-about-mitigations-for-cpu_4.html
> [2]: https://debbugs.gnu.org/cgi/bugreport.cgi?bug=30111
>
--
A88C8ADD129828D7EAC02E52E22F9BBFEE348588
https://n0.is