guix-devel
[Top][All Lists]
Advanced

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: hardening


From: ng0
Subject: Re: hardening
Date: Sun, 11 Mar 2018 13:37:32 +0000

Alex Vong transcribed 1.3K bytes:
> Hello,
> 
> address@hidden writes:
> 
> > Hi,
> >
> > as we've long talked and not really taken action on hardening builds
> > I've started working on an opt-in way as last discussed in
> > september 2016, modifying the gnu-build-system with a
> > #:hardening-flags keyword.
> >
> > For my testing purposes I will use
> >
> >> CFLAGS="-fPIE -fstack-protector-all -D_FORTIFY_SOURCE=2"
> > LDFLAGS="-Wl,-z,now -Wl,-z,relro"
> >
> > which is used by Gentoo, but adjustments (wether to opt-in or
> > opt-out) will be made.
> 
> The flags I use (suggested by Debian Wiki[0]) are:
> 
>   CPPFLAGS=-D_FORTIFY_SOURCE=2

How does this differ from "-O2 -D_FORTIFY_SOURCE" in CFLAGS?
I know O2 is optimization and that FORTIFY_SOURCE requires optimization
to be specified.

>   CFLAGS=-fstack-protector-strong
>   CXXFLAGS=-fstack-protector-strong
>   LDFLAGS=-Wl,-z,relro,-z,now,--as-needed

What are your opinions about:
 -pipe -fPIE -fstack-shuffle -fstack-protector-all

> Also, should we use retpoline flags for all native binaries? This
> article[1] suggests ``applying a software mitigation (e.g., Google's
> Retpoline) to the hypervisor, operating system kernel, system programs
> and libraries, and user applications''. I've sent a patch to do so when
> bootstraping GCC 7 itself[2] but no reply are received yet (maybe I
> should have open a new bug instead of changing the title of an old
> bug).
> 
> [0]: https://wiki.debian.org/Hardening
> [1]: 
> https://security.googleblog.com/2018/01/more-details-about-mitigations-for-cpu_4.html
> [2]: https://debbugs.gnu.org/cgi/bugreport.cgi?bug=30111
> 

-- 
A88C8ADD129828D7EAC02E52E22F9BBFEE348588
https://n0.is



reply via email to

[Prev in Thread] Current Thread [Next in Thread]