diff --git a/buildflags.md b/buildflags.md index 8db4dc8..0fee80c 100644 --- a/buildflags.md +++ b/buildflags.md @@ -581,9 +581,9 @@ These compiler flags are enabled for all builds (hardened/annotated or not), but their selection depends on the architecture: * `-fcf-protection`: Instrument binaries to guard against - ROP/JOP attacks. Used on i686 and x86_64. + ROP/JOP exploitation techniques. Used on x86_64. * `-mbranch-protection=standard`: Instrument binaries to guard against - ROP/JOP attacks. Used on aarch64. + ROP/JOP exploitation techniques. Used on aarch64. * `-m64` and `-m32`: Some GCC builds support both 32-bit and 64-bit in the same compilation. For such architectures, the RPM build process explicitly selects the architecture variant by passing this compiler diff --git a/redhat-rpm-config.spec b/redhat-rpm-config.spec index fa48a4b..5ba7783 100644 --- a/redhat-rpm-config.spec +++ b/redhat-rpm-config.spec @@ -4,7 +4,7 @@ # 2) When making changes, increment the version (in baserelease) by 1. # rpmdev-bumpspec and other tools update the macro below, which is used # in Version: to get the desired effect. -%global baserelease 279 +%global baserelease 280 Summary: Red Hat specific rpm configuration files Name: redhat-rpm-config @@ -262,6 +262,9 @@ install -p -m 644 -t %{buildroot}%{_rpmluadir}/fedora common.lua %doc buildflags.md %changelog +* Tue Jan 16 2024 Florian Weimer - 280-1 +- Drop -fcf-protection for i686 because there won't be kernel support + * Tue Jan 16 2024 Nils Philippsen - 279-1 - Obsolete rpmautospec-rpm-macros without version diff --git a/rpmrc b/rpmrc index a407129..cd37043 100644 --- a/rpmrc +++ b/rpmrc @@ -3,7 +3,7 @@ include: /usr/lib/rpm/rpmrc optflags: i386 %{__global_compiler_flags} -m32 -march=i386 -mtune=generic -fasynchronous-unwind-tables -fstack-clash-protection optflags: i486 %{__global_compiler_flags} -m32 -march=i486 -fasynchronous-unwind-tables -fstack-clash-protection optflags: i586 %{__global_compiler_flags} -m32 -march=i586 -mtune=generic -fasynchronous-unwind-tables -fstack-clash-protection -optflags: i686 %{__global_compiler_flags} -m32 -march=i686 -mtune=generic -msse2 -mfpmath=sse -mstackrealign -fasynchronous-unwind-tables -fstack-clash-protection -fcf-protection +optflags: i686 %{__global_compiler_flags} -m32 -march=i686 -mtune=generic -msse2 -mfpmath=sse -mstackrealign -fasynchronous-unwind-tables -fstack-clash-protection optflags: athlon %{__global_compiler_flags} -m32 -march=athlon -fasynchronous-unwind-tables -fstack-clash-protection optflags: x86_64 %{__global_compiler_flags} -m64 %{__cflags_arch_x86_64} %__cflags_arch_x86_64_common optflags: x86_64_v2 %{__global_compiler_flags} -m64 -march=x86-64-v2 %__cflags_arch_x86_64_common