From 1b296f01fc3c5be942d6cf08393957550785952f Mon Sep 17 00:00:00 2001 From: Florian Weimer Date: Mon, 29 Jan 2018 15:08:43 +0100 Subject: [PATCH] Build flags: Enable CET on i686, x86_64 (#1538725) --- buildflags.md | 2 ++ redhat-rpm-config.spec | 8 +++++++- rpmrc | 4 ++-- 3 files changed, 11 insertions(+), 3 deletions(-) diff --git a/buildflags.md b/buildflags.md index 83ccc38..c740892 100644 --- a/buildflags.md +++ b/buildflags.md @@ -204,6 +204,8 @@ not), but their selection depends on the architecture: fully ABI-compatible and has adds very little run-time overhead, but is only available on certain architectures (currently aarch64, i386, ppc64, ppc64le, s390x, x86_64). +* ` -mcet -fcf-protection`: Instrument binaries to guard against + ROP/JOP attacks. Used on i686 and x86_64. * `-m64` and `-m32`: Some GCC builds support both 32-bit and 64-bit in the same compilation. For such architectures, the RPM build process explicitly selects the architecture variant by passing this compiler diff --git a/redhat-rpm-config.spec b/redhat-rpm-config.spec index 4e52916..bdb9bf5 100644 --- a/redhat-rpm-config.spec +++ b/redhat-rpm-config.spec @@ -6,7 +6,7 @@ Summary: Red Hat specific rpm configuration files Name: redhat-rpm-config -Version: 85 +Version: 86 Release: 1%{?dist} # No version specified. License: GPL+ @@ -88,6 +88,9 @@ Requires: dwz >= 0.4 Requires: zip Requires: (annobin if gcc) +# -fstack-clash-protection and CET requires GCC 8. +Conflicts: gcc < 8.0 + Provides: system-rpm-config = %{version}-%{release} %global rrcdir /usr/lib/rpm/redhat @@ -157,6 +160,9 @@ install -p -m 755 -t %{buildroot}%{_rpmconfigdir} kmod.prov %{_rpmconfigdir}/macros.d/macros.kmp %changelog +* Mon Jan 29 2018 Florian Weimer - 86-1 +- Build flags: Enable CET on i686, x86_64 (#1538725) + * Thu Jan 25 2018 Florian Weimer - 85-1 - Build flags: Switch to generic tuning on i686 (#1538693) diff --git a/rpmrc b/rpmrc index 8928689..223d828 100644 --- a/rpmrc +++ b/rpmrc 
@@ -3,10 +3,10 @@ include: /usr/lib/rpm/rpmrc
 optflags: i386 %{__global_compiler_flags} -m32 -march=i386 -mtune=generic -fasynchronous-unwind-tables -fstack-clash-protection
 optflags: i486 %{__global_compiler_flags} -m32 -march=i486 -fasynchronous-unwind-tables -fstack-clash-protection
 optflags: i586 %{__global_compiler_flags} -m32 -march=i586 -mtune=generic -fasynchronous-unwind-tables -fstack-clash-protection
-optflags: i686 %{__global_compiler_flags} -m32 -march=i686 -mtune=generic -fasynchronous-unwind-tables -fstack-clash-protection
+optflags: i686 %{__global_compiler_flags} -m32 -march=i686 -mtune=generic -fasynchronous-unwind-tables -fstack-clash-protection -mcet -fcf-protection
 optflags: athlon %{__global_compiler_flags} -m32 -march=athlon -fasynchronous-unwind-tables -fstack-clash-protection
 optflags: ia64 %{__global_compiler_flags}
-optflags: x86_64 %{__global_compiler_flags} -m64 -mtune=generic -fasynchronous-unwind-tables -fstack-clash-protection
+optflags: x86_64 %{__global_compiler_flags} -m64 -mtune=generic -fasynchronous-unwind-tables -fstack-clash-protection -mcet -fcf-protection
 optflags: alpha %{__global_compiler_flags} -mieee
 optflags: alphaev5 %{__global_compiler_flags} -mieee -mcpu=ev5
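Review bot: The `-mcet -fcf-protection` added to the i686 and x86_64 `optflags` lines only instruments code the compiler itself generates; as far as I know the linker marks the output as IBT/SHSTK-capable only when every input object carries the property note, so one hand-written assembly file or a package that overrides `%optflags` can yield an unprotected binary with no build-time signal. I would say so next to the new bullet in buildflags.md, e.g. `Protection is only effective if every object linked into the binary was built with these flags.`, and spot-check rebuilt packages with `readelf -n` for the x86 feature property. The flags also reach whatever compiler a package uses, while the guard added in the spec is only `Conflicts: gcc < 8.0`; how non-GCC builds handle them is not visible in this patch, and packages that respond by filtering flags wholesale would lose the other hardening options too. The hunk shows only part of the optflags list.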