From 6b620c91fb353b5ee9637818a809015df8e9596f Mon Sep 17 00:00:00 2001 From: Florian Weimer Date: Wed, 2 May 2018 11:39:39 +0200 Subject: [PATCH] Use plain -fcf-protection compiler flag, without -mcet (#1570823) --- buildflags.md | 2 +- redhat-rpm-config.spec | 9 ++++++--- rpmrc | 4 ++-- 3 files changed, 9 insertions(+), 6 deletions(-) diff --git a/buildflags.md b/buildflags.md index 723e236..7f85aca 100644 --- a/buildflags.md +++ b/buildflags.md @@ -247,7 +247,7 @@ not), but their selection depends on the architecture: fully ABI-compatible and has adds very little run-time overhead, but is only available on certain architectures (currently aarch64, i386, ppc64, ppc64le, s390x, x86_64). -* ` -mcet -fcf-protection`: Instrument binaries to guard against +* `-fcf-protection`: Instrument binaries to guard against ROP/JOP attacks. Used on i686 and x86_64. * `-m64` and `-m32`: Some GCC builds support both 32-bit and 64-bit in the same compilation. For such architectures, the RPM build process diff --git a/redhat-rpm-config.spec b/redhat-rpm-config.spec index 178815c..f327d60 100644 --- a/redhat-rpm-config.spec +++ b/redhat-rpm-config.spec @@ -6,7 +6,7 @@ Summary: Red Hat specific rpm configuration files Name: redhat-rpm-config -Version: 108 +Version: 109 Release: 1%{?dist} # No version specified. License: GPL+ @@ -106,8 +106,8 @@ Requires: %{_bindir}/grep Requires: %{_bindir}/sed Requires: %{_bindir}/xargs -# -fstack-clash-protection and CET requires GCC 8. -Conflicts: gcc < 8.0 +# -fstack-clash-protection and -fcf-protection require GCC 8. +Conflicts: gcc < 8.0.1-0.22 Provides: system-rpm-config = %{version}-%{release} @@ -184,6 +184,9 @@ install -p -m 755 -t %{buildroot}%{_rpmconfigdir} kmod.prov %{_rpmconfigdir}/macros.d/macros.kmp %changelog +* Wed May 2 2018 Florian Weimer - 109-1 +- Use plain -fcf-protection compiler flag, without -mcet (#1570823) + * Tue May 01 2018 Peter Jones - 108-1 - Add Requires: efi-srpm-macros for %%{efi} 
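Review bot: In the second redhat-rpm-config.spec hunk, the comment above `Conflicts: gcc < 8.0.1-0.22` still says only that the flags "require GCC 8", which does not explain why a specific pre-release build is now the floor. Presumably 8.0.1-0.22 is the first gcc build that accepts -fcf-protection without -mcet; if that is right, the comment should say so, e.g. `# -fcf-protection without -mcet needs gcc 8.0.1-0.22 or later (#1570823).` Without that, a later cleanup could relax the bound back to `gcc < 8.0`, and the hardening flag might then be rejected by older GCC 8 snapshots.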
diff --git a/rpmrc b/rpmrc
index 17161f7..dc8fa85 100644
--- a/rpmrc
+++ b/rpmrc
@@ -3,10 +3,10 @@ include: /usr/lib/rpm/rpmrc
 optflags: i386 %{__global_compiler_flags} -m32 -march=i386 -mtune=generic -fasynchronous-unwind-tables -fstack-clash-protection
 optflags: i486 %{__global_compiler_flags} -m32 -march=i486 -fasynchronous-unwind-tables -fstack-clash-protection
 optflags: i586 %{__global_compiler_flags} -m32 -march=i586 -mtune=generic -fasynchronous-unwind-tables -fstack-clash-protection
-optflags: i686 %{__global_compiler_flags} -m32 -march=i686 -mtune=generic -fasynchronous-unwind-tables -fstack-clash-protection -mcet -fcf-protection
+optflags: i686 %{__global_compiler_flags} -m32 -march=i686 -mtune=generic -fasynchronous-unwind-tables -fstack-clash-protection -fcf-protection
 optflags: athlon %{__global_compiler_flags} -m32 -march=athlon -fasynchronous-unwind-tables -fstack-clash-protection
 optflags: ia64 %{__global_compiler_flags}
-optflags: x86_64 %{__global_compiler_flags} -m64 -mtune=generic -fasynchronous-unwind-tables -fstack-clash-protection -mcet -fcf-protection
+optflags: x86_64 %{__global_compiler_flags} -m64 -mtune=generic -fasynchronous-unwind-tables -fstack-clash-protection -fcf-protection
 optflags: alpha %{__global_compiler_flags} -mieee
 optflags: alphaev5 %{__global_compiler_flags} -mieee -mcpu=ev5
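Review bot: The rpmrc hunk keeps -fcf-protection on the i686 and x86_64 lines only, while i386, i486, i586 and athlon stay without it, and nothing in the file records whether that split is deliberate. A `#` comment above the optflags block would stop someone "completing" the hardening on the older targets. The likely reason, to be confirmed, is that the CET marker instructions are encoded as multi-byte NOPs that pre-i686 CPUs do not implement. Suggested wording: `# -fcf-protection is limited to i686/x86_64; older 32-bit targets cannot execute the CET marker instructions.` The buildflags.md entry could also say that the flag only instruments code. Enforcement still depends on CPU and OS support, and on every linked object carrying the CET property note, so a single unmarked object such as hand-written assembly can leave the final binary unprotected.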