[arch-dev-public] Adding hardening compiler/linker flags
Stéphane Gaudreault
stephane at archlinux.org
Thu May 5 14:56:10 EDT 2011
On 4 May 2011 11:29:17, Allan McRae wrote:
> There have been requests for some hardening of our default
> CFLAGS/LDFLAGS (e.g. FS#18864). I believe this was discussed on this
> list previously and there were no real objections. So actually doing
> this has been on the table for some time but has been delayed by a
> combination of lack of time on my behalf and inconvenient timing with
> toolchain updates. I think now would be a good time to look at doing this.
>
> The plan is to add "-fstack-protector-all -D_FORTIFY_SOURCE=2
> --param=ssp-buffer-size=4" to our C{XX}FLAGS and "-Wl,-z,relro" to our
> LDFLAGS. We could also add "-Wl,-O1" and maybe "-Wl,--sort-common" to
> our LDFLAGS at the same time for some optimisation.
>
> I am taking the approach of adding C/CXX/LDFLAGS rather than the
> patching the default compiler options approach most other distros use as
> it is more consistent with our patching policy and will reduce my
> maintenance burden. It also makes it easier to disable an option if
> necessary by just changing their values. The disadvantage being that we
> have to make sure software listens to our CFLAGS values...
>
> What I do not intend to add:
>
> -Wl,-z,now - has a performance hit (mainly for large programs?).
> -fPIE -pie - large performance hit (5-10%) on i686, almost none on x86_64
>
> These should be enabled for individual programs as the maintainer sees
> fit. PIE stuff is also more difficult and would probably require
> patching of the gcc specs file to start dealing with properly and would
> still lead to a bunch of issues. So that is something that I may look
> at in the distant future for x86_64 only.
>
>
> So the plan is....
>
> 1) Finalise the CFLAGS/LDFLAGS
> 2) I get the toolchain built and working with these
> 3) I upload a pacman package with the changed makepkg.conf
> 4) Consider a [core] rebuild ???
>
>
> Starting with #1. Are there any comments on the proposed CFLAGS/LDFLAGS
> or any further additions that people think might be of use at the same
> time.
>
> Allan
Debian has a nice "hardening-check" script [1] to verify that an ELF binary
has hardening features enabled. Maybe we could include something similar in
our devtools?
Stéphane
[1] http://packages.debian.org/sid/hardening-includes