On Mon, Sep 18, 2023 at 08:57:39AM +0200, Richard Biener wrote:
> On Fri, Sep 15, 2023 at 5:09 PM Marek Polacek via Gcc-patches
> <gcc-patches@gcc.gnu.org> wrote:
> >
> > Bootstrapped/regtested on x86_64-pc-linux-gnu,
> > powerpc64le-unknown-linux-gnu,
> > and aarch64-unknown-linux-gnu; ok for trunk?
> >
> > -- >8 --
> > In <https://gcc.gnu.org/pipermail/gcc-patches/2023-August/628748.html>
> > I proposed -fhardened, a new umbrella option that enables a reasonable set
> > of hardening flags.  The read of the room seems to be that the option
> > would be useful.  So here's a patch implementing that option.
> >
> > Currently, -fhardened enables:
> >
> >   -D_FORTIFY_SOURCE=3 (or =2 for older glibcs)
> >   -D_GLIBCXX_ASSERTIONS
> >   -ftrivial-auto-var-init=pattern
> >   -fPIE  -pie  -Wl,-z,relro,-z,now
> >   -fstack-protector-strong
> >   -fstack-clash-protection
> >   -fcf-protection=full (x86 GNU/Linux only)
> >
> > -fhardened will not override options that were specified on the command line
> > (before or after -fhardened).  For example,
> >
> >      -D_FORTIFY_SOURCE=1 -fhardened
> >
> > means that _FORTIFY_SOURCE=1 will be used.  Similarly,
> >
> >       -fhardened -fstack-protector
> >
> > will not enable -fstack-protector-strong.
> >
> > In DW_AT_producer it is reflected only as -fhardened; it doesn't expand
> > to anything.  I think we need a better way to show what it actually
> > enables.
>
> I do think we need to find a solution here to solve asserting compliance.

Fair enough.

> Maybe we can have -Whardened that will diagnose any altering of
> -fhardened by other options on the command-line or by missed target
> implementations?  People might for example use -fstack-protector
> but don't really want to make protection lower than requested with -fhardened.
>
> Any such conflict is much less apparent than when you use the
> flags -fhardened composes.

How about: --help=hardened says which options -fhardened attempts to
enable, and -Whardened warns when it didn't enable an option?  E.g.,

  -fstack-protector -fhardened -Whardened

would say that it didn't enable -fstack-protector-strong because
-fstack-protector was specified on the command line?

If !HAVE_LD_NOW_SUPPORT, --help=hardened probably doesn't even have to
list -z now, likewise for -z relro.

Unclear if -Whardened should be enabled by default, but probably yes?

Marek
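
An added example, not part of the message above or of the GCC patch: a Python check that applies the precedence rule discussed in the thread to build command lines and reports which option -fhardened would have enabled was displaced by an explicit one, for use when auditing build logs. The option families, the "-z,KEYWORD" normalisation and the last-option-wins rule are assumptions of this example, not GCC's implementation.

```python
import re
import shlex

# Options the thread lists for -fhardened, each with a pattern for the explicit
# options assumed to take precedence over it. The grouping into families is an
# assumption of this example; linker options are normalised to "-z,KEYWORD".
FAMILIES = [
    ("-D_FORTIFY_SOURCE=3", r"-[DU]_FORTIFY_SOURCE(=\d+)?"),
    ("-D_GLIBCXX_ASSERTIONS", r"-[DU]_GLIBCXX_ASSERTIONS(=.*)?"),
    ("-ftrivial-auto-var-init=pattern", r"-ftrivial-auto-var-init=\w+"),
    ("-fPIE", r"-f(no-)?(pie|PIE|pic|PIC)"),
    ("-pie", r"-(no-)?pie"),
    ("-z,relro", r"-z,(no)?relro"),
    ("-z,now", r"-z,(now|lazy)"),
    ("-fstack-protector-strong", r"-f(no-)?stack-protector(-\w+)?"),
    ("-fstack-clash-protection", r"-f(no-)?stack-clash-protection"),
    ("-fcf-protection=full", r"-fcf-protection(=\w+)?"),  # x86 GNU/Linux only
]

def explicit_options(cmdline):
    """Tokenise a compiler command line, unpacking -z keywords from -Wl,..."""
    opts = []
    for tok in shlex.split(cmdline):
        if tok.startswith("-Wl,"):
            opts += ["-z," + kw for kw in re.findall(r"-z,([\w-]+)", tok)]
        else:
            opts.append(tok)
    return opts

def displaced(cmdline):
    """Map each -fhardened option to the explicit option used instead of it.

    Returns None when -fhardened is absent. Position relative to -fhardened is
    ignored, matching "before or after" in the thread.
    """
    opts = explicit_options(cmdline)
    if "-fhardened" not in opts:
        return None
    report = {}
    for enabled, pattern in FAMILIES:
        hits = [o for o in opts if re.fullmatch(pattern, o)]
        # Assumption: the last explicit spelling wins; an explicit option equal
        # to what -fhardened would enable is not reported.
        if hits and hits[-1] != enabled:
            report[enabled] = hits[-1]
    return report

# Constructed build-log lines, not taken from a real project.
SAMPLE = ["gcc -O2 -fstack-protector -fhardened -c a.c",
          "gcc -fhardened -Wl,-z,norelro,-z,lazy a.o -o a"]
if __name__ == "__main__":
    for line in SAMPLE:
        print(line, "->", displaced(line))
```

An empty result means -fhardened was present and nothing on the line displaced its options; it says nothing about whether the target or linker supports them.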