Dear Guillaume, I'm not a Gentoo Dev either.
If there's a place to promote useful gcc flags from their security aspect, Gentoo Hardened is a good place to become a leader of such efforts, as it happened in the past.

1. Regarding fcf-protection:
"Currently the x86 GNU/Linux target provides an implementation based on Intel Control-flow Enforcement Technology (CET)."
- Does anybody know which Intel processor actually supports that since its announcement in 2016?
- It is also worth taking a look at these comments by Spender @ grsecurity: https://grsecurity.net/effectiveness_of_intel_cet_against_code_reuse_attacks.php
It would be good if hardware developers would discuss their plans with more security experts before they put something into production.

2. Regarding stack-clash:
"Most targets do not fully support stack clash protection."
- Some information would be helpful to elaborate a little bit more on "not fully" and exactly which targets we are talking about. Does anybody have more detailed documentation?

Best regards:
Dw.

--
dr Tóth Attila, Radiológus, 06-20-825-8057
Attila Toth MD, Radiologist, +36-20-825-8057

On 24 February 2019 (Sunday) at 14:27, Guillaume Ceccarelli wrote:
> Hello gentoo-hardened,
>
> I just looked into the release notes for the recently-released GCC 8.3.0
> present in ~arch, and two items grabbed my attention:
> 1. The addition of a -fcf-protection=[full|branch|return|none] flag to
> help with control flow integrity
> 2. The addition of -fstack-clash-protection to help protect against Stack
> Clash attacks
>
> At some point in the past, gentoo-hardened pioneered the use of
> -fstack-protector by default in its hardened profiles, amongst other
> things listed here : https://wiki.gentoo.org/wiki/Hardened/Toolchain
>
> I was wondering what this list thought of the new CFI and Stack Clash GCC
> options, if it'd be worth looking into working with them in the context of
> the Gentoo Hardened project, and perhaps in the future, integrating them
> into gentoo-hardened if they turn out to prove valuable?
>
> I'm no Gentoo Developer, but I have been using hardened gentoo on
> production systems for a while and so I'm wondering: how do we go about
> this?
>
> Best regards,
>
> – Guillaume Ceccarelli
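As an added example (not code from either poster, nor from the Gentoo Hardened project), here is a small Python parser for the .note.gnu.property payload that gcc 8's -fcf-protection writes into x86 objects, so you can verify from the ELF notes themselves whether IBT and SHSTK were actually requested for a binary before assuming the flag took effect. The sample note bytes are constructed inline to mirror what gcc emits; the constants are the NT_GNU_PROPERTY_TYPE_0 / GNU_PROPERTY_X86_FEATURE_1_AND values from the x86-64 psABI.

```python
import struct

# ELF note and GNU property constants (ELF gABI / x86-64 psABI)
NT_GNU_PROPERTY_TYPE_0 = 5
GNU_PROPERTY_X86_FEATURE_1_AND = 0xC0000002
GNU_PROPERTY_X86_FEATURE_1_IBT = 1 << 0    # indirect branch tracking
GNU_PROPERTY_X86_FEATURE_1_SHSTK = 1 << 1  # shadow stack


def align(n, a):
    return (n + a - 1) & ~(a - 1)


def parse_gnu_property_notes(data, align_bytes=8):
    """Walk a .note.gnu.property payload (ELF64 layout: descriptors and
    property entries padded to 8 bytes) and return the set of x86 CET
    feature names asserted via GNU_PROPERTY_X86_FEATURE_1_AND."""
    features = set()
    off = 0
    while off + 12 <= len(data):
        namesz, descsz, ntype = struct.unpack_from("<III", data, off)
        off += 12
        name = data[off:off + namesz]
        off += align(namesz, 4)
        desc = data[off:off + descsz]
        off += align(descsz, align_bytes)
        if ntype != NT_GNU_PROPERTY_TYPE_0 or name != b"GNU\0":
            continue  # not a GNU property note; skip it
        # desc is a sequence of (pr_type, pr_datasz, pr_data, pad) entries
        p = 0
        while p + 8 <= len(desc):
            pr_type, pr_datasz = struct.unpack_from("<II", desc, p)
            p += 8
            if pr_type == GNU_PROPERTY_X86_FEATURE_1_AND and pr_datasz == 4:
                bits = struct.unpack_from("<I", desc, p)[0]
                if bits & GNU_PROPERTY_X86_FEATURE_1_IBT:
                    features.add("IBT")
                if bits & GNU_PROPERTY_X86_FEATURE_1_SHSTK:
                    features.add("SHSTK")
            p += align(pr_datasz, align_bytes)
    return features


def build_note(bits):
    """Constructed sample: one GNU property note of the shape gcc emits
    for -fcf-protection (bits=3 corresponds to =full, i.e. IBT|SHSTK)."""
    desc = struct.pack("<III", GNU_PROPERTY_X86_FEATURE_1_AND, 4, bits) + b"\0" * 4
    return struct.pack("<III", 4, len(desc), NT_GNU_PROPERTY_TYPE_0) + b"GNU\0" + desc


if __name__ == "__main__":
    print(parse_gnu_property_notes(build_note(3)))  # {'IBT', 'SHSTK'}
```

On a real object the payload can be pulled out with `objcopy -O binary --only-section=.note.gnu.property in.o note.bin` and fed to parse_gnu_property_notes(); an empty result means the object (or one of the linked inputs, since the linker ANDs these properties) was not built with the flag.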