Thanks! Updated description.

** Description changed:

> Currently, -fhardened enables:
>
> -D_FORTIFY_SOURCE=3 (or =2 for older glibcs)
> -D_GLIBCXX_ASSERTIONS
- > -ftrivial-auto-var-init=pattern
+ > -ftrivial-auto-var-init=zero
> -fPIE -pie -Wl,-z,relro,-z,now
> -fstack-protector-strong
> -fstack-clash-protection
> -fcf-protection=full (x86 GNU/Linux only)
>
> -fhardened will not override options that were specified on the command line
> (before or after -fhardened). For example,
>
> -D_FORTIFY_SOURCE=1 -fhardened
>
> means that _FORTIFY_SOURCE=1 will be used. Similarly,
>
> -fhardened -fstack-protector
>
> will not enable -fstack-protector-strong.

- From [0]. Please also see [1]
+ From [0][1].

For Ubuntu, this would effectively add -D_GLIBCXX_ASSERTIONS [2],
-ftrivial-auto-var-init=pattern [related to 3], and fixes our implementation of Full RELRO
[4].

From an ecosystem and distro perspective, -fhardened is a very nice way to implement gcc compiler flags. Since the GCC project maintains these flags, distros will inherit new flags as they are added. This circumvents the security vs performance debate each distro internally has each time they add a new flag.

When a distro adopts a new hardening flag, there will likely be packages which fail to build from source (often bugs in the package). The first distro to rebuild their archive with a new flag pays the highest cost, since most of the bugs have not been discovered or discussed yet. Being first to market has a high cost and slows down hardening adoption. Major distros can share this burden by using -fhardened, so that they inherit flags and begin finding bugs at roughly the same time.

Ubuntu can lead compiler hardening, by becoming the first distro to adopt -fhardened [5].

[0] https://gcc.gnu.org/pipermail/gcc-patches/2023-September/630550.html
[1] https://gcc.gnu.org/onlinedocs/gcc/Instrumentation-Options.html#index-fhardened
[2] https://bugs.launchpad.net/ubuntu/+source/gcc-14/+bug/2016042
[3] https://bugs.launchpad.net/ubuntu/+source/gcc-14/+bug/1972043
[4] https://bugs.launchpad.net/ubuntu/+source/gcc-14/+bug/2078989
[5] https://github.com/jvoisin/compiler-flags-distro/

** Description changed:

> Currently, -fhardened enables:
>
> -D_FORTIFY_SOURCE=3 (or =2 for older glibcs)
> -D_GLIBCXX_ASSERTIONS
> -ftrivial-auto-var-init=zero
> -fPIE -pie -Wl,-z,relro,-z,now
> -fstack-protector-strong
> -fstack-clash-protection
> -fcf-protection=full (x86 GNU/Linux only)
>
> -fhardened will not override options that were specified on the command line
> (before or after -fhardened). For example,
>
> -D_FORTIFY_SOURCE=1 -fhardened
>
> means that _FORTIFY_SOURCE=1 will be used. Similarly,
>
> -fhardened -fstack-protector
>
> will not enable -fstack-protector-strong.

From [0][1].

For Ubuntu, this would effectively add -D_GLIBCXX_ASSERTIONS [2],
- -ftrivial-auto-var-init=pattern [related to 3], and fixes our implementation of Full RELRO
+ -ftrivial-auto-var-init=pattern [3], and fixes our implementation of Full RELRO
[4].

From an ecosystem and distro perspective, -fhardened is a very nice way to implement gcc compiler flags. Since the GCC project maintains these flags, distros will inherit new flags as they are added. This circumvents the security vs performance debate each distro internally has each time they add a new flag.

When a distro adopts a new hardening flag, there will likely be packages which fail to build from source (often bugs in the package). The first distro to rebuild their archive with a new flag pays the highest cost, since most of the bugs have not been discovered or discussed yet. Being first to market has a high cost and slows down hardening adoption. Major distros can share this burden by using -fhardened, so that they inherit flags and begin finding bugs at roughly the same time.

Ubuntu can lead compiler hardening, by becoming the first distro to adopt -fhardened [5].

[0] https://gcc.gnu.org/pipermail/gcc-patches/2023-September/630550.html
[1] https://gcc.gnu.org/onlinedocs/gcc/Instrumentation-Options.html#index-fhardened
[2] https://bugs.launchpad.net/ubuntu/+source/gcc-14/+bug/2016042
[3] https://bugs.launchpad.net/ubuntu/+source/gcc-14/+bug/1972043
[4] https://bugs.launchpad.net/ubuntu/+source/gcc-14/+bug/2078989
[5] https://github.com/jvoisin/compiler-flags-distro/

** Description changed:

> Currently, -fhardened enables:
>
> -D_FORTIFY_SOURCE=3 (or =2 for older glibcs)
> -D_GLIBCXX_ASSERTIONS
> -ftrivial-auto-var-init=zero
> -fPIE -pie -Wl,-z,relro,-z,now
> -fstack-protector-strong
> -fstack-clash-protection
> -fcf-protection=full (x86 GNU/Linux only)
>
> -fhardened will not override options that were specified on the command line
> (before or after -fhardened). For example,
>
> -D_FORTIFY_SOURCE=1 -fhardened
>
> means that _FORTIFY_SOURCE=1 will be used. Similarly,
>
> -fhardened -fstack-protector
>
> will not enable -fstack-protector-strong.

From [0][1].

For Ubuntu, this would effectively add -D_GLIBCXX_ASSERTIONS [2],
- -ftrivial-auto-var-init=pattern [3], and fixes our implementation of Full RELRO
+ -ftrivial-auto-var-init=zero [3], and fixes our implementation of Full RELRO
[4].

From an ecosystem and distro perspective, -fhardened is a very nice way to implement gcc compiler flags. Since the GCC project maintains these flags, distros will inherit new flags as they are added. This circumvents the security vs performance debate each distro internally has each time they add a new flag.

When a distro adopts a new hardening flag, there will likely be packages which fail to build from source (often bugs in the package). The first distro to rebuild their archive with a new flag pays the highest cost, since most of the bugs have not been discovered or discussed yet. Being first to market has a high cost and slows down hardening adoption. Major distros can share this burden by using -fhardened, so that they inherit flags and begin finding bugs at roughly the same time.

Ubuntu can lead compiler hardening, by becoming the first distro to adopt -fhardened [5].

[0] https://gcc.gnu.org/pipermail/gcc-patches/2023-September/630550.html
[1] https://gcc.gnu.org/onlinedocs/gcc/Instrumentation-Options.html#index-fhardened
[2] https://bugs.launchpad.net/ubuntu/+source/gcc-14/+bug/2016042
[3] https://bugs.launchpad.net/ubuntu/+source/gcc-14/+bug/1972043
[4] https://bugs.launchpad.net/ubuntu/+source/gcc-14/+bug/2078989
[5] https://github.com/jvoisin/compiler-flags-distro/

--
You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2080267

Title:
  Please add -fhardened to default build flags