-fcf-protection enables Indirect Branch Tracking, which we have recently enabled in the kernel. We should enable this in userspace, too.
I could not find out what GCC defaults to without any value, so this patch is explicitly enabling IBT for function returns, indirect function calls and indirect jumps.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
---
 make.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/make.sh b/make.sh index 57b6c6f15..f07604073 100755 --- a/make.sh +++ b/make.sh @@ -145,7 +145,7 @@ configure_build() { BUILDTARGET="${build_arch}-pc-linux-gnu" CROSSTARGET="${build_arch}-cross-linux-gnu" BUILD_PLATFORM="x86" - CFLAGS_ARCH="-m64 -mtune=generic -fcf-protection" + CFLAGS_ARCH="-m64 -mtune=generic -fcf-protection=full" ;;
aarch64)
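Review bot: the commit message attributes return protection to IBT, but in `-fcf-protection=full` the return half is the shadow stack (SHSTK); IBT only covers indirect calls and jumps. Rewording the message to "IBT and shadow stack" (or "branch and return protection") keeps the rationale accurate. GCC's documentation also states that a bare `-fcf-protection` is an alias for `-fcf-protection=full`, so the `-` and `+` lines of this hunk produce the same instrumentation; making the value explicit is still reasonable, but the message should say that rather than that the default is unknown. Since the flag only affects objects compiled with `CFLAGS_ARCH`, checking a few built binaries with `readelf -n` for the `GNU_PROPERTY_X86_FEATURE_1_AND` note (IBT and SHSTK bits set) is a quick way to confirm the flag reaches the whole build.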
At this time, this will enable return address signing, and branch target identification.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
---
 make.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/make.sh b/make.sh index f07604073..7c279b197 100755 --- a/make.sh +++ b/make.sh @@ -152,7 +152,7 @@ configure_build() { BUILDTARGET="${build_arch}-pc-linux-gnu" CROSSTARGET="${build_arch}-cross-linux-gnu" BUILD_PLATFORM="arm" - CFLAGS_ARCH="" + CFLAGS_ARCH="-mbranch-protection=standard" ;;
riscv64)
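Review bot: the commit message should record the toolchain requirement, since `-mbranch-protection=standard` is only understood by GCC 9 and newer (with a binutils that emits the AArch64 GNU property note) and an older bootstrap compiler would reject the flag outright. It would also help to spell out that `standard` expands to `pac-ret+bti`, and that the PAC and BTI instructions it inserts live in the HINT space and execute as NOPs on cores without those extensions, which is why a blanket `CFLAGS_ARCH` for the whole aarch64 target is safe. As with the x86 change, `readelf -n` on built objects (looking for the AArch64 feature note with the BTI and PAC bits) confirms the flag actually took effect.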