[devel] I: LTO in %optflags by default

Denis Medvedev nbr at altlinux.org
Wed Aug 25 08:46:40 MSK 2021


On Wed, 25 Aug 2021 09:27:50 +0400
"Ivan A. Melnikov" <iv at altlinux.org> wrote:

> On Tue, Aug 24, 2021 at 09:20:50PM +0300, Dmitry V. Levin wrote:
> > Hi,
> > 
> > It is time to enable LTO (link-time optimization) in Sisyphus.
> > Unfortunately, not all packages build with this optimization yet;
> > some will have to be fixed.  
> 
> Tell me, how does this affect package build times?
> 
> Was this tested only on the main architectures? On all of them?
> 

I realize, of course, that I am late with this,
but could the following also be enabled
by default while we are at it:


-mmitigate-rop
Attempt to compile code without unintended return addresses, making ROP just a little harder.

-mindirect-branch=thunk -mfunction-return=thunk
Enables retpoline (return trampolines) to mitigate some variants of Spectre V2. The second flag is necessary on Skylake+ due to the fact that the branch target buffer is vulnerable.

-fstack-protector-all -Wstack-protector --param ssp-buffer-size=4
Choice of "-fstack-protector" does not protect all functions. You need -fstack-protector-all to guarantee guards are applied to all functions, although this will likely incur a performance penalty. Consider -fstack-protector-strong as a middle ground.
The -Wstack-protector flag here gives warnings for any functions that aren't going to get protected.

-fstack-clash-protection
Defeats a class of attacks called stack clashing.

-pie -fPIE
Required to obtain the full security benefits of ASLR.

-ftrapv
Generates traps for signed overflow (currently bugged in gcc, and may interfere with UBSAN).

-D_FORTIFY_SOURCE=2
Buffer overflow checks. See also difference between =2 and =1.

-Wl,-z,relro,-z,now
RELRO (read-only relocation). The options relro & now specified
together are known as "Full RELRO". You can specify "Partial RELRO" by
omitting the now flag. RELRO marks various ELF memory sections
read-only (E.g. the GOT).

