[devel] I: LTO in %optflags by default

Denis Medvedev nbr на altlinux.org
Ср Авг 25 08:46:40 MSK 2021

В Wed, 25 Aug 2021 09:27:50 +0400
"Ivan A. Melnikov" <iv на altlinux.org> пишет:

> On Tue, Aug 24, 2021 at 09:20:50PM +0300, Dmitry V. Levin wrote:
> > Hi,
> > 
> > Пришло время включить в Сизифе LTO (link-time optimization).
> > К сожалению, ещё не все пакеты собираются с этой оптимизацией,
> > некоторые предстоит исправить.  
> Скажите, а как это влияет на время сборки пакетов?
> Это тестировалось только на основных архитектурах? На всех?

Я, конечно, понимаю, что запоздал с этим,
но можно ли включить
по умолчаниию заодно вот это:

Attempt to compile code without unintended return addresses, making ROP just a little harder.

-mindirect-branch=thunk -mfunction-return=thunk
Enables retpoline (return trampolines) to mitigate some variants of Spectre V2. The second flag is necessary on Skylake+ due to the fact that the branch target buffer is vulnerable.

-fstack-protector-all -Wstack-protector --param ssp-buffer-size=4
choice of "-fstack-protector" does not protect all functions . You need -fstack-protector-all to guarantee guards are applied to all functions, although this will likely incur a performance penalty. Consider -fstack-protector-strong as a middle ground.
The -Wstack-protector flag here gives warnings for any functions that aren't going to get protected.

Defeats a class of attacks called stack clashing.

-pie -fPIE
Required to obtain the full security benefits of ASLR.

Generates traps for signed overflow (currently bugged in gcc, and may interfere with UBSAN).

Buffer overflow checks. See also difference between =2 and =1.

RELRO (read-only relocation). The options relro & now specified
together are known as "Full RELRO". You can specify "Partial RELRO" by
omitting the now flag. RELRO marks various ELF memory sections
read­only (E.g. the GOT).

Подробная информация о списке рассылки Devel