[devel] I: LTO in %optflags by default

Denis Medvedev nbr at altlinux.org
Wed Aug 25 08:50:39 MSK 2021


On Wed, 25 Aug 2021 08:46:40 +0300
Denis Medvedev <nbr at altlinux.org> wrote:

> On Wed, 25 Aug 2021 09:27:50 +0400
> "Ivan A. Melnikov" <iv at altlinux.org> wrote:
> 
> > On Tue, Aug 24, 2021 at 09:20:50PM +0300, Dmitry V. Levin wrote:
> > > Hi,
> > > 
> > > The time has come to enable LTO (link-time optimization) in Sisyphus.
> > > Unfortunately, not all packages build with this optimization yet;
> > > some still need to be fixed.
> > 
> > How does this affect package build time?
> > 
> > Was this tested only on the main architectures? On all of them?
> > 
> 
> I realize, of course, that I'm late with this,
> but could the following also be enabled
> by default at the same time:
> 
> 
> -mmitigate-rop
> Attempt to compile code without unintended return addresses, making
> ROP just a little harder.
> 
> -mindirect-branch=thunk -mfunction-return=thunk
> Enables retpoline (return trampolines) to mitigate some variants of
> Spectre V2. The second flag is necessary on Skylake+ due to the fact
> that the branch target buffer is vulnerable.
> 
> -fstack-protector-all -Wstack-protector --param ssp-buffer-size=4
> choice of "-fstack-protector" does not protect all functions. You
> need -fstack-protector-all to guarantee guards are applied to all
> functions, although this will likely incur a performance penalty.
> Consider -fstack-protector-strong as a middle ground. The
> -Wstack-protector flag here gives warnings for any functions that
> aren't going to get protected.
> 
> -fstack-clash-protection
> Defeats a class of attacks called stack clashing.
> 
> -pie -fPIE
> Required to obtain the full security benefits of ASLR.
> 
> -ftrapv
> Generates traps for signed overflow (currently bugged in gcc, and may
> interfere with UBSAN).
I wonder, is it still bugged?
> 
> -D_FORTIFY_SOURCE=2
> Buffer overflow checks. See also difference between =2 and =1.
> 
> -Wl,-z,relro,-z,now
> RELRO (read-only relocation). The options relro & now specified
> together are known as "Full RELRO". You can specify "Partial RELRO" by
> omitting the now flag. RELRO marks various ELF memory sections
> read-only (e.g. the GOT).
> _______________________________________________
> Devel mailing list
> Devel at lists.altlinux.org
> https://lists.altlinux.org/mailman/listinfo/devel

