From: Denis Medvedev
To: devel@lists.altlinux.org
Date: Wed, 25 Aug 2021 08:46:40 +0300
Subject: Re: [devel] I: LTO in %optflags by default
Message-ID: <20210825084640.2412f2e2@homerun.localdomain>
In-Reply-To: <20210825052750.pcv2xtridwc3wgqq@titan.localdomain>
References: <20210824182050.GA5179@altlinux.org> <20210825052750.pcv2xtridwc3wgqq@titan.localdomain>

On Wed, 25 Aug 2021 09:27:50 +0400 "Ivan A. Melnikov" writes:

> On Tue, Aug 24, 2021 at 09:20:50PM +0300, Dmitry V. Levin wrote:
> > Hi,
> >
> > It is time to enable LTO (link-time optimization) in Sisyphus.
> > Unfortunately, not all packages build with this optimization yet;
> > some will have to be fixed.
>
> Tell me, how does this affect package build time?
>
> Was this tested only on the main architectures? On all of them?
>

I realize, of course, that I am late with this, but could the following also be enabled by default while we are at it:

-mmitigate-rop
Attempt to compile code without unintended return addresses, making ROP just a little harder.

-mindirect-branch=thunk -mfunction-return=thunk
Enables retpoline (return trampolines) to mitigate some variants of Spectre V2. The second flag is necessary on Skylake+ due to the fact that the branch target buffer is vulnerable.

-fstack-protector-all -Wstack-protector --param ssp-buffer-size=4
The choice of "-fstack-protector" does not protect all functions. You need -fstack-protector-all to guarantee guards are applied to all functions, although this will likely incur a performance penalty. Consider -fstack-protector-strong as a middle ground. The -Wstack-protector flag here gives warnings for any functions that aren't going to get protected.

-fstack-clash-protection
Defeats a class of attacks called stack clashing.

-pie -fPIE
Required to obtain the full security benefits of ASLR.

-ftrapv
Generates traps for signed overflow (currently bugged in gcc, and may interfere with UBSAN).

-D_FORTIFY_SOURCE=2
Buffer overflow checks. See also the difference between =2 and =1.

-Wl,-z,relro,-z,now
RELRO (read-only relocation). The options relro & now specified together are known as "Full RELRO". You can specify "Partial RELRO" by omitting the now flag. RELRO marks various ELF memory sections read-only (e.g. the GOT).
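Whether such flags end up in %optflags or not, a packager wants to confirm on the built binary that they took effect. The script below is an added example, not part of the mail above or of the ALT Linux build system: it classifies RELRO, PIE, stack-canary and FORTIFY status from `readelf` output, using constructed readelf fragments (not captured from a real package) so the checks can be exercised without a toolchain.

```shell
#!/bin/sh
# Added example: verify that -pie -fPIE, -Wl,-z,relro,-z,now, -fstack-protector*
# and -D_FORTIFY_SOURCE actually reached a built ELF file. The *_status functions
# take readelf text as arguments; hardening_report runs readelf on a real file.

# $1: output of `readelf -lW BIN`; $2: output of `readelf -dW BIN`
relro_status() {
    if ! printf '%s\n' "$1" | grep -q 'GNU_RELRO'; then
        echo "No RELRO"
    elif printf '%s\n' "$2" | grep -Eq 'BIND_NOW|\(FLAGS_1\).*[[:space:]]NOW([[:space:]]|$)'; then
        echo "Full RELRO"      # RELRO segment plus immediate binding: GOT is read-only
    else
        echo "Partial RELRO"   # RELRO segment, but lazy binding leaves the GOT writable
    fi
}

# $1: output of `readelf -hW BIN`. A PIE executable has ELF type DYN, not EXEC.
pie_status() {
    if printf '%s\n' "$1" | grep -Eq 'Type:[[:space:]]+DYN'; then echo "PIE"; else echo "no PIE"; fi
}

# $1: output of `readelf -sW BIN`. Canary checks call __stack_chk_fail; FORTIFY_SOURCE
# replaces libc calls with *_chk variants such as __memcpy_chk.
canary_status()  { printf '%s\n' "$1" | grep -q '__stack_chk_fail' && echo "canary" || echo "no canary"; }
fortify_status() { printf '%s\n' "$1" | grep -v '__stack_chk_fail' | grep -q '__[a-z_]*_chk' && echo "fortified" || echo "not fortified"; }

hardening_report() {  # $1: path to an ELF file; needs binutils installed
    l=$(readelf -lW "$1"); d=$(readelf -dW "$1"); h=$(readelf -hW "$1"); s=$(readelf -sW "$1")
    printf '%s: %s, %s, %s, %s\n' "$1" "$(relro_status "$l" "$d")" "$(pie_status "$h")" \
        "$(canary_status "$s")" "$(fortify_status "$s")"
}

# Constructed readelf fragments (not from a real package) for self-checking.
SAMPLE_HARDENED_L='  GNU_RELRO      0x002dd0 0x0000000000003dd0 0x0000000000003dd0 0x000230 0x000230 R   0x1'
SAMPLE_HARDENED_D=' 0x000000000000001e (FLAGS)              BIND_NOW
 0x000000006ffffffb (FLAGS_1)            Flags: NOW PIE'
SAMPLE_HARDENED_H='  Type:                              DYN (Position-Independent Executable file)'
SAMPLE_HARDENED_S='     3: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND __stack_chk_fail@GLIBC_2.4 (2)
     4: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND __memcpy_chk@GLIBC_2.3.4 (3)'
SAMPLE_LAZY_D=' 0x000000006ffffffb (FLAGS_1)            Flags: PIE'
SAMPLE_PLAIN_L='  LOAD           0x000000 0x0000000000400000 0x0000000000400000 0x000268 0x000268 R   0x1000'
SAMPLE_PLAIN_H='  Type:                              EXEC (Executable file)'
SAMPLE_PLAIN_S='     3: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND memcpy@GLIBC_2.14 (2)'

if [ -n "${1-}" ]; then hardening_report "$1"; fi
```

Run as `sh check.sh /path/to/binary` to report on a real file; a "Partial RELRO" or "no PIE" result means the corresponding flag was dropped somewhere in the package's build.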