Skip to content

Commit

Permalink
gentoo: Enable CET (-fcf-protection=full) by default
Browse files Browse the repository at this point in the history 
Needs:
- CET to be enabled for GCC
- -DEXTRA_OPTIONS_CF to be passed during build (via toolchain.eclass).

Only supported on amd64.
  • Loading branch information
@thesamesam
thesamesam committed Nov 28, 2024
1 parent b287399 commit 0d1b9d2
Show file tree
Hide file tree
Showing 4 changed files with 33 additions and 19 deletions.
10 changes: 5 additions & 5 deletions gcc/cp/lang-specs.h
View file
Original file line number Diff line number Diff line change
Expand Up @@ -51,7 +51,7 @@ along with GCC; see the file COPYING3. If not see
" %{save-temps*:%b.ii} %{!save-temps*:%g.ii}}"
" %{!save-temps*:%{!no-integrated-cpp:%(cpp_unique_options)}}"
" %{fmodules-ts:-fmodule-header %{fpreprocessed:-fdirectives-only}}"
" %(cc1_options) %2"
" %(cc1_options) %(default_flag_cf_spec) %2"
" %{!fsyntax-only:"
" %{!S:-o %g.s}"
" %{!fmodule-*:%{!fmodules-*:%{!fdump-ada-spec*:"
Expand All @@ -72,7 +72,7 @@ along with GCC; see the file COPYING3. If not see
" %{!save-temps*:%{!no-integrated-cpp:%(cpp_unique_options)}}"
" %{fmodules-ts:-fmodule-header=system"
" %{fpreprocessed:-fdirectives-only}}"
" %(cc1_options) %2"
" %(cc1_options) %(default_flag_cf_spec) %2"
" %{!fsyntax-only:"
" %{!S:-o %g.s}"
" %{!fmodule-*:%{!fmodules-*:%{!fdump-ada-spec*:"
Expand All @@ -92,7 +92,7 @@ along with GCC; see the file COPYING3. If not see
" %{save-temps*:%b.ii} %{!save-temps*:%g.ii}}"
" %{!save-temps*:%{!no-integrated-cpp:%(cpp_unique_options)}}"
" %{fmodules-ts:-fmodule-header=user %{fpreprocessed:-fdirectives-only}}"
" %(cc1_options) %2"
" %(cc1_options) %(default_flag_cf_spec) %2"
" %{!fsyntax-only:"
" %{!S:-o %g.s}"
" %{!fmodule-*:%{!fmodules-*:%{!fdump-ada-spec*:"
Expand All @@ -107,7 +107,7 @@ along with GCC; see the file COPYING3. If not see
" cc1plus %{save-temps*|no-integrated-cpp:-fpreprocessed"
" %{save-temps*:%b.ii} %{!save-temps*:%g.ii}}"
" %{!save-temps*:%{!no-integrated-cpp:%(cpp_unique_options)}}"
" %(cc1_options) %2"
" %(cc1_options) %(default_flag_cf_spec) %2"
" %{!fsyntax-only:"
" %{fmodule-only:%{!S:-o %g.s%V}}"
" %{!fmodule-only:%(invoke_as)}}"
Expand All @@ -116,7 +116,7 @@ along with GCC; see the file COPYING3. If not see
{".ii", "@c++-cpp-output", 0, 0, 0},
{"@c++-cpp-output",
"%{!E:%{!M:%{!MM:"
" cc1plus -fpreprocessed %i %(cc1_options) %2"
" cc1plus -fpreprocessed %i %(cc1_options) %(default_flag_cf_spec) %2"
" %{!fsyntax-only:"
" %{fmodule-only:%{!S:-o %g.s%V}}"
" %{!fmodule-only:%{!fmodule-header*:%(invoke_as)}}}"
Expand Down
22 changes: 18 additions & 4 deletions gcc/gcc.cc
View file
Original file line number Diff line number Diff line change
Expand Up @@ -1007,6 +1007,18 @@ proper position among the other output files. */
#define LINK_NOW_SPEC ""
#endif

/* Default value for flag_cf_protection when flag_cf_protection is
initialized to CF_FULL.
We use a new option (EXTRA_OPTIONS_CF) here to avoid turning
this on accidentally for other arches. */
#ifdef EXTRA_OPTIONS_CF
#define DEFAULT_FLAG_CF_SPEC " %{!m16:%{!m32:%{!fcf-protection*:%{!fno-cf-protection:-fcf-protection}}}}"
#endif
#ifndef DEFAULT_FLAG_CF_SPEC
#define DEFAULT_FLAG_CF_SPEC ""
#endif

#ifdef ENABLE_DEFAULT_PIE
#define PIE_SPEC "!no-pie"
#define NO_FPIE1_SPEC "fno-pie"
Expand Down Expand Up @@ -1213,6 +1225,7 @@ static const char *cpp_spec = CPP_SPEC;
static const char *cc1_spec = CC1_SPEC OS_CC1_SPEC;
static const char *cc1plus_spec = CC1PLUS_SPEC;
static const char *link_gcc_c_sequence_spec = LINK_GCC_C_SEQUENCE_SPEC;
static const char *default_flag_cf_spec = DEFAULT_FLAG_CF_SPEC;
static const char *link_ssp_spec = LINK_SSP_SPEC;
static const char *asm_spec = ASM_SPEC;
static const char *asm_final_spec = ASM_FINAL_SPEC;
Expand Down Expand Up @@ -1273,7 +1286,7 @@ static const char *cpp_options =
"%(cpp_unique_options) %1 %{m*} %{std*&ansi&trigraphs} %{W*&pedantic*} %{w}\
%{f*} %{g*:%{%:debug-level-gt(0):%{g*}\
%{!fno-working-directory:-fworking-directory}}} %{O*}\
%{undef} %{save-temps*:-fpch-preprocess}";
%{undef} %{save-temps*:-fpch-preprocess} %(default_flag_cf_spec)";

/* Pass -d* flags, possibly modifying -dumpdir, -dumpbase et al.
Expand Down Expand Up @@ -1467,9 +1480,9 @@ static const struct compiler default_compilers[] =
%{save-temps*|traditional-cpp|no-integrated-cpp:%(trad_capable_cpp) \
%(cpp_options) -o %{save-temps*:%b.i} %{!save-temps*:%g.i} \n\
cc1 -fpreprocessed %{save-temps*:%b.i} %{!save-temps*:%g.i} \
%(cc1_options)}\
%(cc1_options)%(default_flag_cf_spec)}\
%{!save-temps*:%{!traditional-cpp:%{!no-integrated-cpp:\
cc1 %(cpp_unique_options) %(cc1_options)}}}\
cc1 %(cpp_unique_options) %(cc1_options) %(default_flag_cf_spec)}}}\
%{!fsyntax-only:%(invoke_as)}}}}", 0, 0, 1},
{"-",
"%{!E:%e-E or -x required when input is from standard input}\
Expand All @@ -1494,7 +1507,7 @@ static const struct compiler default_compilers[] =
%W{o*:--output-pch %w%*}}%{!S:%V}}}}}}}}", 0, 0, 0},
{".i", "@cpp-output", 0, 0, 0},
{"@cpp-output",
"%{!M:%{!MM:%{!E:cc1 -fpreprocessed %i %(cc1_options) %{!fsyntax-only:%(invoke_as)}}}}", 0, 0, 0},
"%{!M:%{!MM:%{!E:cc1 -fpreprocessed %i %(cc1_options) %(default_flag_cf_spec) %{!fsyntax-only:%(invoke_as)}}}}", 0, 0, 0},
{".s", "@assembler", 0, 0, 0},
{"@assembler",
"%{!M:%{!MM:%{!E:%{!S:as %(asm_debug) %(asm_options) %i %A }}}}", 0, 0, 0},
Expand Down Expand Up @@ -1726,6 +1739,7 @@ static struct spec_list static_specs[] =
INIT_STATIC_SPEC ("cc1_options", &cc1_options),
INIT_STATIC_SPEC ("cc1plus", &cc1plus_spec),
INIT_STATIC_SPEC ("link_gcc_c_sequence", &link_gcc_c_sequence_spec),
INIT_STATIC_SPEC ("default_flag_cf_spec", &default_flag_cf_spec),
INIT_STATIC_SPEC ("link_ssp", &link_ssp_spec),
INIT_STATIC_SPEC ("endfile", &endfile_spec),
INIT_STATIC_SPEC ("link", &link_spec),
Expand Down
12 changes: 6 additions & 6 deletions gcc/objc/lang-specs.h
View file
Original file line number Diff line number Diff line change
Expand Up @@ -29,9 +29,9 @@ along with GCC; see the file COPYING3. If not see
%{traditional|traditional-cpp:\
%eGNU Objective C no longer supports traditional compilation}\
%{save-temps*|no-integrated-cpp:cc1obj -E %(cpp_options) -o %{save-temps*:%b.mi} %{!save-temps*:%g.mi} \n\
cc1obj -fpreprocessed %{save-temps*:%b.mi} %{!save-temps*:%g.mi} %(cc1_options) %{print-objc-runtime-info} %{gen-decls}}\
cc1obj -fpreprocessed %{save-temps*:%b.mi} %{!save-temps*:%g.mi} %(cc1_options) %(default_flag_cf_spec) %{print-objc-runtime-info} %{gen-decls}}\
%{!save-temps*:%{!no-integrated-cpp:\
cc1obj %(cpp_unique_options) %(cc1_options) %{print-objc-runtime-info} %{gen-decls}}}\
cc1obj %(cpp_unique_options) %(cc1_options) %(default_flag_cf_spec) %{print-objc-runtime-info} %{gen-decls}}}\
%{!fsyntax-only:%(invoke_as)}}}}", 0, 0, 0},
{"@objective-c-header",
"%{E|M|MM:cc1obj -E %{traditional|traditional-cpp:-traditional-cpp}\
Expand All @@ -40,18 +40,18 @@ along with GCC; see the file COPYING3. If not see
%{traditional|traditional-cpp:\
%eGNU Objective C no longer supports traditional compilation}\
%{save-temps*|no-integrated-cpp:cc1obj -E %(cpp_options) -o %{save-temps*:%b.mi} %{!save-temps*:%g.mi} \n\
cc1obj -fpreprocessed %b.mi %(cc1_options) %{print-objc-runtime-info} %{gen-decls}\
cc1obj -fpreprocessed %b.mi %(cc1_options) %(default_flag_cf_spec) %{print-objc-runtime-info} %{gen-decls}\
-o %g.s %{!o*:--output-pch %i.gch}\
%W{o*:--output-pch %*}%V}\
%{!save-temps*:%{!no-integrated-cpp:\
cc1obj %(cpp_unique_options) %(cc1_options) %{print-objc-runtime-info} %{gen-decls}\
cc1obj %(cpp_unique_options) %(cc1_options) %(default_flag_cf_spec) %{print-objc-runtime-info} %{gen-decls}\
-o %g.s %{!o*:--output-pch %i.gch}\
%W{o*:--output-pch %*}%V}}}}}", 0, 0, 0},
{".mi", "@objective-c-cpp-output", 0, 0, 0},
{"@objective-c-cpp-output",
"%{!M:%{!MM:%{!E:cc1obj -fpreprocessed %i %(cc1_options) %{print-objc-runtime-info} %{gen-decls}\
"%{!M:%{!MM:%{!E:cc1obj -fpreprocessed %i %(cc1_options) %(default_flag_cf_spec) %{print-objc-runtime-info} %{gen-decls}\
%{!fsyntax-only:%(invoke_as)}}}}", 0, 0, 0},
{"@objc-cpp-output",
"%nobjc-cpp-output is deprecated; please use objective-c-cpp-output instead\n\
%{!M:%{!MM:%{!E:cc1obj -fpreprocessed %i %(cc1_options) %{print-objc-runtime-info} %{gen-decls}\
%{!M:%{!MM:%{!E:cc1obj -fpreprocessed %i %(cc1_options) %(default_flag_cf_spec) %{print-objc-runtime-info} %{gen-decls}\
%{!fsyntax-only:%(invoke_as)}}}}", 0, 0, 0},
8 changes: 4 additions & 4 deletions gcc/objcp/lang-specs.h
View file
Original file line number Diff line number Diff line change
Expand Up @@ -36,7 +36,7 @@ along with GCC; see the file COPYING3. If not see
%(cpp_options) %2 -o %{save-temps*:%b.mii} %{!save-temps*:%g.mii} \n}\
cc1objplus %{save-temps*|no-integrated-cpp:-fpreprocessed %{save-temps*:%b.mii} %{!save-temps*:%g.mii}}\
%{!save-temps*:%{!no-integrated-cpp:%(cpp_unique_options)}}\
%(cc1_options) %2\
%(cc1_options) %(default_flag_cf_spec) %2\
-o %g.s %{!o*:--output-pch %i.gch} %W{o*:--output-pch %*}%V}}}",
CPLUSPLUS_CPP_SPEC, 0, 0},
{"@objective-c++",
Expand All @@ -46,16 +46,16 @@ along with GCC; see the file COPYING3. If not see
%(cpp_options) %2 -o %{save-temps*:%b.mii} %{!save-temps*:%g.mii} \n}\
cc1objplus %{save-temps*|no-integrated-cpp:-fpreprocessed %{save-temps*:%b.mii} %{!save-temps*:%g.mii}}\
%{!save-temps*:%{!no-integrated-cpp:%(cpp_unique_options)}}\
%(cc1_options) %2\
%(cc1_options) %(default_flag_cf_spec) %2\
%{!fsyntax-only:%(invoke_as)}}}}",
CPLUSPLUS_CPP_SPEC, 0, 0},
{".mii", "@objective-c++-cpp-output", 0, 0, 0},
{"@objective-c++-cpp-output",
"%{!M:%{!MM:%{!E:\
cc1objplus -fpreprocessed %i %(cc1_options) %2\
cc1objplus -fpreprocessed %i %(cc1_options) %(default_flag_cf_spec) %2\
%{!fsyntax-only:%(invoke_as)}}}}", 0, 0, 0},
{"@objc++-cpp-output",
"%nobjc++-cpp-output is deprecated; please use objective-c++-cpp-output instead\n\
%{!M:%{!MM:%{!E:\
cc1objplus -fpreprocessed %i %(cc1_options) %2\
cc1objplus -fpreprocessed %i %(cc1_options) %(default_flag_cf_spec) %2\
%{!fsyntax-only:%(invoke_as)}}}}", 0, 0, 0},

0 comments on commit 0d1b9d2

Please sign in to comment.