[1/2] make.sh: x86_64: Enable CET full

Message ID 20230711132719.785979-1-michael.tremer@ipfire.org
State Staged
Commit 9ea072e6272b7df7ec604a6799d27ed316e7d740

Commit Message

Michael Tremer July 11, 2023, 1:27 p.m. UTC
  -fcf-protection enables Indirect Branch Tracking, which we have recently
enabled in the kernel. We should enable this in userspace, too.

I could not find out what GCC defaults to without any value, so this
patch is explicitly enabling IBT for function returns, indirect
function calls and indirect jumps.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
---
 make.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
  

Patch

diff --git a/make.sh b/make.sh
index 57b6c6f15..f07604073 100755
--- a/make.sh
+++ b/make.sh
@@ -145,7 +145,7 @@  configure_build() {
 			BUILDTARGET="${build_arch}-pc-linux-gnu"
 			CROSSTARGET="${build_arch}-cross-linux-gnu"
 			BUILD_PLATFORM="x86"
-			CFLAGS_ARCH="-m64 -mtune=generic -fcf-protection"
+			CFLAGS_ARCH="-m64 -mtune=generic -fcf-protection=full"
 			;;
 
 		aarch64)
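Review bot: On the changed CFLAGS_ARCH line in the x86_64 case, it is not clear from the patch whether `-fcf-protection=full` changes generated code or only spells out what the bare `-fcf-protection` already selected, since the commit message says the default could not be determined. Please settle that before merging, for example by comparing the CET property notes of one binary built with each setting, and record the result in the commit message. The subject says "CET full" while the body only names Indirect Branch Tracking, so it would also help to state which protections `full` is expected to cover, ideally as a short comment above the `CFLAGS_ARCH=` assignment so the choice of value is documented next to the flag.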