From patchwork Tue Jul 11 13:27:18 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Michael Tremer X-Patchwork-Id: 6987 Return-Path: Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384) client-signature ECDSA (P-384)) (Client CN "mail01.haj.ipfire.org", Issuer "R3" (verified OK)) by web04.haj.ipfire.org (Postfix) with ESMTPS id 4R0hW65GMjz3wfS for ; Tue, 11 Jul 2023 13:27:30 +0000 (UTC) Received: from mail02.haj.ipfire.org (mail02.haj.ipfire.org [172.28.1.201]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (secp384r1) client-signature ECDSA (secp384r1)) (Client CN "mail02.haj.ipfire.org", Issuer "R3" (verified OK)) by mail01.ipfire.org (Postfix) with ESMTPS id 4R0hW26dbvz1xJ; Tue, 11 Jul 2023 13:27:26 +0000 (UTC) Received: from mail02.haj.ipfire.org (localhost [127.0.0.1]) by mail02.haj.ipfire.org (Postfix) with ESMTP id 4R0hW23n5dz303q; Tue, 11 Jul 2023 13:27:26 +0000 (UTC) Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384) server-digest SHA384 client-signature ECDSA (P-384) client-digest SHA384) (Client CN "mail01.haj.ipfire.org", Issuer "R3" (verified OK)) by mail02.haj.ipfire.org (Postfix) with ESMTPS id 4R0hW12lGZz2xdh for ; Tue, 11 Jul 2023 13:27:25 +0000 (UTC) Received: from michael.haj.ipfire.org (michael.haj.ipfire.org [172.28.1.242]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (secp384r1) server-digest SHA384 client-signature ECDSA (secp384r1) client-digest SHA384) (Client CN "michael.haj.ipfire.org", Issuer "R3" (verified OK)) by mail01.ipfire.org (Postfix) with ESMTPS id 4R0hW04YmDzQF; Tue, 11 Jul 2023 13:27:24 +0000 (UTC) Received: by michael.haj.ipfire.org (Postfix, from userid 0) id 4R0hW02mm7zTgg9; Tue, 11 Jul 2023 13:27:24 +0000 (UTC) From: Michael Tremer To: development@lists.ipfire.org Subject: [PATCH 1/2] make.sh: x86_64: Enable CET full Date: Tue, 11 Jul 2023 13:27:18 +0000 Message-Id: <20230711132719.785979-1-michael.tremer@ipfire.org> X-Mailer: git-send-email 2.39.2 MIME-Version: 1.0 X-BeenThere: development@lists.ipfire.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: IPFire development talk List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: Michael Tremer Errors-To: development-bounces@lists.ipfire.org Sender: "Development" -fcf-protection enables Indirect Branch Tracking, which we have recently enabled in the kernel. We should enable this in userspace, too. I could not find out what GCC defaults to without any value, so this patch is explicitely enabling IBT for function returns, indirect function calls and indirect jumps. Signed-off-by: Michael Tremer --- make.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/make.sh b/make.sh index 57b6c6f15..f07604073 100755 --- a/make.sh +++ b/make.sh @@ -145,7 +145,7 @@ configure_build() { BUILDTARGET="${build_arch}-pc-linux-gnu" CROSSTARGET="${build_arch}-cross-linux-gnu" BUILD_PLATFORM="x86" - CFLAGS_ARCH="-m64 -mtune=generic -fcf-protection" + CFLAGS_ARCH="-m64 -mtune=generic -fcf-protection=full" ;; aarch64) From patchwork Tue Jul 11 13:27:19 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Michael Tremer X-Patchwork-Id: 6986 Return-Path: Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384) server-digest SHA384 client-signature ECDSA (P-384) client-digest SHA384) (Client CN "mail01.haj.ipfire.org", Issuer "R3" (verified OK)) by web04.haj.ipfire.org (Postfix) with ESMTPS id 4R0hW42gTNz3wfS for ; Tue, 11 Jul 2023 13:27:28 +0000 (UTC) Received: from mail02.haj.ipfire.org (mail02.haj.ipfire.org [172.28.1.201]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (secp384r1) server-digest SHA384 client-signature ECDSA (secp384r1) client-digest SHA384) (Client CN "mail02.haj.ipfire.org", Issuer "R3" (verified OK)) by mail01.ipfire.org (Postfix) with ESMTPS id 4R0hW24mTQzQF; Tue, 11 Jul 2023 13:27:26 +0000 (UTC) Received: from mail02.haj.ipfire.org (localhost [127.0.0.1]) by mail02.haj.ipfire.org (Postfix) with ESMTP id 4R0hW23K3Hz2yWN; Tue, 11 Jul 2023 13:27:26 +0000 (UTC) Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384) server-digest SHA384 client-signature ECDSA (P-384) client-digest SHA384) (Client CN "mail01.haj.ipfire.org", Issuer "R3" (verified OK)) by mail02.haj.ipfire.org (Postfix) with ESMTPS id 4R0hW12M1Nz2xR7 for ; Tue, 11 Jul 2023 13:27:25 +0000 (UTC) Received: from michael.haj.ipfire.org (michael.haj.ipfire.org [172.28.1.242]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (secp384r1) server-digest SHA384 client-signature ECDSA (secp384r1) client-digest SHA384) (Client CN "michael.haj.ipfire.org", Issuer "R3" (verified OK)) by mail01.ipfire.org (Postfix) with ESMTPS id 4R0hW04tQtzgG; Tue, 11 Jul 2023 13:27:24 +0000 (UTC) Received: by michael.haj.ipfire.org (Postfix, from userid 0) id 4R0hW02v4SzTgHr; Tue, 11 Jul 2023 13:27:24 +0000 (UTC) From: Michael Tremer To: development@lists.ipfire.org Subject: [PATCH 2/2] make.sh: aarch64: Enable all branch protection methods Date: Tue, 11 Jul 2023 13:27:19 +0000 Message-Id: <20230711132719.785979-2-michael.tremer@ipfire.org> X-Mailer: git-send-email 2.39.2 In-Reply-To: <20230711132719.785979-1-michael.tremer@ipfire.org> References: <20230711132719.785979-1-michael.tremer@ipfire.org> MIME-Version: 1.0 X-BeenThere: development@lists.ipfire.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: IPFire development talk List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: Michael Tremer Errors-To: development-bounces@lists.ipfire.org Sender: "Development" At this time, this will enable return address signing, and branch target identification. Signed-off-by: Michael Tremer --- make.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/make.sh b/make.sh index f07604073..7c279b197 100755 --- a/make.sh +++ b/make.sh @@ -152,7 +152,7 @@ configure_build() { BUILDTARGET="${build_arch}-pc-linux-gnu" CROSSTARGET="${build_arch}-cross-linux-gnu" BUILD_PLATFORM="arm" - CFLAGS_ARCH="" + CFLAGS_ARCH="-mbranch-protection=standard" ;; riscv64)