-
Notifications
You must be signed in to change notification settings - Fork 1k
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
This commit enables hardened-specific checks and codegen, inspired by GCC 14's -fhardened command line switch and LLVM/libc++'s hardened modes. We enable (depending on compiler capabilities): * -ftrivial-auto-var-init=pattern; * -fstack-protector-strong; * -fstack-clash-protection; * -fcf-protection=full or /CETCOMPAT; * -D_FORTIFY_SOURCE=3 or 2 on Glibc, depending on the Glibc version, provided that some optimization level is enabled (release build or optimized debug build); * on libstdc++, -D_GLIBCXX_ASSERTIONS; * on libc++, -D_LIBCPP_HARDENING_MODE set to _LIBCPP_HARDENING_MODE_EXTENSIVE in debug and to _LIBCPP_HARDENING_MODE_FAST in release (_DEBUG is too slow); * -Wl,-z,relro,-z,now. This aligns us 100% with -fhardened (we already pass -fPIE and -pie anyhow). Some Linux distributions already ship GCC/Clang with some of these options enabled by default. The check for Intel CET has been amended to always test if the compiler supports the corresponding flag; and, if so, enable the feature. Before, it was behind a configure option and the test only checked if the compiler had CET support automatically active (the test didn't pass -fcf-protection to the compiler). The check for -fstack-protector-strong has been made general (rather than QNX-specific). We don't support QNX < 7 anyhow. Finally, the qt_config_linker_supports_flag_test test has been amended to also support MSVC. All of the hardening options are enabled by default. [ChangeLog][Build System] Qt builds by default in "hardened mode", meaning that a series of security-related compiler options are automatically enabled. In the unlikely case in which these options constitute an unacceptable performance hit, it is possible to disable individual hardening options when configuring Qt. Change-Id: I2c026b0438010ad10d5e7b1136fedf4ae3af8822 Reviewed-by: Qt CI Bot <[email protected]> Reviewed-by: Thiago Macieira <[email protected]>
- Loading branch information
Showing
5 changed files
with
203 additions
and
35 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters