[Bug 2080267] [NEW] Please add -fhardened to default build flags

Mark Esler 2080267 at bugs.launchpad.net
Tue Sep 10 17:43:56 UTC 2024


Public bug reported:

> Currently, -fhardened enables:
>
>   -D_FORTIFY_SOURCE=3 (or =2 for older glibcs)
>   -D_GLIBCXX_ASSERTIONS
>   -ftrivial-auto-var-init=pattern
>   -fPIE  -pie  -Wl,-z,relro,-z,now
>   -fstack-protector-strong
>   -fstack-clash-protection
>   -fcf-protection=full (x86 GNU/Linux only)
>
> -fhardened will not override options that were specified on the command line
> (before or after -fhardened).  For example,
>
>      -D_FORTIFY_SOURCE=1 -fhardened
>
> means that _FORTIFY_SOURCE=1 will be used.  Similarly,
>
>       -fhardened -fstack-protector
>
> will not enable -fstack-protector-strong.

From [0]. Please also see [1].

For Ubuntu, this would effectively add -D_GLIBCXX_ASSERTIONS [2],
-ftrivial-auto-var-init=pattern [3], and fix our implementation of Full RELRO
[4].

From an ecosystem and distro perspective, -fhardened is a very nice way to
implement gcc compiler flags. Since the GCC project maintains these flags,
distros will inherit new flags as they are added. This circumvents the
security-versus-performance debate each distro has internally each time it adds
a new flag.
When a distro adopts a new hardening flag, there will likely be packages which
fail to build from source (often bugs in the package). The first distro to
rebuild their archive with a new flag pays the highest cost, since most of the
bugs have not been discovered or discussed yet. Being first to market has a
high cost and slows down hardening adoption. Major distros can share this
burden by using -fhardened, so that they inherit flags and begin finding bugs
at roughly the same time.

Ubuntu can lead compiler hardening by becoming the first distro to adopt
-fhardened [5].

[0] https://gcc.gnu.org/pipermail/gcc-patches/2023-September/630550.html
[1] https://gcc.gnu.org/onlinedocs/gcc/Instrumentation-Options.html#index-fhardened
[2] https://bugs.launchpad.net/ubuntu/+source/gcc-14/+bug/2016042
[3] https://bugs.launchpad.net/ubuntu/+source/gcc-14/+bug/1972043
[4] https://bugs.launchpad.net/ubuntu/+source/gcc-14/+bug/2078989
[5] https://github.com/jvoisin/compiler-flags-distro/

** Affects: gcc-14 (Ubuntu)
     Importance: Undecided
         Status: New
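The no-override rule in the quoted GCC text (an explicit -D_FORTIFY_SOURCE=1 wins over the =3 that -fhardened would add) and the "=3 or =2" variation can both be checked against a local toolchain. This is an added example for this report, not GCC's or Ubuntu's code; it assumes a gcc/g++ that accepts -fhardened (GCC 14 or newer) is on PATH and reports None otherwise.

```python
"""Probe what a gcc's -fhardened actually enables, and check the no-override
rule: an explicit -D_FORTIFY_SOURCE=1 must survive -fhardened's default of =3.
Added example; assumes a gcc/g++ accepting -fhardened (GCC 14+) is on PATH."""
import re
import shutil
import subprocess

HARDENING_MACROS = ("_FORTIFY_SOURCE", "_GLIBCXX_ASSERTIONS")


def parse_defines(preprocessor_output):
    """Collect the hardening macros from `gcc -dM -E` output as {name: value}."""
    found = {}
    for line in preprocessor_output.splitlines():
        m = re.match(r"#define\s+(\w+)(?:\s+(.*))?$", line)
        if m and m.group(1) in HARDENING_MACROS:
            found[m.group(1)] = (m.group(2) or "").strip()
    return found


def fortify_level(macros):
    """_FORTIFY_SOURCE as an int; 0 when the macro is absent or has no value."""
    value = macros.get("_FORTIFY_SOURCE", "")
    return int(value) if value.isdigit() else 0


def hardening_macros(extra_flags=(), lang="c++"):
    """Preprocess an empty translation unit with -fhardened plus extra_flags and
    return the hardening macros the driver injected, or None when the compiler
    is missing or rejects -fhardened (GCC < 14)."""
    compiler = shutil.which("g++" if lang == "c++" else "gcc")
    if compiler is None:
        return None
    # -O2 matters: the driver only adds _FORTIFY_SOURCE when optimizing and
    # otherwise just warns (-Whardened) that it could not enable it.
    cmd = [compiler, "-O2", *extra_flags, "-fhardened",
           "-dM", "-E", "-x", lang, "/dev/null"]
    proc = subprocess.run(cmd, capture_output=True, text=True)
    if proc.returncode != 0:
        return None
    return parse_defines(proc.stdout)


if __name__ == "__main__":
    default = hardening_macros()
    explicit = hardening_macros(["-D_FORTIFY_SOURCE=1"])
    if default is None:
        print("this gcc does not accept -fhardened")
    else:
        print("-fhardened alone:", default)           # _FORTIFY_SOURCE 3 (or 2)
        print("with -D_FORTIFY_SOURCE=1:", explicit)  # the explicit 1 is kept
```

Running it with `lang="c"` shows that _GLIBCXX_ASSERTIONS is a C++-only addition, which is what "For Ubuntu, this would effectively add -D_GLIBCXX_ASSERTIONS" implies for C++ packages.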

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to gcc-14 in Ubuntu.
https://bugs.launchpad.net/bugs/2080267

Title:
  Please add -fhardened to default build flags

Status in gcc-14 package in Ubuntu:
  New


To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/gcc-14/+bug/2080267/+subscriptions




More information about the foundations-bugs mailing list