From 89bf11b807252fe5839b5b18742e24568dfe7bbd Mon Sep 17 00:00:00 2001 From: fanquake Date: Wed, 10 Jul 2024 10:20:27 +0100 Subject: [PATCH] guix: build Linux GCC with --enable-cet Similar to #29695, and in the same vein of explicitly configuring hardening options in our release toolchain. See https://gcc.gnu.org/install/configure.html: > Enable building target run-time libraries with control-flow instrumentation, > see `-fcf-protection option`. When --enable-cet is specified target > libraries are configured to add `-fcf-protection` and, if needed, > other target specific options to a set of building options. > `--enable-cet=auto` is default. CET is enabled on Linux/x86 if target > binutils supports Intel CET instructions and disabled otherwise. > In this case, the target libraries are configured to get additional > `-fcf-protection` option. --- contrib/guix/manifest.scm | 1 + 1 file changed, 1 insertion(+) diff --git a/contrib/guix/manifest.scm b/contrib/guix/manifest.scm index 5f62765a65b..3da98cf6510 100644 --- a/contrib/guix/manifest.scm +++ b/contrib/guix/manifest.scm @@ -434,6 +434,7 @@ inspecting signatures in Mach-O binaries.") "--enable-default-ssp=yes", "--enable-default-pie=yes", "--enable-standard-branch-protection=yes", + "--enable-cet=yes", building-on))) ((#:phases phases) `(modify-phases ,phases
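Review bot: the hunk switches from the documented `--enable-cet=auto` default to `--enable-cet=yes`, which turns a missing-CET-support condition in the target binutils from a silent disable into a hard configure failure; that is consistent with the stated goal of configuring hardening explicitly, but the commit message should say so, and it is worth confirming that the same flag list is only used for the Linux/x86 GCC builds, since the quoted documentation only describes CET behaviour for Linux/x86 and the list also carries the AArch64-specific `--enable-standard-branch-protection=yes`. Note also that, per the quoted text, this option instruments only the toolchain's target run-time libraries; the release binaries themselves still need `-fcf-protection` in their own compile flags for the linker to mark the final executables with the CET (IBT/SHSTK) property, because a single object without it drops the property for the whole link.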