Best way to enable -mbranch-protection for package
- First Post
- Replies
- Stats
-
Go to
- ----- 2024 -----
- May
- April
- March
- February
- January
- ----- 2023 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2022 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2021 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2020 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2019 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2018 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2017 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2016 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2015 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2014 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2013 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2012 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2011 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2010 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2009 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2008 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2007 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2006 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2005 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2004 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2003 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2002 -----
- December
- November
- October
- September
Hi,
Upgrading NetworkManager-sstp to the latest version, I've noticed that
there is a failed test related to missing branch protection on AArch64
[1]. After reading that and [2], I know what it is all about, however, I
wonder what is the best way to apply it to my package?
Should I check if the build is for AArch64 and for Fedora 33+ (35+?) and
just add "-mbranch-protection=standard"? Or there is some magic macro to
add that (and maybe some other useful security options), similar to
%{?_smp_mflags} (or maybe even included in %make_build on ARM64)?
[1] -
https://sourceware.org/annobin/annobin.html/Test-branch-protection.html
[2] - https://fedoraproject.org/wiki/Changes/Aarch64_PointerAuthentication
Marcin
V Thu, Apr 21, 2022 at 11:12:41PM +0200, Marcin Zajączkowski napsal(a):
Upgrading NetworkManager-sstp to the latest version, I've noticed
that
there is a failed test related to missing branch protection on AArch64
[1].
Check annocheck version installed when building your package (root.log). There
was a bug manifesting as -mbranch-protection=standard failure on AArch64 and
fixed in 10.66:
* Wed Apr 13 2022 Nick Clifton <nickc(a)redhat.com> - 10.66-1
- Annocheck: Do not complain about missing -mbranch-protection option in AArch64 binaries
if compiled in LTO mode.
After reading that and [2], I know what it is all about, however, I
wonder what is the best way to apply it to my package?
Should I check if the build is for AArch64 and for Fedora 33+ (35+?) and
just add "-mbranch-protection=standard"? Or there is some magic macro to
add that (and maybe some other useful security options), similar to
%{?_smp_mflags} (or maybe even included in %make_build on ARM64)?
The option is already presented in system-wide CFLAGS. Check any build.log.
If you package respects the flags (check your build.log), you don't need to do
anything. Otherwise, you should correct your package use all the options from
CFLAGS enviroment variable or %{build_cflags} RPM macro.
-- Petr
On 2022-04-22 11:01, Petr Pisar wrote:
V Thu, Apr 21, 2022 at 11:12:41PM +0200, Marcin Zajączkowski
napsal(a):
> Upgrading NetworkManager-sstp to the latest version, I've noticed that
> there is a failed test related to missing branch protection on AArch64
> [1].
Check annocheck version installed when building your package (root.log). There
was a bug manifesting as -mbranch-protection=standard failure on AArch64 and
fixed in 10.66:
* Wed Apr 13 2022 Nick Clifton <nickc(a)redhat.com> - 10.66-1
- Annocheck: Do not complain about missing -mbranch-protection option in AArch64 binaries
if compiled in LTO mode.
Thanks Petr! It might be that. When I increase the build verbosity I
clearly see that "-mbranch-protection=standard" is used [3] (it was
missing on my x86_64 for obvious reasons :) ).
The test itself was executed with:
annocheck: Version 10.65.
Everything explained. Thanks.
[3] -
https://osci-jenkins-1.ci.fedoraproject.org/job/fedora-ci/job/rpminspect-...
Marcin
> After reading that and [2], I know what it is all about, however, I
> wonder what is the best way to apply it to my package?
>
> Should I check if the build is for AArch64 and for Fedora 33+ (35+?) and
> just add "-mbranch-protection=standard"? Or there is some magic macro to
> add that (and maybe some other useful security options), similar to
> %{?_smp_mflags} (or maybe even included in %make_build on ARM64)?
>
The option is already presented in system-wide CFLAGS. Check any build.log.
If you package respects the flags (check your build.log), you don't need to do
anything. Otherwise, you should correct your package use all the options from
CFLAGS enviroment variable or %{build_cflags} RPM macro.
-- Petr
745
days inactive
746
days old
2 comments
2 participants
tags (0)
participants (2)
-
Marcin Zajączkowski -
Petr Pisar