#97 rpmrc: Add PAC/BTI for aarch64 BZ 1847148
Merged 9 months ago by ignatenkobrain. Opened 9 months ago by jlinton.
rpms/ jlinton/redhat-rpm-config master  into  master

file modified
+1 -1
@@ -74,7 +74,7 @@ 

  optflags: s390 %{__global_compiler_flags} -m31 -march=zEC12 -mtune=z13 -fasynchronous-unwind-tables

  optflags: s390x %{__global_compiler_flags} -m64 -march=zEC12 -mtune=z13 -fasynchronous-unwind-tables %[ "%{toolchain}" == "gcc" ? "-fstack-clash-protection" : "" ]

  

- optflags: aarch64 %{__global_compiler_flags} -fasynchronous-unwind-tables %[ "%{toolchain}" == "gcc" ? "-fstack-clash-protection" : "" ]

+ optflags: aarch64 %{__global_compiler_flags} -mbranch-protection=standard -fasynchronous-unwind-tables %[ "%{toolchain}" == "gcc" ? "-fstack-clash-protection" : "" ]

  

  optflags: riscv64 %{__global_compiler_flags} -fasynchronous-unwind-tables %[ "%{toolchain}" == "gcc" ? "-fstack-clash-protection" : "" ]

  

Enable PAC/BTI ROP hardening on aarch64.

This is for BZ 1847148, which is an approved systemwide change for F33.

Signed-off-by: Jeremy Linton jeremy.linton@arm.com

This should be dependent on https://gcc.gnu.org/bugzilla/show_bug.cgi?id=94891
which has been backported to gcc 9 as well as being in 10.2. So depending on what the plans are for the mass rebuild I can post a PR for gcc if needed.

Pull-Request has been merged by ignatenkobrain

9 months ago
Metadata
Changes Summary 1