diff --git a/macros b/macros
index e2bdcf3..d7bf415 100644
--- a/macros
+++ b/macros
@@ -184,12 +184,12 @@ unset DISPLAY\
 %__find_provides /usr/lib/rpm/redhat/find-provides
 %__find_requires /usr/lib/rpm/redhat/find-requires
-#_hardened_build 0
-%_hardened_cflags %{?_hardened_build:-fPIE}
-%_hardened_ldflags %{?_hardened_build:-Wl,-z,now -pie}
+# define _hardened_build to non-zero to enable
+%_hardened_cflags %{?_hardened_build:-specs=/usr/lib/rpm/redhat/redhat-hardened-cc1}
+%_hardened_ldflags %{?_hardened_build:-specs=/usr/lib/rpm/redhat/redhat-hardened-ld}
-%__global_cflags -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 %{?_hardened_cflags}
-%__global_ldflags -Wl,-z,relro %{?_hardened_ldflags}
+%__global_cflags -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 %{_hardened_cflags}
+%__global_ldflags -Wl,-z,relro %{_hardened_ldflags}
 # Use these macros to differentiate between RH and other KMP implementation(s).
 redhat_kernel_module_package 1
diff --git a/redhat-hardened-cc1 b/redhat-hardened-cc1
new file mode 100644
index 0000000..04b8f3c
--- /dev/null
+++ b/redhat-hardened-cc1
@@ -0,0 +1,4 @@
+%rename cc1_options rh_cc1_options_old
+
+*cc1_options:
+%{!fpie:%{!fPIE:%{!fpic:%{!fPIC:%{!fno-pic:-fPIC}}}}} %(rh_cc1_options_old)
diff --git a/redhat-hardened-ld b/redhat-hardened-ld
new file mode 100644
index 0000000..b26049c
--- /dev/null
+++ b/redhat-hardened-ld
@@ -0,0 +1,9 @@
+%rename self_spec rh_self_spec_old
+
+*self_spec:
+%{!shared:-pie} %(rh_self_spec_old)
+
+%rename link rh_link_old
+
+*link:
+-z now %(rh_link_old)
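Review bot: The new comment `# define _hardened_build to non-zero to enable` does not match the two expansions below it. `%{?_hardened_build:...}` tests only whether the macro is defined, so a spec that sets `%global _hardened_build 0` still gets both `-specs=` files. That fails towards hardening, but a packager who sets 0 to opt out would get PIE flags anyway and probably an unexplained build failure. Either reword the comment to `# define _hardened_build (to any value) to enable; leave it undefined to disable`, or make `%_hardened_cflags` and `%_hardened_ldflags` test the value rather than definedness.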
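Review bot: The innermost `%{!fno-pic:-fPIC}` arm of `*cc1_options` is an undocumented opt-out, and the linker side does not mirror it. A package that passes `-fno-pic` gets non-PIC objects, while redhat-hardened-ld still adds `-pie` to its non-shared links. Such a link would presumably either fail or, on targets that permit it, succeed with text relocations, so the hardened build is weaker than its name suggests. Spec files accept `#` comment lines, so a header such as `# Default to -fPIC unless the build already picked a PIC/PIE mode; -fno-pic opts out and needs a matching non-PIE link` would record the contract for packagers and reviewers.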
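Review bot: The `*self_spec` guard `%{!shared:-pie}` excludes only shared-library links, so a hardened package that links with `-static` or does a relocatable `-r` link also gets `-pie` injected. Those modes are not meant to be combined with `-pie` and would likely fail at link time or produce an unintended output, which pushes packagers to drop `_hardened_build` for the whole package. Widening the guard to `%{!static:%{!shared:%{!r:-pie}}} %(rh_self_spec_old)` keeps PIE for ordinary executables. The outcome can be checked on built binaries with `readelf -h` (Type: DYN) and `readelf -d` (BIND_NOW).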