author fanquake <fanquake@gmail.com> 2024-07-10 10:20:27 +0100
committer fanquake <fanquake@gmail.com> 2024-09-13 10:28:31 +0100
commit 89bf11b807252fe5839b5b18742e24568dfe7bbd (patch)
tree dcf9d26fa23fbf5ea54632c74940d661d07c6e5f
parent cf0120ff024aa73a56f2975c832fda6aa8146dfa (diff)
guix: build Linux GCC with --enable-cet
Similar to #29695, and in the same vein of explicitly configuring hardening options in our release toolchain.

See https://gcc.gnu.org/install/configure.html:
> Enable building target run-time libraries with control-flow instrumentation,
> see `-fcf-protection option`. When --enable-cet is specified target
> libraries are configured to add `-fcf-protection` and, if needed,
> other target specific options to a set of building options.
> `--enable-cet=auto` is default. CET is enabled on Linux/x86 if target
> binutils supports Intel CET instructions and disabled otherwise.
> In this case, the target libraries are configured to get additional
> `-fcf-protection` option.
-rw-r--r-- contrib/guix/manifest.scm 1
1 files changed, 1 insertions, 0 deletions
diff --git a/contrib/guix/manifest.scm b/contrib/guix/manifest.scm
index 5f62765a65..3da98cf651 100644
--- a/contrib/guix/manifest.scm
+++ b/contrib/guix/manifest.scm
@@ -434,6 +434,7 @@ inspecting signatures in Mach-O binaries.")
"--enable-default-ssp=yes",
"--enable-default-pie=yes",
"--enable-standard-branch-protection=yes",
+ "--enable-cet=yes",
building-on)))
((#:phases phases)
`(modify-phases ,phases
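Review bot: The added `"--enable-cet=yes",` line has no comment in manifest.scm saying which targets it affects, and it sits directly after `--enable-standard-branch-protection=yes` in a list that, as far as these lines show, is passed together with `building-on` regardless of target. The GCC text quoted in the commit message describes CET as a Linux/x86 feature that depends on binutils support, so a short Scheme comment above the flag stating that it only instruments the target run-time libraries on x86 Linux would help the next reader. The message also quotes only the `auto` default; it would be worth stating what `=yes` is expected to do differently when the target binutils lacks CET support, so that the choice of an explicit value over the default is documented.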