build: enable full read-only relocations and control flow integrity f…

…or hardening check Signed-off-by: Tomasz Kantecki <[email protected]>
intel · Dec 18, 2023 · c183961 · c183961
1 parent 809f536
commit c183961
Show file tree

Hide file tree

Showing 2 changed files with 18 additions and 2 deletions.
diff --git a/configure.ac b/configure.ac
@@ -285,9 +285,18 @@ my_CFLAGS="\
 -Wshadow \
 -Wstrict-prototypes \
 -Wtype-limits \
+-fstack-protector \
+-D_FORTIFY_SOURCE=2 \
 "
 AC_SUBST([my_CFLAGS])
 
+AM_LDFLAGS="\
+-Wl,-z,noexecstack \
+-Wl,-z,relro \
+-Wl,-z,now \
+"
+AC_SUBST([AM_LDFLAGS])
+
 AC_CONFIG_FILES([\
 	Makefile\
 	libisal.pc

diff --git a/make.inc b/make.inc
@@ -57,7 +57,7 @@ DEBUG_yasm = -g dwarf2
 DEBUG_nasm = -g
 
 # Default arch= build options
-CFLAGS_    = -Wall
+CFLAGS_    = -Wall -Wchar-subscripts -Wformat-security -Wnested-externs -Wpointer-arith -Wshadow -Wstrict-prototypes -Wtype-limits -fstack-protector -D_FORTIFY_SOURCE=2
 ASFLAGS_   = -f elf64
 ARFLAGS_   = cr $@
 STRIP_gcc  = strip -d -R .comment $@
@@ -76,7 +76,14 @@ ARFLAGS_win64 = -out:$@
 ASFLAGS_mingw = -f win64
 ARFLAGS_mingw = cr $@
 
-LDFLAGS_so = -Wl,-soname,$(soname)
+LDFLAGS_so = -Wl,-z,noexecstack -Wl,-z,relro -Wl,-z,now -Wl,-soname,$(soname)
+
+ifeq ($(shell uname),Linux)
+ifeq ($(host_cpu),x86_64)
+  CFLAGS_ = -fcf-protection=full
+  LDFLAGS += -Wl,-z,ibt -Wl,-z,shstk -Wl,-z,cet-report=error
+endif
+endif
 
 ifeq ($(arch),mingw)
   CC=x86_64-w64-mingw32-gcc