From: "Sam James"
To: gentoo-commits@lists.gentoo.org
Content-Transfer-Encoding: 8bit
Content-type: text/plain; charset=UTF-8
Reply-To: gentoo-dev@lists.gentoo.org, "Sam James"
Message-ID: <1674454943.6bb5978549aaac5802f704d4aa1a53ad4fcdbcd7.sam@gentoo>
Subject: [gentoo-commits] repo/gentoo:master commit in: sys-devel/gcc/
X-VCS-Repository: repo/gentoo
X-VCS-Files: sys-devel/gcc/metadata.xml
X-VCS-Directories: sys-devel/gcc/
X-VCS-Committer: sam
X-VCS-Committer-Name: Sam James
X-VCS-Revision: 6bb5978549aaac5802f704d4aa1a53ad4fcdbcd7
X-VCS-Branch: master
Date: Mon, 23 Jan 2023 06:22:56 +0000 (UTC)
Precedence: bulk
List-Post:
List-Help:
List-Unsubscribe:
List-Subscribe:
List-Id: Gentoo Linux mail
X-BeenThere: gentoo-commits@lists.gentoo.org
X-Auto-Response-Suppress: DR, RN, NRN, OOF, AutoReply
X-Archives-Salt: fc8634be-da71-4968-9187-7926c92c232c
X-Archives-Hash: dd5be0415c50fd5b8130ef15249dcaba

commit:     6bb5978549aaac5802f704d4aa1a53ad4fcdbcd7
Author:     Sam James gentoo org>
AuthorDate: Mon Jan 23 06:21:41 2023 +0000
Commit:     Sam James gentoo org>
CommitDate: Mon Jan 23 06:22:23 2023 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=6bb59785

sys-devel/gcc: provide detailed explanations of USE flags

Prompted by a question on the forums, but been meaning to do this
for a while: https://forums.gentoo.org/viewtopic-t-1160941.html.

Folks may also be interested in https://wiki.gentoo.org/wiki/Hardened/Toolchain#Changes.

Signed-off-by: Sam James gentoo.org>

 sys-devel/gcc/metadata.xml | 81 +++++++++++++++++++++++++++++++++++++++++-----
 1 file changed, 73 insertions(+), 8 deletions(-)

diff --git a/sys-devel/gcc/metadata.xml b/sys-devel/gcc/metadata.xml
index 4d9f63a02b27..ccedf9b38e3f 100644
--- a/sys-devel/gcc/metadata.xml
+++ b/sys-devel/gcc/metadata.xml
@@ -7,29 +7,94 @@ Build the ADA language (GNAT) frontend - Enable support for Intel Control Flow Enforcement Technology (CET) + + Enable support for Intel Control Flow Enforcement Technology (CET). + + Only provides benefits on newer CPUs. For Intel, the CPU + must be at least as new as Tiger Lake. For AMD, it must be + at least as new as Zen 3. This is harmless on older CPUs, + but provides no benefit either. + + When combined with USE=hardened, GCC will set -fcf-protection + by default when building software. The effect is minimal + on systems which do not support it, other than a possible + small increase in codesize for the NOPs. + Enable support for the D programming language - Build packages with stack clash protection on by default - Request full relocation on start from ld.so by default + + Build packages with stack clash protection on by default as + a hardening measure. + + This enables -fstack-clash-protection by default which protects against + large memory allocations allowing stack smashing. + + May cause slightly increased codesize, but modern compilers + have been adapted to optimize well for this case, as + this mitigation is now quite common. + + See https://developers.redhat.com/blog/2020/05/22/stack-clash-mitigation-in-gcc-part-3 + and https://www.qualys.com/2017/06/19/stack-clash/stack-clash.txt. + + + Request full relocation on start from ld.so by default. + + This sets the -z,now (BIND_NOW) flag by default on all linker invocations. By + resolving all dynamic symbols at application startup, parts of the program + can be made read-only as a hardening measure. + + This is closely related to RELRO which is also separately + enabled by default. + + In some applications with many unresolved symbols (heavily plugin based, + for example), startup time may be impacted. + Enable fixed-point arithmetic support for MIPS targets in gcc (Warning: significantly increases compile time!) Build the GCC Go language frontend. 
Add support for the framework for loop optimizations based on a polyhedral intermediate representation Use accelerated 128-bit IEEE long double ABI (ppc64le only) Enable libgccjit so other applications can embed gcc for Just-In-Time compilation. Build SSP support into a dedicated library rather than use the code in the C library (DO NOT ENABLE THIS IF YOU DON'T KNOW WHAT IT DOES) - Build using Link Time Optimizations (LTO) + + Build using Link Time Optimizations (LTO). + + Note that GCC is always built with support for building + other programs with LTO. This USE flag is for whether + GCC itself is built and optimized with LTO. + Enable support for Intel Memory Protection Extensions (MPX) Enable support for Native POSIX Threads Library, the new threading module (requires linux-2.6 or better usually) Build support for the Objective C code language Build support for the Objective C++ language Build support for the Objective C code language Garbage Collector - Build GCC using Profile Guided Optimization (PGO) + + Build GCC using Profile Guided Optimization (PGO). + + GCC will build itself and then analyze the just-built + binary and then rebuild itself using the data obtained + from analysis of codepaths taken. + + It does not affect whether GCC itself supports PGO + when building other software. + + This substantially increases the build time needed for + building GCC itself. + Build support for the Rust language, installs gccrs. - Build support for various sanitizer functions (ASAN/TSAN/etc...) - Build packages with stack smashing protector on by default + + Build support for various sanitizer functions (ASAN/TSAN/etc...) + to find runtime problems in applications. + + Build packages with stack smashing protection on by default enable systemtap static probe points Enable valgrind annotations for gcc internals (useful for gcc debugging). 
- Build support for virtual table verification (a C++ hardening feature) + + Build support for virtual table verification (a C++ hardening feature). + + This does not control whether GCC defaults to using VTV> + + Note that actually using VTV breaks ABI and hence the whole + system must be built with -fvtable-verify. + cpe:/a:gnu:gcc
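Review bot: The new paragraph beginning `Build support for virtual table verification` ends with a stray `>` where a full stop belongs (`This does not control whether GCC defaults to using VTV>`); it should read `...defaults to using VTV.` so the sentence does not look like a broken tag in the rendered metadata. In the paragraph beginning `Request full relocation on start from ld.so`, `-z,now` mixes two spellings: the linker takes `-z now` and the GCC driver passes it as `-Wl,-z,now`; quoting one of those exactly lets users match the flag against their build logs. In the stack-clash paragraph, `large memory allocations allowing stack smashing` describes the wrong threat; `-fstack-clash-protection` probes large stack allocations page by page so they cannot jump over the guard page (the clash in the linked Qualys advisory), which is distinct from the buffer-overflow protection described under the `stack smashing protection` flag later in the same hunk.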