From: "Sam James"
To: gentoo-commits@lists.gentoo.org
Content-Transfer-Encoding: 8bit
Content-type: text/plain; charset=UTF-8
Reply-To: gentoo-dev@lists.gentoo.org, "Sam James"
Message-ID: <1710184817.84d8df0d57240632244bcc7487faa18220492af0.sam@gentoo>
Subject: [gentoo-commits] repo/gentoo:master commit in: sys-devel/gcc/
X-VCS-Repository: repo/gentoo
X-VCS-Files: sys-devel/gcc/metadata.xml
X-VCS-Directories: sys-devel/gcc/
X-VCS-Committer: sam
X-VCS-Committer-Name: Sam James
X-VCS-Revision: 84d8df0d57240632244bcc7487faa18220492af0
X-VCS-Branch: master
Date: Mon, 11 Mar 2024 19:20:24 +0000 (UTC)
Precedence: bulk
List-Id: Gentoo Linux mail
X-BeenThere: gentoo-commits@lists.gentoo.org
X-Auto-Response-Suppress: DR, RN, NRN, OOF, AutoReply
X-Archives-Salt: df9c55db-ce30-4be8-94df-c3a426530428
X-Archives-Hash: 8069a6058243c980bd4e76d5333b0515

commit: 84d8df0d57240632244bcc7487faa18220492af0
Author: Sam James gentoo org>
AuthorDate: Mon Mar 11 19:11:19 2024 +0000
Commit: Sam James gentoo org>
CommitDate: Mon Mar 11 19:20:17 2024 +0000
URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=84d8df0d

sys-devel/gcc: update USE=cet description for arm64 BTI/PAC (branch-protection)

Also, update the description for CET not being supported on x86 (see
21a25eb278b04b204b043bc23750eec632e3bef0). It was originally planned upstream
but has been dropped.

Bug: https://bugs.gentoo.org/916381
Signed-off-by: Sam James gentoo.org>

sys-devel/gcc/metadata.xml | 17 ++++++++++++++---
1 file changed, 14 insertions(+), 3 deletions(-)

diff --git a/sys-devel/gcc/metadata.xml b/sys-devel/gcc/metadata.xml index 93ff067baadb..853d96579504 100644 --- a/sys-devel/gcc/metadata.xml +++ b/sys-devel/gcc/metadata.xml 
@@ -8,20 +8,31 @@ Build the ADA language (GNAT) frontend - Enable support for Intel Control Flow Enforcement Technology (CET). + Enable support for control flow hijacking protection. - Only effective on amd64/x86. + On amd64, this provides Intel Control Flow Enforcement Technology (CET). + + On arm64, this provides Branch Target Identification (BTI) + and Pointer Authentication Code (PAC) support. + + This is only effective on amd64 or arm64. Only provides benefits on newer CPUs. For Intel, the CPU must be at least as new as Tiger Lake. For AMD, it must be at least as new as Zen 3. This is harmless on older CPUs, but provides no benefit either. - When combined with USE=hardened, GCC will set -fcf-protection + For ARM64, PAC was introduced in armv8.3-a, and BTI was + introduced in armv8.5-a. + + When combined with USE=hardened on amd64, GCC will set -fcf-protection by default when building software. The effect is minimal on systems which do not support it, other than a possible small increase in codesize for the NOPs. The generated code is therefore compatible with i686 at the earliest. + + On arm64, GCC will set -mbranch-protection=standard by default + when building software. Enable support for the D programming language
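Review bot: The added arm64 paragraph at the end of the description ("On arm64, GCC will set -mbranch-protection=standard by default when building software.") does not say whether this default depends on USE=hardened, while the amd64 sentence just above it was reworded to "When combined with USE=hardened on amd64". A reader cannot tell from the text whether USE=cet alone changes the compiler default on arm64; suggest stating the condition explicitly in that sentence. Two smaller points in the same hunk: the unchanged context line "The generated code is therefore compatible with i686 at the earliest." now sits under text that limits the flag to amd64 or arm64, and the commit message says CET on x86 was dropped, so that sentence looks stale and could be removed or reworded. The "harmless on older CPUs" statement is written only around the Intel/AMD requirements; the new "PAC was introduced in armv8.3-a, and BTI was introduced in armv8.5-a" lines should say whether the same holds for arm64 CPUs older than those revisions.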