When compiling compilers, make their defaults secure #261

Merged
merged 4 commits into from Nov 4, 2023

david-a-wheeler
Contributor

No description provided.

Signed-off-by: David A. Wheeler <dwheeler@dwheeler.com>
@david-a-wheeler
Contributor Author

@eslerm @thomasnyman - comments?

@kees

kees commented Oct 18, 2023

Perhaps refer to Ubuntu's compiler flag wiki page, as this is what Ubuntu already does. (I'm not aware of any other distro that enables hardening options in their compiler, unfortunately.)
https://wiki.ubuntu.com/ToolChain/CompilerFlags

@eslerm

eslerm commented Oct 18, 2023

The Ubuntu compiler flag wiki page is out of date when it comes to PIE (flags are not set, but compiler is built with --enable-default-pie). I'll be addressing this.

@setharnold

> The Ubuntu compiler flag wiki page is out of date when it comes to PIE (flags are not set, but compiler is built with --enable-default-pie). I'll be addressing this.

Depending upon the context of the discussion, either one might be appropriate. A developer looking for the 'best' options to use in their build might want the -fPIE or -fPIC options but someone packaging GCC might want the --enable-default-pie compiler option.

@siddhesh
Contributor

> Perhaps refer to Ubuntu's compiler flag wiki page, as this is what Ubuntu already does. (I'm not aware of any other distro that enables hardening options in their compiler, unfortunately.) https://wiki.ubuntu.com/ToolChain/CompilerFlags

I believe Gentoo also defaults to enabling many hardening features in their toolchain.

@eslerm

eslerm commented Oct 18, 2023

clang sets --enable-default-pie as a default on Linux now:

> CMake -DCLANG_DEFAULT_PIE_ON_LINUX=ON is now the default. This is used by
> linux-gnu systems to decide whether -fPIE -pie is the default (instead of
> -fno-pic -no-pie). This matches GCC installations on many Linux distros.
> Note: linux-android and linux-musl always default to -fPIE -pie, ignoring
> this variable. -DCLANG_DEFAULT_PIE_ON_LINUX will be removed in the future.

However, gcc itself does not.
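
The difference discussed in the comments above, between a compiler configured with `--enable-default-pie` and a build that passes `-fPIE` itself, can be read from the compiler's own output. This is an added example, not part of the pull request or the guide; the function names and sample texts are constructed, and it assumes the `Configured with:` line printed by `gcc -v` and the `__PIE__` predefined macro.

```shell
#!/bin/sh
# Added example, not part of the PR. Sample texts below are constructed.

# 0 if the "Configured with:" line of `gcc -v` output (stdin) has the option.
configured_default_pie() {
    grep '^Configured with:' | grep -Eq -e '--enable-default-pie( |$)'
}

# 0 if a predefined-macro dump (`cc -dM -E -x c /dev/null`, stdin) defines
# __PIE__, meaning the driver compiles position-independent with no flags.
macros_default_pie() {
    grep -Eq '^#define __PIE__ [12]$'
}

# $1 = `cc -v` text, $2 = macro dump text; prints one verdict line.
pie_verdict() {
    cfg=no; eff=no
    printf '%s\n' "$1" | configured_default_pie && cfg=yes
    printf '%s\n' "$2" | macros_default_pie && eff=yes
    echo "configured=$cfg effective=$eff"
}

GCC_V_PIE='Using built-in specs.
Configured with: ../src/configure --prefix=/usr --enable-default-pie --enable-languages=c,c++
gcc version 0.0.0 (constructed sample)'
GCC_V_NOPIE='Using built-in specs.
Configured with: ../configure --prefix=/usr/local --enable-languages=c,c++
gcc version 0.0.0 (constructed sample)'
MACROS_PIE='#define __PIC__ 2
#define __PIE__ 2
#define __pie__ 2'
MACROS_NOPIE='#define __STDC__ 1'

pie_verdict "$GCC_V_PIE" "$MACROS_PIE"
pie_verdict "$GCC_V_NOPIE" "$MACROS_NOPIE"

# Live check when a compiler is installed:
if command -v cc >/dev/null 2>&1; then
    pie_verdict "$(cc -v 2>&1)" "$(cc -dM -E -x c /dev/null 2>/dev/null)"
fi
```

A result of `configured=no effective=yes` is what a compiler that defaults to PIE without a GCC-style configure option reports, which is why the macro dump is the check to rely on for the effective default.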

Signed-off-by: David A. Wheeler <dwheeler@dwheeler.com>
Contributor

@gkunz gkunz left a comment

LGTM except for the small nit-pick.

@thomasnyman
Contributor

I can understand the rationale for including this, but I'm not so sure about whether the introductory section (which is already rather long) is the best place for this. I'm mindful of the feedback we have received regarding the amount of prose.

I'm also not a big fan of jumping straight into specific options in this section (apart from the TLDR).

Would this be a better fit as either a separate section or appendix with the options in a table for consistency?

@david-a-wheeler
Contributor Author

Let's move it later into its own section. Most people don't compile their own compilers.

@thesamesam
Contributor

thesamesam commented Oct 28, 2023

> > Perhaps refer to Ubuntu's compiler flag wiki page, as this is what Ubuntu already does. (I'm not aware of any other distro that enables hardening options in their compiler, unfortunately.) wiki.ubuntu.com/ToolChain/CompilerFlags
>
> I believe Gentoo also defaults to enabling many hardening features in their toolchain.

You can see what we do at https://wiki.gentoo.org/wiki/Hardened/Toolchain#Changes. We don't set any of that via flags-per-package, instead via either patches or configure arguments to GCC or Binutils. For Clang, we use config files in /etc/clang as upstream are trying to move towards that rather than adding many CMake configuration options for stuff like this (we barely got them to add PIE).

I'm happy to help describe what we do and also document how others can do the same, as well as anything else you think I can help with.

@jvoisin and I have also been working on https://github.com/jvoisin/compiler-flags-distro.

Signed-off-by: David A. Wheeler <dwheeler@dwheeler.com>
Signed-off-by: David A. Wheeler <dwheeler@dwheeler.com>
@david-a-wheeler
Contributor Author

I think this tweaked version covers the gist: If you control compiling the compiler, make the defaults the secure ones.

That said, many people aren't recompiling their compilers, so we need to give them guidance for their cases. If they include lots of options in their builds, the code is likely to work with those options elsewhere too :-).

Contributor

@thesamesam thesamesam left a comment

We should talk about doing more here in future, but the guidance here is solid and there's no reason not to just add more stuff later.

Thanks!

@david-a-wheeler
Contributor Author

Ok. I'll merge this now, we can add more later. Thank you everyone!

@david-a-wheeler david-a-wheeler merged commit 45a1eb5 into main Nov 4, 2023
5 checks passed
8 participants