chore: revamp and add additional build hardening

build/trivalent.sh

@@ -23,6 +23,12 @@ declare -rx XDG_RUNTIME_DIR="$XDG_RUNTIME_DIR"
 declare -rx XAUTHORITY="$XAUTHORITY"
 declare -rx DISPLAY="$DISPLAY"
 
+# enable hardware CFI feature
+# https://www.gnu.org/software/libc/manual/html_node/Hardware-Capability-Tunables.html
+if [[ "$(arch)" == "x86_64" ]]; then
+  declare -rx GLIBC_TUNABLES="glibc.cpu.x86_ibt=on:glibc.cpu.x86_shstk=permissive"
+fi
+
 # unify branding
 declare -r CHROMIUM_NAME="@@CHROMIUM_NAME@@"
 

patches/build-hardening.patch

@@ -1,19 +1,41 @@
 diff --git a/build/config/compiler/BUILD.gn b/build/config/compiler/BUILD.gn
-index 5898b8c54bef2..d924cec372c1a 100644
+index 59942a3cf6..c80eadf2c0 100644
 --- a/build/config/compiler/BUILD.gn
 +++ b/build/config/compiler/BUILD.gn
-@@ -371,6 +371,10 @@ config("compiler") {
+@@ -373,12 +373,18 @@ config("compiler") {
+       # On Aarch64, SCS requires the x18 register to be unused because it will hold
+       # a pointer to the shadow stack. For Android we know that Clang doesn't use
+       # x18 by default. On other OSs adding "-ffixed-x18" might be required.
+-      assert(is_android)
++      assert(is_android || is_linux)
+
+       scs_parameters = [
+         "-fsanitize=shadow-call-stack",
+-        "-fno-stack-protector",
++        "-fstack-protector-strong",
+       ]
++
++      # fixed-x18 may be required for ShadowCallStack
++      if (is_linux) {
++        scs_paramaters += [ "-ffixed-x18" ]
++      }
++
+       cflags += scs_parameters
+       ldflags += scs_parameters
+     } else {
+@@ -400,6 +406,11 @@ config("compiler") {
        }
      }
 
 +    if (is_linux) {
 +      cflags += [ "-fstack-clash-protection" ]
++      cflags += [ "-mharden-sls=all" ]
 +    }
 +
      if (use_lld) {
        ldflags += [ "-fuse-ld=lld" ]
        if (lld_path != "") {
-@@ -2059,7 +2063,7 @@ config("chromium_code") {
+@@ -2282,7 +2293,7 @@ config("chromium_code") {
        # Non-chromium code is not guaranteed to compile cleanly with
        # _FORTIFY_SOURCE. Also, fortified build may fail when optimizations are
        # disabled, so only do that for Release build.
@@ -22,3 +44,42 @@ index 5898b8c54bef2..d924cec372c1a 100644
 
        # ChromeOS's toolchain supports a high-quality _FORTIFY_SOURCE=3
        # implementation with a few custom glibc patches. Use that if it's
+@@ -3363,8 +3374,14 @@ buildflag_header("compiler_buildflags") {
+ }
+
+ config("cet_shadow_stack") {
+-  if (enable_cet_shadow_stack && is_win) {
++  if (enable_cet_shadow_stack) {
+     assert(target_cpu == "x64")
+-    ldflags = [ "/CETCOMPAT" ]
++    if (is_win) {
++      ldflags = [ "/CETCOMPAT" ]
++    } else if (is_linux) {
++      cflags = [ "-fcf-protection=full" ]
++      ldflags = [ "-fcf-protection=full", "-Wl,-z,shstk" ]
++      rustflags = [ "-Zcf-protection=full" ]
++    }
+   }
+ }
+diff --git a/build/config/linux/BUILD.gn b/build/config/linux/BUILD.gn
+index 131bb71d1d..b584e8d547 100644
+--- a/build/config/linux/BUILD.gn
++++ b/build/config/linux/BUILD.gn
+@@ -20,11 +20,13 @@ config("compiler") {
+     cflags = []
+     asmflags = []
+     if (arm_control_flow_integrity == "standard") {
+-      cflags += [ "-mbranch-protection=standard" ]
+-      asmflags += [ "-mbranch-protection=standard" ]
++      cflags += [ "-mbranch-protection=pac-ret+leaf+bti" ]
++      asmflags += [ "-mbranch-protection=pac-ret+leaf+bti" ]
++      rustflags += [ "-Zbranch-protection=bti,pac-ret,leaf" ]
+     } else if (arm_control_flow_integrity == "pac") {
+-      cflags += [ "-mbranch-protection=pac-ret" ]
+-      asmflags += [ "-mbranch-protection=pac-ret" ]
++      cflags += [ "-mbranch-protection=pac-ret+leaf" ]
++      asmflags += [ "-mbranch-protection=pac-ret+leaf" ]
++      rustflags += [ "-Zbranch-protection=pac-ret,leaf" ]
+     }
+   }
+ }