From 5cc59192bcaa4b3618712e2f6e5c4f6be685954c Mon Sep 17 00:00:00 2001
From: Bram Matthys
Date: Sun, 22 Feb 2026 18:23:57 +0100
Subject: [PATCH] Hardening: add -mbranch-protection=standard for arm64 that support it.

e.g. raspberry pi 5, aws ec2 graviton2 and higher, etc. This does the same as -fcf-protection on x64 (well, those that support it).
---
 configure | 57 +++++++++++++++++++++++++++++++++++++++++++++++++++-
 configure.ac | 5 ++++-
 2 files changed, 60 insertions(+), 2 deletions(-)

diff --git a/configure b/configure
index 42e430436..2d9a2ac9d 100755
--- a/configure
+++ b/configure
@@ -4975,7 +4975,7 @@ ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $
 ac_compiler_gnu=$ac_cv_c_compiler_gnu
- # Control Flow Enforcement (ROP hardening) - requires CPU hardware support
+ # Control Flow Enforcement (ROP hardening) - requires CPU hardware support (x64)
 ac_ext=c
 ac_cpp='$CPP $CPPFLAGS'
 ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5'
@@ -5030,6 +5030,61 @@ ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $ ac_compiler_gnu=$ac_cv_c_compiler_gnu + # Similar to above but for arm64 + ac_ext=c +ac_cpp='$CPP $CPPFLAGS' +ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5' +ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5' +ac_compiler_gnu=$ac_cv_c_compiler_gnu + + { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking whether C compiler accepts -mbranch-protection=standard" >&5 +printf %s "checking whether C compiler accepts -mbranch-protection=standard... " >&6; } +if test ${ax_cv_check_cflags__Werror___mbranch_protection_standard+y} +then : + printf %s "(cached) " >&6 +else case e in #( + e) + ax_check_save_flags=$CFLAGS + CFLAGS="$CFLAGS -Werror -mbranch-protection=standard" + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ + +int +main (void) +{ + + ; + return 0; +} +_ACEOF +if ac_fn_c_try_compile "$LINENO" +then : + ax_cv_check_cflags__Werror___mbranch_protection_standard=yes +else case e in #( + e) ax_cv_check_cflags__Werror___mbranch_protection_standard=no ;; +esac +fi +rm -f core conftest.err conftest.$ac_objext conftest.beam conftest.$ac_ext + CFLAGS=$ax_check_save_flags ;; +esac +fi +{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $ax_cv_check_cflags__Werror___mbranch_protection_standard" >&5 +printf "%s\n" "$ax_cv_check_cflags__Werror___mbranch_protection_standard" >&6; } +if test x"$ax_cv_check_cflags__Werror___mbranch_protection_standard" = xyes +then : + HARDEN_CFLAGS="$HARDEN_CFLAGS -mbranch-protection=standard" +else case e in #( + e) : ;; +esac +fi + + ac_ext=c +ac_cpp='$CPP $CPPFLAGS' +ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5' +ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5' +ac_compiler_gnu=$ac_cv_c_compiler_gnu + + # Since we have moved from name[1] to name[], setting this should help bounds checking: ac_ext=c ac_cpp='$CPP 
$CPPFLAGS'
diff --git a/configure.ac b/configure.ac
index 3150bad2e..add8fa4ce 100644
--- a/configure.ac
+++ b/configure.ac
@@ -144,9 +144,12 @@ AS_IF([test x"$hardening" != x"no"], [
 # Added in UnrealIRCd 5.0.5 (default on Ubuntu 19.10)
 check_cc_flag([-fstack-clash-protection], [HARDEN_CFLAGS="$HARDEN_CFLAGS -fstack-clash-protection"])
- # Control Flow Enforcement (ROP hardening) - requires CPU hardware support
+ # Control Flow Enforcement (ROP hardening) - requires CPU hardware support (x64)
 check_cc_flag([-fcf-protection], [HARDEN_CFLAGS="$HARDEN_CFLAGS -fcf-protection"])
+ # Similar to above but for arm64
+ check_cc_flag([-mbranch-protection=standard], [HARDEN_CFLAGS="$HARDEN_CFLAGS -mbranch-protection=standard"])
+
 # Since we have moved from name[1] to name[], setting this should help bounds checking:
 check_cc_flag([-fstrict-flex-arrays=3], [HARDEN_CFLAGS="$HARDEN_CFLAGS -fstrict-flex-arrays=3"])
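Review bot: The comment on the added `check_cc_flag([-mbranch-protection=standard], ...)` line, `# Similar to above but for arm64`, leaves out what the flag actually turns on and inherits the misleading `requires CPU hardware support` wording from the line above it. On AArch64 `-mbranch-protection=standard` means `pac-ret+bti` — PAC return-address signing plus BTI landing pads — emitted as HINT-space instructions, so the binary still runs on cores without PAC/BTI, merely unenforced; `check_cc_flag` only proves the compiler accepts the flag, which is the right test here and means the flag is safe to add unconditionally. The caveat worth recording is that BTI needs the linker to mark the executable or shared object, which it only does when every input object carries the feature note (PAC signing works per function regardless), so one static library or dlopen'ed module compiled without these HARDEN_CFLAGS silently loses BTI for that object; how HARDEN_CFLAGS reaches module and bundled-library builds is not visible in this hunk. I would replace the comment with `# arm64: pac-ret+bti (PAC return-address signing + BTI landing pads); NOPs on cores without the feature, so safe unconditionally` and `# BTI only takes effect for objects whose inputs were all built with it — check with readelf -n for 'AArch64 feature: BTI, PAC'`.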