| field | value | date |
|---|---|---|
| author | Robert Scott <code@humanleg.org.uk> | 2024-06-05 23:09:12 +0100 |
| committer | Robert Scott <code@humanleg.org.uk> | 2024-06-05 23:10:20 +0100 |
| commit | 39f39b5568c34b2b40681cdb021c04cd6ae3bbef (patch) | |
| tree | 23786bd04bd2f27f0a2fa8445adb5f85c6544eb3 /doc/stdenv/stdenv.chapter.md | |
| parent | 65cc6d3cf151552de1a5ed2868daea3c8e4aa5bc (diff) | |
doc/stdenv: hardening flags: add section on zerocallusedregs
Diffstat (limited to 'doc/stdenv/stdenv.chapter.md')
-rw-r--r-- | doc/stdenv/stdenv.chapter.md | 4 |
1 files changed, 4 insertions, 0 deletions
diff --git a/doc/stdenv/stdenv.chapter.md b/doc/stdenv/stdenv.chapter.md index a331ceb689ece..93ddeff7d016d 100644 --- a/doc/stdenv/stdenv.chapter.md +++ b/doc/stdenv/stdenv.chapter.md @@ -1667,6 +1667,10 @@ Adds the `-fPIE` compiler and `-pie` linker options. Position Independent Execut Static libraries need to be compiled with `-fPIE` so that executables can link them in with the `-pie` linker option. If the libraries lack `-fPIE`, you will get the error `recompile with -fPIE`. +#### `zerocallusedregs` {#zerocallusedregs} + +Adds the `-fzero-call-used-regs=used-gpr` compiler option. This causes the general-purpose registers that an architecture's calling convention considers "call-used" to be zeroed on return from the function. This can make it harder for attackers to construct useful ROP gadgets and also reduces the chance of data leakage from a function call. + [^footnote-stdenv-ignored-build-platform]: The build platform is ignored because it is a mere implementation detail of the package satisfying the dependency: As a general programming principle, dependencies are always *specified* as interfaces, not concrete implementation. [^footnote-stdenv-native-dependencies-in-path]: Currently, this means for native builds all dependencies are put on the `PATH`. But in the future that may not be the case for sake of matching cross: the platforms would be assumed to be unique for native and cross builds alike, so only the `depsBuild*` and `nativeBuildInputs` would be added to the `PATH`. [^footnote-stdenv-propagated-dependencies]: Nix itself already takes a package’s transitive dependencies into account, but this propagation ensures nixpkgs-specific infrastructure like [setup hooks](#ssec-setup-hooks) also are run as if it were a propagated dependency. |
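Review bot: The description in the new `zerocallusedregs` section slightly overstates what the option value does: `-fzero-call-used-regs=used-gpr` zeroes only the call-used general-purpose registers that the function actually used, not every call-used GPR, so the sentence "This causes the general-purpose registers that an architecture's calling convention considers "call-used" to be zeroed on return" should say "the call-used general-purpose registers that the function actually used", which is also why the flag is cheaper than the all-registers variants. The section also does not say whether this flag is part of the default hardening set or which compilers and platforms honour it; the other hardening-flag subsections are where readers look for exactly that, so a sentence on default status (and, where applicable, how to opt out) would make the entry complete. Finally, "reduces the chance of data leakage from a function call" is vague; naming the mechanism, that stale values are not left behind in caller-saved registers after the call returns, would make the security benefit concrete.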