Use plain -fcf-protection compiler flag, without -mcet (#1570823)

2018-05-02 11:39:39 +02:00 · 2018-05-02 11:39:39 +02:00 · 6b620c91fb
commit 6b620c91fb
parent 60cf200c3c
3 changed files with 9 additions and 6 deletions
--- a/buildflags.md
+++ b/buildflags.md
@ -247,7 +247,7 @@ not), but their selection depends on the architecture:
    fully ABI-compatible and has adds very little run-time overhead, but
    is only available on certain architectures (currently aarch64, i386,
    ppc64, ppc64le, s390x, x86_64).
-*   ` -mcet -fcf-protection`: Instrument binaries to guard against
+*   `-fcf-protection`: Instrument binaries to guard against
    ROP/JOP attacks.  Used on i686 and x86_64.
 *   `-m64` and `-m32`: Some GCC builds support both 32-bit and 64-bit in
    the same compilation.  For such architectures, the RPM build process
--- a/redhat-rpm-config.spec
+++ b/redhat-rpm-config.spec
@ -6,7 +6,7 @@
 Summary: Red Hat specific rpm configuration files
 Name: redhat-rpm-config
-Version: 108
+Version: 109
 Release: 1%{?dist}
 # No version specified.
 License: GPL+
@ -106,8 +106,8 @@ Requires: %{_bindir}/grep
 Requires: %{_bindir}/sed
 Requires: %{_bindir}/xargs
-# -fstack-clash-protection and CET requires GCC 8.
+# -fstack-clash-protection and -fcf-protection require GCC 8.
-Conflicts: gcc < 8.0
+Conflicts: gcc < 8.0.1-0.22
 Provides: system-rpm-config = %{version}-%{release}
@ -184,6 +184,9 @@ install -p -m 755 -t %{buildroot}%{_rpmconfigdir} kmod.prov
 %{_rpmconfigdir}/macros.d/macros.kmp
 %changelog
 * Wed May  2 2018 Florian Weimer <fweimer@redhat.com> - 109-1
 - Use plain -fcf-protection compiler flag, without -mcet (#1570823)
 * Tue May 01 2018 Peter Jones <pjones@redhat.com> - 108-1
 - Add Requires: efi-srpm-macros for %%{efi}
--- a/4
+++ b/4
@ -3,10 +3,10 @@ include: /usr/lib/rpm/rpmrc
 optflags: i386 %{__global_compiler_flags} -m32 -march=i386 -mtune=generic -fasynchronous-unwind-tables -fstack-clash-protection
 optflags: i486 %{__global_compiler_flags} -m32 -march=i486 -fasynchronous-unwind-tables -fstack-clash-protection
 optflags: i586 %{__global_compiler_flags} -m32 -march=i586 -mtune=generic -fasynchronous-unwind-tables -fstack-clash-protection
-optflags: i686 %{__global_compiler_flags} -m32 -march=i686 -mtune=generic -fasynchronous-unwind-tables -fstack-clash-protection -mcet -fcf-protection
+optflags: i686 %{__global_compiler_flags} -m32 -march=i686 -mtune=generic -fasynchronous-unwind-tables -fstack-clash-protection -fcf-protection
 optflags: athlon %{__global_compiler_flags} -m32 -march=athlon -fasynchronous-unwind-tables -fstack-clash-protection
 optflags: ia64 %{__global_compiler_flags}
-optflags: x86_64 %{__global_compiler_flags} -m64 -mtune=generic -fasynchronous-unwind-tables -fstack-clash-protection -mcet -fcf-protection
+optflags: x86_64 %{__global_compiler_flags} -m64 -mtune=generic -fasynchronous-unwind-tables -fstack-clash-protection -fcf-protection
 optflags: alpha %{__global_compiler_flags} -mieee
 optflags: alphaev5 %{__global_compiler_flags} -mieee -mcpu=ev5