mirror of
https://github.com/NixOS/nixpkgs.git
synced 2024-11-25 08:23:09 +00:00
doc/stdenv: hardening flags: add section on zerocallusedregs
This commit is contained in:
parent
65cc6d3cf1
commit
39f39b5568
@ -1667,6 +1667,10 @@ Adds the `-fPIE` compiler and `-pie` linker options. Position Independent Execut
|
||||
Static libraries need to be compiled with `-fPIE` so that executables can link them in with the `-pie` linker option.
|
||||
If the libraries lack `-fPIE`, you will get the error `recompile with -fPIE`.
|
||||
|
||||
#### `zerocallusedregs` {#zerocallusedregs}
|
||||
|
||||
Adds the `-fzero-call-used-regs=used-gpr` compiler option. This causes the general-purpose registers that an architecture's calling convention considers "call-used" to be zeroed on return from the function. This can make it harder for attackers to construct useful ROP gadgets and also reduces the chance of data leakage from a function call.
|
||||
|
||||
[^footnote-stdenv-ignored-build-platform]: The build platform is ignored because it is a mere implementation detail of the package satisfying the dependency: As a general programming principle, dependencies are always *specified* as interfaces, not concrete implementation.
|
||||
[^footnote-stdenv-native-dependencies-in-path]: Currently, this means for native builds all dependencies are put on the `PATH`. But in the future that may not be the case for sake of matching cross: the platforms would be assumed to be unique for native and cross builds alike, so only the `depsBuild*` and `nativeBuildInputs` would be added to the `PATH`.
|
||||
[^footnote-stdenv-propagated-dependencies]: Nix itself already takes a package’s transitive dependencies into account, but this propagation ensures nixpkgs-specific infrastructure like [setup hooks](#ssec-setup-hooks) also are run as if it were a propagated dependency.
|
||||
|
Loading…
Reference in New Issue
Block a user