Re: Enabling hardening flags for HIP libraries

To: debian-ai@lists.debian.org
Subject: Re: Enabling hardening flags for HIP libraries
From: Cordell Bloor <cgmb-deb@slerp.xyz>
Date: Mon, 6 Mar 2023 01:59:26 -0700
Message-id: <[🔎] df939d3e-17ff-2abe-fb57-5c00b83f9f44@slerp.xyz>
In-reply-to: <[🔎] e0896759-7de1-d1c3-500a-ce205f326e50@debian.org>
References: <[🔎] 1661a76c-0845-4930-13be-b741ced72db4@slerp.xyz> <[🔎] ae39d8ccf44f6f28a953b483e02c71c8f613af67.camel@debian.org> <[🔎] e0896759-7de1-d1c3-500a-ce205f326e50@debian.org>

On 2023-03-04 02:44, Christian Kastner wrote:

src:libcap2 builds both executables and libraries, and hardening=+all
adding -fPIE to CFLAGS interfered with the library build, so I patched
upstream's Makefile [1] to filter out those flags where necessary.

Thanks for the example! That made it very clear how the options could be filtered. It turns out that the only flag that was not working in device code was -fstack-protector-strong, so I've begun enabling +all and adding this substitution rule:

CFLAGS   := $(subst -fstack-protector-strong,-Xarch_host -fstack-protector-strong,$(CFLAGS))
CXXFLAGS := $(subst -fstack-protector-strong,-Xarch_host -fstack-protector-strong,$(CXXFLAGS))

[1] https://sources.debian.org/src/libcap2/1%3A2.66-3/debian/patches/Filter-out-PIE-flags-when-building-shared-objects.patch/

Regards,
Cory Bloor

Reply to:

References:
- Enabling hardening flags for HIP libraries
  - From: Cordell Bloor <cgmb-deb@slerp.xyz>
- Re: Enabling hardening flags for HIP libraries
  - From: "M. Zhou" <lumin@debian.org>
- Re: Enabling hardening flags for HIP libraries
  - From: Christian Kastner <ckk@debian.org>

Prev by Date: Re: status of hipcc? and pytorch-rocm
Next by Date: Processing of rocprim_5.3.3-3_source.changes
Previous by thread: Re: Enabling hardening flags for HIP libraries
Next by thread: status of hipcc? and pytorch-rocm
Index(es):
- Date
- Thread