Bug#1055711: Bug#1057469: gcc-13: Please build gcc with -mbranch-protection=standard to fix PAC/BTI support on arm64
Hi Matthias,
you can find an updated patch attached; it allows disabling the flag by
building with DEB_BUILD_MAINT_OPTIONS=hardening=-branch.
It does the right thing on libgcc-13-dev built on arm64 as well as
libgcc-13-dev-arm64-cross built on amd64. I haven't tested it on
cross-builds of the native compiler as that currently fails due to
unsatisfied dependencies in sid. That case should work fine too though.
Thanks,
ema
diff -Nru gcc-13-13.3.0/debian/rules2 gcc-13-13.3.0/debian/rules2
--- gcc-13-13.3.0/debian/rules2 2024-03-23 11:56:05.000000000 +0100
+++ gcc-13-13.3.0/debian/rules2 2024-07-01 14:32:35.000000000 +0200
@@ -199,6 +199,35 @@
STAGE1_LDFLAGS =
endif
+ifeq ($(DEB_TARGET_ARCH),arm64)
+ # Build with PAC/BTI support if enabled in the build flags
+ # https://wiki.debian.org/ToolChain/PACBTI
+ ifneq (,$(findstring -mbranch-protection=standard,$(shell DEB_HOST_ARCH=arm64 dpkg-buildflags --get CFLAGS)))
+ CFLAGS_SECURE = -mbranch-protection=standard
+ else
+ CFLAGS_SECURE =
+ endif
+ ifneq (,$(findstring -mbranch-protection=standard,$(shell DEB_HOST_ARCH=arm64 dpkg-buildflags --get CXXFLAGS)))
+ CXXFLAGS_SECURE = -mbranch-protection=standard
+ else
+ CXXFLAGS_SECURE =
+ endif
+
+ ifeq ($(DEB_CROSS),yes)
+ # Building cross compilers
+ CFLAGS_FOR_TARGET += $(CFLAGS_SECURE)
+ CXXFLAGS_FOR_TARGET += $(CXXFLAGS_SECURE)
+ else ifneq ($(DEB_BUILD_GNU_TYPE),$(DEB_HOST_GNU_TYPE))
+ # Cross build of the native compiler
+ CFLAGS_FOR_TARGET += $(CFLAGS_SECURE)
+ CXXFLAGS_FOR_TARGET += $(CXXFLAGS_SECURE)
+ else
+ # Native build
+ CFLAGS += $(CFLAGS_SECURE)
+ CXXFLAGS += $(CXXFLAGS_SECURE)
+ endif
+endif
+
# set CFLAGS/LDFLAGS for the configure step only, maybe be modifed for some target
# all other flags are passed to the make step.
pass_vars = $(foreach v,$(1),$(if $($(v)),$(v)="$($(v))"))
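Review bot: When dpkg-buildflags does not emit `-mbranch-protection=standard` (an older dpkg, or `hardening=-branch` set somewhere in the environment), both `*_SECURE` variables fall back to empty and nothing in the build log records that the arm64 target libraries were built without PAC/BTI. The linker only marks an output as BTI-compatible when every input object carries the marking, so this state should be visible in the log; a line such as `$(info PAC/BTI: CFLAGS_SECURE=[$(CFLAGS_SECURE)] CXXFLAGS_SECURE=[$(CXXFLAGS_SECURE)])` after the second inner `endif` would record it. The `DEB_CROSS` branch and the cross-build-of-the-native-compiler branch are identical and could be merged into one condition. If DEB_BUILD_MAINT_OPTIONS is set with `export` inside the rules files rather than in the calling environment, confirm it reaches the two `$(shell …)` calls, because GNU make before 4.4 does not pass exported make variables to `$(shell)`.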