Re: Additional hardening options

Bernhard Rosenkränzer <bero@...>


On Wed, Jan 26, 2022 at 02:39 AM, Paul Eggleton wrote:
> I've been looking into a couple of compiler flags for hardening that I think we
> might want to consider enabling by default in
> 1) -fstack-clash-protection
> 2) -z noexecstack (or alternative mitigations)

I've been looking into those flags (and a few more) a while back when picking compiler flags to use for Oniro.

-Wl,-z,-noexecstack is unproblematic; -fstack-clash-protection adds a bit of overhead, but it isn't all that bad (typically in the 2% range).

I've been able to build working systems with both flags enabled.

My full report is at

