CET support and general compiler-based hardening
It would be neat to have Alpine binaries built with CET support by default: it's supported on Intel hardware since Tiger Lake, released in 2020, and on AMD since Zen 3, also released in 2020. CET provides strong control-flow guarantees (~killing ROP) on supported hardware, and is equivalent to a nop on unsupported ones.
- Ubuntu has it since 20.04LTS (2020)
- Fedora has it since Fedora 28 (2018)
- Windows has it since Windows 10, version 2004 (November 2020)
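As an added example (not part of this issue), a small Python checker for whether an x86-64 ELF object carries the CET property bits the linker records for -fcf-protection. The note layout follows the ELF gABI and the x86-64 psABI; the sample notes at the bottom are constructed inline so the checker runs without a real binary.

```python
import struct
from typing import Optional

NT_GNU_PROPERTY_TYPE_0 = 5
GNU_PROPERTY_X86_FEATURE_1_AND = 0xC0000002   # bits every linked object must share
IBT, SHSTK = 1 << 0, 1 << 1                   # GNU_PROPERTY_X86_FEATURE_1_{IBT,SHSTK}
SHT_NOTE = 7

def parse_property_note(note: bytes) -> dict:
    """Return {pr_type: pr_data} from one ELF64 NT_GNU_PROPERTY_TYPE_0 note."""
    namesz, descsz, ntype = struct.unpack_from("<III", note, 0)
    if ntype != NT_GNU_PROPERTY_TYPE_0 or note[12:12 + namesz] != b"GNU\0":
        raise ValueError("not a GNU property note")
    off = (12 + namesz + 3) & ~3              # owner name is padded to 4 bytes
    end, props = off + descsz, {}
    while off < end:
        pr_type, pr_datasz = struct.unpack_from("<II", note, off)
        props[pr_type] = note[off + 8:off + 8 + pr_datasz]
        off += 8 + ((pr_datasz + 7) & ~7)     # properties are 8-byte aligned on ELF64
    return props

def cet_status(note: bytes) -> dict:
    """True for each CET feature the loader would enable for this object."""
    data = parse_property_note(note).get(GNU_PROPERTY_X86_FEATURE_1_AND, b"\0" * 4)
    bits = struct.unpack("<I", data[:4])[0]
    return {"ibt": bool(bits & IBT), "shstk": bool(bits & SHSTK)}

def property_note_from_elf(path: str) -> Optional[bytes]:
    """Locate .note.gnu.property in a little-endian ELF64 file, or None if absent."""
    with open(path, "rb") as f:
        elf = f.read()
    if elf[:6] != b"\x7fELF\x02\x01":
        raise ValueError("not a little-endian ELF64 file")
    shoff, = struct.unpack_from("<Q", elf, 0x28)
    shentsize, shnum, shstrndx = struct.unpack_from("<HHH", elf, 0x3A)
    hdrs = [struct.unpack_from("<IIQQQQ", elf, shoff + i * shentsize) for i in range(shnum)]
    strtab = hdrs[shstrndx][4]                # sh_offset of .shstrtab
    for name, stype, _, _, off, size in hdrs:
        if stype == SHT_NOTE and elf[strtab + name:].startswith(b".note.gnu.property\0"):
            return elf[off:off + size]
    return None

def _note(bits: int) -> bytes:
    # Constructed sample note: namesz=4, descsz=16, one FEATURE_1_AND property
    return struct.pack("<III4sII4s4x", 4, 16, NT_GNU_PROPERTY_TYPE_0, b"GNU\0",
                       GNU_PROPERTY_X86_FEATURE_1_AND, 4, struct.pack("<I", bits))

SAMPLE_FULL_CET = _note(IBT | SHSTK)   # what -fcf-protection=full produces
SAMPLE_NO_CET = _note(0)               # an object built without CET
```

On a real binary, `cet_status(property_note_from_elf(path))` gives the same answer as reading the x86 feature line of `readelf -n`; a missing note means the loader will never enable CET for that object.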
While looking at this, I wondered what hardening-related compilation flags Alpine was using by default, and didn't manage to find a single source of truth:
GOFLAGS="-buildmode=pie" is enabled in abuild.conf.
-stack-protector: enabled by default via a clang patch, but what about gcc?
-D_FORTIFY_SOURCE=2 is apparently enabled by default as per this commit, but cool kids are using
- Arch Linux moved to it in April 2023
-z relro -z now are apparently enabled by default as per this commit
-fstack-clash-protection: enabled via abuild@4f7a2aff
- Fedora is using by default
-fpic -shared are enabled by default
-Werror=format-security is enabled as well
A decent subset of UBSan like
- Ubuntu is working on enabling it by default
libcxx related, added via abuild!221 (merged)
-fcf-protection: needs musl support.
It would be great to have the flags and their tradeoffs documented somewhere.