diff --git a/SOURCES/buildflags.md b/SOURCES/buildflags.md index abcfcbb..fe7b812 100644 --- a/SOURCES/buildflags.md +++ b/SOURCES/buildflags.md @@ -13,6 +13,8 @@ this: This will invoke the `./configure` with arguments (such as `--prefix=/usr`) to adjust the paths to the packaging defaults. +Prior to that, some common problems in autotools scripts are +automatically patched across the source tree. As a side effect, this will set the environment variables `CFLAGS`, `CXXFLAGS`, `FFLAGS`, `FCFLAGS`, and `LDFLAGS`, so they can be used by @@ -25,7 +27,8 @@ environment variables using %set_build_flags early in the `%build` section. (Again, existing environment variables -are not overwritten.) +are not overwritten.) `%set_build_flags` does not perform autotools +script rewriting, unlike `%configure`. Individual build flags are also available through RPM macros: @@ -66,11 +69,24 @@ For other considerations involving shared objects, see: * [Fedora Packaging Guidelines: Shared Libraries](https://fedoraproject.org/wiki/Packaging:Guidelines#Shared_Libraries) -# Customizing compiler flags +# Customizing compiler and other build flags It is possible to set RPM macros to change some aspects of the compiler flags. Changing these flags should be used as a last -recourse if other workarunds are not available. +recourse if other workarounds are not available. + +### Disable autotools compatibility patching + +By default, the invocation of the `%configure` macro replaces +`config.guess` files in the source tree with the system version. To +disable that, define this macro: + + %global _configure_gnuconfig_hack 0 + +`%configure` also patches `ltmain.sh` scripts, so that linker flags +are set as well during libtool-. This can be switched off using: + + %global _configure_libtool_hardening_hack 0 ### Lazy binding 
@@ -145,6 +161,63 @@ to the RPM spec file to disable these strict checks. Alternatively, you can pass `-z undefs` to ld (written as `-Wl,-z,undefs` on the gcc command line). The latter needs binutils 2.29.1-12.fc28 or later. +### Post-build ELF object processing + +By default, DWARF debugging information is separated from installed +ELF objects and put into `-debuginfo` subpackages. To disable most +debuginfo processing (and thus the generation of these subpackages), +define `_enable_debug_packages` as `0`. + +Processing of debugging information is controlled using the +`find-debuginfo` tool from the `debugedit` package. Several aspects +of its operation can be controlled at the RPM level. + +* Creation of `-debuginfo` subpackages is enabled by default. + To disable, undefine `_debuginfo_subpackages`. +* Likewise, `-debugsource` subpackages are automatically created. + To disable, undefine `_debugsource_subpackages`. + See [Separate Subpackage and Source Debuginfo](https://fedoraproject.org/wiki/Changes/SubpackageAndSourceDebuginfo) + for background information. +* `_build_id_links`, `_unique_build_ids`, `_unique_debug_names`, + `_unique_debug_srcs` control how debugging information and + corresponding source files are represented on disk. + See `/usr/lib/rpm/macros` for details. The defaults + enable parallel installation of `-debuginfo` packages for + different package versions, as described in + [Parallel Installable Debuginfo](https://fedoraproject.org/wiki/Changes/ParallelInstallableDebuginfo). +* By default, a compressed symbol table is preserved in the + `.gnu_debugdata` section. To disable that, undefine + `_include_minidebuginfo`. +* To speed up debuggers, a `.gdb_index` section is created. It can be + disabled by undefining `_include_gdb_index`. +* Missing build IDs result in a build failure. To ignore such + problems, undefine `_missing_build_ids_terminate_build`. +* During processing, build IDs are recomputed to match the binary + content. 
To skip this step, define `_no_recompute_build_ids` as `1`. +* By default, the options in `_find_debuginfo_dwz_opts` turn on `dwz` + (DWARF compression) processing. Undefine this macro to disable this + step. +* Additional options can be passed by defining the + `_find_debuginfo_opts` macro. + +After separation of debugging information, additional transformations +are applied, most of them also related to debugging information. +These steps can be skipped by undefining the corresponding macros: + +* `__brp_strip`: Removal of leftover debugging information. The tool + specified by the `__strip` macro is invoked with the `-g` option on + ELF object (`.o`) files. +* `__brp_strip_static_archive`: This is similar to `__brp_strip`, but + processes static `.a` archives instead. +* `__brp_strip_comment_note`: This step removes unallocated `.note` + sections, and `.comment` sections from ELF files. +* `__brp_ldconfig`: For each shared object on the library search path + whose soname does not match its file name, a symbolic link from the + soname to the file name is created. This way, these shared objects + are loadable immediately after installation, even if they are not yet + listed in the `/etc/ld.so.cache` file (because `ldconfig` has not been + invoked yet). + # Individual compiler flags Compiler flags end up in the environment variables `CFLAGS`, 
@@ -202,6 +275,11 @@ The general (architecture-independent) build flags are: variables. (If the address of a variable is never taken, it is not possible that a buffer overflow is caused by incorrect pointer arithmetic involving a pointer to that variable.) +* `-fstack-clash-protection`: Turn on instrumentation to avoid + skipping the guard page in large stack frames. (Without this flag, + vulnerabilities can result where the stack overlaps with the heap, + or thread stacks spill into other regions of memory.) This flag is + fully ABI-compatible and has adds very little run-time overhead. * `-grecord-gcc-switches`: Include select GCC command line switches in the DWARF debugging information. This is useful for detecting the presence of certain build flags and general hardening coverage. @@ -240,13 +318,6 @@ added by default. This can be switched off by undefining the These compiler flags are enabled for all builds (hardened/annotated or not), but their selection depends on the architecture: -* `-fstack-clash-protection`: Turn on instrumentation to avoid - skipping the guard page in large stack frames. (Without this flag, - vulnerabilities can result where the stack overlaps with the heap, - or thread stacks spill into other regions of memory.) This flag is - fully ABI-compatible and has adds very little run-time overhead, but - is only available on certain architectures (currently aarch64, i386, - ppc64, ppc64le, s390x, x86_64). * `-fcf-protection`: Instrument binaries to guard against ROP/JOP attacks. Used on i686 and x86_64. * `-m64` and `-m32`: Some GCC builds support both 32-bit and 64-bit in 
@@ -260,24 +331,18 @@ not), but their selection depends on the architecture: useful because unwind information is available without having to install (and load) debugging ienformation. Asynchronous unwind tables are enabled for aarch64, i686, s390x, - and x86_64. They are not needed on armhfp, ppc64 and ppc64le due + and x86_64. They are not needed on ppc64le due to architectural differences in stack management. On these architectures, `-fexceptions` (see above) still enables regular unwind tables (or they are enabled by default even without this option). * `-funwind-tables`: A subset of the unwind information restricted - to actual call sites. Used on ppc64, ppc64le. Also implied by + to actual call sites. Used on ppc64le. Also implied by `-fexceptions`. In addition, `redhat-rpm-config` re-selects the built-in default tuning in the `gcc` package. These settings are: -* **armhfp**: `-march=armv7-a -mfpu=vfpv3-d16 -mfloat-abi=hard` - selects an Arm subarchitecture based on the ARMv7-A architecture - with 16 64-bit floating point registers. `-mtune=cortex-8a` selects - tuning for the Cortex-A8 implementation (while preserving compatibility - with other ARMv7-A implementations). `-mabi=aapcs-linux` switches to - the AAPCS ABI for GNU/Linux. * **i686**: `-march=x86-64` is used to select a minimum supported CPU level matching the baseline for the x86_64 architecture. `-mtune=generic` activates tuning for a current blend of CPUs. @@ -296,7 +361,7 @@ tuning in the `gcc` package. These settings are: (z14). * **x86_64**: `-mtune=generic` selects tuning which is expected to beneficial for a broad range of current CPUs. -* **ppc64** and **aarch64** do not have any architecture-specific tuning. +* **aarch64** does not have any architecture-specific tuning. # Individual linker flags diff --git a/SOURCES/dist.sh b/SOURCES/dist.sh index 23bb032..db6c053 100755 --- a/SOURCES/dist.sh +++ b/SOURCES/dist.sh 
@@ -25,7 +25,7 @@ function check_rhl { } function check_rhel { - egrep -q "(Enterprise|Advanced|CentOS)" $RELEASEFILE && echo $DISTNUM + egrep -q "(Enterprise|Advanced)" $RELEASEFILE && echo $DISTNUM } function check_fedora { diff --git a/SPECS/redhat-rpm-config.spec b/SPECS/redhat-rpm-config.spec index 458fc6e..0e427ff 100644 --- a/SPECS/redhat-rpm-config.spec +++ b/SPECS/redhat-rpm-config.spec @@ -6,7 +6,7 @@ Summary: Red Hat specific rpm configuration files Name: redhat-rpm-config -Version: 125 +Version: 126 Release: 1%{?dist} # No version specified. License: GPL+ @@ -205,6 +205,9 @@ install -p -m 755 %{SOURCE21} %{buildroot}%{_rpmconfigdir}/kabi.sh %{_rpmconfigdir}/macros.d/macros.kmp %changelog +* Mon Nov 29 2021 Florian Weimer - 126-1 +- buildflags.md: Documentation updates (#2005079) + * Fri Nov 27 2020 Florian Festi - 125-1 - Add missing macros.fedora-misc file (#1874576)
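Review bot: In the `SOURCES/buildflags.md` hunk at `@@ -13,6 +13,8 @@`, the added sentence "some common problems in autotools scripts are automatically patched across the source tree" does not say which files are rewritten or how to turn the rewriting off. The section "Disable autotools compatibility patching" added later in this patch names `config.guess` and `ltmain.sh` and the two controlling macros. A short pointer to that section here would tell packagers that `%configure` modifies upstream sources before the build.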
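Review bot: In the `SOURCES/buildflags.md` hunk at `@@ -66,11 +69,24 @@`, the added sentence about `ltmain.sh` is cut off: "are set as well during libtool-." ends on a dangling hyphen, so the reader cannot tell which libtool step picks up the linker flags. Complete the phrase before merging. The same hunk renames the heading to "Customizing compiler and other build flags", but the unchanged paragraph under it still speaks only of "compiler flags". Update that paragraph to match the new scope.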
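Review bot: The new "Post-build ELF object processing" section (hunk `@@ -145,6 +161,63 @@`) switches between three ways of turning a step off without showing the spec-file line for any of them: define as `0` (`_enable_debug_packages`), define as `1` (`_no_recompute_build_ids`), and undefine (most of the remaining macros). The autotools section added in this same patch shows the literal line `%global _configure_gnuconfig_hack 0`. Giving the equivalent line for each form here would remove the guesswork about whether setting a macro to `0` is equivalent to undefining it. For `_missing_build_ids_terminate_build`, the text says how to ignore missing build IDs but not what a missing build ID means for the resulting `-debuginfo` package. One sentence on that would help packagers decide whether ignoring the failure is acceptable.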
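Review bot: The `-fstack-clash-protection` bullet added in hunk `@@ -202,6 +275,11 @@` carries over a grammar slip from the bullet that hunk `@@ -240,13 +318,6 @@` removes: "has adds very little run-time overhead" should read "adds very little run-time overhead". Since the text is being moved to the architecture-independent list anyway, fix it in the added lines.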
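Review bot: In hunk `@@ -260,24 +331,18 @@`, the changed line now names a single architecture ("They are not needed on ppc64le due"), but the unchanged sentence that follows still begins "On these architectures". With armhfp and ppc64 dropped, reword that sentence to the singular so the paragraph stays consistent. The context line just above also contains the typo "debugging ienformation", which could be corrected in the same pass.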
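Review bot: The `SOURCES/dist.sh` hunk at `@@ -25,7 +25,7 @@` changes behaviour, not documentation: with `CentOS` removed from the pattern, `check_rhel` no longer prints `$DISTNUM` for a release file that matches only that string. The changelog entry added in `SPECS/redhat-rpm-config.spec` reads "buildflags.md: Documentation updates (#2005079)" and does not mention this. Add a changelog line for the `dist.sh` change so the effect on the dist tag is traceable. While the line is being touched, `$RELEASEFILE` should be quoted, and `egrep` could be written as `grep -E`, since current GNU grep releases warn that `egrep` is obsolescent.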