qmake/cmake MSYS2 commented linker security

Commented all linker security features on MSYS2 and MinGW-w64 as they are all enabled by default. - added detailed comments - added todo task [skip ci]
silverqx · Aug 26, 2024 · ecf93f1 · ecf93f1
1 parent ea71bdf
commit ecf93f1
Show file tree

Hide file tree

Showing 2 changed files with 42 additions and 10 deletions.
diff --git a/cmake/CommonModules/TinyCommon.cmake b/cmake/CommonModules/TinyCommon.cmake
@@ -193,11 +193,28 @@ ${TINY_UNPARSED_ARGUMENTS}")
             $<$<CXX_COMPILER_ID:Clang,AppleClang>:-Wno-ignored-attributes>
         )
 
-        target_link_options(${target} INTERFACE
-            $<$<CONFIG:Debug,RelWithDebInfo>:
-                LINKER:--dynamicbase,--high-entropy-va,--nxcompat
-                LINKER:--default-image-base-high>
-        )
+        # All security flags below are enabled by default on MSYS2 and MinGW-w64
+        # Legend:
+        # - ASLR - Address space layout randomization
+        #   - same as PIC on Linux (position-independent code)
+        # - DEP - Windows Data Execution Prevention feature
+        # ---
+        # Linker options (supported by both bfd and LLD):
+        # --dynamicbase - Randomly rebase at load time by using the ASLR
+        # --high-entropy-va - ASLR can use the entire 64-bit address space
+        # --nxcompat - Executable is DEP compatible
+        # --default-image-base-high - Default image bases over 4GB (ASLR)
+        # ---
+        # Can be checked by:
+        # - Exe64bitDetector.exe -f .\TinyOrm0.dll
+        # - dumpbin.exe /HEADERS .\TinyOrm0.dll
+
+        # TODO cmake MSYS2 track /GUARD:CF progress and enable it when will work everywhere; see: https://gist.github.com/alvinhochun/a65e4177e2b34d551d7ecb02b55a4b0a silverqx
+        # target_link_options(${target} INTERFACE
+        #     $<$<CONFIG:Debug,RelWithDebInfo>:
+        #         LINKER:--dynamicbase,--high-entropy-va,--nxcompat
+        #         LINKER:--default-image-base-high>
+        # )
     endif()
 
     if(NOT MSVC AND

diff --git a/qmake/common/unixconf.pri b/qmake/common/unixconf.pri
@@ -103,11 +103,26 @@ mingw {
         # Enable colors in diagnostics and use ANSI escape codes for diagnostics
         llvm: QMAKE_LFLAGS *= -fansi-escape-codes -fcolor-diagnostics
 
-        # Enable all possible security flags and features
-        QMAKE_LFLAGS += -Xlinker --dynamicbase
-        QMAKE_LFLAGS += -Xlinker --high-entropy-va
-        QMAKE_LFLAGS += -Xlinker --nxcompat
-        QMAKE_LFLAGS += -Xlinker --default-image-base-high
+        # All security flags below are enabled by default on MSYS2 and MinGW-w64
+        # Legend:
+        # - ASLR - Address space layout randomization
+        #   - same as PIC on Linux (position-independent code)
+        # - DEP - Windows Data Execution Prevention feature
+        # ---
+        # Can be checked by:
+        # - Exe64bitDetector.exe -f .\TinyOrm0.dll
+        # - dumpbin.exe /HEADERS .\TinyOrm0.dll
+
+        # TODO qmake MSYS2 track /GUARD:CF progress and enable it when will work everywhere; see: https://gist.github.com/alvinhochun/a65e4177e2b34d551d7ecb02b55a4b0a silverqx
+
+        # Randomly rebase at load time by using the ASLR
+        # QMAKE_LFLAGS += -Xlinker --dynamicbase
+        # ASLR can use the entire 64-bit address space
+        # QMAKE_LFLAGS += -Xlinker --high-entropy-va
+        # Executable is DEP compatible
+        # QMAKE_LFLAGS += -Xlinker --nxcompat
+        # Default image bases over 4GB (ASLR)
+        # QMAKE_LFLAGS += -Xlinker --default-image-base-high
 
         # The QMAKE_LFLAGS_CONSOLE -= -Wl,-subsystem,console is correct, lld recognizes
         # this correctly, but eg. cmake isn't using this linker parameter, the reason