From ecf93f1d84da369ce48da6aeee1fff3e322546cf Mon Sep 17 00:00:00 2001 From: silverqx Date: Mon, 26 Aug 2024 20:14:23 +0200 Subject: [PATCH] qmake/cmake MSYS2 commented linker security Commented all linker security features on MSYS2 and MinGW-w64 as they are all enabled by default. - added detailed comments - added todo task [skip ci] --- cmake/CommonModules/TinyCommon.cmake | 27 ++++++++++++++++++++++----- qmake/common/unixconf.pri | 25 ++++++++++++++++++++----- 2 files changed, 42 insertions(+), 10 deletions(-) diff --git a/cmake/CommonModules/TinyCommon.cmake b/cmake/CommonModules/TinyCommon.cmake index abc25967c..54d5351f4 100644 --- a/cmake/CommonModules/TinyCommon.cmake +++ b/cmake/CommonModules/TinyCommon.cmake @@ -193,11 +193,28 @@ ${TINY_UNPARSED_ARGUMENTS}") $<$:-Wno-ignored-attributes> ) - target_link_options(${target} INTERFACE - $<$: - LINKER:--dynamicbase,--high-entropy-va,--nxcompat - LINKER:--default-image-base-high> - ) + # All security flags below are enabled by default on MSYS2 and MinGW-w64 + # Legend: + # - ASLR - Address space layout randomization + # - same as PIC on Linux (position-independent code) + # - DEP - Windows Data Execution Prevention feature + # --- + # Linker options (supported by both bfd and LLD): + # --dynamicbase - Randomly rebase at load time by using the ASLR + # --high-entropy-va - ASLR can use the entire 64-bit address space + # --nxcompat - Executable is DEP compatible + # --default-image-base-high - Default image bases over 4GB (ASLR) + # --- + # Can be checked by: + # - Exe64bitDetector.exe -f .\TinyOrm0.dll + # - dumpbin.exe /HEADERS .\TinyOrm0.dll + + # TODO cmake MSYS2 track /GUARD:CF progress and enable it when will work everywhere; see: https://gist.github.com/alvinhochun/a65e4177e2b34d551d7ecb02b55a4b0a silverqx + # target_link_options(${target} INTERFACE + # $<$: + # LINKER:--dynamicbase,--high-entropy-va,--nxcompat + # LINKER:--default-image-base-high> + # ) endif() if(NOT MSVC AND diff --git a/qmake/common/unixconf.pri b/qmake/common/unixconf.pri index 1f76d324d..247a16bdf 100644 --- a/qmake/common/unixconf.pri +++ b/qmake/common/unixconf.pri @@ -103,11 +103,26 @@ mingw { # Enable colors in diagnostics and use ANSI escape codes for diagnostics llvm: QMAKE_LFLAGS *= -fansi-escape-codes -fcolor-diagnostics - # Enable all possible security flags and features - QMAKE_LFLAGS += -Xlinker --dynamicbase - QMAKE_LFLAGS += -Xlinker --high-entropy-va - QMAKE_LFLAGS += -Xlinker --nxcompat - QMAKE_LFLAGS += -Xlinker --default-image-base-high + # All security flags below are enabled by default on MSYS2 and MinGW-w64 + # Legend: + # - ASLR - Address space layout randomization + # - same as PIC on Linux (position-independent code) + # - DEP - Windows Data Execution Prevention feature + # --- + # Can be checked by: + # - Exe64bitDetector.exe -f .\TinyOrm0.dll + # - dumpbin.exe /HEADERS .\TinyOrm0.dll + + # TODO qmake MSYS2 track /GUARD:CF progress and enable it when will work everywhere; see: https://gist.github.com/alvinhochun/a65e4177e2b34d551d7ecb02b55a4b0a silverqx + + # Randomly rebase at load time by using the ASLR + # QMAKE_LFLAGS += -Xlinker --dynamicbase + # ASLR can use the entire 64-bit address space + # QMAKE_LFLAGS += -Xlinker --high-entropy-va + # Executable is DEP compatible + # QMAKE_LFLAGS += -Xlinker --nxcompat + # Default image bases over 4GB (ASLR) + # QMAKE_LFLAGS += -Xlinker --default-image-base-high # The QMAKE_LFLAGS_CONSOLE -= -Wl,-subsystem,console is correct, lld recognizes # this correctly, but eg. cmake isn't using this linker parameter, the reason