On Wed, Sep 17, 2025 at 11:18:31AM +0200, Christian Melki wrote: > On 9/17/25 11:00 AM, ruggero rossi wrote: > > On Wed, 17 Sep 2025 10:30:04 +0200 > > Christian Melki <[email protected]> wrote: > > > Which version of gcc are we talking about? > > It is quite old, but I'm bound to it because some software does not > > compile with newer versions. It looks like that the -fzero-call-used-regs > > is supported from GCC 11 (released April 2021). > > > > > GCC 11 should support this, but I don't know over which archs. > > > It is there as a security enhancement. I would say something like less > > > gadgets for ROP style attacks? And while it does slow down execution, > > > for something like OpenSSL, it usually is worth it imho. > > I agree.... The option is a must, when it is supported. > > > > Moreover, I found a comment in some openssh (not openssl) tracking, > > saying that to detect whether a version of gcc supports the option or not > > may be not trivial.
Note, that there used to be a patch that removed the flag. I looked into this and decided it was time to remove it. I wanted the extra security. If you absolutely need to use an old compiler, then you can find the patch in older ptxdist versions and apply it locally. Michael > > > I don't see a suitable toolchain option or hardening flag in ptxdist > > > that currently fits this cleanly. Not sure if something like this fits > > > for a its own global pass either. Maybe someone else has another opinion. > > > > > > So my immediate suggestion would be to keep this local at your end for > > > now. > > > > OK - and these messages remain as a help if anyone else has the same > > problem. > > Indeed. Appreciate the time taken to report it. -- Pengutronix e.K. | | Steuerwalder Str. 21 | http://www.pengutronix.de/ | 31137 Hildesheim, Germany | Phone: +49-5121-206917-0 | Amtsgericht Hildesheim, HRA 2686 | Fax: +49-5121-206917-5555 |
