commit:     8bfd8afef6dd8c66def48ef52abcb624c0077ad1
Author:     Sam James <sam <AT> gentoo <DOT> org>
AuthorDate: Sat Mar 23 15:04:34 2024 +0000
Commit:     Sam James <sam <AT> gentoo <DOT> org>
CommitDate: Sat Mar 23 15:38:51 2024 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=8bfd8afe

sys-devel/clang-common: updates for 23.0

* Promote -Wl,-z,now to vanilla, following GCC (bug #876923)
* Add USE=cet to control -fcf-protection, following GCC (bug #908600, bug 
#927298)

Bug: https://bugs.gentoo.org/876923
Bug: https://bugs.gentoo.org/927298
Closes: https://bugs.gentoo.org/908600
Signed-off-by: Sam James <sam <AT> gentoo.org>

 profiles/arch/amd64/package.use.mask                      |  1 +
 profiles/base/package.use.mask                            |  1 +
 profiles/features/musl/package.use.mask                   |  1 +
 ...0_pre20240316.ebuild => clang-common-17.0.6-r2.ebuild} | 15 ++++++++++-----
 ...0_pre20240316.ebuild => clang-common-18.1.2-r1.ebuild} | 11 +++++++++--
 sys-devel/clang-common/clang-common-19.0.0.9999.ebuild    | 10 ++++++++--
 .../clang-common/clang-common-19.0.0_pre20240316.ebuild   | 10 ++++++++--
 sys-devel/clang-common/metadata.xml                       | 10 ++++++++++
 8 files changed, 48 insertions(+), 11 deletions(-)

diff --git a/profiles/arch/amd64/package.use.mask 
b/profiles/arch/amd64/package.use.mask
index 62aff0c6a407..72e1245bb5ac 100644
--- a/profiles/arch/amd64/package.use.mask
+++ b/profiles/arch/amd64/package.use.mask
@@ -29,6 +29,7 @@ media-libs/libplacebo -libdovi
 # Only works on amd64 (and x32).
 dev-debug/gdb -cet
 sys-devel/binutils -cet
+sys-devel/clang-common -cet
 sys-devel/gcc -cet
 sys-libs/binutils-libs -cet
 sys-libs/glibc -cet

diff --git a/profiles/base/package.use.mask b/profiles/base/package.use.mask
index 8442575839e0..76b39e86f880 100644
--- a/profiles/base/package.use.mask
+++ b/profiles/base/package.use.mask
@@ -46,6 +46,7 @@ sci-physics/root R
 dev-debug/gdb cet
 sys-devel/binutils cet
 sys-devel/binutils-hppa64 cet
+sys-devel/clang-common cet
 sys-devel/gcc cet
 sys-libs/binutils-libs cet
 sys-libs/glibc cet

diff --git a/profiles/features/musl/package.use.mask 
b/profiles/features/musl/package.use.mask
index 115beec584e2..83facb689f20 100644
--- a/profiles/features/musl/package.use.mask
+++ b/profiles/features/musl/package.use.mask
@@ -6,6 +6,7 @@
 dev-debug/gdb cet
 sys-devel/binutils cet
 sys-devel/binutils-hppa64 cet
+sys-devel/clang-common cet
 sys-devel/gcc cet
 sys-libs/binutils-libs cet
 sys-libs/glibc cet

diff --git a/sys-devel/clang-common/clang-common-19.0.0_pre20240316.ebuild 
b/sys-devel/clang-common/clang-common-17.0.6-r2.ebuild
similarity index 96%
copy from sys-devel/clang-common/clang-common-19.0.0_pre20240316.ebuild
copy to sys-devel/clang-common/clang-common-17.0.6-r2.ebuild
index 80d989986d28..987b7b40aa50 100644
--- a/sys-devel/clang-common/clang-common-19.0.0_pre20240316.ebuild
+++ b/sys-devel/clang-common/clang-common-17.0.6-r2.ebuild
@@ -10,9 +10,10 @@ HOMEPAGE="https://llvm.org/";
 
 LICENSE="Apache-2.0-with-LLVM-exceptions UoI-NCSA"
 SLOT="0"
+KEYWORDS="~amd64 ~arm ~arm64 ~loong ~ppc ~ppc64 ~riscv ~sparc ~x86 
~amd64-linux ~arm64-macos ~ppc-macos ~x64-macos"
 IUSE="
        default-compiler-rt default-libcxx default-lld
-       bootstrap-prefix hardened llvm-libunwind
+       bootstrap-prefix cet hardened llvm-libunwind
 "
 
 PDEPEND="
@@ -174,6 +175,12 @@ src_install() {
                -include "${EPREFIX}/usr/include/gentoo/fortify.h"
        EOF
 
+       if use amd64; then
+               cat >> "${ED}/etc/clang/gentoo-hardened.cfg" <<-EOF || die
+                       -fcf-protection=$(usex cet full none)
+               EOF
+       fi
+
        if use kernel_Darwin; then
                newins - gentoo-hardened-ld.cfg <<-EOF
                        # There was -Wl,-z,relro here, but it's not supported 
on Mac
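Review bot: The `-fcf-protection=$(usex cet full none)` line is appended to gentoo-hardened.cfg with no comment, although it is written on every amd64 build whatever USE=hardened is, and with USE=-cet it pins `-fcf-protection=none`. Someone auditing the installed cfg cannot tell which USE flag produced the value, or that `none` is a deliberate setting and not a lost hardening flag. I would add a comment line inside the heredoc above the flag, e.g. `# Controlled by USE=cet, independent of USE=hardened, for parity with sys-devel/gcc.` The same block is added without a comment in the 18.1.2-r1, 19.0.0.9999 and 19.0.0_pre20240316 ebuilds. src_install begins and ends outside this hunk.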
@@ -184,6 +191,7 @@ src_install() {
                        # Some of these options are added unconditionally, 
regardless of
                        # USE=hardened, for parity with sys-devel/gcc.
                        -Wl,-z,relro
+                       -Wl,-z,now
                EOF
        fi
 
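Review bot: With `-Wl,-z,now` moved into the unconditional block here, the USE=hardened branch further down still runs `cat >> "${ED}/etc/clang/gentoo-hardened-ld.cfg"`, but its heredoc now holds only the header `# Options below are conditional on USE=hardened.` with no option under it. The installed gentoo-hardened-ld.cfg therefore ends with a heading that introduces nothing, which reads as if a hardening flag had gone missing. Either drop that second `cat >>` block until a hardened-only linker option exists, or reword the header, e.g. `# No linker options are currently conditional on USE=hardened.` The same leftover is in the 18.1.2-r1, 19.0.0.9999 and 19.0.0_pre20240316 ebuilds.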
@@ -228,8 +236,6 @@ src_install() {
        #endif
        EOF
 
-       # TODO: Maybe -D_LIBCPP_HARDENING_MODE=_LIBCPP_HARDENING_MODE_FAST for
-       # non-hardened?
        if use hardened ; then
                cat >> "${ED}/etc/clang/gentoo-hardened.cfg" <<-EOF || die
                        # Options below are conditional on USE=hardened.
@@ -238,12 +244,11 @@ src_install() {
                        # Analogue to GLIBCXX_ASSERTIONS
                        # 
https://libcxx.llvm.org/UsingLibcxx.html#assertions-mode
                        # 
https://libcxx.llvm.org/Hardening.html#using-hardened-mode
-                       
-D_LIBCPP_HARDENING_MODE=_LIBCPP_HARDENING_MODE_EXTENSIVE
+                       -D_LIBCPP_ENABLE_ASSERTIONS=1
                EOF
 
                cat >> "${ED}/etc/clang/gentoo-hardened-ld.cfg" <<-EOF || die
                        # Options below are conditional on USE=hardened.
-                       -Wl,-z,now
                EOF
        fi
 
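Review bot: The comment links kept above the changed define still point at https://libcxx.llvm.org/Hardening.html#using-hardened-mode, while this revision now writes `-D_LIBCPP_ENABLE_ASSERTIONS=1` in place of `_LIBCPP_HARDENING_MODE`. Presumably the 17.x libc++ does not support the newer macro, but nothing in the generated cfg says so and the linked page describes the current release, not this one. A comment such as `# libc++ 17 does not support _LIBCPP_HARDENING_MODE; use the assertions macro instead.` would record the reason, if that is indeed it. It would also help to confirm that this macro still gives the checks USE=hardened users expect on 17.x.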

diff --git a/sys-devel/clang-common/clang-common-19.0.0_pre20240316.ebuild 
b/sys-devel/clang-common/clang-common-18.1.2-r1.ebuild
similarity index 96%
copy from sys-devel/clang-common/clang-common-19.0.0_pre20240316.ebuild
copy to sys-devel/clang-common/clang-common-18.1.2-r1.ebuild
index 80d989986d28..085bc3ca2202 100644
--- a/sys-devel/clang-common/clang-common-19.0.0_pre20240316.ebuild
+++ b/sys-devel/clang-common/clang-common-18.1.2-r1.ebuild
@@ -10,9 +10,10 @@ HOMEPAGE="https://llvm.org/";
 
 LICENSE="Apache-2.0-with-LLVM-exceptions UoI-NCSA"
 SLOT="0"
+KEYWORDS="~amd64 ~arm ~arm64 ~loong ~ppc ~ppc64 ~riscv ~sparc ~x86 
~amd64-linux ~arm64-macos ~ppc-macos ~x64-macos"
 IUSE="
        default-compiler-rt default-libcxx default-lld
-       bootstrap-prefix hardened llvm-libunwind
+       bootstrap-prefix cet hardened llvm-libunwind
 "
 
 PDEPEND="
@@ -174,6 +175,12 @@ src_install() {
                -include "${EPREFIX}/usr/include/gentoo/fortify.h"
        EOF
 
+       if use amd64; then
+               cat >> "${ED}/etc/clang/gentoo-hardened.cfg" <<-EOF || die
+                       -fcf-protection=$(usex cet full none)
+               EOF
+       fi
+
        if use kernel_Darwin; then
                newins - gentoo-hardened-ld.cfg <<-EOF
                        # There was -Wl,-z,relro here, but it's not supported 
on Mac
@@ -184,6 +191,7 @@ src_install() {
                        # Some of these options are added unconditionally, 
regardless of
                        # USE=hardened, for parity with sys-devel/gcc.
                        -Wl,-z,relro
+                       -Wl,-z,now
                EOF
        fi
 
@@ -243,7 +251,6 @@ src_install() {
 
                cat >> "${ED}/etc/clang/gentoo-hardened-ld.cfg" <<-EOF || die
                        # Options below are conditional on USE=hardened.
-                       -Wl,-z,now
                EOF
        fi
 

diff --git a/sys-devel/clang-common/clang-common-19.0.0.9999.ebuild 
b/sys-devel/clang-common/clang-common-19.0.0.9999.ebuild
index 80d989986d28..290d4ee063fe 100644
--- a/sys-devel/clang-common/clang-common-19.0.0.9999.ebuild
+++ b/sys-devel/clang-common/clang-common-19.0.0.9999.ebuild
@@ -12,7 +12,7 @@ LICENSE="Apache-2.0-with-LLVM-exceptions UoI-NCSA"
 SLOT="0"
 IUSE="
        default-compiler-rt default-libcxx default-lld
-       bootstrap-prefix hardened llvm-libunwind
+       bootstrap-prefix cet hardened llvm-libunwind
 "
 
 PDEPEND="
@@ -174,6 +174,12 @@ src_install() {
                -include "${EPREFIX}/usr/include/gentoo/fortify.h"
        EOF
 
+       if use amd64; then
+               cat >> "${ED}/etc/clang/gentoo-hardened.cfg" <<-EOF || die
+                       -fcf-protection=$(usex cet full none)
+               EOF
+       fi
+
        if use kernel_Darwin; then
                newins - gentoo-hardened-ld.cfg <<-EOF
                        # There was -Wl,-z,relro here, but it's not supported 
on Mac
@@ -184,6 +190,7 @@ src_install() {
                        # Some of these options are added unconditionally, 
regardless of
                        # USE=hardened, for parity with sys-devel/gcc.
                        -Wl,-z,relro
+                       -Wl,-z,now
                EOF
        fi
 
@@ -243,7 +250,6 @@ src_install() {
 
                cat >> "${ED}/etc/clang/gentoo-hardened-ld.cfg" <<-EOF || die
                        # Options below are conditional on USE=hardened.
-                       -Wl,-z,now
                EOF
        fi
 

diff --git a/sys-devel/clang-common/clang-common-19.0.0_pre20240316.ebuild 
b/sys-devel/clang-common/clang-common-19.0.0_pre20240316.ebuild
index 80d989986d28..290d4ee063fe 100644
--- a/sys-devel/clang-common/clang-common-19.0.0_pre20240316.ebuild
+++ b/sys-devel/clang-common/clang-common-19.0.0_pre20240316.ebuild
@@ -12,7 +12,7 @@ LICENSE="Apache-2.0-with-LLVM-exceptions UoI-NCSA"
 SLOT="0"
 IUSE="
        default-compiler-rt default-libcxx default-lld
-       bootstrap-prefix hardened llvm-libunwind
+       bootstrap-prefix cet hardened llvm-libunwind
 "
 
 PDEPEND="
@@ -174,6 +174,12 @@ src_install() {
                -include "${EPREFIX}/usr/include/gentoo/fortify.h"
        EOF
 
+       if use amd64; then
+               cat >> "${ED}/etc/clang/gentoo-hardened.cfg" <<-EOF || die
+                       -fcf-protection=$(usex cet full none)
+               EOF
+       fi
+
        if use kernel_Darwin; then
                newins - gentoo-hardened-ld.cfg <<-EOF
                        # There was -Wl,-z,relro here, but it's not supported 
on Mac
@@ -184,6 +190,7 @@ src_install() {
                        # Some of these options are added unconditionally, 
regardless of
                        # USE=hardened, for parity with sys-devel/gcc.
                        -Wl,-z,relro
+                       -Wl,-z,now
                EOF
        fi
 
@@ -243,7 +250,6 @@ src_install() {
 
                cat >> "${ED}/etc/clang/gentoo-hardened-ld.cfg" <<-EOF || die
                        # Options below are conditional on USE=hardened.
-                       -Wl,-z,now
                EOF
        fi
 

diff --git a/sys-devel/clang-common/metadata.xml 
b/sys-devel/clang-common/metadata.xml
index 1b10f34f3338..da45c87b0e27 100644
--- a/sys-devel/clang-common/metadata.xml
+++ b/sys-devel/clang-common/metadata.xml
@@ -9,6 +9,16 @@
        </upstream>
        <use>
                <flag name="bootstrap-prefix">!!internal use only!! DO NOT SET 
THIS FLAG YOURSELF!, used for bootstrapping Gentoo Prefix</flag>
+               <flag name="cet">
+                       Enable support for control flow hijacking protection.
+
+                       On amd64, this provides Intel Control Flow Enforcement 
Technology (CET).
+
+                       Only provides benefits on newer CPUs. For Intel, the CPU
+                       must be at least as new as Tiger Lake. For AMD, it must 
be
+                       at least as new as Zen 3. This is harmless on older 
CPUs,
+                       but provides no benefit either.
+               </flag>
                <flag name="default-compiler-rt">Use compiler-rt + libunwind 
instead of libgcc as the default rtlib for clang</flag>
                <flag name="default-libcxx">Use libc++ instead of libstdc++ as 
the default stdlib for clang</flag>
                <flag name="default-lld">Use lld as the default linker for 
clang</flag>
