guix: build Linux GCC with --enable-cet

Similar to #29695, and in the same vein of explicitly configuring
hardening options in our release toolchain.

See https://gcc.gnu.org/install/configure.html:

> Enable building target run-time libraries with control-flow instrumentation,
> see `-fcf-protection option`. When --enable-cet is specified target
> libraries are configured to add `-fcf-protection` and, if needed,
> other target specific options to a set of building options.

> `--enable-cet=auto` is default. CET is enabled on Linux/x86 if target
> binutils supports Intel CET instructions and disabled otherwise.
> In this case, the target libraries are configured to get additional
> `-fcf-protection` option.
fanquake 2024-07-10 10:20:27 +01:00
parent cf0120ff02
commit 89bf11b807
GPG key ID: 2EEB9F5CC09526C1
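The quoted GCC docs make CET conditional on binutils support, which is why the flag is pinned to `yes`; the way to confirm the setting actually reached a release binary is to read the x86 feature property that GCC and ld record in `.note.gnu.property`. The parser below is an added example, not code from this commit or from Bitcoin Core's guix scripts, and assumes a little-endian ELF64 (x86-64) binary; `make_x86_property_note` builds a constructed sample note so the check can be exercised without a compiler.

```python
import struct

NT_GNU_PROPERTY_TYPE_0 = 5
GNU_PROPERTY_X86_FEATURE_1_AND = 0xC0000002
FEATURE_BITS = {0x1: "IBT", 0x2: "SHSTK"}
_up = lambda n, a: (n + a - 1) // a * a  # round n up to a multiple of a

def x86_feature_1_and(note: bytes, elf64: bool = True) -> set:
    """CET feature names in a raw .note.gnu.property section. An empty set means no
    GNU_PROPERTY_X86_FEATURE_1_AND property, i.e. not (fully) built with -fcf-protection."""
    align, feats, off = (8 if elf64 else 4), set(), 0
    while off + 12 <= len(note):
        namesz, descsz, ntype = struct.unpack_from("<III", note, off)
        off += 12
        name = note[off:off + namesz]
        off = _up(off + namesz, align)       # desc starts at the section alignment
        desc = note[off:off + descsz]
        off = _up(off + descsz, align)
        if ntype != NT_GNU_PROPERTY_TYPE_0 or name != b"GNU\0":
            continue
        pos = 0
        while pos + 8 <= len(desc):          # property: pr_type, pr_datasz, data, pad
            pr_type, pr_datasz = struct.unpack_from("<II", desc, pos)
            pos += 8
            if pr_type == GNU_PROPERTY_X86_FEATURE_1_AND and pr_datasz == 4:
                bits = struct.unpack_from("<I", desc, pos)[0]
                feats |= {n for b, n in FEATURE_BITS.items() if bits & b}
            pos = _up(pos + pr_datasz, align)
    return feats

def make_x86_property_note(bits: int) -> bytes:
    """Constructed ELF64 note carrying the given feature bits (GCC/ld layout)."""
    return struct.pack("<III4sIII4x", 4, 16, NT_GNU_PROPERTY_TYPE_0, b"GNU\0",
                       GNU_PROPERTY_X86_FEATURE_1_AND, 4, bits)

def read_note_gnu_property(path: str) -> bytes:
    """Raw .note.gnu.property section of a little-endian ELF64 file, b'' if absent."""
    data = open(path, "rb").read()
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        return b""
    e_shoff, = struct.unpack_from("<Q", data, 0x28)
    e_shentsize, e_shnum, e_shstrndx = struct.unpack_from("<HHH", data, 0x3A)
    shdr = lambda i: struct.unpack_from("<IIQQQQ", data, e_shoff + i * e_shentsize)
    strtab = shdr(e_shstrndx)[4]             # file offset of .shstrtab
    for i in range(e_shnum):
        sh_name, _, _, _, sh_off, sh_size = shdr(i)
        if data[strtab + sh_name:].split(b"\0", 1)[0] == b".note.gnu.property":
            return data[sh_off:sh_off + sh_size]
    return b""
```

Run `x86_feature_1_and(read_note_gnu_property(path))` against a built x86-64 binary; because GNU ld ANDs the property across all inputs, an empty result means at least one linked object was compiled without `-fcf-protection`.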


@ -434,6 +434,7 @@ inspecting signatures in Mach-O binaries.")
"--enable-default-ssp=yes", "--enable-default-ssp=yes",
"--enable-default-pie=yes", "--enable-default-pie=yes",
"--enable-standard-branch-protection=yes", "--enable-standard-branch-protection=yes",
"--enable-cet=yes",
building-on))) building-on)))
((#:phases phases) ((#:phases phases)
`(modify-phases ,phases `(modify-phases ,phases
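Review bot: the new `"--enable-cet=yes"` line sits in the flag list shared by every Linux target (it is next to `--enable-standard-branch-protection=yes`, which is an AArch64 option), so it is passed to non-x86 GCC builds as well; the quoted docs only describe the x86 behaviour, so a short comment on that line saying CET is an x86-only option that the other targets accept and ignore would save the next reader a trip to the GCC manual. It is also worth stating there why `yes` is used instead of the default `auto` from the quote: with `auto` a missing CET-capable binutils silently disables the instrumentation, whereas `yes` makes the requirement explicit, which is the whole point of this change and of the ssp/pie flags above it.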