Skip to content

Fix hardening flags on aarch64 #1699

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 1 commit into
base: master
Choose a base branch
from
Open

Fix hardening flags on aarch64 #1699

wants to merge 1 commit into from

Conversation

theoparis
Copy link

Description

This PR changes fcf-protection to only apply on x86_64. Please let me know if I should add a check for the ARM equivelent of -mbranch-protection=standard.

Fixes #1698

Type of change

Choose one or multiple, leave empty if none of the other choices apply

Add a respective label(s) to PR if you have permissions

  • bug fix - change that fixes an issue
  • new feature - change that adds functionality
  • tests - change in tests
  • infrastructure - change in infrastructure and CI
  • documentation - documentation update

Tests

  • added - required for new features and some bug fixes
  • not needed

Documentation

  • updated in # - add PR number
  • needs to be updated
  • not needed

Breaks backward compatibility

  • Yes
  • No
  • Unknown

Notify the following users

Other information

@dnmokhov dnmokhov requested review from omalyshe and isaevil April 7, 2025 22:04
dnmokhov
dnmokhov reviewed Apr 7, 2025
View reviewed changes
cmake/compilers/Clang.cmake
Comment on lines +68 to 69
if (NOT APPLE AND NOT ANDROID_PLATFORM AND CMAKE_SYSTEM_PROCESSOR MATCHES "x86_64")
set(TBB_LIB_COMPILE_FLAGS ${TBB_LIB_COMPILE_FLAGS} -fstack-clash-protection $<$<NOT:$<BOOL:${EMSCRIPTEN}>>:-fcf-protection=full>)
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This also disables -fstack-clash-protection on aarch64. Is that intended?

omalyshe
omalyshe reviewed Apr 8, 2025
View reviewed changes
cmake/compilers/Clang.cmake
@@ -65,7 +65,7 @@ endif()
# Clang flags to prevent compiler from optimizing out security checks
set(TBB_COMMON_COMPILE_FLAGS ${TBB_COMMON_COMPILE_FLAGS} -Wformat -Wformat-security -Werror=format-security -fPIC $<$<NOT:$<BOOL:${EMSCRIPTEN}>>:-fstack-protector-strong>)

if (NOT APPLE AND NOT ANDROID_PLATFORM)
if (NOT APPLE AND NOT ANDROID_PLATFORM AND CMAKE_SYSTEM_PROCESSOR MATCHES "x86_64")
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
if (NOT APPLE AND NOT ANDROID_PLATFORM AND CMAKE_SYSTEM_PROCESSOR MATCHES "x86_64")
if (NOT APPLE AND NOT ANDROID_PLATFORM AND NOT CMAKE_SYSTEM_PROCESSOR MATCHES "aarch64")

To align with https://github.com/uxlfoundation/oneTBB/pull/1680/files#diff-511cf22c7f911eed42e56343adc897ca5dcd8f995b7af3a5ed686ef988491fccR108

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@omalyshe omalyshe omalyshe left review comments

@dnmokhov dnmokhov dnmokhov left review comments

@isaevil isaevil Awaiting requested review from isaevil

At least 1 approving review is required to merge this pull request.

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Build fails on aarch64 linux due to cf-protection
3 participants
@theoparis @omalyshe @dnmokhov