From 5d01dc9a58d02c4ae3c3c45a37d4c7b45fa945a2 Mon Sep 17 00:00:00 2001
From: "Rick Farina (Zero_Chaos)"
Date: Tue, 12 Nov 2024 15:26:36 -0500
Subject: [PATCH] profile: update CFLAGS et al
I've been testing this stuff for months now, time for everyone to enjoy. Enabling -flto for execution speed improvement as well as a bunch of pending gcc 14 security flags which seem to work reliably without causing any issues.
---
 profiles/pentoo/base/make.defaults | 14 +++--
 profiles/pentoo/base/profile.bashrc | 71 ++++++++++++++++------
 profiles/pentoo/zero-system/make.defaults | 5 +-
 profiles/pentoo/zero-system/profile.bashrc | 46 --------------
 4 files changed, 65 insertions(+), 71 deletions(-)
diff --git a/profiles/pentoo/base/make.defaults b/profiles/pentoo/base/make.defaults
index 1665c95324..5bdb4d7135 100644
--- a/profiles/pentoo/base/make.defaults
+++ b/profiles/pentoo/base/make.defaults
@@ -1,4 +1,4 @@
-# Copyright 2004-2023 Gentoo Foundation.
+# Copyright 2004-2024 Gentoo Foundation.
 # Distributed under the terms of the GNU General Public License v2
 # $Header: $
@@ -8,10 +8,14 @@ LDFLAGS="${LDFLAGS} -Wl,--defsym=__gentoo_check_ldflags__=0"
 #Adding -frecord-gcc-switches to help track down packages which don't respect *FLAGS
 #should probably leave a note in /etc/portage/make.conf about keeping this when override
-CFLAGS="${CFLAGS} -O3 -frecord-gcc-switches -pipe"
-CXXFLAGS="${CXXFLAGS} -O3 -frecord-gcc-switches -pipe"
-FFLAGS="${FFLAGS} -O3 -frecord-gcc-switches -pipe"
-FCFLAGS="${FCFLAGS} -O3 -frecord-gcc-switches pipe"
+SPEEDFLAGS="-O3 -flto"
+WARNINGFLAGS="-frecord-gcc-switches -Wstringop-overread"
+#adapted from gcc14 -fhardened without "-fPIE -pie"
+SECURITYFLAGS="-D_FORTIFY_SOURCE=3 -D_GLIBCXX_ASSERTIONS -ftrivial-auto-var-init=pattern -Wl,-z,relro,-z,now -fstack-protector-strong -fstack-clash-protection -fcf-protection=full"
+CFLAGS="${CFLAGS} -pipe ${SPEEDFLAGS} ${WARNINGFLAGS} ${SECURITYFLAGS}"
+CXXFLAGS="${CXXFLAGS} -pipe ${SPEEDFLAGS} ${WARNINGFLAGS} ${SECURITYFLAGS}"
+FFLAGS="${FFLAGS} -pipe ${SPEEDFLAGS} ${WARNINGFLAGS} ${SECURITYFLAGS}"
+FCFLAGS="${FCFLAGS} -pipe ${SPEEDFLAGS} ${WARNINGFLAGS} ${SECURITYFLAGS}"
 FEATURES="${FEATURES} usersandbox protect-owned userpriv userfetch fixlafiles news parallel-fetch sfperms unmerge-orphans unknown-features-warn usersync \
 multilib-strict preserve-libs parallel-install -ebuild-locks binpkg-multi-instance -buildpkg-live splitdebug compressdebug"
diff --git a/profiles/pentoo/base/profile.bashrc b/profiles/pentoo/base/profile.bashrc
index a0ee851684..53668caea2 100644
--- a/profiles/pentoo/base/profile.bashrc
+++ b/profiles/pentoo/base/profile.bashrc
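Review bot: In profiles/pentoo/base/make.defaults, `-Wl,-z,relro,-z,now` inside the new `SECURITYFLAGS` line is a linker option, but the variable is appended only to `CFLAGS`, `CXXFLAGS`, `FFLAGS` and `FCFLAGS`, so full RELRO and immediate binding reach the link step only for packages whose build system forwards the compiler flags to the link command. The `LDFLAGS` assignment shown at the top of this hunk is where linker options belong; I would add `LDFLAGS="${LDFLAGS} -Wl,-z,relro,-z,now"` there and mention it in the `#adapted from gcc14 -fhardened` comment. That comment could also record why `-fPIE -pie` is left out, since the hunk does not show whether PIE comes from the toolchain default. `-fcf-protection=full` is accepted only on x86 targets, so if this base profile is also inherited by non-x86 profiles (not visible here) it needs an arch guard.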
@@ -16,24 +16,6 @@ if [[ $CATEGORY/$PN-${PVR} == sys-fs/e2fsprogs-1.47.1 ]]; then export MAKEOPTS="
 #bug
 if [[ $CATEGORY/$PN == sys-boot/os-prober ]] ; then FEATURES=${FEATURES/multilib-strict/} ; fi
-#let's speed up the cracker's default cflags a bit. this bloats the binaries but speeds improve
-if [[ $CATEGORY/$PN == net-wireless/aircrack-ng ]]; then
- export CFLAGS="${CFLAGS} -Werror=strict-aliasing -flto"
- export CXXFLAGS="${CXXFLAGS} -Werror=strict-aliasing -flto"
-fi
-if [[ $CATEGORY/$PN == app-crypt/asleap ]]; then export CFLAGS="${CFLAGS} -Werror=strict-aliasing -flto"; fi
-if [[ $CATEGORY/$PN == app-crypt/hashcat ]]; then export CFLAGS="${CFLAGS} -Werror=strict-aliasing -flto"; fi
-if [[ $CATEGORY/$PN == app-crypt/johntheripper ]]; then export CFLAGS="${CFLAGS} -Werror=strict-aliasing -flto"; fi
-if [[ $CATEGORY/$PN == app-crypt/johntheripper-jumbo ]]; then export CFLAGS="${CFLAGS} -Werror=strict-aliasing -flto"; fi
-if [[ $CATEGORY/$PN == dev-libs/pocl ]]; then export CFLAGS="${CFLAGS} -Werror=strict-aliasing -flto"; fi
-if [[ $CATEGORY/$PN == net-wireless/cowpatty ]]; then export CFLAGS="${CFLAGS} -Werror=strict-aliasing -flto"; fi
-if [[ $CATEGORY/$PN =~ net-wireless/soapy* ]]; then export CFLAGS="${CFLAGS} -Werror=strict-aliasing -flto"; export CXXFLAGS="${CXXFLAGS} -Werror=strict-aliasing -flto"; fi
-
-#speaking of, why not build gcc fast like the crackers
-if [[ $CATEGORY/$PN == sys-devel/gcc ]]; then export CFLAGS="${CFLAGS} -Werror=strict-aliasing -flto"; fi
-if [[ $CATEGORY/$PN == sys-devel/binutils ]]; then export CFLAGS="${CFLAGS} -Werror=strict-aliasing -flto"; fi
-if [[ $CATEGORY/$PN == sys-libs/binutils-libs ]]; then export CFLAGS="${CFLAGS} -Werror=strict-aliasing -flto"; fi
-
 #are you kidding me?
 if [[ $CATEGORY/$PN == net-misc/openssh ]]; then export OPENSSH_EOL_USE_FLAGS_I_KNOW_WHAT_I_AM_DOING=yes; fi
@@ -47,6 +29,59 @@ if [[ $CATEGORY/$PN == dev-lang/rust ]]; then
 CFLAGS=${CFLAGS/-ggdb/}
 CXXFLAGS=${CXXFLAGS/-ggdb/}
 fi
+#some packages break on LTO and should all have bugs
+if [[ ${CATEGORY}/${PN} == app-crypt/mit-krb5 ]]; then
+ export CFLAGS="${CFLAGS/-flto/}"
+fi
+if [[ ${CATEGORY}/${PN} == dev-python/numpy ]]; then
+ export CFLAGS="${CFLAGS/-flto/}"
+fi
+if [[ ${CATEGORY}/${PN} == media-video/mplayer ]]; then
+ export CFLAGS="${CFLAGS/-flto/}"
+fi
+if [[ ${CATEGORY}/${PN} == net-wireless/bluez ]]; then
+ # Tests fail with -flto
+ export CFLAGS="${CFLAGS/-flto/}"
+fi
+if [[ ${CATEGORY}/${PN} == sys-apps/util-linux ]]; then
+ export CFLAGS="${CFLAGS/-flto/}"
+fi
+if [[ ${CATEGORY}/${PN} == sys-devel/binutils ]]; then
+ export CFLAGS="${CFLAGS/-flto/}"
+ # zero uses extra warnings to find bugs
+ export CFLAGS="${CFLAGS/-Werror=stringop-overread/}"
+fi
+if [[ ${CATEGORY}/${PN} == www-client/chromium ]]; then
+ export CFLAGS="${CFLAGS/-flto/}"
+ export CXXFLAGS="${CXXFLAGS/-flto/}"
+fi
+if [[ ${CATEGORY}/${PN} == dev-qt/qtnetwork ]]; then
+ export CXXFLAGS="${CXXFLAGS/-flto/}"
+ # zero uses extra warnings to find bugs
+ export CXXFLAGS="${CXXFLAGS/-Werror=stringop-overread/}"
+fi
+if [[ ${CATEGORY}/${PN} == kde-plasma/kwayland ]]; then
+ export CXXFLAGS="${CXXFLAGS/-flto/}"
+fi
+if [[ ${CATEGORY}/${PN} == media-gfx/geeqie ]]; then
+ export CXXFLAGS="${CXXFLAGS/-flto/}"
+fi
+if [[ ${CATEGORY}/${PN} == media-libs/mesa ]]; then
+ export CXXFLAGS="${CXXFLAGS/-flto/}"
+ # zero uses extra warnings to find bugs
+ export CXXFLAGS="${CXXFLAGS/-Werror=stringop-overread/}"
+fi
+if [[ ${CATEGORY}/${PN} == media-libs/x265 ]]; then
+ export CXXFLAGS="${CXXFLAGS/-flto/}"
+fi
+if [[ ${CATEGORY}/${PN} == net-ftp/filezilla ]]; then
+ export CXXFLAGS="${CXXFLAGS/-flto/}"
+fi
+# FFLAGS
+if [[ ${CATEGORY}/${PN} == dev-python/scipy ]]; then
+ export FFLAGS="${FFLAGS/-flto/}"
+fi
+
 #Sign kernel modules, stolen unmodified on 20200514 from:
#https://wiki.gentoo.org/wiki/Signed_kernel_module_support
 function pre_pkg_preinst() {
diff --git a/profiles/pentoo/zero-system/make.defaults b/profiles/pentoo/zero-system/make.defaults
index 582fac4605..2eb3ffce37 100644
--- a/profiles/pentoo/zero-system/make.defaults
+++ b/profiles/pentoo/zero-system/make.defaults
@@ -10,12 +10,13 @@ FEATURES="sign"
 ECHANGELOG_USER="Rick Farina "
 DCO_SIGNED_OFF_BY="Rick Farina "
-CFLAGS="${CFLAGS} -flto -Werror=strict-aliasing -Werror=odr -Werror=lto-type-mismatch -Wstringop-overread -Werror=stringop-overread"
-#CFLAGS="${CFLAGS} -Werror=format-security"
+CFLAGS="${CFLAGS} -Werror=strict-aliasing -Werror=odr -Werror=lto-type-mismatch -Werror=stringop-overread -Werror=format-security"
 CXXFLAGS="${CFLAGS}"
 FCFLAGS="${CFLAGS}"
 FFLAGS="${CFLAGS}"
+MAKEOPTS="--shuffle"
+
 PORTAGE_NICENESS="19"
 DISTDIR=/usr/portage/distfiles
diff --git a/profiles/pentoo/zero-system/profile.bashrc b/profiles/pentoo/zero-system/profile.bashrc
index 2ba69272c2..f9185e75cb 100644
--- a/profiles/pentoo/zero-system/profile.bashrc
+++ b/profiles/pentoo/zero-system/profile.bashrc
@@ -13,8 +13,6 @@ fi
 # Packages that need shuffle disabled
 if [[ ${CATEGORY}/${PN} == www-client/chromium ]]; then
 export MAKEOPTS="${MAKEOPTS} --shuffle=none"
- export CFLAGS="${CFLAGS/-flto/}"
- export CXXFLAGS="${CXXFLAGS/-flto/}"
 fi
 if [[ ${CATEGORY}/${PN} == app-containers/containerd ]]; then
 export MAKEOPTS="${MAKEOPTS} --shuffle=none"
@@ -30,9 +28,6 @@ fi
 # These packages need lto or similar disabled
 # CFLAGS
-if [[ ${CATEGORY}/${PN} == app-crypt/mit-krb5 ]]; then
- export CFLAGS="${CFLAGS/-flto/}"
-fi
 if [[ ${CATEGORY}/${PN} == app-text/texlive-core ]]; then
 export CFLAGS="${CFLAGS/-Werror=lto-type-mismatch/}"
 export CFLAGS="${CFLAGS/-Werror=strict-aliasing/}"
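Review bot: In profiles/pentoo/base/profile.bashrc, every override added here uses `${CFLAGS/-flto/}` (or the CXXFLAGS/FFLAGS form), which deletes only the first textual match and also matches inside longer words, so a value such as `-flto=auto` or a second `-flto` coming from a user's make.conf (not visible here) would leave `=auto` or an LTO flag behind for exactly the packages listed as breaking. Each block also filters a single variable, e.g. `dev-python/numpy` keeps `-flto` in CXXFLAGS and FFLAGS; if that is intended, a per-entry comment with the bug reference promised by `#some packages break on LTO and should all have bugs` would make it reviewable. The `-Werror=stringop-overread` removals for binutils, qtnetwork and mesa are no-ops in the base profile, which only sets `-Wstringop-overread`, so the `# zero uses extra warnings to find bugs` comment could say that the flag comes from the zero-system profile. A whole-word filter that all entries could share is sketched below (helper name is illustrative); `function pre_pkg_preinst()` at the end of the hunk continues outside it.

```shell
# Remove every whole-word -flto / -flto=* from the flag variable named in $1.
pentoo_strip_lto() {
	local var=$1 word
	local -a words kept=()
	read -ra words <<<"${!var}"
	for word in "${words[@]}"; do
		[[ ${word} == -flto || ${word} == -flto=* ]] || kept+=("${word}")
	done
	export "${var}=${kept[*]}"
}

if [[ ${CATEGORY}/${PN} == app-crypt/mit-krb5 ]]; then
	pentoo_strip_lto CFLAGS
fi
# … unchanged: the remaining per-package blocks, each calling pentoo_strip_lto …
```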
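Review bot: In profiles/pentoo/zero-system/make.defaults, `-Werror=format-security` is now enabled in the new `CFLAGS` line without `-Wformat`; upstream GCC ignores `-Wformat-security` unless `-Wformat` is active and reports that as a diagnostic, so the flag only does what is intended if the toolchain turns `-Wformat` on by default (not visible here). Writing `-Wformat -Werror=format-security` makes the line independent of that default. Separately, `MAKEOPTS="--shuffle"` replaces the variable instead of extending it, unlike the `CFLAGS="${CFLAGS} …"` line in the same hunk; `MAKEOPTS="${MAKEOPTS} --shuffle"` would keep any job count inherited from a parent profile, if one sets it.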
@@ -52,9 +47,6 @@ fi
 if [[ ${CATEGORY}/${PN} == dev-libs/libtecla ]]; then
 export CFLAGS="${CFLAGS/-Werror=stringop-overread/}"
 fi
-if [[ ${CATEGORY}/${PN} == dev-python/numpy ]]; then
- export CFLAGS="${CFLAGS/-flto/}"
-fi
 if [[ ${CATEGORY}/${PN} == dev-python/protobuf-python ]]; then
 export CFLAGS="${CFLAGS/-Werror=stringop-overread/}"
 fi
@@ -82,9 +74,6 @@ fi
 if [[ ${CATEGORY}/${PN} == media-libs/opus ]]; then
 export CFLAGS="${CFLAGS/-Werror=stringop-overread/}"
 fi
-if [[ ${CATEGORY}/${PN} == media-video/mplayer ]]; then
- export CFLAGS="${CFLAGS/-flto/}"
-fi
 if [[ ${CATEGORY}/${PN} == media-video/vlc ]]; then
 export CFLAGS="${CFLAGS/-Werror=stringop-overread/}"
 export CFLAGS="${CFLAGS/-Werror=strict-aliasing/}"
@@ -111,20 +100,9 @@ fi
 if [[ ${CATEGORY}/${PN} == net-misc/vde ]]; then
 export CFLAGS="${CFLAGS/-Werror=stringop-overread/}"
 fi
-if [[ ${CATEGORY}/${PN} == net-wireless/bluez ]]; then
- # Tests fail with -flto
- export CFLAGS="${CFLAGS/-flto/}"
-fi
 if [[ ${CATEGORY}/${PN} == net-wireless/bladerf ]]; then
 export CFLAGS="${CFLAGS/-Werror=lto-type-mismatch/}"
 fi
-if [[ ${CATEGORY}/${PN} == sys-apps/util-linux ]]; then
- export CFLAGS="${CFLAGS/-flto/}"
-fi
-if [[ ${CATEGORY}/${PN} == sys-devel/binutils ]]; then
- export CFLAGS="${CFLAGS/-Werror=stringop-overread/}"
- export CFLAGS="${CFLAGS/-flto/}"
-fi
 if [[ ${CATEGORY}/${PN} == sys-cluster/openmpi ]]; then
 export CFLAGS="${CFLAGS/-Werror=stringop-overread/}"
 export CFLAGS="${CFLAGS/-Werror=lto-type-mismatch/}"
@@ -162,10 +140,6 @@ fi
 if [[ ${CATEGORY}/${PN} == dev-qt/qtwebengine ]]; then
 export CXXFLAGS="${CXXFLAGS/-Werror=stringop-overread/}"
 fi
-if [[ ${CATEGORY}/${PN} == dev-qt/qtnetwork ]]; then
- export CXXFLAGS="${CXXFLAGS/-flto/}"
- export CXXFLAGS="${CXXFLAGS/-Werror=stringop-overread/}"
-fi
 if [[ ${CATEGORY}/${PN} == dev-util/android-tools ]]; then
 export CFLAGS="${CFLAGS/-Werror=stringop-overread/}"
 export CXXFLAGS="${CXXFLAGS/-Werror=strict-aliasing/}"
@@ -190,9 +164,6 @@ fi
 if [[ ${CATEGORY}/${PN} == kde-frameworks/khtml ]]; then
 export CXXFLAGS="${CXXFLAGS/-Werror=odr/}"
 fi
-if [[ ${CATEGORY}/${PN} == kde-plasma/kwayland ]]; then
- export CXXFLAGS="${CXXFLAGS/-flto/}"
-fi
 if [[ ${CATEGORY}/${PN} == kde-plasma/plasma-desktop ]]; then
 export CXXFLAGS="${CXXFLAGS/-Werror=odr/}"
 export CXXFLAGS="${CXXFLAGS/-Werror=stringop-overread/}"
@@ -200,16 +171,6 @@ fi
 if [[ ${CATEGORY}/${PN} == kde-plasma/plasma-vault ]]; then
 export CXXFLAGS="${CXXFLAGS/-Werror=odr/}"
 fi
-if [[ ${CATEGORY}/${PN} == media-gfx/geeqie ]]; then
- export CXXFLAGS="${CXXFLAGS/-flto/}"
-fi
-if [[ ${CATEGORY}/${PN} == media-libs/mesa ]]; then
- export CXXFLAGS="${CXXFLAGS/-flto/}"
- export CXXFLAGS="${CXXFLAGS/-Werror=stringop-overread/}"
-fi
-if [[ ${CATEGORY}/${PN} == media-libs/x265 ]]; then
- export CXXFLAGS="${CXXFLAGS/-flto/}"
-fi
 if [[ ${CATEGORY}/${PN} == media-sound/audacity ]]; then
 export CXXFLAGS="${CXXFLAGS/-Werror=strict-aliasing/}"
 export CXXFLAGS="${CXXFLAGS/-Werror=odr/}"
@@ -217,9 +178,6 @@ fi
 if [[ ${CATEGORY}/${PN} == net-analyzer/gspoof ]]; then
 export CXXFLAGS="${CXXFLAGS/-Werror=lto-type-mismatch/}"
 fi
-if [[ ${CATEGORY}/${PN} == net-ftp/filezilla ]]; then
- export CXXFLAGS="${CXXFLAGS/-flto/}"
-fi
 if [[ ${CATEGORY}/${PN} == net-wireless/gnuradio ]]; then
 # https://github.com/gnuradio/gnuradio/issues/7056
 export CXXFLAGS="${CXXFLAGS/-Werror=odr/}"
@@ -236,10 +194,6 @@ fi
 if [[ ${CATEGORY}/${PN} == sys-devel/llvm ]]; then
 export CXXFLAGS="${CXXFLAGS/-Werror=odr/}"
 fi
-# FFLAGS
-if [[ ${CATEGORY}/${PN} == dev-python/scipy ]]; then
- export FFLAGS="${FFLAGS/-flto/}"
-fi
 #GCC14 Hardening Relaxations
 if [[ ${CATEGORY}/${PN} == sys-libs/efivar ]]; then