From nobody Tue Jun 24 09:55:31 2025
Date: Tue, 24 Jun 2025 09:55:31 GMT
Message-Id: <202506240955.55O9tVq3026815@gitrepo.freebsd.org>
To: doc-committers@FreeBSD.org, dev-commits-doc-all@FreeBSD.org
From: Lorenzo Salvadore
Subject: git: f8a111726e - main - Status/2025Q2/ports-security.adoc: Add report
List-Id: Commit messages for all branches of the doc repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-doc-all
Sender: owner-dev-commits-doc-all@FreeBSD.org
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 8bit
X-Git-Committer: salvadore
X-Git-Repository: doc
X-Git-Refname: refs/heads/main
X-Git-Reftype: branch
X-Git-Commit: f8a111726e5667aae84aaf7341815e81f78f8db5
Auto-Submitted: auto-generated

The branch main has been updated by salvadore:

URL: https://cgit.FreeBSD.org/doc/commit/?id=f8a111726e5667aae84aaf7341815e81f78f8db5

commit f8a111726e5667aae84aaf7341815e81f78f8db5
Author:     Alexander Leidinger
AuthorDate: 2025-06-24 09:25:06 +0000
Commit:     Lorenzo Salvadore
CommitDate: 2025-06-24 09:51:47 +0000

    Status/2025Q2/ports-security.adoc: Add report

    Reviewed by:    status (Pau Amma)
---
 .../report-2025-04-2025-06/ports-security.adoc | 24 ++++++++++++++++++++++
 1 file changed, 24 insertions(+)

diff --git a/website/content/en/status/report-2025-04-2025-06/ports-security.adoc b/website/content/en/status/report-2025-04-2025-06/ports-security.adoc
new file mode 100644
index 0000000000..d4b4211b77
--- /dev/null
+++ b/website/content/en/status/report-2025-04-2025-06/ports-security.adoc
@@ -0,0 +1,24 @@ +=== Security Hardening Compiler Options for the Ports Collection + +Links: + +link:https://cgit.freebsd.org/ports/commit/Mk/Features/fortify.mk?id=7a489e95c51f47f5e25a5613e375ec000618e52a[Commit of the features] URL: link:https://cgit.freebsd.org/ports/commit/Mk/Features/fortify.mk?id=7a489e95c51f47f5e25a5613e375ec000618e52a[] + +link:https://www.leidinger.net/blog/2025/05/24/freebsd-security-hardening-with-compiler-options/[FreeBSD security hardening with compiler options] URL: link:https://www.leidinger.net/blog/2025/05/24/freebsd-security-hardening-with-compiler-options/[] + +Contact: Alexander Leidinger + +The Ports Collection gained the possibility to enable some security features of modern compilers for package builds. +As not all ports are compatible with them, this is not enabled by default. + +The 3 new features which can be enabled for the Ports Collection in [.filename]#make.conf# are: + +- WITH_FORTIFY=yes:: +This enables mitigations of common memory safety issues, such as buffer overflows, by adding checks to functions like memcpy, strcpy, sprintf, and others when the compiler can determine the size of the destination buffer at compile time. +This requires support from the FreeBSD base system and may only be available in FreeBSD 15 onwards. +WITH_STACK_AUTOINIT=yes:: +This enables a compiler specific option to automatically initialize local (automatic) variables to prevent the use of uninitialized memory. +WITH_ZEROREGS=yes:: +Zero call-used registers at function return to increase program security by either mitigating Return-Oriented Programming (ROP) attacks or preventing information leakage through registers. +This depends upon support from the compiler for a given architecture. +This is disabled for python ports; currently there are issues. 
+ +The blog post referenced in the links section explains how to use them, how to exclude certain ports if needed, and provides a more detailed explaination of those 3 new features along the already existing build-time security options of the Ports Collection and the basesystem build.
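Review bot: the labeled list in this hunk is marked up inconsistently: `+- WITH_FORTIFY=yes::` carries a leading `- ` while `+WITH_STACK_AUTOINIT=yes::` and `+WITH_ZEROREGS=yes::` do not, so AsciiDoc renders the first entry as a bullet wrapping a labeled-list item and the other two as plain labeled-list entries; drop the `- ` so all three start with the option name followed by `::`. Several wording fixes belong in the same hunk: "explaination" should be "explanation", "basesystem" should be "base system", "along the already existing" reads better as "alongside the already existing", "python ports" should be "Python ports", and "The 3 new features" should spell out "three". The closing sentence of the WITH_ZEROREGS entry, "This is disabled for python ports; currently there are issues.", gives the reader nothing actionable; name the failure (or link the bug report) and say whether the ports framework disables it automatically or the user is expected to exclude those ports in make.conf. Finally, "may only be available in FreeBSD 15 onwards" hedges a fact a reader needs before setting WITH_FORTIFY; state the minimum base system version outright if it is known, and otherwise say why it is uncertain.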