enrollment is fully automated, without user interaction, unless disabled via a configuration file in the
ESP. The configuration file can also be used to disable enrollment completely.
+## Compiler Hardening
+The PE binaries are built with `-fstack-protector-strong`, and the stack canary is seeded with random data if
+the UEFI RNG protocol is available.
+
+The binaries also are linked with `-z relro` and ship with native PE relocations, with the conversion from
+ELF performed at build time, instead of containing ELF dynamic relocations, so the image loaded by
+firmware/Shim requires fewer writable pages.
+
+The binaries are linked by default with full LTO support, so no code will be shipped unless it's reachable.
+
+Finally, the binaries ship with the `NX_COMPAT` bit set.
+
+The CI infrastructure also employs fuzz testing on various components, including string functions and the
+BCD parser.
+
## SBAT
`systemd-boot` and `systemd-stub` are built with an `SBAT` section by default. There are build options to
allow customizations of the metadata included in the section, that can be used by downstream distributors.
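Review bot: The first paragraph under `## Compiler Hardening` says the stack canary is seeded with random data "if the UEFI RNG protocol is available" but does not say what the canary is when the protocol is absent; please document the fallback, since a fixed or predictable canary changes how much protection `-fstack-protector-strong` gives on such firmware. The LTO sentence also overstates the guarantee: "linked by default" means a downstream build can turn LTO off, so "no code will be shipped unless it's reachable" would read better as something like "which lets the toolchain drop unreachable code in the default build". The closing paragraph about CI fuzz testing is not a compiler hardening measure, so it fits better under its own heading or a retitled section. Minor: "The binaries also are linked" reads better as "The binaries are also linked".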