make.sh: Add -fcf-protection for x86_64/i586

Instrument binaries to guard against ROP/JOP attacks.

This flag in only available on x86_64 and i586.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

diff --git a/make.sh b/make.sh
index fae75fdc99416fb71cc2f32fdaf956039fe49bfa..99ac1bc8523658dad1d480a812b3ca47248a3414 100755 (executable)
--- a/make.sh
+++ b/make.sh
@@ -146,14 +146,14 @@ configure_build() {
                        BUILDTARGET="${build_arch}-unknown-linux-gnu"
                        CROSSTARGET="${build_arch}-cross-linux-gnu"
                        BUILD_PLATFORM="x86"
-                       CFLAGS_ARCH="-m64 -mtune=generic -fstack-clash-protection"
+                       CFLAGS_ARCH="-m64 -mtune=generic -fstack-clash-protection -fcf-protection"
                        ;;
 
                i586)
                        BUILDTARGET="${build_arch}-pc-linux-gnu"
                        CROSSTARGET="${build_arch}-cross-linux-gnu"
                        BUILD_PLATFORM="x86"
-                       CFLAGS_ARCH="-march=i586 -mtune=generic -fomit-frame-pointer"
+                       CFLAGS_ARCH="-march=i586 -mtune=generic -fomit-frame-pointer -fcf-protection"
                        ;;
 
                aarch64)