HEADS UP: Hardened compilation flags in ports

Shawn Webb

Nov 18, 2025, 3:43:53 PM
to HardenedBSD Users
Hey all,

I just pushed a commit[1] that will enable extra hardening compilation
flags for C and C++ applications. This has the potential to cause a
major disruption in building ports. Specifically, the
-Wformat-security flag might wreak havoc.

Please use this mail list thread to notify me of breakages. My hope is
that we can address (all? most? some?) of the breakages, if any, in
the upstreams of each port.

I think it's good that we push the envelope. I apologize for any
breakages, but I think this pain will be worth it in the end.

As a tangent, what really makes the BSDs shine is that we can
experiment applying features to an entire ecosystem (the OS itself
plus third-party components.) That we can apply a given compiler flag
to 36,000+ packages and observe the results is a powerful success
story in its own. I'm thankful for all the many volunteers working on
the FreeBSD ports tree.

[1]: https://git.hardenedbsd.org/hardenedbsd/ports/-/commit/f3737f1d999bdfb5b2a0a4320232393b8adb31a9

Thanks,

--
Shawn Webb
Cofounder / Security Engineer
HardenedBSD

Signal Username: shawn_webb.74
Tor-ified Signal: +1 303-901-1600 / shawn_webb_opsec.50
https://git.hardenedbsd.org/hardenedbsd/pubkeys/-/raw/master/Shawn_Webb/03A4CBEBB82EA5A67D9F3853FF2E67A277F8E1FA.pub.asc
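
Added example, not part of the original post or of the HardenedBSD commit: the kind of call that -Wformat-security reports, beside the usual upstream fix. The logger `log_msg`, the `report_*` helpers and the sample banner are hypothetical and constructed for illustration.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical port-style logger. The format attribute lets the compiler
 * check each caller's format string against its arguments. */
__attribute__((format(printf, 3, 4)))
static int log_msg(char *out, size_t outsz, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int n = vsnprintf(out, outsz, fmt, ap);
    va_end(ap);
    return n;
}

#ifdef SHOW_UNFIXED
/* "Before": untrusted text is used as the format string. Compile with
 * -Wformat -Wformat-security -DSHOW_UNFIXED to see the diagnostic; a build
 * that treats warnings as errors stops here. */
static int report_unfixed(char *out, size_t outsz, const char *peer_banner)
{
    return log_msg(out, outsz, peer_banner);
}
#endif

/* "After": constant format string, untrusted text passed as data. */
static int report_fixed(char *out, size_t outsz, const char *peer_banner)
{
    return log_msg(out, outsz, "%s", peer_banner);
}

/* Returns 1 when the banner reaches the log byte for byte. */
static int banner_preserved(const char *peer_banner)
{
    char buf[128];
    int n = report_fixed(buf, sizeof buf, peer_banner);
    return n == (int)strlen(peer_banner) && strcmp(buf, peer_banner) == 0;
}

int main(void)
{
    /* Constructed sample input that contains conversion specifiers. */
    const char *banner = "client-1.0 %x %x %n";
    printf("preserved=%d\n", banner_preserved(banner));
    return 0;
}
```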

Dewayne Geraghty

Nov 18, 2025, 5:34:23 PM
to HardenedBSD Users
A cautionary note as sometimes people build packages without proper testing/use.

This morning I built openssh-portable with these CFLAG options:

-D_FORTIFY_SOURCE=3 -DHARDENEDBSD -DNDEBUG -DPIC -DSTRIP_FBSDID -flto -flto=full -fno-asynchronous-unwind-tables -fno-common -fno-delete-null-pointer-checks -fno-signed-zeros -fno-strict-overflow -fomit-frame-pointer -fPIC -fpie -fPIE -fsanitize=cfi -fstack-clash-protection -fstack-protector-strong -fstrict-flex-arrays=3 -ftrivial-auto-var-init=zero -fvisibility=hidden -fzero-call-used-regs=used -g0 -ggdb0 -isystem -march=nehalem -O3 -pipe -Qunused-arguments -UDEBUGGING -Wformat=2 -Wl,--build-id=md5 -Wl,--hash-style=sysv -Wl,--strip-debug -Wl,-plugin,/usr/bin/../lib/LLVMgold.so -Wl,-z,noexecstack -Wl,-z,now -Wl,-z,relro -Wno-error=macro-redefined -Wno-error=unknown-warning-option -Wno-error=unused-command-line-argument /usr/local/include

The package was successfully built, installed and ran. However, I then experienced the following sshd crash (sshd pid is 67058):

Nov 19 07:38:17 cute103 kernel: [41147] [HBSD INTERNAL] sshd-session (jid 0, uid 0) exited on signal 4 (no core dump - bad address)
Nov 19 07:38:17 cute103 kernel: [41147]  -> pid: 67247 ppid: 67058 p_pax: 0x68555<PAGEEXEC,MPROTECT,SEGVGUARD,ASLR,SHLIBRANDOM,DISALLOWMAP32BIT,<f15>,<f17>,<f18>>

This arose while attempting an ssh connection (signal 4 means illegal instruction).

Aside, I also modified, without success:
hardening.pax.mprotect.status: 3 -> 0
hardening.pax.aslr.status: 3 -> 0
hardening.pax.pageexec.status: 3 -> 0
hardening.pax.segvguard.status: 3 -> 0

Solution: rebuild without CFI option.

I use the above CFLAGS for all my ports; however, I wind back typically in this order: cfi, safe-stack, lto based on failure. Usually the linker complains during a cfi build, so this was unusual.

It's very important to not assume that because a port builds and creates packages, that they'll work. 🙂

Platform: amd64, 14.3-STABLE-HBSD  myworkingbranch-n194318-e04d37b8f922

Kind regards, Dewayne.

PS If anyone has any comments regarding my CFLAGS or if I'm missing something that will improve security or performance, I'd appreciate feedback.

Shawn Webb

Nov 22, 2025, 3:09:42 PM
to HardenedBSD Users
On Tue, Nov 18, 2025 at 08:43:50PM +0000, Shawn Webb wrote:
> Hey all,
>
> I just pushed a commit[1] that will enable extra hardening compilation
> flags for C and C++ applications. This has the potential to cause a
> major disruption in building ports. Specifically, the
> -Wformat-security flag might wreak havoc.
>
> Please use this mail list thread to notify me of breakages. My hope is
> that we can address (all? most? some?) of the breakages, if any, in
> the upstreams of each port.
>
> I think it's good that we push the envelope. I apologize for any
> breakages, but I think this pain will be worth it in the end.
>
> As a tangent, what really makes the BSDs shine is that we can
> experiment applying features to an entire ecosystem (the OS itself
> plus third-party components.) That we can apply a given compiler flag
> to 36,000+ packages and observe the results is a powerful success
> story in its own. I'm thankful for all the many volunteers working on
> the FreeBSD ports tree.
>
> [1]: https://git.hardenedbsd.org/hardenedbsd/ports/-/commit/f3737f1d999bdfb5b2a0a4320232393b8adb31a9

I've started building my laptop packages locally and have fixed a few
ports (preferring fixing over disabling the new feature.) Some ports
will have HARDCFLAGS disabled until I can get more time to fix them.
I'm only disabling HARDCFLAGS for more complex cases.

I've kicked off a new 14-STABLE package build. This package build will
be weird. You may see a number of missing packages once the repo is
published. I will be working through that queue while the package
build is taking place.