git: f8a111726e - main - Status/2025Q2/ports-security.adoc: Add report

From: Lorenzo Salvadore <salvadore_at_FreeBSD.org>
Date: Tue, 24 Jun 2025 09:55:31 UTC
The branch main has been updated by salvadore:

URL: https://cgit.FreeBSD.org/doc/commit/?id=f8a111726e5667aae84aaf7341815e81f78f8db5

commit f8a111726e5667aae84aaf7341815e81f78f8db5
Author:     Alexander Leidinger <netchild@FreeBSD.org>
AuthorDate: 2025-06-24 09:25:06 +0000
Commit:     Lorenzo Salvadore <salvadore@FreeBSD.org>
CommitDate: 2025-06-24 09:51:47 +0000

    Status/2025Q2/ports-security.adoc: Add report
    
    Reviewed by:    status (Pau Amma <pauamma@gundo.com>)
---
 .../report-2025-04-2025-06/ports-security.adoc     | 24 ++++++++++++++++++++++
 1 file changed, 24 insertions(+)

diff --git a/website/content/en/status/report-2025-04-2025-06/ports-security.adoc b/website/content/en/status/report-2025-04-2025-06/ports-security.adoc
new file mode 100644
index 0000000000..d4b4211b77
--- /dev/null
+++ b/website/content/en/status/report-2025-04-2025-06/ports-security.adoc
@@ -0,0 +1,24 @@
+=== Security Hardening Compiler Options for the Ports Collection
+
+Links: +
+link:https://cgit.freebsd.org/ports/commit/Mk/Features/fortify.mk?id=7a489e95c51f47f5e25a5613e375ec000618e52a[Commit of the features] URL: link:https://cgit.freebsd.org/ports/commit/Mk/Features/fortify.mk?id=7a489e95c51f47f5e25a5613e375ec000618e52a[] +
+link:https://www.leidinger.net/blog/2025/05/24/freebsd-security-hardening-with-compiler-options/[FreeBSD security hardening with compiler options] URL: link:https://www.leidinger.net/blog/2025/05/24/freebsd-security-hardening-with-compiler-options/[]
+
+Contact: Alexander Leidinger <netchild@FreeBSD.org>
+
+The Ports Collection gained the possibility to enable some security features of modern compilers for package builds.
+As not all ports are compatible with them, this is not enabled by default.
+
+The 3 new features which can be enabled for the Ports Collection in [.filename]#make.conf# are:
+
+- WITH_FORTIFY=yes::
+This enables mitigations of common memory safety issues, such as buffer overflows, by adding checks to functions like memcpy, strcpy, sprintf, and others when the compiler can determine the size of the destination buffer at compile time.
+This requires support from the FreeBSD base system and may only be available in FreeBSD 15 onwards.
+WITH_STACK_AUTOINIT=yes::
+This enables a compiler specific option to automatically initialize local (automatic) variables to prevent the use of uninitialized memory.
+WITH_ZEROREGS=yes::
+Zero call-used registers at function return to increase program security by either mitigating Return-Oriented Programming (ROP) attacks or preventing information leakage through registers.
+This depends upon support from the compiler for a given architecture.
+This is disabled for python ports; currently there are issues.
+
+The blog post referenced in the links section explains how to use them, how to exclude certain ports if needed, and provides a more detailed explaination of those 3 new features along the already existing build-time security options of the Ports Collection and the basesystem build.
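Review bot: The three-item list in this hunk mixes two AsciiDoc list syntaxes: the first entry is written as `- WITH_FORTIFY=yes::` (a bullet wrapping a labeled-list term) while `WITH_STACK_AUTOINIT=yes::` and `WITH_ZEROREGS=yes::` are plain labeled-list terms, so the first entry renders differently from the other two; drop the leading `- ` so all three are consistent labeled-list items. In the closing paragraph, "explaination" should be "explanation", "along the already existing" should be "along with the already existing", and "basesystem" should be "base system" as in the FORTIFY paragraph above. The sentence "This is disabled for python ports; currently there are issues." is vaguer than a reader of the status report needs: it would help to say briefly what breaks (or link to the bug or commit that disabled it) so users know whether `WITH_ZEROREGS` is safe to enable for their own port set. Finally, "may only be available in FreeBSD 15 onwards" hedges twice; if FORTIFY support requires the FreeBSD 15 base system, state that directly.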