Open osklunds opened 6 years ago
droidmonkey
commented
6 years ago Spectre is an extremely difficult attack to pull off. Please read the executive summary of the Google retpoline article: https://support.google.com/faqs/answer/7625886
The gcc flag to enable it is -mindirect-branch=thunk -mfunction-return=thunk and is only supported in GCC 7+
osklunds
commented
6 years ago How do I change the compiler to GCC when compiling KeePassXC? I tried changing
cmake -DWITH_XC_ALL=ON -DCMAKE_BUILD_TYPE=Release ..to
cmake -DCMAKE_C_COMPILER=/usr/bin/gccC -DCMAKE_CXX_COMPILER=/usr/bin/gccCPP -DWITH_XC_ALL=ON -DCMAKE_BUILD_TYPE=Release ..The content of gccC is
#!/bin/bash
gcc "$@"and of gccCPP it is
#!/bin/bash
gcc "$@" -xc++ -lstdc++ -shared-libgccSo far I don't use GCC-7. This is just to see if I can change the compiler. The cmake command works but make -j8 fails in the end. This is the first error message among others
[ 84%] Building CXX object src/autotype/test/CMakeFiles/keepassx-autotype-test.dir/keepassx-autotype-test_automoc.cpp.o
/usr/bin/ld: ../libzxcvbn.a(zxcvbn.c.o): undefined reference to symbol 'log@@GLIBC_2.2.5'
//lib/x86_64-linux-gnu/libm.so.6: error adding symbols: DSO missing from command line
collect2: error: ld returned 1 exit status
src/cli/CMakeFiles/keepassxc-cli.dir/build.make:146: recipe for target 'src/cli/keepassxc-cli' failed
make[2]: *** [src/cli/keepassxc-cli] Error 1
CMakeFiles/Makefile2:1108: recipe for target 'src/cli/CMakeFiles/keepassxc-cli.dir/all' failed
make[1]: *** [src/cli/CMakeFiles/keepassxc-cli.dir/all] Error 2
make[1]: *** Waiting for unfinished jobs....Could you point me in the right direction ? :)
droidmonkey
commented
6 years ago What gcc version do you have? You could also use llvm (clang).
osklunds
commented
6 years ago I have gcc 6.3.0.
I tried with clang, and then I could compile and start KeePassXC. I don't have clang 6.0.0 though. Once I have it and tried to compile I'll report back.
osklunds
commented
6 years ago I downloaded llwm 6.0.0 from: http://releases.llvm.org/download.html and changed to those binaries, passing the -mretpoline flag in the same way I changed to GCC with the scripts. It worked! The compiled binary opens. Thanks for your help!
I suppose it's up to you if you want to include these steps in the building tutorial, or somewhere else, or just have them here
droidmonkey
commented
6 years ago Sweet, we can look to include this in 2.4
When it comes to spectre v2, one way to mitigate it is to compile the kernel and any other application with the
retpolineoption. Now, KeepassXC is certainly an application I want to protect... (I realize that if the microcode of the CPU is updated,retpolineisn't needed. But not all CPUs got their microcode updated).I'm very inexperienced when it comes to compilation of programs so I don't know how this would be done in practise. But to my understanding, you just set a flag to a
retpoline-aware compiler.Perhaps the binaries you compile don't need to be compiled with
retpoline. But if your "build from source" guide here described how to do it, it would be much appreciated.