=== Security Hardening Compiler Options for the Ports Collection Links: + link:https://cgit.freebsd.org/ports/commit/Mk/Features/fortify.mk?id=7a489e95c51f47f5e25a5613e375ec000618e52a[Commit of the features] URL: link:https://cgit.freebsd.org/ports/commit/Mk/Features/fortify.mk?id=7a489e95c51f47f5e25a5613e375ec000618e52a[] + link:https://www.leidinger.net/blog/2025/05/24/freebsd-security-hardening-with-compiler-options/[FreeBSD security hardening with compiler options] URL: link:https://www.leidinger.net/blog/2025/05/24/freebsd-security-hardening-with-compiler-options/[] Contact: Alexander Leidinger The Ports Collection gained the possibility to enable some security features of modern compilers for package builds. As not all ports are compatible with them, this is not enabled by default. The 3 new features which can be enabled for the Ports Collection in [.filename]#make.conf# are: - WITH_FORTIFY=yes: This enables mitigations of common memory safety issues, such as buffer overflows, by adding checks to functions like memcpy, strcpy, sprintf, and others when the compiler can determine the size of the destination buffer at compile time. This requires support from the FreeBSD base system and may only be available in FreeBSD 15 onwards. - WITH_STACK_AUTOINIT=yes: This enables a compiler specific option to automatically initialize local (automatic) variables to prevent the use of uninitialized memory. - WITH_ZEROREGS=yes: Zero call-used registers at function return to increase program security by either mitigating Return-Oriented Programming (ROP) attacks or preventing information leakage through registers. This depends upon support from the compiler for a given architecture. This is disabled for python ports; currently there are issues. The blog post referenced in the links section explains how to use them, how to exclude certain ports if needed, and provides a more detailed explanation of those 3 new features along the already existing build-time security options of the Ports Collection and the basesystem build.