Build binaries compatible with cf-protection

CMakeLists.txt

@@ -31,8 +31,10 @@ if(NOT CMAKE_BUILD_TYPE AND NOT CMAKE_CONFIGURATION_TYPES)
                                                "MinSizeRel" "RelWithDebInfo")
 endif()
 
-add_compile_options(-fdata-sections -ffunction-sections -Wswitch-enum
+add_compile_options(
-                    -Werror=switch-enum -fPIC)
+  -Werror=switch-enum -Wswitch-enum -fPIC -fdata-sections -ffunction-sections
+  -fno-jump-tables # https://github.com/llvm/llvm-project/issues/54247
+)
 
 if(CMAKE_CXX_COMPILER_ID STREQUAL "Clang")
   add_link_options("-Wno-unused-command-line-argument")
@@ -62,6 +64,21 @@ if(HAS_FULL_RELRO)
 endif()
 cmake_pop_check_state()
 
+if(CMAKE_SYSTEM_PROCESSOR STREQUAL aarch64)
+  add_compile_options(-mbranch-protection=standard)
+else()
+  add_compile_options(-fcf-protection)
+  set(rewrite_endbr_flags "-fuse-ld=mold;LINKER:-z,rewrite-endbr")
+  cmake_push_check_state()
+  list(APPEND CMAKE_REQUIRED_LINK_OPTIONS ${rewrite_endbr_flags})
+  check_cxx_source_compiles("int main(){}" HAS_REWRITE_ENDBR FAIL_REGEX
+                            "warning:")
+  if(HAS_REWRITE_ENDBR)
+    add_link_options(${rewrite_endbr_flags})
+  endif()
+  cmake_pop_check_state()
+endif()
+
 set(version_script_flags
     LINKER:--version-script=${CMAKE_CURRENT_SOURCE_DIR}/linker.map)
 cmake_push_check_state()
@@ -329,7 +346,8 @@ if(CMAKE_SOURCE_DIR STREQUAL CMAKE_CURRENT_SOURCE_DIR AND BUILD_TESTING)
   # c++98
   add_executable(conflict_set_cxx_api_test conflict_set_cxx_api_test.cpp)
   target_compile_options(conflict_set_cxx_api_test PRIVATE ${TEST_FLAGS})
-  target_link_libraries(conflict_set_cxx_api_test PRIVATE ${PROJECT_NAME})
+  target_link_libraries(conflict_set_cxx_api_test
+                        PRIVATE ${PROJECT_NAME}-static)
   set_target_properties(conflict_set_cxx_api_test PROPERTIES CXX_STANDARD 98)
   set_target_properties(conflict_set_cxx_api_test
                         PROPERTIES CXX_STANDARD_REQUIRED ON)
@@ -362,6 +380,13 @@ if(CMAKE_SOURCE_DIR STREQUAL CMAKE_CURRENT_SOURCE_DIR AND BUILD_TESTING)
         ${symbol_imports})
   endif()
 
+  find_program(HARDENING_CHECK hardening-check)
+  if(HARDENING_CHECK)
+    add_test(NAME hardening_check
+             COMMAND ${HARDENING_CHECK} $<TARGET_FILE:${PROJECT_NAME}>
+                     --nofortify --nostackprotector)
+  endif()
+
   # bench
   add_executable(conflict_set_bench Bench.cpp)
   target_link_libraries(conflict_set_bench PRIVATE ${PROJECT_NAME} nanobench)

Dockerfile

@@ -13,12 +13,14 @@ RUN TZ=America/Los_Angeles DEBIAN_FRONTEND=noninteractive apt-get install -y \
     ccache \
     cmake \
     curl \
+    devscripts \
     g++-aarch64-linux-gnu \
     gcovr \
     git \
     gnupg \
     libc6-dbg \
     lsb-release \
+    mold \
     ninja-build \
     pre-commit \
     python3-requests \