diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml
index 8139b7ac5351..cd5b1faabd02 100644
--- a/.github/workflows/tests.yml
+++ b/.github/workflows/tests.yml
@@ -611,8 +611,10 @@ jobs: fail-fast: false matrix: os: [ ubuntu-latest, macos-latest ] + cflags: + - '-O3' env: - CFLAGS: '-O3' + CFLAGS: ${{ matrix.cflags }} runs-on: ubuntu-latest steps: - uses: actions/checkout@v4
@@ -623,3 +625,28 @@ jobs: run: cargo test -p aws-lc-rs --all-targets - name: Run tests w/ FIPS run: cargo test -p aws-lc-rs --all-targets --features fips + + hardened-environment: + if: github.repository_owner == 'aws' + name: Hardened environment + strategy: + fail-fast: false + matrix: + os: + - ubuntu-latest + cflags: + - '-O2 -fhardened' + gcc_version: + - 14 + env: + CC: gcc-${{ matrix.gcc_version }} + CXX: g++-${{ matrix.gcc_version }} + CFLAGS: ${{ matrix.cflags }} + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v4 + with: + submodules: 'recursive' + - uses: dtolnay/rust-toolchain@stable + - name: Run tests + run: cargo test -p aws-lc-rs --all-targets
diff --git a/aws-lc-sys/builder/cc_builder.rs b/aws-lc-sys/builder/cc_builder.rs
index 3c6730c06a49..5a996ed5bf40 100644
--- a/aws-lc-sys/builder/cc_builder.rs
+++ b/aws-lc-sys/builder/cc_builder.rs
@@ -375,7 +375,8 @@ impl CcBuilder { let compiler = if let Some(original_cflags) = optional_env_target("CFLAGS") { let mut new_cflags = original_cflags.clone(); - new_cflags.push_str(" -O0"); + // The `_FORTIFY_SOURCE` macro often requires optimizations to also be enabled, so unset it. + new_cflags.push_str(" -O0 -Wp,-U_FORTIFY_SOURCE"); set_env_for_target("CFLAGS", &new_cflags); // cc-rs currently prioritizes flags provided by CFLAGS over the flags provided by the build script. // The environment variables used by the compiler are set when `get_compiler` is called.
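Review bot: In the new `hardened-environment` job the `os` matrix axis is declared but never read, because `runs-on: ubuntu-latest` is hard-coded; either write `runs-on: ${{ matrix.os }}` or drop the axis so the matrix describes what actually runs. The context lines of the first hunk show the same pattern in the job above, where `macos-latest` is listed but the job still runs on Ubuntu. The job also assumes `gcc-14` is present on the runner image, which no visible step checks; a first step such as `run: gcc-${{ matrix.gcc_version }} --version` would make a missing compiler fail with a clear message rather than somewhere inside the build script. Separately, `dtolnay/rust-toolchain@stable` is a mutable ref, and pinning third-party actions to a commit SHA is the usual supply-chain precaution for a job that builds a cryptographic library.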
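Review bot: The added `-Wp,-U_FORTIFY_SOURCE` removes a hardening define from whatever `CFLAGS` the user supplied, and the hunk does not show the original value being restored once the compiler has been obtained; the `if let` block continues past the last visible line, so that needs confirming there. If the override is meant to apply only to this one compiler lookup, the comment should say so, for example `// Applies to this compiler lookup only; the caller's CFLAGS (including _FORTIFY_SOURCE) must be restored afterwards.` Otherwise a build requested with `-fhardened` could silently lose fortification in the objects that ship. `-Wp,` is GCC/Clang driver syntax, so it is also worth checking that this branch cannot be reached with a compiler that rejects the flag.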