cc-wrapper: add zerocallusedregs hardening flag

this uses the value `used-gpr` which seems to be a commonly
chosen value for general use

nixos/doc/manual/release-notes/rl-2405.section.md

@@ -195,6 +195,8 @@ The pre-existing [services.ankisyncd](#opt-services.ankisyncd.enable) has been m
 
 - `stdenv`: The `--replace` flag in `substitute`, `substituteInPlace`, `substituteAll`, `substituteAllStream`, and `substituteStream` is now deprecated if favor of the new `--replace-fail`, `--replace-warn` and `--replace-quiet`. The deprecated `--replace` equates to `--replace-warn`.
 
+- A new hardening flag, `zerocallusedregs` was made available, corresponding to the gcc/clang option `-fzero-call-used-regs=used-gpr`.
+
 - The Yama LSM is now enabled by default in the kernel, which prevents ptracing
   non-child processes. This means you will not be able to attach gdb to an
   existing process, but will need to start that process from gdb (so it is a

pkgs/build-support/cc-wrapper/add-hardening.sh

@@ -32,7 +32,7 @@ if [[ -n "${hardeningEnableMap[fortify3]-}" ]]; then
 fi
 
 if (( "${NIX_DEBUG:-0}" >= 1 )); then
-  declare -a allHardeningFlags=(fortify fortify3 stackprotector pie pic strictoverflow format)
+  declare -a allHardeningFlags=(fortify fortify3 stackprotector pie pic strictoverflow format zerocallusedregs)
   declare -A hardeningDisableMap=()
 
   # Determine which flags were effectively disabled so we can report below.
@@ -110,6 +110,10 @@ for flag in "${!hardeningEnableMap[@]}"; do
       if (( "${NIX_DEBUG:-0}" >= 1 )); then echo HARDENING: enabling format >&2; fi
       hardeningCFlagsBefore+=('-Wformat' '-Wformat-security' '-Werror=format-security')
       ;;
+    zerocallusedregs)
+      if (( "${NIX_DEBUG:-0}" >= 1 )); then echo HARDENING: enabling zerocallusedregs >&2; fi
+      hardeningCFlagsBefore+=('-fzero-call-used-regs=used-gpr')
+      ;;
     *)
       # Ignore unsupported. Checked in Nix that at least *some*
       # tool supports each flag.

pkgs/development/compilers/gcc/default.nix

@@ -407,6 +407,7 @@ lib.pipe ((callFile ./common/builder.nix {}) ({
     inherit langC langCC langObjC langObjCpp langAda langFortran langGo langD langJava version;
     isGNU = true;
     hardeningUnsupportedFlags = lib.optional is48 "stackprotector"
+      ++ lib.optional (!atLeast11) "zerocallusedregs"
       ++ lib.optional (!atLeast12) "fortify3"
       ++ lib.optionals (langFortran) [ "fortify" "format" ];
   };

pkgs/development/compilers/llvm/10/clang/default.nix

@@ -90,7 +90,7 @@ let
     passthru = {
       inherit libllvm;
       isClang = true;
-      hardeningUnsupportedFlags = [ "fortify3" ];
+      hardeningUnsupportedFlags = [ "fortify3" "zerocallusedregs" ];
     };
 
     meta = llvm_meta // {

pkgs/development/compilers/llvm/11/clang/default.nix

@@ -95,7 +95,7 @@ let
     passthru = {
       inherit libllvm;
       isClang = true;
-      hardeningUnsupportedFlags = [ "fortify3" ];
+      hardeningUnsupportedFlags = [ "fortify3" "zerocallusedregs" ];
     };
 
     meta = llvm_meta // {

pkgs/development/compilers/llvm/12/clang/default.nix

@@ -89,7 +89,7 @@ let
     passthru = {
       inherit libllvm;
       isClang = true;
-      hardeningUnsupportedFlags = [ "fortify3" ];
+      hardeningUnsupportedFlags = [ "fortify3" "zerocallusedregs" ];
     };
 
     meta = llvm_meta // {

pkgs/development/compilers/llvm/13/clang/default.nix

@@ -83,7 +83,7 @@ let
     passthru = {
       inherit libllvm;
       isClang = true;
-      hardeningUnsupportedFlags = [ "fortify3" ];
+      hardeningUnsupportedFlags = [ "fortify3" "zerocallusedregs" ];
     };
 
     meta = llvm_meta // {

pkgs/development/compilers/llvm/14/clang/default.nix

@@ -86,7 +86,7 @@ let
     passthru = {
       inherit libllvm;
       isClang = true;
-      hardeningUnsupportedFlags = [ "fortify3" ];
+      hardeningUnsupportedFlags = [ "fortify3" "zerocallusedregs" ];
     };
 
     meta = llvm_meta // {

pkgs/development/compilers/llvm/15/clang/default.nix

@@ -97,7 +97,11 @@ let
     passthru = {
       inherit libllvm;
       isClang = true;
-      hardeningUnsupportedFlags = [ "fortify3" ];
+      hardeningUnsupportedFlags = [
+        "fortify3"
+        # supported on x86_64/aarch64 only
+        "zerocallusedregs"
+      ];
     };
 
     meta = llvm_meta // {

pkgs/development/compilers/llvm/16/clang/default.nix

@@ -91,7 +91,11 @@ let
     passthru = {
       inherit libllvm;
       isClang = true;
-      hardeningUnsupportedFlags = [ "fortify3" ];
+      hardeningUnsupportedFlags = [
+        "fortify3"
+        # supported on x86_64/aarch64 only
+        "zerocallusedregs"
+      ];
     };
 
     meta = llvm_meta // {

pkgs/development/compilers/llvm/17/clang/default.nix

@@ -95,7 +95,11 @@ let
     passthru = {
       inherit libllvm;
       isClang = true;
-      hardeningUnsupportedFlags = [ "fortify3" ];
+      hardeningUnsupportedFlags = [
+        "fortify3"
+        # supported on x86_64/aarch64 only
+        "zerocallusedregs"
+      ];
     };
 
     meta = llvm_meta // {

pkgs/development/compilers/llvm/8/clang/default.nix

@@ -102,7 +102,7 @@ let
     passthru = {
       inherit libllvm;
       isClang = true;
-      hardeningUnsupportedFlags = [ "fortify3" ];
+      hardeningUnsupportedFlags = [ "fortify3" "zerocallusedregs" ];
     };
 
     meta = llvm_meta // {

pkgs/development/compilers/llvm/9/clang/default.nix

@@ -97,7 +97,7 @@ let
     passthru = {
       inherit libllvm;
       isClang = true;
-      hardeningUnsupportedFlags = [ "fortify3" ];
+      hardeningUnsupportedFlags = [ "fortify3" "zerocallusedregs" ];
     };
 
     meta = llvm_meta // {

pkgs/development/compilers/llvm/git/clang/default.nix

@@ -95,7 +95,11 @@ let
     passthru = {
       inherit libllvm;
       isClang = true;
-      hardeningUnsupportedFlags = [ "fortify3" ];
+      hardeningUnsupportedFlags = [
+        "fortify3"
+        # supported on x86_64/aarch64 only
+        "zerocallusedregs"
+      ];
     };
 
     meta = llvm_meta // {

pkgs/stdenv/darwin/default.nix

@@ -341,7 +341,10 @@ in
                 ln -s ${bootstrapTools}/lib/clang $out/lib
                 ln -s ${bootstrapTools}/include   $out
               '';
-              passthru.isFromBootstrapFiles = true;
+              passthru = {
+                isFromBootstrapFiles = true;
+                hardeningUnsupportedFlags = [ "fortify3" "zerocallusedregs" ];
+              };
             };
             clang-unwrapped = selfTools.libclang;
             libllvm = self.stdenv.mkDerivation {

pkgs/stdenv/generic/make-derivation.nix

@@ -249,6 +249,7 @@ let
     "relro"
     "stackprotector"
     "strictoverflow"
+    "zerocallusedregs"
   ];
   defaultHardeningFlags =
     (if stdenv.hasCC then stdenv.cc else {}).defaultHardeningFlags or

pkgs/stdenv/linux/bootstrap-tools-musl/default.nix

@@ -15,5 +15,5 @@ derivation ({
   langC = true;
   langCC = true;
   isGNU = true;
-  hardeningUnsupportedFlags = [ "fortify3" ];
+  hardeningUnsupportedFlags = [ "fortify3" "zerocallusedregs" ];
 } // extraAttrs)

pkgs/stdenv/linux/bootstrap-tools/default.nix

@@ -15,5 +15,5 @@ derivation ({
   langC = true;
   langCC = true;
   isGNU = true;
-  hardeningUnsupportedFlags = [ "fortify3" ];
+  hardeningUnsupportedFlags = [ "fortify3" "zerocallusedregs" ];
 } // extraAttrs)