From 214f5f3d2bd389e468bc42ee6a419ab356315d97 Mon Sep 17 00:00:00 2001 From: Daniel Micay Date: Tue, 12 Mar 2024 11:08:53 -0400 Subject: [PATCH] explicitly list userspace compiler hardening flags Most of these features are now done upstream other than enabling PAC, BTI and making signed integer overflow well-defined when overflow checking isn't enabled. There are other things which could be considered to be part of this set of features but are covered elsewhere already. --- static/features.html | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/static/features.html b/static/features.html index 5547b082..99ba60a2 100644 --- a/static/features.html +++ b/static/features.html @@ -305,7 +305,11 @@ been reused once and gone through the quarantines twice -
  • Hardened compiler toolchain
  • +
  • On ARMv9, Branch Target Identification (BTI) and Pointer + Authentication Code (PAC) return address protection are enabled for + userspace OS code we build instead of only specific apps
  • +
  • Signed integer overflow is made well defined in C and C++ for code + where automatic overflow checking is disabled
  • Hardened kernel
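Review bot: The two list items added after "Hardened compiler toolchain" describe features but name no compiler flags, while the subject line says the change explicitly lists the flags. Either name the flags in the items or reword the subject to say "features". In the second added item, "made well defined" does not tell the reader what the defined behaviour is (wrapping or trapping), so state it. In the first added item, "for userspace OS code we build instead of only specific apps" reads ambiguously; something like "for all userspace OS code we build, rather than only for specific apps" would make the scope clear.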