cc-wrapper: add trivialautovarinit hardening flag support

this equates to -ftrivial-auto-var-init=pattern

clang has removed support for -ftrivial-auto-var-init=zero and
are unlikely to re-add it, so use -ftrivial-auto-var-init=pattern
on both compilers if only to make behaviour more consistent
between the two.

add to pkgsExtraHardening's defaultHardeningFlags.

nixos/doc/manual/release-notes/rl-2405.section.md

@@ -310,6 +310,8 @@ The pre-existing [services.ankisyncd](#opt-services.ankisyncd.enable) has been m
 
 - A new hardening flag, `zerocallusedregs` was made available, corresponding to the gcc/clang option `-fzero-call-used-regs=used-gpr`.
 
+- A new hardening flag, `trivialautovarinit` was made available, corresponding to the gcc/clang option `-ftrivial-auto-var-init=pattern`.
+
 - New options were added to the dnsdist module to enable and configure a DNSCrypt endpoint (see `services.dnsdist.dnscrypt.enable`, etc.).
   The module can generate the DNSCrypt provider key pair, certificates and also performs their rotation automatically with no downtime.
 

pkgs/build-support/cc-wrapper/add-hardening.sh

@@ -32,7 +32,7 @@ if [[ -n "${hardeningEnableMap[fortify3]-}" ]]; then
 fi
 
 if (( "${NIX_DEBUG:-0}" >= 1 )); then
-  declare -a allHardeningFlags=(fortify fortify3 stackprotector pie pic strictoverflow format zerocallusedregs)
+  declare -a allHardeningFlags=(fortify fortify3 stackprotector pie pic strictoverflow format trivialautovarinit zerocallusedregs)
   declare -A hardeningDisableMap=()
 
   # Determine which flags were effectively disabled so we can report below.
@@ -106,6 +106,10 @@ for flag in "${!hardeningEnableMap[@]}"; do
         hardeningCFlagsBefore+=('-fno-strict-overflow')
       fi
       ;;
+    trivialautovarinit)
+      if (( "${NIX_DEBUG:-0}" >= 1 )); then echo HARDENING: enabling trivialautovarinit >&2; fi
+      hardeningCFlagsBefore+=('-ftrivial-auto-var-init=pattern')
+      ;;
     format)
       if (( "${NIX_DEBUG:-0}" >= 1 )); then echo HARDENING: enabling format >&2; fi
       hardeningCFlagsBefore+=('-Wformat' '-Wformat-security' '-Werror=format-security')

pkgs/development/compilers/gcc/default.nix

@@ -408,7 +408,7 @@ lib.pipe ((callFile ./common/builder.nix {}) ({
     isGNU = true;
     hardeningUnsupportedFlags = lib.optional is48 "stackprotector"
       ++ lib.optional (!atLeast11) "zerocallusedregs"
-      ++ lib.optional (!atLeast12) "fortify3"
+      ++ lib.optionals (!atLeast12) [ "fortify3" "trivialautovarinit" ]
       ++ lib.optionals (langFortran) [ "fortify" "format" ];
   };
 

pkgs/stdenv/generic/make-derivation.nix

@@ -249,6 +249,7 @@ let
     "relro"
     "stackprotector"
     "strictoverflow"
+    "trivialautovarinit"
     "zerocallusedregs"
   ];
   defaultHardeningFlags =

pkgs/stdenv/linux/bootstrap-tools-musl/default.nix

@@ -15,5 +15,5 @@ derivation ({
   langC = true;
   langCC = true;
   isGNU = true;
-  hardeningUnsupportedFlags = [ "fortify3" "zerocallusedregs" ];
+  hardeningUnsupportedFlags = [ "fortify3" "zerocallusedregs" "trivialautovarinit" ];
 } // extraAttrs)

pkgs/stdenv/linux/bootstrap-tools/default.nix

@@ -15,5 +15,5 @@ derivation ({
   langC = true;
   langCC = true;
   isGNU = true;
-  hardeningUnsupportedFlags = [ "fortify3" "zerocallusedregs" ];
+  hardeningUnsupportedFlags = [ "fortify3" "zerocallusedregs" "trivialautovarinit" ];
 } // extraAttrs)

pkgs/top-level/stage.nix

@@ -284,6 +284,7 @@ let
           stdenv = super'.withDefaultHardeningFlags (
             super'.stdenv.cc.defaultHardeningFlags ++ [
               "zerocallusedregs"
+              "trivialautovarinit"
             ]
           ) super'.stdenv;
         })