GCC in Gentoo Hardened generates PIE by default; clang could have a configure option to generate PIE by default.
Does GCC have such a configure option (I don't see one in mainline GCC)?
GCC supports an optional configuration file named "specs", which can be used to enable PIE by default. If the specs file isn't present, the default built-in specs are used. On Gentoo, a modification of the built-in specs is used to enable PIE by default. The optional specs file on my PC is located at /usr/lib/gcc/x86_64-pc-linux-gnu/4.5.4/specs
Created attachment 8933 [details] built-in specs file generated by: gcc -dumpspecs
GCC 6 has a configure option, see https://gcc.gnu.org/gcc-6/changes.html: the --enable-default-pie configure option enables generation of PIE by default.
In addition to an option to enable PIE by default, it would also be nice to have an option to enable SSP by default; something similar to GCC's: --enable-default-ssp: Default flag_stack_protect to -fstack-protector-strong
+Richard and I were talking about this recently. IMO, we should link PIE by default and not bother with a configure option. If you want a no-pie link, use the -no-pie flag. Source packages already have to specify -no-pie if they want to link against a non-pie .o file when building with distro-distributed GCCs, because distro GCCs already enable PIC by default through the GCC configure flag.
FYI, distros are starting to patch clang to add the feature just as they enable the configure flag for GCC. Here's one from ArchLinux referencing this bug: https://git.archlinux.org/svntogit/packages.git/tree/trunk/0002-Enable-SSP-and-PIE-by-default.patch?h=packages/llvm&id=1d5568f96e56efb2186b3ae081488e1e5a509397
The Arch Linux patch was updated for llvm 9, see https://git.archlinux.org/svntogit/packages.git/tree/trunk/enable-SSP-and-PIE-by-default.patch?h=packages/clang
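Whether a given toolchain actually defaults to PIE and SSP (via a specs file, --enable-default-pie/--enable-default-ssp, or a distro patch like the Arch one above) is easiest to confirm by inspecting what it produces. The following is an added example, not code from the thread or from LLVM/GCC: it compiles a small constructed test program with no hardening flags and reports whether the result is ET_DYN (linked as PIE) and references __stack_chk_fail (stack protector instrumented). The compiler name, test source and temporary paths are assumptions of the example.

```python
import struct
import subprocess
import sys
import tempfile
from pathlib import Path

ET_EXEC, ET_DYN = 2, 3  # e_type values from the ELF specification


def elf_type(data: bytes) -> int:
    """Return e_type from an ELF header, honouring EI_DATA for byte order."""
    if len(data) < 20 or data[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    endian = "<" if data[5] == 1 else ">"  # EI_DATA: 1 = little, 2 = big
    return struct.unpack(endian + "H", data[16:18])[0]


def is_pie(data: bytes) -> bool:
    # ET_DYN also covers shared objects; for a file the compiler was asked to
    # produce as an executable, ET_DYN means it was linked with -pie.
    return elf_type(data) == ET_DYN


def has_stack_protector(data: bytes) -> bool:
    # Any function instrumented by -fstack-protector* references
    # __stack_chk_fail, so the symbol name appears in the dynamic symbol table.
    return b"__stack_chk_fail" in data


def check_compiler_defaults(cc: str) -> dict:
    """Build a constructed, array-using program with NO hardening flags and
    inspect the binary; the flags reported are the compiler's defaults."""
    src = ("#include <string.h>\n"
           "int main(int argc, char **argv) {\n"
           "    char buf[64];             /* stack array: SSP-strong instruments this */\n"
           "    strcpy(buf, argv[0]);\n"
           "    return buf[0];\n"
           "}\n")
    with tempfile.TemporaryDirectory() as d:
        src_path, out_path = Path(d, "probe.c"), Path(d, "probe")
        src_path.write_text(src)
        subprocess.run([cc, str(src_path), "-o", str(out_path)], check=True)
        data = out_path.read_bytes()
    return {"pie": is_pie(data), "ssp": has_stack_protector(data)}


if __name__ == "__main__":
    # Usage: python probe.py [compiler]   (defaults to "cc")
    print(check_compiler_defaults(sys.argv[1] if len(sys.argv) > 1 else "cc"))
```

Run it once against the distro compiler and once against a freshly built clang to see whether the defaults differ; a "pie": False result on an executable means -pie is not being passed by default.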