compiler/gcc: _FORTIFY_SOURCE=1 doesn't mean compile-time only checks
_FORTIFY_SOURCE=1 differs from _FORTIFY_SOURCE=2 only in the bounds checking mode that it uses. With _FORTIFY_SOURCE=1, bounds checks are 'loose', allowing access to the whole underlying object, not just the subset referenced in the expression (e.g., the bounds of a struct member are the whole struct, not just the member). With _FORTIFY_SOURCE=2, bounds checks are strict, meaning that the bounds of an expression are limited to the referenced value.

Both of these perform their checks at runtime, calling _chk_fail if the bounds check fails. That's done in the __*_chk functions included in the C library. These are always called when _FORTIFY_SOURCE > 0, unless the compiler replaces the call with inline code.

GCC already does all of the compile-time bounds checking for string and mem functions when not using -ffreestanding, so there's nothing we need to add for that to work. That means the security_fortify_compile_time property should be empty.

Signed-off-by: Keith Packard <keithp@keithp.com>
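The loose and strict bounds described in the commit message, shown as an added C example that is not part of the commit or the project: GCC's `__builtin_object_size` reports the whole-object bound with type 0 and the member bound with type 1. `struct record` and `copy_into_name` are constructed for illustration; the latter is only a sketch of the run-time test a `__*_chk` function makes.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed layout: 'name' sits between two other members. */
struct record {
    char id[4];
    char name[8];
    char role[4];
};

static struct record rec;

/* Loose bound (type 0): bytes from rec.name to the end of the whole struct. */
static size_t loose_bound(void)  { return __builtin_object_size(rec.name, 0); }

/* Strict bound (type 1): bytes in the referenced member only. */
static size_t strict_bound(void) { return __builtin_object_size(rec.name, 1); }

/* Hypothetical sketch of the run-time test a __*_chk function makes before
 * writing. Returns 0 after copying, -1 where the real function would abort. */
static int copy_into_name(const char *src, size_t len, size_t bound)
{
    unsigned char *dst = (unsigned char *)&rec + offsetof(struct record, name);

    if (len > bound)
        return -1;
    for (size_t i = 0; i < len; i++)
        dst[i] = (unsigned char)src[i];
    return 0;
}

int main(void)
{
    const char input[] = "AAAAAAAAA";   /* constructed input, 10 bytes with NUL */
    int rc;

    printf("loose bound %zu, strict bound %zu\n", loose_bound(), strict_bound());

    memset(&rec, 0, sizeof rec);
    rc = copy_into_name(input, sizeof input, loose_bound());
    printf("loose check:  rc=%d role[0]=%d\n", rc, rec.role[0]);

    memset(&rec, 0, sizeof rec);
    rc = copy_into_name(input, sizeof input, strict_bound());
    printf("strict check: rc=%d role[0]=%d\n", rc, rec.role[0]);
    return 0;
}
```

The 10-byte write passes the loose check and spills into `role`, while the strict check rejects it before any byte is written.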
parent 97f8b8b6ee
commit cdc686eecc
1 changed files with 5 additions and 3 deletions
|
@ -169,9 +169,11 @@ endif()
|
||||||
|
|
||||||
if(NOT CONFIG_NO_OPTIMIZATIONS)
|
if(NOT CONFIG_NO_OPTIMIZATIONS)
|
||||||
# _FORTIFY_SOURCE: Detect common-case buffer overflows for certain functions
|
# _FORTIFY_SOURCE: Detect common-case buffer overflows for certain functions
|
||||||
# _FORTIFY_SOURCE=1 : Compile-time checks (requires -O1 at least)
|
# _FORTIFY_SOURCE=1 : Loose checking (use wide bounds checks)
|
||||||
# _FORTIFY_SOURCE=2 : Additional lightweight run-time checks
|
# _FORTIFY_SOURCE=2 : Tight checking (use narrow bounds checks)
|
||||||
set_compiler_property(PROPERTY security_fortify_compile_time _FORTIFY_SOURCE=1)
|
# GCC always does compile-time bounds checking for string/mem functions, so
|
||||||
|
# there's no additional value to set here
|
||||||
|
set_compiler_property(PROPERTY security_fortify_compile_time)
|
||||||
set_compiler_property(PROPERTY security_fortify_run_time _FORTIFY_SOURCE=2)
|
set_compiler_property(PROPERTY security_fortify_run_time _FORTIFY_SOURCE=2)
|
||||||
endif()
|
endif()
|
||||||
|
|
||||||
|
|
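Review bot: The rewritten comment block above the two set_compiler_property calls drops the "requires -O1 at least" note, yet the surrounding if(NOT CONFIG_NO_OPTIMIZATIONS) guard still exists for that reason, and it now describes _FORTIFY_SOURCE=1 as loose checking although no property in this hunk selects =1 any more. Suggest keeping one comment line that says why the block is gated on optimization, and stating next to set_compiler_property(PROPERTY security_fortify_compile_time) that loose checking is intentionally not selectable through these properties. The hunk does not show how security_fortify_compile_time is consumed, so it is also worth confirming that callers which expand it into a compile definition handle an empty value.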