diff --git a/CMakeLists.txt b/CMakeLists.txt
index e7b3eeacb1b19e22438d2aea3616636d7b7e3501..54c69b7953297da01f77d7ff2c2c0838f33f7321 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -70,28 +70,12 @@ include(cmake/atomic.cmake)
 include(cmake/profile.cmake)
 include(cmake/module.cmake)
 include(cmake/thread.cmake)
+include(cmake/hardening.cmake)
-# Fuzzers are compiled without PIC support,
-# LuaJIT in FreeBSD doesn't work with PIC (gh-7640),
-# ligomp.a for AArch64 CentOS is compiled without PIC support.
-if (ENABLE_FUZZER OR TARGET_OS_FREEBSD OR ${CMAKE_SYSTEM_PROCESSOR} MATCHES "aarch64")
- set(ENABLE_HARDENING_DEFAULT FALSE)
-else()
- set(ENABLE_HARDENING_DEFAULT TRUE)
-endif()
-option(ENABLE_HARDENING "Enable compiler options that harden against memory corruption attacks" ${ENABLE_HARDENING_DEFAULT})
-set(HARDENING_FLAGS " ")
-set(HARDENING_LDFLAGS " ")
-if (ENABLE_HARDENING)
- set(HARDENING_FLAGS "-Wformat -Wformat-security -Werror=format-security -fstack-protector-strong -fPIC")
- if (NOT TARGET_OS_DARWIN)
- set(HARDENING_LDFLAGS "-pie -z relro -z now")
- endif()
- add_compile_flags("C;CXX" ${HARDENING_FLAGS})
- set(DEPENDENCY_CFLAGS "${DEPENDENCY_CFLAGS} ${HARDENING_FLAGS}")
- set(DEPENDENCY_CXXFLAGS "${DEPENDENCY_CXXFLAGS} ${HARDENING_FLAGS}")
- set(CMAKE_EXE_LINKER_FLAGS "${CMAKE_EXE_LINKER_FLAGS} ${HARDENING_LDFLAGS}")
-endif()
+add_compile_flags("C;CXX" ${HARDENING_FLAGS})
+set(DEPENDENCY_CFLAGS "${DEPENDENCY_CFLAGS} ${HARDENING_FLAGS}")
+set(DEPENDENCY_CXXFLAGS "${DEPENDENCY_CXXFLAGS} ${HARDENING_FLAGS}")
+set(CMAKE_EXE_LINKER_FLAGS "${CMAKE_EXE_LINKER_FLAGS} ${HARDENING_LDFLAGS}")
 set(CMAKE_REQUIRED_DEFINITIONS "-D_GNU_SOURCE")
diff --git a/cmake/hardening.cmake b/cmake/hardening.cmake
new file mode 100644
index 0000000000000000000000000000000000000000..1ef30a618b965ea4662ac1e5d1a01a85791ae7ad
--- /dev/null
+++ b/cmake/hardening.cmake
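Review bot: `HARDENING_FLAGS` and `HARDENING_LDFLAGS` are now expanded unconditionally in the four added lines of the CMakeLists.txt hunk, but the removed initialisers `set(HARDENING_FLAGS " ")` and `set(HARDENING_LDFLAGS " ")` were not carried into cmake/hardening.cmake, which assigns them only inside `if (ENABLE_HARDENING)` (and `HARDENING_LDFLAGS` only when `TARGET_OS_DARWIN` is false). With hardening switched off these lines therefore append whatever value those names already hold in the cache or an enclosing scope, and `add_compile_flags("C;CXX" ${HARDENING_FLAGS})` may be called with no flag argument; whether that helper accepts an empty list is not visible in this diff. The same applies to the three `set(DEPENDENCY_*FLAGS ...)` lines added in the last static-build/CMakeLists.txt hunk. I would add `set(HARDENING_FLAGS "")` and `set(HARDENING_LDFLAGS "")` at the top of cmake/hardening.cmake, before the `if (ENABLE_HARDENING)` block.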
@@ -0,0 +1,17 @@
+# Depends on os.cmake and profile.cmake modules.
+# Uses `ENABLE_FUZZER` option and `TARGET_OS_FREEBSD` variable.
+
+# LuaJIT in FreeBSD doesn't work with PIC (gh-7640),
+# ligomp.a for AArch64 CentOS is compiled without PIC support.
+if (ENABLE_FUZZER OR TARGET_OS_FREEBSD OR ${CMAKE_SYSTEM_PROCESSOR} MATCHES "aarch64")
+ set(ENABLE_HARDENING_DEFAULT FALSE)
+else()
+ set(ENABLE_HARDENING_DEFAULT TRUE)
+endif()
+option(ENABLE_HARDENING "Enable compiler options that harden against memory corruption attacks" ${ENABLE_HARDENING_DEFAULT})
+if (ENABLE_HARDENING)
+ set(HARDENING_FLAGS "-Wformat -Wformat-security -Werror=format-security -fstack-protector-strong -fPIC")
+ if (NOT TARGET_OS_DARWIN)
+ set(HARDENING_LDFLAGS "-pie -z relro -z now")
+ endif()
+endif()
diff --git a/static-build/CMakeLists.txt b/static-build/CMakeLists.txt
index 4b8654a96ba1e8d0c065352c431a94d4cc80104f..05dcce921a6824e30883fa29474b3ca2df67e9db 100644
--- a/static-build/CMakeLists.txt
+++ b/static-build/CMakeLists.txt
@@ -7,6 +7,8 @@ cmake_minimum_required(VERSION 3.1)
 # linux machine).
 project(tarantool-static C CXX)
+include(CheckLibraryExists)
+include(CheckCSourceCompiles)
 include(FindPackageMessage)
 include(ExternalProject)
 set(LIBICU_VERSION release-71-1/icu4c-71_1)
@@ -24,6 +26,8 @@ set(READLINE_HASH 7e6c1f16aee3244a69aba6e438295ca3)
 set(BACKUP_STORAGE https://distrib.hb.bizmrg.com)
 include(../cmake/os.cmake)
+include(../cmake/profile.cmake)
+include(../cmake/hardening.cmake)
 # Pass -isysroot=<SDK_PATH> option on Mac OS to a preprocessor and a C
 # compiler to find header files installed with an SDK.
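Review bot: In cmake/hardening.cmake the default-off condition is justified only by PIC problems (the LuaJIT and libgomp comments, plus fuzzers), yet it also switches off `-fstack-protector-strong`, `-Werror=format-security` and `-z relro -z now`, none of which depend on PIC, so FreeBSD, aarch64 and fuzzer builds lose every mitigation by default. Nothing in the configure output reports that state; adding `message(STATUS "Hardening: ${ENABLE_HARDENING}")` after the `option()` call would make it visible in build logs. The removed comment `# Fuzzers are compiled without PIC support,` should be carried over, since `ENABLE_FUZZER` is still part of the condition. Quoting the operand as `"${CMAKE_SYSTEM_PROCESSOR}" MATCHES "aarch64"` would also keep the `if()` well-formed when that variable is empty.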
@@ -46,23 +50,9 @@ if (APPLE)
 set(DEPENDENCY_CPPFLAGS "${CMAKE_C_SYSROOT_FLAG} ${CMAKE_OSX_SYSROOT}")
 endif()
-# LuaJIT in FreeBSD doesn't work with PIC (gh-7640),
-# ligomp.a for AArch64 CentOS is compiled without PIC support.
-if (TARGET_OS_FREEBSD OR ${CMAKE_SYSTEM_PROCESSOR} MATCHES "aarch64")
- set(ENABLE_HARDENING_DEFAULT FALSE)
-else()
- set(ENABLE_HARDENING_DEFAULT TRUE)
-endif()
-option(ENABLE_HARDENING "Enable compiler options that harden against memory corruption attacks" ${ENABLE_HARDENING_DEFAULT})
-if (ENABLE_HARDENING)
- set(HARDENING_FLAGS "-Wformat -Wformat-security -Werror=format-security -fstack-protector-strong -fPIC")
- if (NOT TARGET_OS_DARWIN)
- set(HARDENING_LDFLAGS "-pie -z relro -z now")
- endif()
- set(DEPENDENCY_CFLAGS "${DEPENDENCY_CFLAGS} ${HARDENING_FLAGS}")
- set(DEPENDENCY_CXXFLAGS "${DEPENDENCY_CXXFLAGS} ${HARDENING_FLAGS}")
- set(DEPENDENCY_LDFLAGS "${DEPENDENCY_LDFLAGS} ${HARDENING_LDFLAGS}")
-endif()
+set(DEPENDENCY_CFLAGS "${DEPENDENCY_CFLAGS} ${HARDENING_FLAGS}")
+set(DEPENDENCY_CXXFLAGS "${DEPENDENCY_CXXFLAGS} ${HARDENING_FLAGS}")
+set(DEPENDENCY_LDFLAGS "${DEPENDENCY_LDFLAGS} ${HARDENING_LDFLAGS}")
 # Install all libraries required by tarantool at current build dir