Do I need to pass any flags to LDFLAGS/CFLAGS in order to turn on hardened building? No, the current toolchain implements the equivalent of CFLAGS="-fPIE -fstack-protector-all -D_FORTIFY_SOURCE=2" LDFLAGS="-Wl,-z,now -Wl,-z,relro" automatically through GCC's built-in spec and using the specfiles to disable them which is a more proper solution. For older hardened-gcc users the best approach is switch to the hardened profile and then upgrade following the steps on the "How do I switch to the hardened profile?"