Merge pull request #1593 from tkatila/build-flag-changes

mythi · web-flow · commit dab899a615f1 · 2023-11-09T11:40:06.000+02:00
build: use stricter build flags
diff --git a/build/docker/intel-deviceplugin-operator.Dockerfile b/build/docker/intel-deviceplugin-operator.Dockerfile
@@ -39,13 +39,16 @@ ARG GOLANG_BASE=golang:1.21-bookworm
 FROM ${GOLANG_BASE} as builder
 ARG DIR=/intel-device-plugins-for-kubernetes
 ARG GO111MODULE=on
-ARG BUILDFLAGS="-ldflags=-w -s"
+ARG LDFLAGS="-ldflags=all=-w -s"
+ARG GOFLAGS=-trimpath
+ARG GCFLAGS="-gcflags=all=-spectre=all -N -l"
+ARG ASMFLAGS="-asmflags=all=-spectre=all"
 ARG GOLICENSES_VERSION
 ARG EP=/usr/local/bin/intel_deviceplugin_operator
 ARG CMD
 WORKDIR ${DIR}
 COPY . .
-RUN (cd cmd/${CMD}; GO111MODULE=${GO111MODULE} CGO_ENABLED=0 go install "${BUILDFLAGS}") && install -D /go/bin/${CMD} /install_root${EP}
+RUN (cd cmd/${CMD}; GO111MODULE=${GO111MODULE} GOFLAGS=${GOFLAGS} CGO_ENABLED=0 go install "${GCFLAGS}" "${ASMFLAGS}" "${LDFLAGS}") && install -D /go/bin/${CMD} /install_root${EP}
 RUN install -D ${DIR}/LICENSE /install_root/licenses/intel-device-plugins-for-kubernetes/LICENSE \
     && if [ ! -d "licenses/$CMD" ] ; then \
     GO111MODULE=on go run github.com/google/go-licenses@${GOLICENSES_VERSION} save "./cmd/$CMD" \
diff --git a/build/docker/intel-dlb-plugin.Dockerfile b/build/docker/intel-dlb-plugin.Dockerfile
@@ -39,13 +39,16 @@ ARG GOLANG_BASE=golang:1.21-bookworm
 FROM ${GOLANG_BASE} as builder
 ARG DIR=/intel-device-plugins-for-kubernetes
 ARG GO111MODULE=on
-ARG BUILDFLAGS="-ldflags=-w -s"
+ARG LDFLAGS="-ldflags=all=-w -s"
+ARG GOFLAGS=-trimpath
+ARG GCFLAGS="-gcflags=all=-spectre=all -N -l"
+ARG ASMFLAGS="-asmflags=all=-spectre=all"
 ARG GOLICENSES_VERSION
 ARG EP=/usr/local/bin/intel_dlb_device_plugin
 ARG CMD
 WORKDIR ${DIR}
 COPY . .
-RUN (cd cmd/${CMD}; GO111MODULE=${GO111MODULE} CGO_ENABLED=0 go install "${BUILDFLAGS}") && install -D /go/bin/${CMD} /install_root${EP}
+RUN (cd cmd/${CMD}; GO111MODULE=${GO111MODULE} GOFLAGS=${GOFLAGS} CGO_ENABLED=0 go install "${GCFLAGS}" "${ASMFLAGS}" "${LDFLAGS}") && install -D /go/bin/${CMD} /install_root${EP}
 RUN install -D ${DIR}/LICENSE /install_root/licenses/intel-device-plugins-for-kubernetes/LICENSE \
     && if [ ! -d "licenses/$CMD" ] ; then \
     GO111MODULE=on go run github.com/google/go-licenses@${GOLICENSES_VERSION} save "./cmd/$CMD" \
diff --git a/build/docker/intel-dsa-plugin.Dockerfile b/build/docker/intel-dsa-plugin.Dockerfile
@@ -39,13 +39,16 @@ ARG GOLANG_BASE=golang:1.21-bookworm
 FROM ${GOLANG_BASE} as builder
 ARG DIR=/intel-device-plugins-for-kubernetes
 ARG GO111MODULE=on
-ARG BUILDFLAGS="-ldflags=-w -s"
+ARG LDFLAGS="-ldflags=all=-w -s"
+ARG GOFLAGS=-trimpath
+ARG GCFLAGS="-gcflags=all=-spectre=all -N -l"
+ARG ASMFLAGS="-asmflags=all=-spectre=all"
 ARG GOLICENSES_VERSION
 ARG EP=/usr/local/bin/intel_dsa_device_plugin
 ARG CMD
 WORKDIR ${DIR}
 COPY . .
-RUN (cd cmd/${CMD}; GO111MODULE=${GO111MODULE} CGO_ENABLED=0 go install "${BUILDFLAGS}") && install -D /go/bin/${CMD} /install_root${EP}
+RUN (cd cmd/${CMD}; GO111MODULE=${GO111MODULE} GOFLAGS=${GOFLAGS} CGO_ENABLED=0 go install "${GCFLAGS}" "${ASMFLAGS}" "${LDFLAGS}") && install -D /go/bin/${CMD} /install_root${EP}
 RUN install -D ${DIR}/LICENSE /install_root/licenses/intel-device-plugins-for-kubernetes/LICENSE \
     && if [ ! -d "licenses/$CMD" ] ; then \
     GO111MODULE=on go run github.com/google/go-licenses@${GOLICENSES_VERSION} save "./cmd/$CMD" \
diff --git a/build/docker/intel-fpga-admissionwebhook.Dockerfile b/build/docker/intel-fpga-admissionwebhook.Dockerfile
@@ -39,13 +39,16 @@ ARG GOLANG_BASE=golang:1.21-bookworm
 FROM ${GOLANG_BASE} as builder
 ARG DIR=/intel-device-plugins-for-kubernetes
 ARG GO111MODULE=on
-ARG BUILDFLAGS="-ldflags=-w -s"
+ARG LDFLAGS="-ldflags=all=-w -s"
+ARG GOFLAGS=-trimpath
+ARG GCFLAGS="-gcflags=all=-spectre=all -N -l"
+ARG ASMFLAGS="-asmflags=all=-spectre=all"
 ARG GOLICENSES_VERSION
 ARG EP=/usr/local/bin/intel_fpga_admissionwebhook
 ARG CMD
 WORKDIR ${DIR}
 COPY . .
-RUN (cd cmd/${CMD}; GO111MODULE=${GO111MODULE} CGO_ENABLED=0 go install "${BUILDFLAGS}") && install -D /go/bin/${CMD} /install_root${EP}
+RUN (cd cmd/${CMD}; GO111MODULE=${GO111MODULE} GOFLAGS=${GOFLAGS} CGO_ENABLED=0 go install "${GCFLAGS}" "${ASMFLAGS}" "${LDFLAGS}") && install -D /go/bin/${CMD} /install_root${EP}
 RUN install -D ${DIR}/LICENSE /install_root/licenses/intel-device-plugins-for-kubernetes/LICENSE \
     && if [ ! -d "licenses/$CMD" ] ; then \
     GO111MODULE=on go run github.com/google/go-licenses@${GOLICENSES_VERSION} save "./cmd/$CMD" \
diff --git a/build/docker/intel-fpga-initcontainer.Dockerfile b/build/docker/intel-fpga-initcontainer.Dockerfile
@@ -38,14 +38,17 @@ ARG GOLANG_BASE=golang:1.21-bookworm
 FROM ${GOLANG_BASE} as builder
 ARG DIR=/intel-device-plugins-for-kubernetes
 ARG GO111MODULE=on
-ARG BUILDFLAGS="-ldflags=-w -s"
+ARG LDFLAGS="-ldflags=all=-w -s"
+ARG GOFLAGS=-trimpath
+ARG GCFLAGS="-gcflags=all=-spectre=all -N -l"
+ARG ASMFLAGS="-asmflags=all=-spectre=all"
 ARG GOLICENSES_VERSION
 ARG CRI_HOOK=intel-fpga-crihook
 ARG CMD=fpga_crihook
 ARG EP=/usr/local/fpga-sw/$CRI_HOOK
 WORKDIR ${DIR}
 COPY . .
-RUN (cd cmd/${CMD}; GO111MODULE=${GO111MODULE} CGO_ENABLED=0 go install "${BUILDFLAGS}") && install -D /go/bin/${CMD} /install_root${EP}
+RUN (cd cmd/${CMD}; GO111MODULE=${GO111MODULE} GOFLAGS=${GOFLAGS} CGO_ENABLED=0 go install "${GCFLAGS}" "${ASMFLAGS}" "${LDFLAGS}") && install -D /go/bin/${CMD} /install_root${EP}
 RUN install -D ${DIR}/LICENSE /install_root/licenses/intel-device-plugins-for-kubernetes/LICENSE \
     && if [ ! -d "licenses/$CMD" ] ; then \
     GO111MODULE=on go run github.com/google/go-licenses@${GOLICENSES_VERSION} save "./cmd/$CMD" \
@@ -56,7 +59,7 @@ ARG CMD=fpga_tool
 ARG EP=/usr/local/fpga-sw/$CMD
 WORKDIR ${DIR}
 COPY . .
-RUN (cd cmd/${CMD}; GO111MODULE=${GO111MODULE} CGO_ENABLED=0 go install "${BUILDFLAGS}") && install -D /go/bin/${CMD} /install_root${EP}
+RUN (cd cmd/${CMD}; GO111MODULE=${GO111MODULE} GOFLAGS=${GOFLAGS} CGO_ENABLED=0 go install "${GCFLAGS}" "${ASMFLAGS}" "${LDFLAGS}") && install -D /go/bin/${CMD} /install_root${EP}
 RUN install -D ${DIR}/LICENSE /install_root/licenses/intel-device-plugins-for-kubernetes/LICENSE \
     && if [ ! -d "licenses/$CMD" ] ; then \
     GO111MODULE=on go run github.com/google/go-licenses@${GOLICENSES_VERSION} save "./cmd/$CMD" \
diff --git a/build/docker/intel-fpga-plugin.Dockerfile b/build/docker/intel-fpga-plugin.Dockerfile
@@ -39,13 +39,16 @@ ARG GOLANG_BASE=golang:1.21-bookworm
 FROM ${GOLANG_BASE} as builder
 ARG DIR=/intel-device-plugins-for-kubernetes
 ARG GO111MODULE=on
-ARG BUILDFLAGS="-ldflags=-w -s"
+ARG LDFLAGS="-ldflags=all=-w -s"
+ARG GOFLAGS=-trimpath
+ARG GCFLAGS="-gcflags=all=-spectre=all -N -l"
+ARG ASMFLAGS="-asmflags=all=-spectre=all"
 ARG GOLICENSES_VERSION
 ARG EP=/usr/local/bin/intel_fpga_device_plugin
 ARG CMD
 WORKDIR ${DIR}
 COPY . .
-RUN (cd cmd/${CMD}; GO111MODULE=${GO111MODULE} CGO_ENABLED=0 go install "${BUILDFLAGS}") && install -D /go/bin/${CMD} /install_root${EP}
+RUN (cd cmd/${CMD}; GO111MODULE=${GO111MODULE} GOFLAGS=${GOFLAGS} CGO_ENABLED=0 go install "${GCFLAGS}" "${ASMFLAGS}" "${LDFLAGS}") && install -D /go/bin/${CMD} /install_root${EP}
 RUN install -D ${DIR}/LICENSE /install_root/licenses/intel-device-plugins-for-kubernetes/LICENSE \
     && if [ ! -d "licenses/$CMD" ] ; then \
     GO111MODULE=on go run github.com/google/go-licenses@${GOLICENSES_VERSION} save "./cmd/$CMD" \
diff --git a/build/docker/intel-gpu-fakedev.Dockerfile b/build/docker/intel-gpu-fakedev.Dockerfile
@@ -39,13 +39,16 @@ ARG GOLANG_BASE=golang:1.21-bookworm
 FROM ${GOLANG_BASE} as builder
 ARG DIR=/intel-device-plugins-for-kubernetes
 ARG GO111MODULE=on
-ARG BUILDFLAGS="-ldflags=-w -s"
+ARG LDFLAGS="-ldflags=all=-w -s"
+ARG GOFLAGS=-trimpath
+ARG GCFLAGS="-gcflags=all=-spectre=all -N -l"
+ARG ASMFLAGS="-asmflags=all=-spectre=all"
 ARG GOLICENSES_VERSION
 ARG EP=/usr/local/bin/intel_gpu_fakedev
 ARG CMD
 WORKDIR ${DIR}
 COPY . .
-RUN (cd cmd/${CMD}; GO111MODULE=${GO111MODULE} CGO_ENABLED=0 go install "${BUILDFLAGS}") && install -D /go/bin/${CMD} /install_root${EP}
+RUN (cd cmd/${CMD}; GO111MODULE=${GO111MODULE} GOFLAGS=${GOFLAGS} CGO_ENABLED=0 go install "${GCFLAGS}" "${ASMFLAGS}" "${LDFLAGS}") && install -D /go/bin/${CMD} /install_root${EP}
 RUN install -D ${DIR}/LICENSE /install_root/licenses/intel-device-plugins-for-kubernetes/LICENSE \
     && if [ ! -d "licenses/$CMD" ] ; then \
     GO111MODULE=on go run github.com/google/go-licenses@${GOLICENSES_VERSION} save "./cmd/$CMD" \
diff --git a/build/docker/intel-gpu-initcontainer.Dockerfile b/build/docker/intel-gpu-initcontainer.Dockerfile
@@ -38,15 +38,18 @@ ARG GOLANG_BASE=golang:1.21-bookworm
 FROM ${GOLANG_BASE} as builder
 ARG DIR=/intel-device-plugins-for-kubernetes
 ARG GO111MODULE=on
-ARG BUILDFLAGS="-ldflags=-w -s"
+ARG LDFLAGS="-ldflags=all=-w -s"
+ARG GOFLAGS=-trimpath
+ARG GCFLAGS="-gcflags=all=-spectre=all -N -l"
+ARG ASMFLAGS="-asmflags=all=-spectre=all"
 ARG GOLICENSES_VERSION
 ARG EP=/usr/local/bin/gpu-sw/intel-gpu-nfdhook
 ARG CMD=gpu_nfdhook
 ARG NFD_HOOK=intel-gpu-nfdhook
 ARG SRC_DIR=/usr/local/bin/gpu-sw
 WORKDIR ${DIR}
 COPY . .
-RUN (cd cmd/${CMD}; GO111MODULE=${GO111MODULE} CGO_ENABLED=0 go install "${BUILDFLAGS}") && install -D /go/bin/${CMD} /install_root${EP}
+RUN (cd cmd/${CMD}; GO111MODULE=${GO111MODULE} GOFLAGS=${GOFLAGS} CGO_ENABLED=0 go install "${GCFLAGS}" "${ASMFLAGS}" "${LDFLAGS}") && install -D /go/bin/${CMD} /install_root${EP}
 RUN install -D ${DIR}/LICENSE /install_root/licenses/intel-device-plugins-for-kubernetes/LICENSE \
     && if [ ! -d "licenses/$CMD" ] ; then \
     GO111MODULE=on go run github.com/google/go-licenses@${GOLICENSES_VERSION} save "./cmd/$CMD" \
diff --git a/build/docker/intel-gpu-plugin.Dockerfile b/build/docker/intel-gpu-plugin.Dockerfile
@@ -39,13 +39,16 @@ ARG GOLANG_BASE=golang:1.21-bookworm
 FROM ${GOLANG_BASE} as builder
 ARG DIR=/intel-device-plugins-for-kubernetes
 ARG GO111MODULE=on
-ARG BUILDFLAGS="-ldflags=-w -s"
+ARG LDFLAGS="-ldflags=all=-w -s"
+ARG GOFLAGS=-trimpath
+ARG GCFLAGS="-gcflags=all=-spectre=all -N -l"
+ARG ASMFLAGS="-asmflags=all=-spectre=all"
 ARG GOLICENSES_VERSION
 ARG EP=/usr/local/bin/intel_gpu_device_plugin
 ARG CMD
 WORKDIR ${DIR}
 COPY . .
-RUN (cd cmd/${CMD}; GO111MODULE=${GO111MODULE} CGO_ENABLED=0 go install "${BUILDFLAGS}") && install -D /go/bin/${CMD} /install_root${EP}
+RUN (cd cmd/${CMD}; GO111MODULE=${GO111MODULE} GOFLAGS=${GOFLAGS} CGO_ENABLED=0 go install "${GCFLAGS}" "${ASMFLAGS}" "${LDFLAGS}") && install -D /go/bin/${CMD} /install_root${EP}
 RUN install -D ${DIR}/LICENSE /install_root/licenses/intel-device-plugins-for-kubernetes/LICENSE \
     && if [ ! -d "licenses/$CMD" ] ; then \
     GO111MODULE=on go run github.com/google/go-licenses@${GOLICENSES_VERSION} save "./cmd/$CMD" \
diff --git a/build/docker/intel-iaa-plugin.Dockerfile b/build/docker/intel-iaa-plugin.Dockerfile
@@ -39,13 +39,16 @@ ARG GOLANG_BASE=golang:1.21-bookworm
 FROM ${GOLANG_BASE} as builder
 ARG DIR=/intel-device-plugins-for-kubernetes
 ARG GO111MODULE=on
-ARG BUILDFLAGS="-ldflags=-w -s"
+ARG LDFLAGS="-ldflags=all=-w -s"
+ARG GOFLAGS=-trimpath
+ARG GCFLAGS="-gcflags=all=-spectre=all -N -l"
+ARG ASMFLAGS="-asmflags=all=-spectre=all"
 ARG GOLICENSES_VERSION
 ARG EP=/usr/local/bin/intel_iaa_device_plugin
 ARG CMD
 WORKDIR ${DIR}
 COPY . .
-RUN (cd cmd/${CMD}; GO111MODULE=${GO111MODULE} CGO_ENABLED=0 go install "${BUILDFLAGS}") && install -D /go/bin/${CMD} /install_root${EP}
+RUN (cd cmd/${CMD}; GO111MODULE=${GO111MODULE} GOFLAGS=${GOFLAGS} CGO_ENABLED=0 go install "${GCFLAGS}" "${ASMFLAGS}" "${LDFLAGS}") && install -D /go/bin/${CMD} /install_root${EP}
 RUN install -D ${DIR}/LICENSE /install_root/licenses/intel-device-plugins-for-kubernetes/LICENSE \
     && if [ ! -d "licenses/$CMD" ] ; then \
     GO111MODULE=on go run github.com/google/go-licenses@${GOLICENSES_VERSION} save "./cmd/$CMD" \
diff --git a/build/docker/intel-qat-plugin-kerneldrv.Dockerfile b/build/docker/intel-qat-plugin-kerneldrv.Dockerfile
@@ -38,7 +38,10 @@ ARG GOLANG_BASE=golang:1.21-bookworm
 FROM ${GOLANG_BASE} as builder
 ARG DIR=/intel-device-plugins-for-kubernetes
 ARG GO111MODULE=on
-ARG BUILDFLAGS="-ldflags=-w -s"
+ARG LDFLAGS="-ldflags=all=-w -s"
+ARG GOFLAGS=-trimpath
+ARG GCFLAGS="-gcflags=all=-spectre=all -N -l"
+ARG ASMFLAGS="-asmflags=all=-spectre=all"
 ARG GOLICENSES_VERSION
 ARG EP=/usr/local/bin/intel_sgx_device_plugin
 ARG CMD=qat_plugin
@@ -47,8 +50,8 @@ COPY . .
 ARG QAT_DRIVER_RELEASE="qat1.7.l.4.14.0-00031"
 ARG QAT_DRIVER_SHA256="a68dfaea4308e0bb5f350b7528f1a076a0c6ba3ec577d60d99dc42c49307b76e"
 SHELL ["/bin/bash", "-o", "pipefail", "-c"]
-RUN mkdir -p /usr/src/qat && cd /usr/src/qat && wget -q https://downloadmirror.intel.com/30178/eng/$QAT_DRIVER_RELEASE.tar.gz     && echo "$QAT_DRIVER_SHA256 $QAT_DRIVER_RELEASE.tar.gz" | sha256sum -c -     && tar xf *.tar.gz     && cd /usr/src/qat/quickassist/utilities/adf_ctl     && make KERNEL_SOURCE_DIR=/usr/src/qat/quickassist/qat     && install -D adf_ctl /install_root/usr/local/bin/adf_ctl
-RUN (cd cmd/$CMD && GO111MODULE=${GO111MODULE} CGO_ENABLED=1 go install -tags kerneldrv)
+RUN mkdir -p /usr/src/qat && cd /usr/src/qat && wget -q https://downloadmirror.intel.com/30178/eng/$QAT_DRIVER_RELEASE.tar.gz     && echo "$QAT_DRIVER_SHA256 $QAT_DRIVER_RELEASE.tar.gz" | sha256sum -c -     && tar xf *.tar.gz     && cd /usr/src/qat/quickassist/utilities/adf_ctl     && LDFLAGS= make KERNEL_SOURCE_DIR=/usr/src/qat/quickassist/qat     && install -D adf_ctl /install_root/usr/local/bin/adf_ctl
+RUN (cd cmd/$CMD && GOFLAGS=${GOFLAGS} GO111MODULE=${GO111MODULE} CGO_ENABLED=1 go install "${GCFLAGS}" "${ASMFLAGS}" "${LDFLAGS}" -tags kerneldrv)
 RUN chmod a+x /go/bin/$CMD && install -D /go/bin/$CMD /install_root/usr/local/bin/intel_qat_device_plugin
 RUN install -D ${DIR}/LICENSE /install_root/licenses/intel-device-plugins-for-kubernetes/LICENSE \
     && if [ ! -d "licenses/$CMD" ] ; then \
diff --git a/build/docker/intel-qat-plugin.Dockerfile b/build/docker/intel-qat-plugin.Dockerfile
@@ -39,13 +39,16 @@ ARG GOLANG_BASE=golang:1.21-bookworm
 FROM ${GOLANG_BASE} as builder
 ARG DIR=/intel-device-plugins-for-kubernetes
 ARG GO111MODULE=on
-ARG BUILDFLAGS="-ldflags=-w -s"
+ARG LDFLAGS="-ldflags=all=-w -s"
+ARG GOFLAGS=-trimpath
+ARG GCFLAGS="-gcflags=all=-spectre=all -N -l"
+ARG ASMFLAGS="-asmflags=all=-spectre=all"
 ARG GOLICENSES_VERSION
 ARG EP=/usr/local/bin/intel_qat_device_plugin
 ARG CMD
 WORKDIR ${DIR}
 COPY . .
-RUN (cd cmd/${CMD}; GO111MODULE=${GO111MODULE} CGO_ENABLED=0 go install "${BUILDFLAGS}") && install -D /go/bin/${CMD} /install_root${EP}
+RUN (cd cmd/${CMD}; GO111MODULE=${GO111MODULE} GOFLAGS=${GOFLAGS} CGO_ENABLED=0 go install "${GCFLAGS}" "${ASMFLAGS}" "${LDFLAGS}") && install -D /go/bin/${CMD} /install_root${EP}
 RUN install -D ${DIR}/LICENSE /install_root/licenses/intel-device-plugins-for-kubernetes/LICENSE \
     && if [ ! -d "licenses/$CMD" ] ; then \
     GO111MODULE=on go run github.com/google/go-licenses@${GOLICENSES_VERSION} save "./cmd/$CMD" \
diff --git a/build/docker/intel-sgx-admissionwebhook.Dockerfile b/build/docker/intel-sgx-admissionwebhook.Dockerfile
@@ -39,13 +39,16 @@ ARG GOLANG_BASE=golang:1.21-bookworm
 FROM ${GOLANG_BASE} as builder
 ARG DIR=/intel-device-plugins-for-kubernetes
 ARG GO111MODULE=on
-ARG BUILDFLAGS="-ldflags=-w -s"
+ARG LDFLAGS="-ldflags=all=-w -s"
+ARG GOFLAGS=-trimpath
+ARG GCFLAGS="-gcflags=all=-spectre=all -N -l"
+ARG ASMFLAGS="-asmflags=all=-spectre=all"
 ARG GOLICENSES_VERSION
 ARG EP=/usr/local/bin/intel_sgx_admissionwebhook
 ARG CMD
 WORKDIR ${DIR}
 COPY . .
-RUN (cd cmd/${CMD}; GO111MODULE=${GO111MODULE} CGO_ENABLED=0 go install "${BUILDFLAGS}") && install -D /go/bin/${CMD} /install_root${EP}
+RUN (cd cmd/${CMD}; GO111MODULE=${GO111MODULE} GOFLAGS=${GOFLAGS} CGO_ENABLED=0 go install "${GCFLAGS}" "${ASMFLAGS}" "${LDFLAGS}") && install -D /go/bin/${CMD} /install_root${EP}
 RUN install -D ${DIR}/LICENSE /install_root/licenses/intel-device-plugins-for-kubernetes/LICENSE \
     && if [ ! -d "licenses/$CMD" ] ; then \
     GO111MODULE=on go run github.com/google/go-licenses@${GOLICENSES_VERSION} save "./cmd/$CMD" \
diff --git a/build/docker/intel-sgx-initcontainer.Dockerfile b/build/docker/intel-sgx-initcontainer.Dockerfile
@@ -38,15 +38,18 @@ ARG GOLANG_BASE=golang:1.21-bookworm
 FROM ${GOLANG_BASE} as builder
 ARG DIR=/intel-device-plugins-for-kubernetes
 ARG GO111MODULE=on
-ARG BUILDFLAGS="-ldflags=-w -s"
+ARG LDFLAGS="-ldflags=all=-w -s"
+ARG GOFLAGS=-trimpath
+ARG GCFLAGS="-gcflags=all=-spectre=all -N -l"
+ARG ASMFLAGS="-asmflags=all=-spectre=all"
 ARG GOLICENSES_VERSION
 ARG EP=/usr/local/bin/sgx-sw/intel-sgx-epchook
 ARG CMD=sgx_epchook
 ARG NFD_HOOK=intel-sgx-epchook
 ARG SRC_DIR=/usr/local/bin/sgx-sw
 WORKDIR ${DIR}
 COPY . .
-RUN (cd cmd/${CMD}; GO111MODULE=${GO111MODULE} CGO_ENABLED=0 go install "${BUILDFLAGS}") && install -D /go/bin/${CMD} /install_root${EP}
+RUN (cd cmd/${CMD}; GO111MODULE=${GO111MODULE} GOFLAGS=${GOFLAGS} CGO_ENABLED=0 go install "${GCFLAGS}" "${ASMFLAGS}" "${LDFLAGS}") && install -D /go/bin/${CMD} /install_root${EP}
 RUN install -D ${DIR}/LICENSE /install_root/licenses/intel-device-plugins-for-kubernetes/LICENSE \
     && if [ ! -d "licenses/$CMD" ] ; then \
     GO111MODULE=on go run github.com/google/go-licenses@${GOLICENSES_VERSION} save "./cmd/$CMD" \
diff --git a/build/docker/intel-sgx-plugin.Dockerfile b/build/docker/intel-sgx-plugin.Dockerfile
@@ -39,13 +39,16 @@ ARG GOLANG_BASE=golang:1.21-bookworm
 FROM ${GOLANG_BASE} as builder
 ARG DIR=/intel-device-plugins-for-kubernetes
 ARG GO111MODULE=on
-ARG BUILDFLAGS="-ldflags=-w -s"
+ARG LDFLAGS="-ldflags=all=-w -s"
+ARG GOFLAGS=-trimpath
+ARG GCFLAGS="-gcflags=all=-spectre=all -N -l"
+ARG ASMFLAGS="-asmflags=all=-spectre=all"
 ARG GOLICENSES_VERSION
 ARG EP=/usr/local/bin/intel_sgx_device_plugin
 ARG CMD
 WORKDIR ${DIR}
 COPY . .
-RUN (cd cmd/${CMD}; GO111MODULE=${GO111MODULE} CGO_ENABLED=0 go install "${BUILDFLAGS}") && install -D /go/bin/${CMD} /install_root${EP}
+RUN (cd cmd/${CMD}; GO111MODULE=${GO111MODULE} GOFLAGS=${GOFLAGS} CGO_ENABLED=0 go install "${GCFLAGS}" "${ASMFLAGS}" "${LDFLAGS}") && install -D /go/bin/${CMD} /install_root${EP}
 RUN install -D ${DIR}/LICENSE /install_root/licenses/intel-device-plugins-for-kubernetes/LICENSE \
     && if [ ! -d "licenses/$CMD" ] ; then \
     GO111MODULE=on go run github.com/google/go-licenses@${GOLICENSES_VERSION} save "./cmd/$CMD" \
diff --git a/build/docker/intel-xpumanager-sidecar.Dockerfile b/build/docker/intel-xpumanager-sidecar.Dockerfile
@@ -39,13 +39,16 @@ ARG GOLANG_BASE=golang:1.21-bookworm
 FROM ${GOLANG_BASE} as builder
 ARG DIR=/intel-device-plugins-for-kubernetes
 ARG GO111MODULE=on
-ARG BUILDFLAGS="-ldflags=-w -s"
+ARG LDFLAGS="-ldflags=all=-w -s"
+ARG GOFLAGS=-trimpath
+ARG GCFLAGS="-gcflags=all=-spectre=all -N -l"
+ARG ASMFLAGS="-asmflags=all=-spectre=all"
 ARG GOLICENSES_VERSION
 ARG EP=/usr/local/bin/intel_xpumanager_sidecar
 ARG CMD
 WORKDIR ${DIR}
 COPY . .
-RUN (cd cmd/${CMD}; GO111MODULE=${GO111MODULE} CGO_ENABLED=0 go install "${BUILDFLAGS}") && install -D /go/bin/${CMD} /install_root${EP}
+RUN (cd cmd/${CMD}; GO111MODULE=${GO111MODULE} GOFLAGS=${GOFLAGS} CGO_ENABLED=0 go install "${GCFLAGS}" "${ASMFLAGS}" "${LDFLAGS}") && install -D /go/bin/${CMD} /install_root${EP}
 RUN install -D ${DIR}/LICENSE /install_root/licenses/intel-device-plugins-for-kubernetes/LICENSE \
     && if [ ! -d "licenses/$CMD" ] ; then \
     GO111MODULE=on go run github.com/google/go-licenses@${GOLICENSES_VERSION} save "./cmd/$CMD" \
diff --git a/build/docker/lib/default_args.docker b/build/docker/lib/default_args.docker
@@ -1,4 +1,7 @@
 ARG DIR=/intel-device-plugins-for-kubernetes
 ARG GO111MODULE=on
-ARG BUILDFLAGS="-ldflags=-w -s"
+ARG LDFLAGS="-ldflags=all=-w -s"
+ARG GOFLAGS=-trimpath
+ARG GCFLAGS="-gcflags=all=-spectre=all -N -l"
+ARG ASMFLAGS="-asmflags=all=-spectre=all"
 ARG GOLICENSES_VERSION
diff --git a/build/docker/lib/default_build.docker b/build/docker/lib/default_build.docker
@@ -1,7 +1,7 @@
 WORKDIR ${DIR}
 COPY . .
 
-RUN (cd cmd/${CMD}; GO111MODULE=${GO111MODULE} CGO_ENABLED=0 go install "${BUILDFLAGS}") \
+RUN (cd cmd/${CMD}; GO111MODULE=${GO111MODULE} GOFLAGS=${GOFLAGS} CGO_ENABLED=0 go install "${GCFLAGS}" "${ASMFLAGS}" "${LDFLAGS}") \
     && install -D /go/bin/${CMD} /install_root${EP}
 
 #include "default_licenses.docker"
diff --git a/build/docker/templates/intel-qat-plugin-kerneldrv.Dockerfile.in b/build/docker/templates/intel-qat-plugin-kerneldrv.Dockerfile.in
@@ -22,9 +22,9 @@ RUN mkdir -p /usr/src/qat \
     && echo "$QAT_DRIVER_SHA256 $QAT_DRIVER_RELEASE.tar.gz" | sha256sum -c - \
     && tar xf *.tar.gz \
     && cd /usr/src/qat/quickassist/utilities/adf_ctl \
-    && make KERNEL_SOURCE_DIR=/usr/src/qat/quickassist/qat \
+    && LDFLAGS= make KERNEL_SOURCE_DIR=/usr/src/qat/quickassist/qat \
     && install -D adf_ctl /install_root/usr/local/bin/adf_ctl
-RUN (cd cmd/$CMD && GO111MODULE=${GO111MODULE} CGO_ENABLED=1 go install -tags kerneldrv)
+RUN (cd cmd/$CMD && GOFLAGS=${GOFLAGS} GO111MODULE=${GO111MODULE} CGO_ENABLED=1 go install "${GCFLAGS}" "${ASMFLAGS}" "${LDFLAGS}" -tags kerneldrv)
 RUN chmod a+x /go/bin/$CMD \
     && install -D /go/bin/$CMD /install_root/usr/local/bin/intel_qat_device_plugin
 
