diff --git a/add-PIE-and-BIND_NOW-for-some-binaries.patch b/add-PIE-and-BIND_NOW-for-some-binaries.patch
new file mode 100644
index 0000000000000000000000000000000000000000..13cc83a3966aac6dcf8a6ec8fe59e2bcc5b99370
--- /dev/null
+++ b/add-PIE-and-BIND_NOW-for-some-binaries.patch
@@ -0,0 +1,54 @@
+From 6d629a4f5387834211d61b6a332246ff4ef6d3cb Mon Sep 17 00:00:00 2001
+From: sunguoshuai <sunguoshuai@huawei.com>
+Date: Sat, 20 Mar 2021 17:38:08 +0800
+Subject: [PATCH] add PIE and BIND_NOW for some binaries
+
+---
+ Config.mk          | 3 ++-
+ tb_polgen/Makefile | 2 +-
+ utils/Makefile     | 2 +-
+ 3 files changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/Config.mk b/Config.mk
+index a47147a..06b346c 100644
+--- a/Config.mk
++++ b/Config.mk
+@@ -74,7 +74,8 @@ TARGET_ARCH  ?= $(shell uname -m | sed -e s/i.86/x86_32/ -e s/i86pc/x86_32/)
+ CFLAGS += $(CFLAGS_WARN) -fno-strict-aliasing -std=gnu99
+ # due to bug in gcc v4.2,3,?
+ CFLAGS += $(call cc-option,$(CC),-Wno-array-bounds,)
+-
++LDFLAGS += -Wl,-z,now,-z,relro,-z,noexecstack -fPIE
++CFLAGS += -fPIE
+ 
+ ifeq ($(debug),y)
+ CFLAGS += -g -DDEBUG
+diff --git a/tb_polgen/Makefile b/tb_polgen/Makefile
+index 742244d..5dcade1 100644
+--- a/tb_polgen/Makefile
++++ b/tb_polgen/Makefile
+@@ -10,7 +10,7 @@
+ ROOTDIR ?= $(CURDIR)/..
+ 
+ include $(ROOTDIR)/Config.mk
+-
++CFLAGS += -fstack-protector-strong
+ 
+ TARGET = tb_polgen
+ 
+diff --git a/utils/Makefile b/utils/Makefile
+index 177f28b..75a7f75 100644
+--- a/utils/Makefile
++++ b/utils/Makefile
+@@ -13,7 +13,7 @@ include $(ROOTDIR)/Config.mk
+ 
+ TARGETS := txt-stat parse_err acminfo
+ 
+-CFLAGS += -D_LARGEFILE64_SOURCE
++CFLAGS += -D_LARGEFILE64_SOURCE -fstack-protector-strong
+ LIBS += $(ROOTDIR)/safestringlib/libsafestring.a
+ 
+ #
+-- 
+2.30.0
+
diff --git a/tboot.spec b/tboot.spec
index 753a0b267ce3c2978dbb501c4bef9d959904a167..a6bb64a0b47164b3dc424a05d585106b872603a3 100644
--- a/tboot.spec
+++ b/tboot.spec
@@ -1,12 +1,13 @@
 Name:           tboot
 Summary:        A module to perform a measured and verified launch
 Version:        1.9.12
-Release:        3
+Release:        4
 Epoch:          1
 License:        BSD
 
 URL:            http://sourceforge.net/projects/tboot/
 Source0:        http://downloads.sourceforge.net/%{name}/%{name}-%{version}.tar.gz
+Patch0:         add-PIE-and-BIND_NOW-for-some-binaries.patch
 
 BuildRequires:  gcc trousers-devel openssl-devel
 
@@ -41,6 +42,9 @@ and verified launch of an OS kernel/VMM
 %{_mandir}/man8/*.gz
 
 %changelog
+* Wed Sep 8 2021 wangchen<wangchen137@huawei.com> - 1:1.9.12-4
+- add some compile options
+
 * Tue Jul 28 2020 chxssg<chxssg@qq.com> - 1:1.9.12-1
 - update to 1.9.12