diff --git a/src/aes.h b/src/aes.h
index b37b4d781..1f9050fa3 100644
--- a/src/aes.h
+++ b/src/aes.h
@@ -17,6 +17,7 @@
 
 #include "top.h"
 
+#define MBEDTLS_ALLOW_PRIVATE_ACCESS
 #include <mbedtls/aes.h>
 
 #include "resource.h"
@@ -45,16 +46,16 @@ class AesContext : public SimpleResource {
 };
 
 /*
-  AES-CBC context class. 
+  AES-CBC context class.
   In addition to the base AES context,
-  this cipher type also needs an initialization 
+  this cipher type also needs an initialization
   vector.
 */
 class AesCbcContext : public AesContext {
  public:
   TAG(AesCbcContext);
   AesCbcContext(SimpleResourceGroup* group, const Blob* key, const uint8* iv, bool encrypt);
-  
+
   uint8 iv_[AES_BLOCK_SIZE];
 };
 
diff --git a/src/entropy_mixer.h b/src/entropy_mixer.h
index 79dcd9537..8f7de11db 100644
--- a/src/entropy_mixer.h
+++ b/src/entropy_mixer.h
@@ -15,6 +15,7 @@
 
 #pragma once
 
+#define MBEDTLS_ALLOW_PRIVATE_ACCESS
 #include <mbedtls/error.h>
 #include <mbedtls/entropy.h>
 
diff --git a/src/primitive.h b/src/primitive.h
index 0d36c22a4..9590deb65 100644
--- a/src/primitive.h
+++ b/src/primitive.h
@@ -15,6 +15,7 @@
 
 #pragma once
 
+#define MBEDTLS_ALLOW_PRIVATE_ACCESS
 #include <mbedtls/aes.h>
 
 #include "top.h"
diff --git a/src/primitive_crypto.cc b/src/primitive_crypto.cc
index 3f8d895cd..c0b9806d1 100644
--- a/src/primitive_crypto.cc
+++ b/src/primitive_crypto.cc
@@ -21,6 +21,7 @@
 #define CONFIG_TOIT_CRYPTO_EXTRA 1
 #endif
 
+#define MBEDTLS_ALLOW_PRIVATE_ACCESS
 #include "mbedtls/gcm.h"
 #include "mbedtls/chachapoly.h"
 
diff --git a/src/resources/tls.h b/src/resources/tls.h
index 63618ef51..7c679eb5a 100644
--- a/src/resources/tls.h
+++ b/src/resources/tls.h
@@ -15,6 +15,7 @@
 
 #pragma once
 
+#define MBEDTLS_ALLOW_PRIVATE_ACCESS
 #include <mbedtls/ctr_drbg.h>
 #include <mbedtls/debug.h>
 #include <mbedtls/entropy.h>
diff --git a/src/resources/x509.h b/src/resources/x509.h
index ee578361b..989132f36 100644
--- a/src/resources/x509.h
+++ b/src/resources/x509.h
@@ -15,6 +15,7 @@
 
 #pragma once
 
+#define MBEDTLS_ALLOW_PRIVATE_ACCESS
 #include <mbedtls/x509_crt.h>
 
 #include "../heap.h"
diff --git a/src/sha.h b/src/sha.h
index 4004ef5d4..3bd5af7de 100644
--- a/src/sha.h
+++ b/src/sha.h
@@ -15,6 +15,7 @@
 
 #pragma once
 
+#define MBEDTLS_ALLOW_PRIVATE_ACCESS
 #include <mbedtls/sha256.h>
 #include <mbedtls/sha512.h>
 #if MBEDTLS_VERSION_MAJOR >= 3
diff --git a/src/snapshot_bundle.cc b/src/snapshot_bundle.cc
index 30063d21c..9c9e7baec 100644
--- a/src/snapshot_bundle.cc
+++ b/src/snapshot_bundle.cc
@@ -15,6 +15,7 @@
 
 #include "top.h"
 #include "uuid.h"
+#define MBEDTLS_ALLOW_PRIVATE_ACCESS
 #include <mbedtls/sha256.h>
 #if MBEDTLS_VERSION_MAJOR >= 3
 // Bring back the _ret names for sha functions.
diff --git a/toolchains/arm.cmake b/toolchains/arm.cmake
index a59117953..a33c754a5 100644
--- a/toolchains/arm.cmake
+++ b/toolchains/arm.cmake
@@ -75,3 +75,5 @@ set(CMAKE_CXX_FLAGS_DEBUG "-Og -ggdb3 -rdynamic -fdiagnostics-color $ENV{LOCAL_C
 set(CMAKE_CXX_FLAGS_RELEASE "-Os $ENV{LOCAL_CXXFLAGS}" CACHE STRING "c++ Release flags")
 set(CMAKE_CXX_FLAGS_ASAN "-O1 -fsanitize=address -fno-omit-frame-pointer -g" CACHE STRING "c++ Asan flags")
 set(CMAKE_CXX_FLAGS_PROF "-Os -DPROF -pg" CACHE STRING "c++ Prof flags")
+
+set(CMAKE_EXE_LINKER_FLAGS_RELEASE "$ENV{LOCAL_LDFLAGS}" CACHE STRING "Linker flags for release builds")
diff --git a/toolchains/host.cmake b/toolchains/host.cmake
index 745abe40c..b88aeecdb 100644
--- a/toolchains/host.cmake
+++ b/toolchains/host.cmake
@@ -17,6 +17,15 @@ set(TOIT_SYSTEM_NAME "${CMAKE_SYSTEM_NAME}")
 
 set(CMAKE_C_FLAGS_DEBUG "-O1 -g $ENV{LOCAL_CFLAGS}" CACHE STRING "c Debug flags")
 set(CMAKE_CXX_FLAGS_DEBUG "-O1 -ggdb3 -fdiagnostics-color $ENV{LOCAL_CXXFLAGS}" CACHE STRING "c++ Debug flags")
+set(CMAKE_C_FLAGS_RELEASE "-Os $ENV{LOCAL_CFLAGS}" CACHE STRING "c Release flags")
 set(CMAKE_CXX_FLAGS_RELEASE "-Os $ENV{LOCAL_CXXFLAGS}" CACHE STRING "c++ Release flags")
+set(CMAKE_EXE_LINKER_FLAGS_RELEASE "$ENV{LOCAL_LDFLAGS}" CACHE STRING "Linker flags for release builds")
+
+# If it's not windows add '-fo'
+if (NOT WIN32)
+  set(CMAKE_C_FLAGS_RELEASE "-flto=auto ${CMAKE_C_FLAGS}")
+  set(CMAKE_CXX_FLAGS_RELEASE "-flto=auto ${CMAKE_CXX_FLAGS}")
+  set(CMAKE_EXE_LINKER_FLAGS_RELEASE "-flto ${CMAKE_EXE_LINKER_FLAGS}")
+endif()
 
 enable_testing()