diff options
author | Cedric DOURLENT <cedric.dourlent@softathome.com> | 2024-01-12 09:23:46 +0100 |
---|---|---|
committer | Hauke Mehrtens <hauke@hauke-m.de> | 2024-01-19 21:27:14 +0100 |
commit | 869f8b21e755e752e6e0bbec1750810751c54b72 (patch) | |
tree | 24a153f38ecbbbb206512c43821e4ae34edb6e51 | |
parent | cc022082e97de93ca40b212e0f163a0e04c77608 (diff) | |
download | openwrt-869f8b21e755e752e6e0bbec1750810751c54b72.tar.gz openwrt-869f8b21e755e752e6e0bbec1750810751c54b72.tar.bz2 openwrt-869f8b21e755e752e6e0bbec1750810751c54b72.zip |
build: add option for building with stack-protector-all
The GCC option -fstack-protector-all is a security feature used to protect against stack-smashing attacks.
This option enhances the stack-smashing protection provided by -fstack-protector-strong.
-fstack-protector-all option applies stack protection to all functions, regardless of their characteristics.
While this offers the most comprehensive protection against stack-smashing attacks, it can significantly impact
the performance of the program because every function call includes additional checks for stack integrity.
This option can incur a performance penalty because of the extra checks added to every function call,
but it significantly enhances security, making it harder for attackers to exploit buffer overflows to execute arbitrary code.
It's particularly useful in scenarios where security is paramount and performance trade-offs are acceptable.
Signed-off-by: Cedric DOURLENT <cedric.dourlent@softathome.com>
-rw-r--r-- | config/Config-build.in | 2 | ||||
-rw-r--r-- | include/hardening.mk | 5 |
2 files changed, 7 insertions, 0 deletions
diff --git a/config/Config-build.in b/config/Config-build.in index ebfce8add4..24c2bcf130 100644 --- a/config/Config-build.in +++ b/config/Config-build.in @@ -293,6 +293,8 @@ menu "Global build settings" bool "Regular" config PKG_CC_STACKPROTECTOR_STRONG bool "Strong" + config PKG_CC_STACKPROTECTOR_ALL + bool "All" endchoice choice diff --git a/include/hardening.mk b/include/hardening.mk index 6acd862f5c..4a8874261b 100644 --- a/include/hardening.mk +++ b/include/hardening.mk @@ -36,6 +36,11 @@ ifdef CONFIG_PKG_CC_STACKPROTECTOR_STRONG TARGET_CFLAGS += -fstack-protector-strong endif endif +ifdef CONFIG_PKG_CC_STACKPROTECTOR_ALL + ifeq ($(strip $(PKG_SSP)),1) + TARGET_CFLAGS += -fstack-protector-all + endif +endif ifdef CONFIG_PKG_FORTIFY_SOURCE_1 ifeq ($(strip $(PKG_FORTIFY_SOURCE)),1) TARGET_CFLAGS += -D_FORTIFY_SOURCE=1 |