aboutsummaryrefslogtreecommitdiffstats
path: root/config
diff options
context:
space:
mode:
authorJulien Dusser <julien.dusser@free.fr>2018-01-08 23:47:06 +0100
committerHauke Mehrtens <hauke@hauke-m.de>2018-01-27 16:46:45 +0100
commitdf0bd42fdeb76c9bc51b816c3df699db123c0024 (patch)
tree1057e289580397c014b2c9c4460057e9e7ac8367 /config
parentca7e8627dbbbcae0d1bfacea51d9b564617195de (diff)
downloadupstream-df0bd42fdeb76c9bc51b816c3df699db123c0024.tar.gz
upstream-df0bd42fdeb76c9bc51b816c3df699db123c0024.tar.bz2
upstream-df0bd42fdeb76c9bc51b816c3df699db123c0024.zip
build: add hardened builds with PIE (ASLR) support
Introduce a configuration option to build a "hardened" OpenWrt with ASLR PIE support. Add new option PKG_ASLR_PIE to enable Address Space Layout Randomization (ASLR) by building Position Independent Executables (PIE). This new option protects against "return-to-text" attacks. Busybox need a special care, link is done with ld, not gcc, leading to unknown flags. Set BUSYBOX_DEFAULT_PIE instead and disable PKG_ASLR_PIE. If other failing packages were found, PKG_ASLR_PIE:=0 should be added to their Makefiles. Original Work by: Yongkui Han <yonhan@cisco.com> Signed-off-by: Julien Dusser <julien.dusser@free.fr>
Diffstat (limited to 'config')
-rw-r--r--config/Config-build.in16
1 files changed, 16 insertions, 0 deletions
diff --git a/config/Config-build.in b/config/Config-build.in
index 7ec7653a9a..660da1c47f 100644
--- a/config/Config-build.in
+++ b/config/Config-build.in
@@ -184,6 +184,22 @@ menu "Global build settings"
this per package by adding PKG_CHECK_FORMAT_SECURITY:=0 in the package
Makefile.
+ config PKG_ASLR_PIE
+ bool
+ prompt "User space ASLR PIE compilation"
+ select BUSYBOX_DEFAULT_PIE
+ default n
+ help
+ Add -fPIC to CFLAGS and -specs=hardened-build-ld to LDFLAGS.
+ This enables package build as Position Independent Executables (PIE)
+ to protect against "return-to-text" attacks. This belongs to the
+ feature of Address Space Layout Randomisation (ASLR), which is
+ implemented by the kernel and the ELF loader by randomising the
+ location of memory allocations. This makes memory addresses harder
+ to predict when an attacker is attempting a memory-corruption exploit.
+ You can disable this per package by adding PKG_ASLR_PIE:=0 in the package
+ Makefile.
+
choice
prompt "User space Stack-Smashing Protection"
depends on USE_MUSL