aboutsummaryrefslogtreecommitdiffstats
path: root/include
diff options
context:
space:
mode:
authorJohn Crispin <blogic@openwrt.org>2015-01-17 14:31:30 +0000
committerJohn Crispin <blogic@openwrt.org>2015-01-17 14:31:30 +0000
commitf7d8dc37026c10907f5c626444ec25598fa2ba05 (patch)
tree0c452dab7c8c558619ded2285a7e804a6ce4b1d7 /include
parentfc1b97243345202d7be48b908f21b3bb984f206d (diff)
downloadupstream-f7d8dc37026c10907f5c626444ec25598fa2ba05.tar.gz
upstream-f7d8dc37026c10907f5c626444ec25598fa2ba05.tar.bz2
upstream-f7d8dc37026c10907f5c626444ec25598fa2ba05.zip
Support for building an hardened OpenWRT
Introduce configuration options to build an "hardened" OpenWRT. Options to enable Stack-Smashing Protection, FORTIFY_SOURCE and RELRO have been introduced. uClibc makefile now automatically detects if SSP support is necessary. hostapd makefile has been fixed to use "^" as sed separator since using a comma was problematic when using "-Wl,-z,now" and the like in TARGET_CFLAGS. Currently enabling SSP on user space depends on enabling SSP kernel side, this is due to the fact that TARGET_CFLAGS are used to build kernel modules (at least). Suggestions on how to avoid this are welcome. Using "select" instead of "depends on" doesn't seem to work with choice entries. Tested with a lantiq (WBMR) router, GCC 4.8, uClibc and a subset of the available packages. Needs to be tested with GCC 4.9 and the remaining packages. PIE not currently included. Signed-off-by: Alessandro Di Federico <ale+owrt@clearmind.me> git-svn-id: svn://svn.openwrt.org/openwrt/trunk@44005 3c298f89-4303-0410-b956-a3cf2f4a3e73
Diffstat (limited to 'include')
-rw-r--r--include/package.mk36
1 files changed, 36 insertions, 0 deletions
diff --git a/include/package.mk b/include/package.mk
index a1b90da38a..2c34a5850c 100644
--- a/include/package.mk
+++ b/include/package.mk
@@ -15,6 +15,12 @@ PKG_MD5SUM ?= unknown
PKG_BUILD_PARALLEL ?=
PKG_USE_MIPS16 ?= 1
PKG_CHECK_FORMAT_SECURITY ?= 1
+PKG_CC_STACKPROTECTOR_REGULAR ?= 1
+PKG_CC_STACKPROTECTOR_STRONG ?= 1
+PKG_FORTIFY_SOURCE_1 ?= 1
+PKG_FORTIFY_SOURCE_2 ?= 1
+PKG_RELRO_PARTIAL ?= 1
+PKG_RELRO_FULL ?= 1
ifneq ($(CONFIG_PKG_BUILD_USE_JOBSERVER),)
MAKE_J:=$(if $(MAKE_JOBSERVER),$(MAKE_JOBSERVER) -j)
@@ -39,6 +45,36 @@ ifdef CONFIG_PKG_CHECK_FORMAT_SECURITY
TARGET_CFLAGS += -Wformat -Werror=format-security
endif
endif
+ifdef CONFIG_PKG_CC_STACKPROTECTOR_REGULAR
+ ifeq ($(strip $(PKG_CC_STACKPROTECTOR_REGULAR)),1)
+ TARGET_CFLAGS += -fstack-protector
+ endif
+endif
+ifdef CONFIG_PKG_CC_STACKPROTECTOR_STRONG
+ ifeq ($(strip $(PKG_CC_STACKPROTECTOR_STRONG)),1)
+ TARGET_CFLAGS += -fstack-protector-strong
+ endif
+endif
+ifdef CONFIG_PKG_FORTIFY_SOURCE_1
+ ifeq ($(strip $(PKG_FORTIFY_SOURCE_1)),1)
+ TARGET_CFLAGS += -D_FORTIFY_SOURCE=1
+ endif
+endif
+ifdef CONFIG_PKG_FORTIFY_SOURCE_2
+ ifeq ($(strip $(PKG_FORTIFY_SOURCE_2)),1)
+ TARGET_CFLAGS += -D_FORTIFY_SOURCE=2
+ endif
+endif
+ifdef CONFIG_PKG_RELRO_PARTIAL
+ ifeq ($(strip $(PKG_RELRO_PARTIAL)),1)
+ TARGET_CFLAGS += -Wl,-z,relro
+ endif
+endif
+ifdef CONFIG_PKG_RELRO_FULL
+ ifeq ($(strip $(PKG_RELRO_FULL)),1)
+ TARGET_CFLAGS += -Wl,-z,now -Wl,-z,relro
+ endif
+endif
include $(INCLUDE_DIR)/prereq.mk
include $(INCLUDE_DIR)/host.mk