diff options
Diffstat (limited to 'config')
-rw-r--r-- | config/Config-build.in | 88 |
1 files changed, 79 insertions, 9 deletions
diff --git a/config/Config-build.in b/config/Config-build.in index 89cf964a8e..280f71923b 100644 --- a/config/Config-build.in +++ b/config/Config-build.in @@ -97,15 +97,6 @@ menu "Global build settings" If you are unsure, select N. - config PKG_CHECK_FORMAT_SECURITY - bool - prompt "Enable gcc format-security" - default n - help - Add -Wformat -Werror=format-security to the CFLAGS. You can disable - this per package by adding PKG_CHECK_FORMAT_SECURITY:=0 in the package - Makefile. - config PKG_BUILD_USE_JOBSERVER bool prompt "Use top-level make jobserver for packages" @@ -216,4 +207,83 @@ menu "Global build settings" bool "libstdc++" endchoice + comment "Hardening build options" + + config PKG_CHECK_FORMAT_SECURITY + bool + prompt "Enable gcc format-security" + default n + help + Add -Wformat -Werror=format-security to the CFLAGS. You can disable + this per package by adding PKG_CHECK_FORMAT_SECURITY:=0 in the package + Makefile. + + choice + prompt "User space Stack-Smashing Protection" + default PKG_CC_STACKPROTECTOR_NONE + help + Enable GCC Stack Smashing Protection (SSP) for userspace applications + config PKG_CC_STACKPROTECTOR_NONE + bool "None" + config PKG_CC_STACKPROTECTOR_REGULAR + bool "Regular" + select SSP_SUPPORT + depends on KERNEL_CC_STACKPROTECTOR_REGULAR + config PKG_CC_STACKPROTECTOR_STRONG + bool "Strong" + select SSP_SUPPORT + depends on GCC_VERSION_4_9_LINARO + depends on KERNEL_CC_STACKPROTECTOR_STRONG + endchoice + + choice + prompt "Kernel space Stack-Smashing Protection" + default KERNEL_CC_STACKPROTECTOR_NONE + help + Enable GCC Stack-Smashing Protection (SSP) for the kernel + config KERNEL_CC_STACKPROTECTOR_NONE + bool "None" + config KERNEL_CC_STACKPROTECTOR_REGULAR + bool "Regular" + config KERNEL_CC_STACKPROTECTOR_STRONG + depends on GCC_VERSION_4_9_LINARO + bool "Strong" + endchoice + + choice + prompt "Enable buffer-overflows detction (FORTIFY_SOURCE)" + help + Enable the _FORTIFY_SOURCE macro which introduces additional + checks to detect buffer-overflows in the following standard library + functions: memcpy, mempcpy, memmove, memset, strcpy, stpcpy, + strncpy, strcat, strncat, sprintf, vsprintf, snprintf, vsnprintf, + gets. "Conservative" (_FORTIFY_SOURCE set to 1) only introduces + checks that sholdn't change the behavior of conforming programs, + while "aggressive" (_FORTIFY_SOURCES set to 2) some more checking is + added, but some conforming programs might fail. + config PKG_FORTIFY_SOURCE_NONE + bool "None" + config PKG_FORTIFY_SOURCE_1 + bool "Conservative" + config PKG_FORTIFY_SOURCE_2 + bool "Aggressive" + endchoice + + choice + prompt "Enable RELRO protection" + help + Enable a link-time protection know as RELRO (Relocation Read Only) + which helps to protect from certain type of exploitation techniques + altering the content of some ELF sections. "Partial" RELRO makes the + .dynamic section not writeable after initialization, introducing + almost no performance penalty, while "full" RELRO also marks the GOT + as read-only at the cost of initializing all of it at startup. + config PKG_RELRO_NONE + bool "None" + config PKG_RELRO_PARTIAL + bool "Partial" + config PKG_RELRO_FULL + bool "Full" + endchoice + endmenu |