From df0bd42fdeb76c9bc51b816c3df699db123c0024 Mon Sep 17 00:00:00 2001 From: Julien Dusser Date: Mon, 8 Jan 2018 23:47:06 +0100 Subject: build: add hardened builds with PIE (ASLR) support Introduce a configuration option to build a "hardened" OpenWrt with ASLR PIE support. Add new option PKG_ASLR_PIE to enable Address Space Layout Randomization (ASLR) by building Position Independent Executables (PIE). This new option protects against "return-to-text" attacks. Busybox need a special care, link is done with ld, not gcc, leading to unknown flags. Set BUSYBOX_DEFAULT_PIE instead and disable PKG_ASLR_PIE. If other failing packages were found, PKG_ASLR_PIE:=0 should be added to their Makefiles. Original Work by: Yongkui Han Signed-off-by: Julien Dusser --- config/Config-build.in | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) (limited to 'config/Config-build.in') diff --git a/config/Config-build.in b/config/Config-build.in index 7ec7653a9a..660da1c47f 100644 --- a/config/Config-build.in +++ b/config/Config-build.in @@ -184,6 +184,22 @@ menu "Global build settings" this per package by adding PKG_CHECK_FORMAT_SECURITY:=0 in the package Makefile. + config PKG_ASLR_PIE + bool + prompt "User space ASLR PIE compilation" + select BUSYBOX_DEFAULT_PIE + default n + help + Add -fPIC to CFLAGS and -specs=hardened-build-ld to LDFLAGS. + This enables package build as Position Independent Executables (PIE) + to protect against "return-to-text" attacks. This belongs to the + feature of Address Space Layout Randomisation (ASLR), which is + implemented by the kernel and the ELF loader by randomising the + location of memory allocations. This makes memory addresses harder + to predict when an attacker is attempting a memory-corruption exploit. + You can disable this per package by adding PKG_ASLR_PIE:=0 in the package + Makefile. + choice prompt "User space Stack-Smashing Protection" depends on USE_MUSL -- cgit v1.2.3