path: root/include/hardening.mk
Log for this file, newest first. Each entry: commit title (author, date; files changed: lines removed/added), followed by the commit message.
* buildsystem: Make PIE ASLR option tristate (Hauke Mehrtens, 2020-01-13; 1 file changed: -1/+8)

This tristate choice allows selecting to build only some applications with PIE enabled. On MIPS, binaries get about 30% bigger when PIE is activated for them, which is a huge increase. Network-exposed applications like dnsmasq should then be built with PIE enabled, but some applications which normally do not parse data from the network do not have it activated. The Regular option should give a good trade-off between extra flash and RAM memory usage and security.

This changes the default from building no applications with PIE to building some specifically marked applications with PIE enabled. This option is only activated for targets with bigger flash and RAM, to not consume extra memory on the very small targets.

On SDK builds the Regular option should always be selected, because some tiny targets share the applications with big targets and only the images for the tiny targets should contain the non-PIE applications, but the images for the normal targets should use PIE. The shared packages should always use PIE when it should normally be activated.

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
Acked-by: Petr Štetiar <ynezz@true.cz>
* build: fix ASLR for LTO packages (Julien Dusser, 2018-07-30; 1 file changed: -1/+1)

Fix building packages with LTO when CONFIG_PKG_ASLR_PIE is enabled. Despite the comment in PR lto/80838, it seems that GCC needs -fPIC on the linker command line, even if all objects are -fPIC. This may change as PR lto/80838 is merged into 8.1.

compile-tested: ar71xx, ath79

Fix commits:
6dac92a42e052f89971762173daabb7fd84742ef
8c11133c9de632dca69c8464f911d8e2716effe2
07940acc341ee9bb2887359f193625e48f36207e
e7397eef69a20fc630148d0e597523e139d21c0c
ef16a394d2b24a363b50b5b4720cb23fe156c9da
ef96d1e34a990871c912938c336f51a510b1e32f
47b42137ce1e931ae5871952b1f98438396f5e07
73fc67b61480a3430d31de33478a1c0c2c364b9c
154c0c4006daf41e2cbb6c8b7ad5557f83dfea3e
804c51e1e661819c5a7532e66fb8a12166eef9a9

Signed-off-by: Julien Dusser <julien.dusser@free.fr>
* build: ASLR hardening use $(FPIC) (Kevin Darbyshire-Bryant, 2018-07-03; 1 file changed: -1/+1)

Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
* build: add hardened builds with PIE (ASLR) support (Julien Dusser, 2018-01-27; 1 file changed: -0/+7)

Introduce a configuration option to build a "hardened" OpenWrt with ASLR PIE support.

Add new option PKG_ASLR_PIE to enable Address Space Layout Randomization (ASLR) by building Position Independent Executables (PIE). This new option protects against "return-to-text" attacks.

BusyBox needs special care: linking is done with ld, not gcc, leading to unknown flags. Set BUSYBOX_DEFAULT_PIE instead and disable PKG_ASLR_PIE.

If other failing packages are found, PKG_ASLR_PIE:=0 should be added to their Makefiles.

Original Work by: Yongkui Han <yonhan@cisco.com>
Signed-off-by: Julien Dusser <julien.dusser@free.fr>
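A practitioner enabling PKG_ASLR_PIE will want to confirm that a given build product really came out position independent, since packages such as BusyBox (linked with ld rather than gcc, as the message above notes) or any package carrying PKG_ASLR_PIE:=0 silently fall back to classic executables. The following shell script is an added example; it is not part of the OpenWrt build system or of any commit on this page. It reads the e_type field straight from the ELF header, honouring the EI_DATA byte-order flag so that big-endian MIPS and little-endian targets are both handled, and it uses constructed 20-byte header stubs (not real binaries; the file names are made up for the demonstration) as sample input so it runs offline.

```shell
#!/bin/sh
# Added example (not OpenWrt code): decide from the ELF header whether a binary
# is position independent, i.e. whether PKG_ASLR_PIE actually took effect.
# A PIE executable has e_type == ET_DYN (3); a classic one has ET_EXEC (2).
# e_type is a 16-bit field at offset 16 whose byte order follows EI_DATA
# (offset 5: 01 = little-endian, 02 = big-endian).

# Print the byte at offset $2 of file $1 as two lowercase hex digits.
byte_at() {
    od -An -tx1 -j"$2" -N1 "$1" | tr -d ' \n'
}

# Print EXEC, DYN or OTHER for an ELF file; print NOTELF and fail otherwise.
elf_type() {
    f=$1
    magic=$(od -An -tx1 -N4 "$f" | tr -d ' \n')
    [ "$magic" = "7f454c46" ] || { echo NOTELF; return 1; }
    case $(byte_at "$f" 5) in
        01) etype="$(byte_at "$f" 17)$(byte_at "$f" 16)" ;;   # ELFDATA2LSB
        02) etype="$(byte_at "$f" 16)$(byte_at "$f" 17)" ;;   # ELFDATA2MSB
        *)  echo NOTELF; return 1 ;;
    esac
    case $etype in
        0002) echo EXEC ;;
        0003) echo DYN ;;
        *)    echo OTHER ;;
    esac
}

# Succeed (exit 0) if the file looks position independent (ET_DYN).
# Caveat: shared libraries are ET_DYN as well; on a real binary also confirm a
# PT_INTERP segment exists (readelf -l) to tell a PIE executable from a .so.
is_pie() {
    [ "$(elf_type "$1")" = DYN ]
}

# Write constructed ELF header stubs (only the first 20 bytes, no code) into $1:
#   mips_be_exec: 32-bit big-endian, e_type 0x0002 (ET_EXEC), e_machine 0x0008 (MIPS)
#   x86_le_pie:   32-bit little-endian, e_type 0x0003 (ET_DYN), e_machine 0x0003 (386)
#   plain_text:   not an ELF file at all
make_samples() {
    printf '\177ELF\001\002\001\000\000\000\000\000\000\000\000\000\000\002\000\010' > "$1/mips_be_exec"
    printf '\177ELF\001\001\001\000\000\000\000\000\000\000\000\000\003\000\003\000' > "$1/x86_le_pie"
    printf 'not an elf file\n' > "$1/plain_text"
}

# Stand-alone demonstration over the constructed samples.
dir=$(mktemp -d)
make_samples "$dir"
for f in mips_be_exec x86_le_pie plain_text; do
    if is_pie "$dir/$f"; then v="PIE (ET_DYN)"; else v="not PIE ($(elf_type "$dir/$f"))"; fi
    printf '%-14s %s\n' "$f" "$v"
done
```

Point `elf_type` or `is_pie` at binaries from the built root filesystem to audit a whole image; the header check only says how the file was linked, not whether the running kernel randomizes mappings, so the kernel's ASLR setting is a separate thing to verify.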
* hardening: make override variables more intuitive (Steven Barth, 2015-06-24; 1 file changed: -12/+9)

Signed-off-by: Steven Barth <steven@midlink.org>
SVN-Revision: 46119
* gcc/musl: rework SSP-support (Steven Barth, 2015-06-22; 1 file changed: -2/+0)

Make musl provide libssp_nonshared.a and make GCC link it unconditionally if musl is used. This should be a no-op if SSP is disabled and seems to be the only reliable way of dealing with SSP over all packages due to the mess that is linkerflags handling in packages.

Signed-off-by: Steven Barth <steven@midlink.org>
SVN-Revision: 46108
* buildroot: move hardening options into separate file (Steven Barth, 2015-06-20; 1 file changed: -0/+55)

Signed-off-by: Steven Barth <steven@midlink.org>
SVN-Revision: 46070