[Buildroot] [PATCH v4 02/13] security hardening: add RELFO, FORTIFY options
Peter Korsgaard
peter at korsgaard.com
Sun Jan 28 14:20:38 UTC 2018
>>>>> "Matt" == Matt Weber <matthew.weber at rockwellcollins.com> writes:
> This enables a user to build a complete system using these
> options. It is important to note that not all packages will
> build correctly to start with.
> Modeled after OpenWRT approach
> https://github.com/openwrt/openwrt/blob/master/config/Config-build.in#L176
> A good testing tool to check a target's elf files for compliance
> to an array of hardening techniques can be found here:
> https://github.com/slimm609/checksec.sh
> Signed-off-by: Matthew Weber <matthew.weber at rockwellcollins.com>
> --
> Changes
> v1 -> v2
> - Cosmetic caps on titles
> v2 -> v3
> - Consolidated the way flags were set using CPPFLAGS (Arnout)
> - Removed fortran flag as not relevant for this feature (Arnout)
> - Added BR2_TOOLCHAIN_USES_GLIBC and optimization level dependency
> v3 -> v4
> [Nicolas C
> - Used BR2_OPTIMIZE_0 as Config.in dependency
> for Fortify instead of using a warning at
> make time.
> - Enable -> Disable for the None options I
> mislabeled as enabling (relro/fortify).
> +config BR2_FORTIFY_SOURCE_1
> + bool "Conservative"
> + help
> + This option sets _FORTIFY_SOURCE set to 1 and only introduces
This sounds odd. Dropped the 2nd 'set' and rewrapped (here and for _SOURCE_2).
> +comment "Fortify Source needs a GLIBC toolchain and some level of optimization"
> + depends on (!BR2_TOOLCHAIN_USES_GLIBC || BR2_OPTIMIZE_0)
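Review bot: the `depends on (!BR2_TOOLCHAIN_USES_GLIBC || BR2_OPTIMIZE_0)` line makes this single comment appear for two unrelated causes, so a user who sees it cannot tell which of the two requirements is unmet. Consider two comments, one depending on `!BR2_TOOLCHAIN_USES_GLIBC` and one on `BR2_OPTIMIZE_0`, each naming only its own requirement. The outer parentheses around the expression can also be dropped.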
We elsewhere don't write glibc in CAPITALS. 'Some level of optimization'
sounds a bit odd to me, so I reworded it to 'and optimization'.
Committed with that fixed, thanks!
--
Bye, Peter Korsgaard