[uClibc-cvs] CVS uClibc/extra/Configs

CVS User solar solar at codepoet.org
Tue Feb 8 17:44:46 UTC 2005


Update of /var/cvs/uClibc/extra/Configs
In directory nail:/tmp/cvs-serv17955/extra/Configs

Modified Files:
	Config.in 
Log Message:
- ssp updates 2/NN today

--- /var/cvs/uClibc/extra/Configs/Config.in	2005/01/16 09:46:57	1.69
+++ /var/cvs/uClibc/extra/Configs/Config.in	2005/02/08 17:44:46	1.70
@@ -1110,24 +1110,41 @@
 		functions must be written as position independent code (PIC).
 
 config UCLIBC_HAS_SSP
-	bool "Support for propolice stack protection"
+	bool "Support for propolice smashing stack protector"
 	depends on UCLIBC_SECURITY
 	default n
 	help
-	  Adds propolice protection to libc (__guard and __stack_smash_handler).
-	  More about it on <http://www.research.ibm.com/trl/projects/security/ssp> .
-	  To be able to use it, you'll also need a propolice patched gcc,
-	  supporting the -fstack-protector[-all] options. It is a specially patched
-	  gcc version, where __guard and __stack_smash_handler are removed from libgcc.
+	  Add propolice smashing stack protector to the library.
+	  This requires a patched version of GCC, supporting the
+	  -fstack-protector[-all] options, with the __guard and
+	  __stack_smash_handler functions removed from libgcc. These functions
+	  are added to libc instead.
+	  More information at:
+	  http://www.research.ibm.com/trl/projects/security/ssp/
 	  Most people will answer N.
 
 config SSP_QUICK_CANARY
-	bool "Simple propolice canary w/o accessing /dev/*random"
+	bool "Use simple guard values without accessing /dev/urandom"
 	depends on UCLIBC_HAS_SSP
 	default n
 	help
-	  Propolice uses a simplified version of the canary, without accessing
-	  /dev/*random.
+	  Use gettimeofday(2) to define the __guard without accessing
+	  /dev/urandom.
+	  WARNING: This makes smashing stack protector vulnerable to timing
+		attacks.
+	  Most people will answer N.
+
+config SSP_USE_ERANDOM
+	bool "Use erandom for setting guard values"
+	depends on UCLIBC_HAS_SSP && !SSP_QUICK_CANARY
+	default n
+	help
+	  Use erandom to define the __guard. If erandom fails at runtime then
+	  /dev/urandom will be used. The erandom interface is available from
+	  sysctl and /dev/erandom. The sysctl interface will work threw chroot.
+	  Erandom uses no kernel entropy. This requires a modified kernel.
+	  More information at:
+	  http://frandom.sourceforge.net/.
 	  Most people will answer N.
 
 choice
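Review bot: the SSP_USE_ERANDOM help text has a typo, "The sysctl interface will work threw chroot" should read "through chroot", and the trailing period in "http://frandom.sourceforge.net/." will be carried into the URL by anyone copying it; suggest dropping the period or moving it off the URL line. In the SSP_QUICK_CANARY help, "vulnerable to timing attacks" is not quite the right description of the weakness: since the text itself says the __guard is derived from gettimeofday(2), the issue is that the guard value becomes guessable rather than that it leaks through a timing side channel, so something like "makes the guard value predictable" would describe the risk more accurately. The `depends on UCLIBC_HAS_SSP && !SSP_QUICK_CANARY` line correctly makes the two guard sources mutually exclusive, and the documented fallback to /dev/urandom when erandom fails is worth keeping in the help since it tells users what happens on a kernel without the erandom module.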
@@ -1160,7 +1177,6 @@
 
 config UCLIBC_BUILD_SSP
 	bool "Build uClibc with propolice protection"
-	depends on UCLIBC_SECURITY
 	depends on UCLIBC_HAS_SSP
 	default n
 	help
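Review bot: dropping `depends on UCLIBC_SECURITY` from UCLIBC_BUILD_SSP is safe because the remaining `depends on UCLIBC_HAS_SSP` already implies it (UCLIBC_HAS_SSP itself depends on UCLIBC_SECURITY in the hunk above), so this only removes a redundant line. While touching this entry, consider renaming the prompt "Build uClibc with propolice protection" to match the "propolice smashing stack protector" wording introduced for UCLIBC_HAS_SSP so the two options read consistently in menuconfig.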


