[uClibc-cvs] CVS uClibc/extra/Configs
CVS User solar
solar at codepoet.org
Tue Feb 8 17:44:46 UTC 2005
Update of /var/cvs/uClibc/extra/Configs
In directory nail:/tmp/cvs-serv17955/extra/Configs
Modified Files:
Config.in
Log Message:
- ssp updates 2/NN today
--- /var/cvs/uClibc/extra/Configs/Config.in 2005/01/16 09:46:57 1.69
+++ /var/cvs/uClibc/extra/Configs/Config.in 2005/02/08 17:44:46 1.70
@@ -1110,24 +1110,41 @@
functions must be written as position independent code (PIC).
config UCLIBC_HAS_SSP
- bool "Support for propolice stack protection"
+ bool "Support for propolice smashing stack protector"
depends on UCLIBC_SECURITY
default n
help
- Adds propolice protection to libc (__guard and __stack_smash_handler).
- More about it on <http://www.research.ibm.com/trl/projects/security/ssp> .
- To be able to use it, you'll also need a propolice patched gcc,
- supporting the -fstack-protector[-all] options. It is a specially patched
- gcc version, where __guard and __stack_smash_handler are removed from libgcc.
+ Add propolice smashing stack protector to the library.
+ This requires a patched version of GCC, supporting the
+ -fstack-protector[-all] options, with the __guard and
+ __stack_smash_handler functions removed from libgcc. These functions
+ are added to libc instead.
+ More information at:
+ http://www.research.ibm.com/trl/projects/security/ssp/
Most people will answer N.
config SSP_QUICK_CANARY
- bool "Simple propolice canary w/o accessing /dev/*random"
+ bool "Use simple guard values without accessing /dev/urandom"
depends on UCLIBC_HAS_SSP
default n
help
- Propolice uses a simplified version of the canary, without accessing
- /dev/*random.
+ Use gettimeofday(2) to define the __guard without accessing
+ /dev/urandom.
+ WARNING: This makes smashing stack protector vulnerable to timing
+ attacks.
+ Most people will answer N.
+
+config SSP_USE_ERANDOM
+ bool "Use erandom for setting guard values"
+ depends on UCLIBC_HAS_SSP && !SSP_QUICK_CANARY
+ default n
+ help
+ Use erandom to define the __guard. If erandom fails at runtime then
+ /dev/urandom will be used. The erandom interface is available from
+ sysctl and /dev/erandom. The sysctl interface will work threw chroot.
+ Erandom uses no kernel entropy. This requires a modified kernel.
+ More information at:
+ http://frandom.sourceforge.net/.
Most people will answer N.
choice
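Review bot: typo in the new SSP_USE_ERANDOM help text, "The sysctl interface will work threw chroot." should read "through chroot", and the trailing period in "http://frandom.sourceforge.net/." will be swallowed into the link by URL-aware readers, so end the line without it. The SSP_QUICK_CANARY warning also describes the wrong failure mode: seeding __guard from gettimeofday(2) makes the canary low-entropy and predictable to anyone who can estimate the process start time, which is a guessable-canary weakness rather than a "timing attack"; suggested wording: "WARNING: the guard is derived from the clock and is therefore predictable; only use this where /dev/urandom is unavailable."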
@@ -1160,7 +1177,6 @@
config UCLIBC_BUILD_SSP
bool "Build uClibc with propolice protection"
- depends on UCLIBC_SECURITY
depends on UCLIBC_HAS_SSP
default n
help
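Review bot: dropping `depends on UCLIBC_SECURITY` from UCLIBC_BUILD_SSP is safe but undocumented; the remaining `depends on UCLIBC_HAS_SSP` carries the constraint transitively, since UCLIBC_HAS_SSP itself declares `depends on UCLIBC_SECURITY` in the first hunk, so this is a pure simplification with no change in which configurations are offered. The log message "ssp updates 2/NN today" does not say that, so a one-line rationale in the commit message would help anyone bisecting later.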