build: add hardened builds with PIE (ASLR) support

Introduce a configuration option to build a "hardened" OpenWrt with
ASLR PIE support.

Add new option PKG_ASLR_PIE to enable Address Space Layout Randomization (ASLR)
by building Position Independent Executables (PIE). This new option protects
against "return-to-text" attacks.

Busybox need a special care, link is done with ld, not gcc, leading to
unknown flags. Set BUSYBOX_DEFAULT_PIE instead and disable PKG_ASLR_PIE.

If other failing packages were found, PKG_ASLR_PIE:=0 should be added to
their Makefiles.

Original Work by: Yongkui Han <yonhan@cisco.com>
Signed-off-by: Julien Dusser <julien.dusser@free.fr>

1 files changed, 16 insertions, 0 deletions

diff --git a/config/Config-build.in b/config/Config-build.in
index 7ec7653..660da1c 100644
--- a/config/Config-build.in
+++ b/config/Config-build.in
@@ -184,6 +184,22 @@ menu "Global build settings"
 		  this per package by adding PKG_CHECK_FORMAT_SECURITY:=0 in the package
 		  Makefile.
 
+	config PKG_ASLR_PIE
+		bool
+		prompt "User space ASLR PIE compilation"
+		select BUSYBOX_DEFAULT_PIE
+		default n
+		help
+		  Add -fPIC to CFLAGS and -specs=hardened-build-ld to LDFLAGS.
+		  This enables package build as Position Independent Executables (PIE)
+		  to protect against "return-to-text" attacks. This belongs to the
+		  feature of Address Space Layout Randomisation (ASLR), which is
+		  implemented by the kernel and the ELF loader by randomising the
+		  location of memory allocations. This makes memory addresses harder
+		  to predict when an attacker is attempting a memory-corruption exploit.
+		  You can disable this per package by adding PKG_ASLR_PIE:=0 in the package
+		  Makefile.
+
 	choice
 		prompt "User space Stack-Smashing Protection"
 		depends on USE_MUSL