summaryrefslogtreecommitdiff
path: root/include/hardening.mk
diff options
context:
space:
mode:
authorJulien Dusser <julien.dusser@free.fr>2018-01-08 23:47:06 +0100
committerHauke Mehrtens <hauke@hauke-m.de>2018-01-27 16:46:45 +0100
commitdf0bd42fdeb76c9bc51b816c3df699db123c0024 (patch)
tree1057e289580397c014b2c9c4460057e9e7ac8367 /include/hardening.mk
parentca7e8627dbbbcae0d1bfacea51d9b564617195de (diff)
downloadmtk-20170518-df0bd42fdeb76c9bc51b816c3df699db123c0024.zip
mtk-20170518-df0bd42fdeb76c9bc51b816c3df699db123c0024.tar.gz
mtk-20170518-df0bd42fdeb76c9bc51b816c3df699db123c0024.tar.bz2
build: add hardened builds with PIE (ASLR) support
Introduce a configuration option to build a "hardened" OpenWrt with ASLR PIE support. Add new option PKG_ASLR_PIE to enable Address Space Layout Randomization (ASLR) by building Position Independent Executables (PIE). This new option protects against "return-to-text" attacks. Busybox need a special care, link is done with ld, not gcc, leading to unknown flags. Set BUSYBOX_DEFAULT_PIE instead and disable PKG_ASLR_PIE. If other failing packages were found, PKG_ASLR_PIE:=0 should be added to their Makefiles. Original Work by: Yongkui Han <yonhan@cisco.com> Signed-off-by: Julien Dusser <julien.dusser@free.fr>
Diffstat (limited to 'include/hardening.mk')
-rw-r--r--include/hardening.mk7
1 files changed, 7 insertions, 0 deletions
diff --git a/include/hardening.mk b/include/hardening.mk
index c277081..06a6178 100644
--- a/include/hardening.mk
+++ b/include/hardening.mk
@@ -6,6 +6,7 @@
#
PKG_CHECK_FORMAT_SECURITY ?= 1
+PKG_ASLR_PIE ?= 1
PKG_SSP ?= 1
PKG_FORTIFY_SOURCE ?= 1
PKG_RELRO ?= 1
@@ -15,6 +16,12 @@ ifdef CONFIG_PKG_CHECK_FORMAT_SECURITY
TARGET_CFLAGS += -Wformat -Werror=format-security
endif
endif
+ifdef CONFIG_PKG_ASLR_PIE
+ ifeq ($(strip $(PKG_ASLR_PIE)),1)
+ TARGET_CFLAGS += -fPIC
+ TARGET_LDFLAGS += -specs=$(INCLUDE_DIR)/hardened-ld-pie.specs
+ endif
+endif
ifdef CONFIG_PKG_CC_STACKPROTECTOR_REGULAR
ifeq ($(strip $(PKG_SSP)),1)
TARGET_CFLAGS += -fstack-protector