This tristate choose allows to select to build only some applications
with PIE enabled. On MIPS binaries are getting about 30% bigger when PIE
is activated for the, which is a huge increase.
Network exposed applications like dnsmasq should then be build with PIE
enabled, but some applications which are normally not parsing data from
the network do not have it activated. The regular option should give a
good trade off between extra flash and RAM memory usage and security.
This changes the default from building no applications with PIE to build
some specifically marked applications with PIE enabled. This option is
only activated for targets with bigger flash and RAM to not consume
extra memory on the very small targets. On SDK builds the Regular option
should always be selected, because some tiny targets share the
applications with big targets and only the images for the tiny targets
should contain the none PIE applications, but the images for the normal
targets should use PIE. The shared packages should always use PIE when
it should be normally activated.
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
Acked-by: Petr Štetiar <ynezz@true.cz>
this per package by adding PKG_CHECK_FORMAT_SECURITY:=0 in the package
Makefile.
this per package by adding PKG_CHECK_FORMAT_SECURITY:=0 in the package
Makefile.
- config PKG_ASLR_PIE
- bool
prompt "User space ASLR PIE compilation"
prompt "User space ASLR PIE compilation"
- select BUSYBOX_DEFAULT_PIE
- default n
+ default PKG_ASLR_PIE_NONE if ((SMALL_FLASH || LOW_MEMORY_FOOTPRINT) && !SDK)
+ default PKG_ASLR_PIE_REGULAR
help
Add -fPIC to CFLAGS and -specs=hardened-build-ld to LDFLAGS.
This enables package build as Position Independent Executables (PIE)
help
Add -fPIC to CFLAGS and -specs=hardened-build-ld to LDFLAGS.
This enables package build as Position Independent Executables (PIE)
to predict when an attacker is attempting a memory-corruption exploit.
You can disable this per package by adding PKG_ASLR_PIE:=0 in the package
Makefile.
to predict when an attacker is attempting a memory-corruption exploit.
You can disable this per package by adding PKG_ASLR_PIE:=0 in the package
Makefile.
+ Be ware that ASLR increases the binary size.
+ config PKG_ASLR_PIE_NONE
+ bool "None"
+ help
+ PIE is deactivated for all applications
+ config PKG_ASLR_PIE_REGULAR
+ bool "Regular"
+ help
+ PIE is activated for some binaries, mostly network exposed applications
+ config PKG_ASLR_PIE_ALL
+ bool "All"
+ select BUSYBOX_DEFAULT_PIE
+ help
+ PIE is activated for all applications
+ endchoice
choice
prompt "User space Stack-Smashing Protection"
choice
prompt "User space Stack-Smashing Protection"
PKG_CHECK_FORMAT_SECURITY ?= 1
PKG_ASLR_PIE ?= 1
PKG_CHECK_FORMAT_SECURITY ?= 1
PKG_ASLR_PIE ?= 1
+PKG_ASLR_PIE_REGULAR ?= 0
PKG_SSP ?= 1
PKG_FORTIFY_SOURCE ?= 1
PKG_RELRO ?= 1
PKG_SSP ?= 1
PKG_FORTIFY_SOURCE ?= 1
PKG_RELRO ?= 1
TARGET_CFLAGS += -Wformat -Werror=format-security
endif
endif
TARGET_CFLAGS += -Wformat -Werror=format-security
endif
endif
-ifdef CONFIG_PKG_ASLR_PIE
+ifdef CONFIG_PKG_ASLR_PIE_ALL
ifeq ($(strip $(PKG_ASLR_PIE)),1)
TARGET_CFLAGS += $(FPIC)
TARGET_LDFLAGS += $(FPIC) -specs=$(INCLUDE_DIR)/hardened-ld-pie.specs
endif
endif
ifeq ($(strip $(PKG_ASLR_PIE)),1)
TARGET_CFLAGS += $(FPIC)
TARGET_LDFLAGS += $(FPIC) -specs=$(INCLUDE_DIR)/hardened-ld-pie.specs
endif
endif
+ifdef CONFIG_PKG_ASLR_PIE_REGULAR
+ ifeq ($(strip $(PKG_ASLR_PIE_REGULAR)),1)
+ TARGET_CFLAGS += $(FPIC)
+ TARGET_LDFLAGS += $(FPIC) -specs=$(INCLUDE_DIR)/hardened-ld-pie.specs
+ endif
+endif
ifdef CONFIG_PKG_CC_STACKPROTECTOR_REGULAR
ifeq ($(strip $(PKG_SSP)),1)
TARGET_CFLAGS += -fstack-protector
ifdef CONFIG_PKG_CC_STACKPROTECTOR_REGULAR
ifeq ($(strip $(PKG_SSP)),1)
TARGET_CFLAGS += -fstack-protector