Commit c5866be0 authored by Thomas Petazzoni Committed by Peter Korsgaard

toolchain: refactor Stack Smashing Protection support



This commit refactors how Stack Smashing Protection support is handled
in Buildroot:

 *) It turns the BR2_TOOLCHAIN_BUILDROOT_USE_SSP option into an option
    that only enables the SSP support in uClibc, when using the internal
    toolchain backend.

 *) It adds a hidden BR2_TOOLCHAIN_HAS_SSP option that gets enabled
    when the toolchain has SSP support. Here we have the usual dance:
    glibc/eglibc in internal/external backend always select this
    option, in the case of uClibc/internal, it gets selected when
    BR2_TOOLCHAIN_BUILDROOT_USE_SSP is enabled, in the case of
    uClibc/external, there is a new configuration option that the user
    must select (or not) depending on whether the toolchain has SSP
    support.

 *) It adds a new option BR2_ENABLE_SSP in the "Build options" menu,
    to enable the usage of SSP support, by adding
    -fstack-protector-all to the CFLAGS.

Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Signed-off-by: Peter Korsgaard <jacmet@sunsite.dk>
parent 094fd1d0
+17 −0
@@ -402,6 +402,23 @@ config BR2_OPTIMIZE_S

endchoice

config BR2_ENABLE_SSP
	bool "build code with Stack Smashing Protection"
	depends on BR2_TOOLCHAIN_HAS_SSP
	help
	  Enable stack smashing protection support using GCCs
	  -fstack-protector-all option.

	  See http://www.linuxfromscratch.org/hints/downloads/files/ssp.txt
          for details.

	  Note that this requires the toolchain to have SSP
	  support. This is always the case for glibc and eglibc
	  toolchain, but is optional in uClibc toolchains.

comment "enabling Stack Smashing Protection requires support in the toolchain"
	depends on !BR2_TOOLCHAIN_HAS_SSP

config BR2_PREFER_STATIC_LIB
	bool "prefer static libraries"
	help
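Review bot: The help text of BR2_ENABLE_SSP does not say what `-fstack-protector-all` costs: it instruments every function rather than only those with local buffers, which matters for code size and speed on small targets. A sentence such as `This instruments every function and increases code size and run time.` after the first help paragraph would let users make that choice knowingly. Two style points in the same block: the `for details.` continuation line is indented with spaces where the rest of the help uses a tab plus two spaces, and `GCCs` should read `GCC's`. The following entry, BR2_PREFER_STATIC_LIB, continues outside the hunk.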
+1 −1
@@ -133,7 +133,7 @@ TARGET_CFLAGS += -msep-data
TARGET_CXXFLAGS += -msep-data
endif

ifeq ($(BR2_TOOLCHAIN_BUILDROOT_USE_SSP),y)
ifeq ($(BR2_ENABLE_SSP),y)
TARGET_CFLAGS += -fstack-protector-all
TARGET_CXXFLAGS += -fstack-protector-all
endif
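Review bot: A configuration that already had BR2_TOOLCHAIN_BUILDROOT_USE_SSP=y stops getting `-fstack-protector-all` in TARGET_CFLAGS and TARGET_CXXFLAGS once this conditional tests BR2_ENABLE_SSP, because the new symbol is declared without a `default` in its Config.in entry. For anyone reusing an old .config or defconfig this is a loss of hardening on upgrade with no build error to reveal it. If keeping the old behaviour is intended, `default y if BR2_TOOLCHAIN_BUILDROOT_USE_SSP` on BR2_ENABLE_SSP would preserve it; otherwise the change deserves a line in the release notes. The surrounding flag setup continues outside the hunk.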
+2 −2
@@ -10,8 +10,8 @@ PSMISC_LICENSE = GPLv2
PSMISC_LICENSE_FILES = COPYING
PSMISC_DEPENDENCIES = ncurses $(if $(BR2_NEEDS_GETTEXT_IF_LOCALE),gettext)

ifneq ($(BR2_TOOLCHAIN_BUILDROOT_USE_SSP),y)
# Don't force -fstack-protector
ifeq ($(BR2_TOOLCHAIN_HAS_SSP),)
# Don't force -fstack-protector when SSP is not available in toolchain
PSMISC_CONF_OPT = --disable-harden-flags
endif
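Review bot: The updated comment speaks only of `-fstack-protector`, but `--disable-harden-flags` is, going by its name, a switch for the package's whole set of hardening flags, so a toolchain without SSP probably loses the other ones as well. The comment should say so, for example `# psmisc's harden flags include -fstack-protector; without SSP in the toolchain the whole set has to be disabled`, so that a later reader knows the trade-off is deliberate. The test is also on BR2_TOOLCHAIN_HAS_SSP rather than BR2_ENABLE_SSP, so psmisc keeps its own hardening even when the global option is off; that looks intentional but is worth stating in the same comment.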

+10 −0
@@ -130,6 +130,16 @@ config BR2_PTHREAD_DEBUG
	help
	  Build the thread library with debugging enabled.

config BR2_TOOLCHAIN_BUILDROOT_USE_SSP
	bool "Enable stack protection support"
	select BR2_TOOLCHAIN_HAS_SSP
	help
	  Enable stack smashing protection support using GCCs
	  -fstack-protector-all option in uClibc.

	  See http://www.linuxfromscratch.org/hints/downloads/files/ssp.txt
	  for details.

config BR2_UCLIBC_INSTALL_UTILS
	bool "Compile and install uClibc utilities"
	depends on !BR2_bfin
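Review bot: The prompt and help of BR2_TOOLCHAIN_BUILDROOT_USE_SSP still read as if selecting it hardens the build, while per the commit description it now only enables SSP support inside uClibc and the compiler flag is controlled by BR2_ENABLE_SSP. Someone who enables only this option could believe packages are protected when they are not. The help should say that this makes SSP available in the C library and add `To build packages with the protector, also enable BR2_ENABLE_SSP in the Build options menu.`; `GCCs` should read `GCC's` here too.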
+1 −0
@@ -18,6 +18,7 @@ config BR2_TOOLCHAIN_USES_GLIBC
	select BR2_TOOLCHAIN_HAS_THREADS
	select BR2_TOOLCHAIN_HAS_THREADS_DEBUG
	select BR2_TOOLCHAIN_HAS_SHADOW_PASSWORDS
	select BR2_TOOLCHAIN_HAS_SSP
	select BR2_TOOLCHAIN_LIBC_NEEDS_THREE_STAGE_BUILD

config BR2_TOOLCHAIN_USES_UCLIBC