include/hardening.mk

   1 #
   2 # Copyright (C) 2015 OpenWrt.org
   3 #
   4 # This is free software, licensed under the GNU General Public License v2.
   5 # See /LICENSE for more information.
   6 #
   7
   8 PKG_CHECK_FORMAT_SECURITY ?= 1
   9 PKG_ASLR_PIE ?= 1
  10 PKG_ASLR_PIE_REGULAR ?= 0
  11 PKG_SSP ?= 1
  12 PKG_FORTIFY_SOURCE ?= 1
  13 PKG_RELRO ?= 1
  14
  15 ifdef CONFIG_PKG_CHECK_FORMAT_SECURITY
  16   ifeq ($(strip $(PKG_CHECK_FORMAT_SECURITY)),1)
  17     TARGET_CFLAGS += -Wformat -Werror=format-security
  18   endif
  19 endif
  20 ifdef CONFIG_PKG_ASLR_PIE_ALL
  21   ifeq ($(strip $(PKG_ASLR_PIE)),1)
  22     TARGET_CFLAGS += $(FPIC)
  23     TARGET_LDFLAGS += $(FPIC) -specs=$(INCLUDE_DIR)/hardened-ld-pie.specs
  24   endif
  25 endif
  26 ifdef CONFIG_PKG_ASLR_PIE_REGULAR
  27   ifeq ($(strip $(PKG_ASLR_PIE_REGULAR)),1)
  28     TARGET_CFLAGS += $(FPIC)
  29     TARGET_LDFLAGS += $(FPIC) -specs=$(INCLUDE_DIR)/hardened-ld-pie.specs
  30   endif
  31 endif
  32 ifdef CONFIG_PKG_CC_STACKPROTECTOR_REGULAR
  33   ifeq ($(strip $(PKG_SSP)),1)
  34     TARGET_CFLAGS += -fstack-protector
  35   endif
  36 endif
  37 ifdef CONFIG_PKG_CC_STACKPROTECTOR_STRONG
  38   ifeq ($(strip $(PKG_SSP)),1)
  39     TARGET_CFLAGS += -fstack-protector-strong
  40   endif
  41 endif
  42 ifdef CONFIG_PKG_FORTIFY_SOURCE_1
  43   ifeq ($(strip $(PKG_FORTIFY_SOURCE)),1)
  44     TARGET_CFLAGS += -D_FORTIFY_SOURCE=1
  45   endif
  46 endif
  47 ifdef CONFIG_PKG_FORTIFY_SOURCE_2
  48   ifeq ($(strip $(PKG_FORTIFY_SOURCE)),1)
  49     TARGET_CFLAGS += -D_FORTIFY_SOURCE=2
  50   endif
  51 endif
  52 ifdef CONFIG_PKG_RELRO_PARTIAL
  53   ifeq ($(strip $(PKG_RELRO)),1)
  54     TARGET_CFLAGS += -Wl,-z,relro
  55     TARGET_LDFLAGS += -zrelro
  56   endif
  57 endif
  58 ifdef CONFIG_PKG_RELRO_FULL
  59   ifeq ($(strip $(PKG_RELRO)),1)
  60     TARGET_CFLAGS += -Wl,-z,now -Wl,-z,relro
  61     TARGET_LDFLAGS += -znow -zrelro
  62   endif
  63 endif
  64