build: add hardened builds with PIE (ASLR) support
[oweals/openwrt.git] / include / hardening.mk
#
# Copyright (C) 2015 OpenWrt.org
#
# This is free software, licensed under the GNU General Public License v2.
# See /LICENSE for more information.
#

# Per-package hardening switches.
#
# `?=` assigns only when the variable is not already set, so a package
# Makefile that defines one of these to anything other than 1 before this
# file is read opts that package out of the corresponding protection.
# A protection is applied only when BOTH conditions hold: the switch below
# strips to exactly "1" AND the matching CONFIG_PKG_* symbol is non-empty.
# NOTE(review): an opt-out is silent. When auditing a build, look for package
# Makefiles that override these switches, and check the produced binaries
# rather than trusting the flags alone -- a package whose build system ignores
# TARGET_CFLAGS / TARGET_LDFLAGS gets none of this.
PKG_CHECK_FORMAT_SECURITY ?= 1
PKG_ASLR_PIE ?= 1
PKG_SSP ?= 1
PKG_FORTIFY_SOURCE ?= 1
PKG_RELRO ?= 1

# Format-string checking: -Wformat enables the format checks and
# -Werror=format-security promotes the format-security diagnostic to an error,
# so a flagged call fails the build instead of only warning.
ifeq ($(strip $(PKG_CHECK_FORMAT_SECURITY)),1)
  ifdef CONFIG_PKG_CHECK_FORMAT_SECURITY
    TARGET_CFLAGS += -Wformat -Werror=format-security
  endif
endif

# Position-independent executables, which let the main program image be
# randomised by ASLR. Objects are compiled with -fPIC and the link step is
# handed a GCC specs file.
# NOTE(review): hardened-ld-pie.specs is not part of this file; presumably it
# makes the link step emit PIE output for executables -- confirm in the spec.
ifeq ($(strip $(PKG_ASLR_PIE)),1)
  ifdef CONFIG_PKG_ASLR_PIE
    TARGET_CFLAGS += -fPIC
    TARGET_LDFLAGS += -specs=$(INCLUDE_DIR)/hardened-ld-pie.specs
  endif
endif

# Stack-smashing protection (stack canaries). The CONFIG symbol picks the
# variant; -fstack-protector-strong instruments more functions than plain
# -fstack-protector.
# NOTE(review): nothing here stops both flags being appended if both symbols
# are set; presumably the config system makes them mutually exclusive.
ifeq ($(strip $(PKG_SSP)),1)
  ifdef CONFIG_PKG_CC_STACKPROTECTOR_REGULAR
    TARGET_CFLAGS += -fstack-protector
  endif
  ifdef CONFIG_PKG_CC_STACKPROTECTOR_STRONG
    TARGET_CFLAGS += -fstack-protector-strong
  endif
endif

# _FORTIFY_SOURCE, level 1 or level 2 depending on the CONFIG symbol.
# NOTE(review): fortification generally has an effect only when compiler
# optimisation is enabled. This file sets no -O level, so confirm that
# TARGET_CFLAGS carries one from elsewhere.
ifeq ($(strip $(PKG_FORTIFY_SOURCE)),1)
  ifdef CONFIG_PKG_FORTIFY_SOURCE_1
    TARGET_CFLAGS += -D_FORTIFY_SOURCE=1
  endif
  ifdef CONFIG_PKG_FORTIFY_SOURCE_2
    TARGET_CFLAGS += -D_FORTIFY_SOURCE=2
  endif
endif

# RELRO (read-only relocations).
#   partial: -z relro only
#   full:    -z now in addition, i.e. all symbols are bound at load time so
#            the GOT can be made read-only as well
# Each option is supplied twice: in -Wl, form through TARGET_CFLAGS and in
# bare form through TARGET_LDFLAGS.
# NOTE(review): presumably this is so the option reaches the linker whether a
# package links through the compiler driver or invokes the linker directly.
ifeq ($(strip $(PKG_RELRO)),1)
  ifdef CONFIG_PKG_RELRO_PARTIAL
    TARGET_CFLAGS += -Wl,-z,relro
    TARGET_LDFLAGS += -zrelro
  endif
  ifdef CONFIG_PKG_RELRO_FULL
    TARGET_CFLAGS += -Wl,-z,now -Wl,-z,relro
    TARGET_LDFLAGS += -znow -zrelro
  endif
endif