security: Add option for explicit stack canaries

Add option to enable stack canaries only when explicitly
declared. It adds a new function attribute, __stack_protect, that
can be used to enable stack protection in a function.

Signed-off-by: Flavio Ceolin <flavio.ceolin@gmail.com>
Flavio Ceolin 2024-11-25 15:46:26 -08:00 committed by Benjamin Cabé
commit 0236f7c9aa
5 changed files with 18 additions and 1 deletions


@ -177,6 +177,8 @@ if(CONFIG_STACK_CANARIES)
zephyr_compile_options($<TARGET_PROPERTY:compiler,security_canaries>)
elseif(CONFIG_STACK_CANARIES_STRONG)
zephyr_compile_options($<TARGET_PROPERTY:compiler,security_canaries_strong>)
elseif(CONFIG_STACK_CANARIES_EXPLICIT)
zephyr_compile_options($<TARGET_PROPERTY:compiler,security_canaries_explicit>)
endif()
# @Intent: Obtain compiler optimizations flags and store in variables
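Review bot: The new `elseif(CONFIG_STACK_CANARIES_EXPLICIT)` branch has no comment saying that this mode is opt-in per function, so in this chain it reads like a third strength level next to the all-functions and strong modes. A one-line comment above it would make the difference visible, for example `# Explicit mode: only functions carrying the __stack_protect attribute get a canary.` Note also that the generator expression expands to nothing for any toolchain that leaves `security_canaries_explicit` empty, so the build would then get no canaries at all without a diagnostic. The Kconfig dependency on the zephyr toolchain variant appears to be the only guard against that. The `if()` chain opens above the first line of this hunk.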


@ -93,6 +93,7 @@ set_compiler_property(PROPERTY coverage)
# Security canaries flags.
set_compiler_property(PROPERTY security_canaries)
set_compiler_property(PROPERTY security_canaries_strong)
set_compiler_property(PROPERTY security_canaries_explicit)
set_compiler_property(PROPERTY security_fortify_compile_time)
set_compiler_property(PROPERTY security_fortify_run_time)


@ -169,14 +169,17 @@ set_compiler_property(PROPERTY coverage -fprofile-arcs -ftest-coverage -fno-inli
# Security canaries.
set_compiler_property(PROPERTY security_canaries -fstack-protector-all)
set_compiler_property(PROPERTY security_canaries_strong -fstack-protector-strong)
set_compiler_property(PROPERTY security_canaries_explicit -fstack-protector-explicit)
# Only a valid option with GCC 7.x and above, so let's do check and set.
if(CONFIG_STACK_CANARIES_TLS)
check_set_compiler_property(APPEND PROPERTY security_canaries -mstack-protector-guard=tls)
check_set_compiler_property(APPEND PROPERTY security_canaries_strong -mstack-protector-guard=tls)
check_set_compiler_property(APPEND PROPERTY security_canaries_explicit -mstack-protector-guard=tls)
else()
check_set_compiler_property(APPEND PROPERTY security_canaries -mstack-protector-guard=global)
check_set_compiler_property(APPEND PROPERTY security_canaries_global -mstack-protector-guard=global)
check_set_compiler_property(APPEND PROPERTY security_canaries_explicit -mstack-protector-guard=global)
endif()
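Review bot: In the `else()` branch the middle line appends `-mstack-protector-guard=global` to `security_canaries_global`, a property name that appears nowhere else in this hunk, while the matching line in the TLS branch uses `security_canaries_strong`. Going by the hunk counts this looks like an unchanged context line rather than something this commit adds, but the new `security_canaries_explicit` line sits right beside it and the mismatch is left in place. As written, a `CONFIG_STACK_CANARIES_STRONG` build without `CONFIG_STACK_CANARIES_TLS` never receives the global-guard flag, although whether that changes the generated code depends on the target's default guard location. The line should read `check_set_compiler_property(APPEND PROPERTY security_canaries_strong -mstack-protector-guard=global)`.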


@ -907,6 +907,16 @@ config STACK_CANARIES_STRONG
functions that have local array definitiion or have references to local
frame addresses.
config STACK_CANARIES_EXPLICIT
bool "Explicit protection"
depends on ENTROPY_GENERATOR || TEST_RANDOM_GENERATOR
depends on "${ZEPHYR_TOOLCHAIN_VARIANT}" = "zephyr"
select NEED_LIBC_MEM_PARTITION if !STACK_CANARIES_TLS
select REQUIRES_STACK_CANARIES
help
This option enables compiler stack canaries only in functions which have the
stack_protect attribute.
endchoice
if REQUIRES_STACK_CANARIES
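Review bot: The help text names the attribute as `stack_protect`, while the commit message introduces it as `__stack_protect`, and it does not say that functions without the attribute are left uninstrumented. Because this choice entry replaces the blanket modes, someone selecting it should see that trade-off in the help, for example `This option enables compiler stack canaries only in functions marked with the __stack_protect attribute; all other functions are built without a canary.` The `depends on "${ZEPHYR_TOOLCHAIN_VARIANT}" = "zephyr"` line ties the option to a toolchain name rather than to support for the flag, which may deserve a short comment explaining why. The enclosing `choice` begins above this hunk.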


@ -10,7 +10,8 @@
*
* This module provides functions to support compiler stack protection
* using canaries. This feature is enabled with configuration
* CONFIG_STACK_CANARIES=y or CONFIG_STACK_CANARIES_STRONG=y.
* CONFIG_STACK_CANARIES=y or CONFIG_STACK_CANARIES_STRONG=y or
* CONFIG_STACK_CANARIES_EXPLICIT=y.
*
* When this feature is enabled, the compiler generated code refers to
* function __stack_chk_fail and global variable __stack_chk_guard.