security: Add option for explicit stack canaries
Add option to enable stack canaries only when explicitely declared. It adds a new function attribute, __stack_protect, that can be used to enable stack protection in a function. Signed-off-by: Flavio Ceolin <flavio.ceolin@gmail.com>
This commit is contained in:
parent
82ace41da4
commit
0236f7c9aa
5 changed files with 18 additions and 1 deletions
|
@ -177,6 +177,8 @@ if(CONFIG_STACK_CANARIES)
|
|||
zephyr_compile_options($<TARGET_PROPERTY:compiler,security_canaries>)
|
||||
elseif(CONFIG_STACK_CANARIES_STRONG)
|
||||
zephyr_compile_options($<TARGET_PROPERTY:compiler,security_canaries_strong>)
|
||||
elseif(CONFIG_STACK_CANARIES_EXPLICIT)
|
||||
zephyr_compile_options($<TARGET_PROPERTY:compiler,security_canaries_explicit>)
|
||||
endif()
|
||||
|
||||
# @Intent: Obtain compiler optimizations flags and store in variables
|
||||
|
|
|
@ -93,6 +93,7 @@ set_compiler_property(PROPERTY coverage)
|
|||
# Security canaries flags.
|
||||
set_compiler_property(PROPERTY security_canaries)
|
||||
set_compiler_property(PROPERTY security_canaries_strong)
|
||||
set_compiler_property(PROPERTY security_canaries_explicit)
|
||||
|
||||
set_compiler_property(PROPERTY security_fortify_compile_time)
|
||||
set_compiler_property(PROPERTY security_fortify_run_time)
|
||||
|
|
|
@ -169,14 +169,17 @@ set_compiler_property(PROPERTY coverage -fprofile-arcs -ftest-coverage -fno-inli
|
|||
# Security canaries.
|
||||
set_compiler_property(PROPERTY security_canaries -fstack-protector-all)
|
||||
set_compiler_property(PROPERTY security_canaries_strong -fstack-protector-strong)
|
||||
set_compiler_property(PROPERTY security_canaries_explicit -fstack-protector-explicit)
|
||||
|
||||
# Only a valid option with GCC 7.x and above, so let's do check and set.
|
||||
if(CONFIG_STACK_CANARIES_TLS)
|
||||
check_set_compiler_property(APPEND PROPERTY security_canaries -mstack-protector-guard=tls)
|
||||
check_set_compiler_property(APPEND PROPERTY security_canaries_strong -mstack-protector-guard=tls)
|
||||
check_set_compiler_property(APPEND PROPERTY security_canaries_explicit -mstack-protector-guard=tls)
|
||||
else()
|
||||
check_set_compiler_property(APPEND PROPERTY security_canaries -mstack-protector-guard=global)
|
||||
check_set_compiler_property(APPEND PROPERTY security_canaries_global -mstack-protector-guard=global)
|
||||
check_set_compiler_property(APPEND PROPERTY security_canaries_explicit -mstack-protector-guard=global)
|
||||
endif()
|
||||
|
||||
|
||||
|
|
|
@ -907,6 +907,16 @@ config STACK_CANARIES_STRONG
|
|||
functions that have local array definitiion or have references to local
|
||||
frame addresses.
|
||||
|
||||
config STACK_CANARIES_EXPLICIT
|
||||
bool "Explicit protection"
|
||||
depends on ENTROPY_GENERATOR || TEST_RANDOM_GENERATOR
|
||||
depends on "${ZEPHYR_TOOLCHAIN_VARIANT}" = "zephyr"
|
||||
select NEED_LIBC_MEM_PARTITION if !STACK_CANARIES_TLS
|
||||
select REQUIRES_STACK_CANARIES
|
||||
help
|
||||
This option enables compiler stack canaries only in functions which have the
|
||||
stack_protect attribute.
|
||||
|
||||
endchoice
|
||||
|
||||
if REQUIRES_STACK_CANARIES
|
||||
|
|
|
@ -10,7 +10,8 @@
|
|||
*
|
||||
* This module provides functions to support compiler stack protection
|
||||
* using canaries. This feature is enabled with configuration
|
||||
* CONFIG_STACK_CANARIES=y or CONFIG_STACK_CANARIES_STRONG=y.
|
||||
* CONFIG_STACK_CANARIES=y or CONFIG_STACK_CANARIES_STRONG=y or
|
||||
* CONFIG_STACK_CANARIES_EXPLICIT=y.
|
||||
*
|
||||
* When this feature is enabled, the compiler generated code refers to
|
||||
* function __stack_chk_fail and global variable __stack_chk_guard.
|
||||
|
|
Loading…
Add table
Add a link
Reference in a new issue