diff --git a/CMakeLists.txt b/CMakeLists.txt
index cf86d1ac8a5..6feef29ce34 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -177,6 +177,8 @@ if(CONFIG_STACK_CANARIES)
 zephyr_compile_options($)
 elseif(CONFIG_STACK_CANARIES_STRONG)
 zephyr_compile_options($)
+elseif(CONFIG_STACK_CANARIES_EXPLICIT)
+ zephyr_compile_options($)
 endif()
 # @Intent: Obtain compiler optimizations flags and store in variables
diff --git a/cmake/compiler/compiler_flags_template.cmake b/cmake/compiler/compiler_flags_template.cmake
index f2d03b3d86a..e35660491c6 100644
--- a/cmake/compiler/compiler_flags_template.cmake
+++ b/cmake/compiler/compiler_flags_template.cmake
@@ -93,6 +93,7 @@ set_compiler_property(PROPERTY coverage)
 # Security canaries flags.
 set_compiler_property(PROPERTY security_canaries)
 set_compiler_property(PROPERTY security_canaries_strong)
+set_compiler_property(PROPERTY security_canaries_explicit)
 set_compiler_property(PROPERTY security_fortify_compile_time)
 set_compiler_property(PROPERTY security_fortify_run_time)
diff --git a/cmake/compiler/gcc/compiler_flags.cmake b/cmake/compiler/gcc/compiler_flags.cmake
index 83d58e4896c..59ae986915b 100644
--- a/cmake/compiler/gcc/compiler_flags.cmake
+++ b/cmake/compiler/gcc/compiler_flags.cmake
@@ -169,14 +169,17 @@ set_compiler_property(PROPERTY coverage -fprofile-arcs -ftest-coverage -fno-inli
 # Security canaries.
 set_compiler_property(PROPERTY security_canaries -fstack-protector-all)
 set_compiler_property(PROPERTY security_canaries_strong -fstack-protector-strong)
+set_compiler_property(PROPERTY security_canaries_explicit -fstack-protector-explicit)
 # Only a valid option with GCC 7.x and above, so let's do check and set.
 if(CONFIG_STACK_CANARIES_TLS)
 check_set_compiler_property(APPEND PROPERTY security_canaries -mstack-protector-guard=tls)
 check_set_compiler_property(APPEND PROPERTY security_canaries_strong -mstack-protector-guard=tls)
+ check_set_compiler_property(APPEND PROPERTY security_canaries_explicit -mstack-protector-guard=tls)
 else()
 check_set_compiler_property(APPEND PROPERTY security_canaries -mstack-protector-guard=global)
 check_set_compiler_property(APPEND PROPERTY security_canaries_global -mstack-protector-guard=global)
+ check_set_compiler_property(APPEND PROPERTY security_canaries_explicit -mstack-protector-guard=global)
 endif()
diff --git a/kernel/Kconfig b/kernel/Kconfig
index 407e091c35d..2c0cbfce085 100644
--- a/kernel/Kconfig
+++ b/kernel/Kconfig
@@ -907,6 +907,16 @@ config STACK_CANARIES_STRONG
 functions that have local array definitiion or have references to local frame addresses.
+config STACK_CANARIES_EXPLICIT
+ bool "Explicit protection"
+ depends on ENTROPY_GENERATOR || TEST_RANDOM_GENERATOR
+ depends on "${ZEPHYR_TOOLCHAIN_VARIANT}" = "zephyr"
+ select NEED_LIBC_MEM_PARTITION if !STACK_CANARIES_TLS
+ select REQUIRES_STACK_CANARIES
+ help
+ This option enables compiler stack canaries only in functions which have the
+ stack_protect attribute.
+
 endchoice
 if REQUIRES_STACK_CANARIES
diff --git a/kernel/compiler_stack_protect.c b/kernel/compiler_stack_protect.c
index 166f43e00b4..d48190c6c9e 100644
--- a/kernel/compiler_stack_protect.c
+++ b/kernel/compiler_stack_protect.c
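Review bot: In the `else()` branch of cmake/compiler/gcc/compiler_flags.cmake, the new `security_canaries_explicit` line sits beside a line that appends `-mstack-protector-guard=global` to `security_canaries_global`. That property is not among those visible in the template hunk of this commit, and `security_canaries_strong` gets a guard flag only in the TLS branch. This looks like a typo for `security_canaries_strong`, and the commit extends the block without fixing it: `check_set_compiler_property(APPEND PROPERTY security_canaries_strong -mstack-protector-guard=global)`. Separately, the comment "Only a valid option with GCC 7.x and above" now follows three `-fstack-protector-*` lines, so it would help to say it refers to `-mstack-protector-guard`.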
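Review bot: The help text for STACK_CANARIES_EXPLICIT in kernel/Kconfig does not say that functions without the stack_protect attribute get no canary at all. That matters because the entry is added just before `endchoice`, apparently in the same choice as the other canary levels, so selecting it would replace their broader coverage rather than add to it. I would extend the help with a sentence such as `Functions without the attribute are not protected; select this only when the functions that handle untrusted data are annotated.` A one-line comment above the second `depends on` explaining why only the zephyr toolchain variant qualifies would also help the next reader.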
@@ -10,7 +10,8 @@
 *
 * This module provides functions to support compiler stack protection
 * using canaries. This feature is enabled with configuration
- * CONFIG_STACK_CANARIES=y or CONFIG_STACK_CANARIES_STRONG=y.
+ * CONFIG_STACK_CANARIES=y or CONFIG_STACK_CANARIES_STRONG=y or
+ * CONFIG_STACK_CANARIES_EXPLICIT=y.
 *
 * When this feature is enabled, the compiler generated code refers to
 * function __stack_chk_fail and global variable __stack_chk_guard.