security: Add default stack protection level

STACK_CANARIES was enabling canaries in all functions using the compiler
flag -fstack-protector-all. This became confusing with the addition of the
options STRONG and EXPLICIT.

This commit adds the missing option (default level) and disambiguates the
options, mapping them closely to the compiler flags.

Now we have the following options:

STACK_CANARIES            -> fstack-protector
STACK_CANARIES_STRONG     -> fstack-protector-strong
STACK_CANARIES_ALL        -> fstack-protector-all
STACK_CANARIES_EXPLICIT   -> fstack-protector-explicit

Note that from now on STACK_CANARIES_ALL is the symbol that adds canaries
for all functions.

Signed-off-by: Flavio Ceolin <flavio.ceolin@gmail.com>
Flavio Ceolin 2024-12-13 08:58:17 -08:00 committed by Benjamin Cabé
commit 3e75c03cb2
6 changed files with 22 additions and 5 deletions


@ -167,18 +167,21 @@ set_property(TARGET compiler-cpp PROPERTY no_rtti "-fno-rtti")
set_compiler_property(PROPERTY coverage -fprofile-arcs -ftest-coverage -fno-inline)
# Security canaries.
set_compiler_property(PROPERTY security_canaries -fstack-protector-all)
set_compiler_property(PROPERTY security_canaries -fstack-protector)
set_compiler_property(PROPERTY security_canaries_strong -fstack-protector-strong)
set_compiler_property(PROPERTY security_canaries_all -fstack-protector-all)
set_compiler_property(PROPERTY security_canaries_explicit -fstack-protector-explicit)
# Only a valid option with GCC 7.x and above, so let's do check and set.
if(CONFIG_STACK_CANARIES_TLS)
check_set_compiler_property(APPEND PROPERTY security_canaries -mstack-protector-guard=tls)
check_set_compiler_property(APPEND PROPERTY security_canaries_strong -mstack-protector-guard=tls)
check_set_compiler_property(APPEND PROPERTY security_canaries_all -mstack-protector-guard=tls)
check_set_compiler_property(APPEND PROPERTY security_canaries_explicit -mstack-protector-guard=tls)
else()
check_set_compiler_property(APPEND PROPERTY security_canaries -mstack-protector-guard=global)
check_set_compiler_property(APPEND PROPERTY security_canaries_global -mstack-protector-guard=global)
check_set_compiler_property(APPEND PROPERTY security_canaries_all -mstack-protector-guard=global)
check_set_compiler_property(APPEND PROPERTY security_canaries_explicit -mstack-protector-guard=global)
endif()
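Review bot: In the `else()` branch, the second `check_set_compiler_property` line appends `-mstack-protector-guard=global` to `security_canaries_global`, a property that nothing visible here defines, whereas the TLS branch appends to `security_canaries_strong`. As written, a strong-level build without CONFIG_STACK_CANARIES_TLS would presumably get `-fstack-protector-strong` with the compiler's default guard location instead of the explicit global guard that the other three levels receive. The line should read `check_set_compiler_property(APPEND PROPERTY security_canaries_strong -mstack-protector-guard=global)`. The rendering has lost the +/- markers, so this line may predate the commit, but the commit reworks exactly this level-to-flag mapping and is the natural place to correct it.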