diff options
| author | Matt Weber <matthew.weber@rockwellcollins.com> | 2018-01-23 22:09:40 -0600 |
|---|---|---|
| committer | Peter Korsgaard <peter@korsgaard.com> | 2018-01-28 11:54:54 +0100 |
| commit | d3732cf4a23c83dd6903f26c19bc9258ac227fec (patch) | |
| tree | 5dc51f737439e674b1d90527fb05d6a4c60233e8 /Config.in | |
| parent | 5e7e27a3a78af462398e3f9ca9218f3ea30e5eb0 (diff) | |
stack protector: moved option out of adv menu
Signed-off-by: Matthew Weber <matthew.weber@rockwellcollins.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Diffstat (limited to 'Config.in')
| -rw-r--r-- | Config.in | 112 |
1 files changed, 57 insertions, 55 deletions
@@ -568,61 +568,6 @@ config BR2_GOOGLE_BREAKPAD_INCLUDE_FILES endif choice - bool "build code with Stack Smashing Protection" - default BR2_SSP_ALL if BR2_ENABLE_SSP # legacy - depends on BR2_TOOLCHAIN_HAS_SSP - help - Enable stack smashing protection support using GCC's - -fstack-protector option family. - - See - http://www.linuxfromscratch.org/hints/downloads/files/ssp.txt - for details. - - Note that this requires the toolchain to have SSP support. - This is always the case for glibc and eglibc toolchain, but is - optional in uClibc toolchains. - -config BR2_SSP_NONE - bool "None" - help - Disable stack-smashing protection. - -config BR2_SSP_REGULAR - bool "-fstack-protector" - help - Emit extra code to check for buffer overflows, such as stack - smashing attacks. This is done by adding a guard variable to - functions with vulnerable objects. This includes functions - that call alloca, and functions with buffers larger than 8 - bytes. The guards are initialized when a function is entered - and then checked when the function exits. If a guard check - fails, an error message is printed and the program exits. - -config BR2_SSP_STRONG - bool "-fstack-protector-strong" - depends on BR2_TOOLCHAIN_GCC_AT_LEAST_4_9 - help - Like -fstack-protector but includes additional functions to be - protected - those that have local array definitions, or have - references to local frame addresses. - -comment "Stack Smashing Protection strong needs a toolchain w/ gcc >= 4.9" - depends on !BR2_TOOLCHAIN_GCC_AT_LEAST_4_9 - -config BR2_SSP_ALL - bool "-fstack-protector-all" - help - Like -fstack-protector except that all functions are - protected. This option might have a significant performance - impact on the compiled binaries. - -endchoice - -comment "Stack Smashing Protection needs a toolchain w/ SSP" - depends on !BR2_TOOLCHAIN_HAS_SSP - -choice bool "libraries" default BR2_SHARED_LIBS if BR2_BINFMT_SUPPORTS_SHARED default BR2_STATIC_LIBS if !BR2_BINFMT_SUPPORTS_SHARED @@ -732,6 +677,63 @@ config BR2_REPRODUCIBLE endmenu +comment "Security Hardening Options" + +choice + bool "Stack Smashing Protection" + default BR2_SSP_ALL if BR2_ENABLE_SSP # legacy + depends on BR2_TOOLCHAIN_HAS_SSP + help + Enable stack smashing protection support using GCC's + -fstack-protector option family. + + See + http://www.linuxfromscratch.org/hints/downloads/files/ssp.txt + for details. + + Note that this requires the toolchain to have SSP support. + This is always the case for glibc and eglibc toolchain, but is + optional in uClibc toolchains. + +config BR2_SSP_NONE + bool "None" + help + Disable stack-smashing protection. + +config BR2_SSP_REGULAR + bool "-fstack-protector" + help + Emit extra code to check for buffer overflows, such as stack + smashing attacks. This is done by adding a guard variable to + functions with vulnerable objects. This includes functions + that call alloca, and functions with buffers larger than 8 + bytes. The guards are initialized when a function is entered + and then checked when the function exits. If a guard check + fails, an error message is printed and the program exits. + +config BR2_SSP_STRONG + bool "-fstack-protector-strong" + depends on BR2_TOOLCHAIN_GCC_AT_LEAST_4_9 + help + Like -fstack-protector but includes additional functions to be + protected - those that have local array definitions, or have + references to local frame addresses. + +comment "Stack Smashing Protection strong needs a toolchain w/ gcc >= 4.9" + depends on !BR2_TOOLCHAIN_GCC_AT_LEAST_4_9 + +config BR2_SSP_ALL + bool "-fstack-protector-all" + help + Like -fstack-protector except that all functions are + protected. This option might have a significant performance + impact on the compiled binaries. + +endchoice + +comment "Stack Smashing Protection needs a toolchain w/ SSP" + depends on !BR2_TOOLCHAIN_HAS_SSP + endmenu source "toolchain/Config.in" |