Re: Additional hardening options

Home Messages Hashtags Subgroups

Alexander Kanavin #55988 I guess you can submit a patch, and it can be taken for a spin on the autobuilder? Alex toggle quoted message Show quoted text On Wed, 26 Jan 2022 at 22:17, Paul Eggleton <bluelightning@...> wrote: On Wednesday, 26 January 2022 14:39:39 NZDT Paul Eggleton wrote: > Hi folks > > I've been looking into a couple of compiler flags for hardening that I think > we might want to consider enabling by default in security-flags.inc: > > > 1) -fstack-clash-protection > > This option was introduced to gcc 8.x and provides protection against the > stack clash vulnerability: > > https://securingsoftware.blogspot.com/2017/12/stack-clash-vulnerability.html > > It has been enabled in some Linux distributions already (e.g. Ubuntu, > Fedora). Another quirk of this - with dunfell, the buildepoxy SDK test fails on Ubuntu 18.04 with -fstack-clash-protection because the version of meson in dunfell uses the same LDFLAGS value for both host and target, and host gcc doesn't support that option. Not sure what to do other than just filtering out the option from LDFLAGS in the test. Cheers Paul
More All Messages By This Member

Join yocto@lists.yoctoproject.org to automatically receive all group messages.