Re: Additional hardening options


Khem Raj
 

On Wed, Jan 26, 2022 at 1:17 PM Paul Eggleton
<bluelightning@...> wrote:

On Wednesday, 26 January 2022 14:39:39 NZDT Paul Eggleton wrote:
Hi folks

I've been looking into a couple of compiler flags for hardening that I think
we might want to consider enabling by default in security-flags.inc:


1) -fstack-clash-protection

This option was introduced to gcc 8.x and provides protection against the
stack clash vulnerability:

https://securingsoftware.blogspot.com/2017/12/stack-clash-vulnerability.html

It has been enabled in some Linux distributions already (e.g. Ubuntu,
Fedora).
That is good testimony, it will be good to know how this option
impacts performance
and does it work across architectures and libc's supported in OE.


Another quirk of this - with dunfell, the buildepoxy SDK test fails on Ubuntu
18.04 with -fstack-clash-protection because the version of meson in dunfell
uses the same LDFLAGS value for both host and target, and host gcc doesn't
support that option. Not sure what to do other than just filtering out the
option from LDFLAGS in the test.

Cheers
Paul




Join yocto@lists.yoctoproject.org to automatically receive all group messages.