Re: Additional hardening options

Bernhard Rosenkränzer <bero@...>

Hi,

On Wed, Jan 26, 2022 at 02:39 AM, Paul Eggleton wrote:
> I've been looking into a couple of compiler flags for hardening that I think we
> might want to consider enabling by default in security-flags.inc:
> 1) -fstack-clash-protection
> 2) -z noexecstack (or alternative mitigations)
I looked into those flags (and a few more) a while back when picking compiler flags to use for Oniro.

-Wl,-z,-noexecstack is unproblematic; -fstack-clash-protection adds a bit of overhead, but it isn't all that bad (typically in the 2% range).

I've been able to build working systems with both flags enabled.

My full report is at
https://forum.ostc-eu.org/t/compiler-flags-to-be-used-for-all-scenarios-os/94

ttyl
bero

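Added example (not part of this thread, and not Oniro's or Yocto's own code): a small Python checker for the two properties the flags are meant to produce in the resulting binary. `-z noexecstack` should leave the PT_GNU_STACK program header with flags `RW` (no `E`), which `readelf -lW` shows; `-fstack-clash-protection` on x86-64 makes GCC probe every page of a large frame with `orq $0x0,(%rsp)`, which `objdump -d` shows. The parsers work on captured text; the compile-and-inspect helper assumes `gcc`, `readelf` and `objdump` on PATH and an x86-64 target (the probe instruction differs on other architectures, so the probe count is a heuristic, not a guarantee). The sample `readelf`/`objdump` text embedded below is constructed for illustration.

```python
"""Verify -z noexecstack and -fstack-clash-protection on a built ELF binary.

Assumptions (not from the original thread):
  * x86-64 GCC: stack-clash probes appear as `orq $0x0,(%rsp)` in
    functions whose frame exceeds the probe interval (one page).
  * readelf/objdump from GNU binutils on PATH for build_and_inspect().
"""
import os
import re
import shutil
import subprocess
import tempfile
from typing import Optional, Tuple

# readelf -lW line:  GNU_STACK  off  vaddr  paddr  filesz  memsz  Flg  Align
GNU_STACK_RE = re.compile(
    r"^\s*GNU_STACK\s+(?:0x[0-9a-fA-F]+\s+){5}([RWE ]{1,3})", re.M)
# objdump (AT&T) stack-clash probe on x86-64
STACK_PROBE_RE = re.compile(r"\bor[qlw]?\s+\$0x0,\(%rsp\)")


def gnu_stack_flags(readelf_output: str) -> Optional[str]:
    """Return the PT_GNU_STACK flags ('RW', 'RWE', ...) or None if absent."""
    m = GNU_STACK_RE.search(readelf_output)
    return m.group(1).replace(" ", "") if m else None


def stack_is_executable(readelf_output: str) -> bool:
    """True if the stack is executable.  A missing PT_GNU_STACK header is
    treated as executable: the kernel's default on most targets."""
    flags = gnu_stack_flags(readelf_output)
    return flags is None or "E" in flags


def count_stack_probes(objdump_output: str) -> int:
    """Number of stack-clash probe instructions in a disassembly."""
    return len(STACK_PROBE_RE.findall(objdump_output))


# Constructed test program: a 1 MiB frame must be probed page by page.
# The asm barrier keeps the buffer alive so -O2 cannot drop the frame.
TEST_PROGRAM = r"""
#include <string.h>
int touch(int n) {
    char buf[1 << 20];
    memset(buf, n, sizeof buf);
    __asm__ volatile("" :: "r"(buf) : "memory");
    return buf[n & 0xffff];
}
int main(int argc, char **argv) { (void)argv; return touch(argc); }
"""


def build_and_inspect(cflags) -> Tuple[Optional[str], int]:
    """Compile TEST_PROGRAM with cflags; return (GNU_STACK flags, probe count)."""
    with tempfile.TemporaryDirectory() as d:
        src, exe = os.path.join(d, "t.c"), os.path.join(d, "t")
        with open(src, "w") as f:
            f.write(TEST_PROGRAM)
        subprocess.run(["gcc", "-O2", *cflags, src, "-o", exe], check=True)
        rl = subprocess.run(["readelf", "-lW", exe], capture_output=True,
                            text=True, check=True).stdout
        od = subprocess.run(["objdump", "-d", "--no-show-raw-insn", exe],
                            capture_output=True, text=True, check=True).stdout
        return gnu_stack_flags(rl), count_stack_probes(od)


# Constructed sample tool output (shape of real readelf/objdump text).
SAMPLE_READELF_RW = """\
Program Headers:
  Type           Offset   VirtAddr           PhysAddr           FileSiz  MemSiz   Flg Align
  LOAD           0x000000 0x0000000000000000 0x0000000000000000 0x000650 0x000650 R   0x1000
  GNU_STACK      0x000000 0x0000000000000000 0x0000000000000000 0x000000 0x000000 RW  0x10
"""
SAMPLE_READELF_RWE = SAMPLE_READELF_RW.replace("RW  0x10", "RWE 0x10")
SAMPLE_OBJDUMP_PROBED = """\
0000000000001140 <touch>:
    1140:   lea    -0x100000(%rsp),%r11
    1148:   sub    $0x1000,%rsp
    114f:   orq    $0x0,(%rsp)
    1154:   cmp    %r11,%rsp
    1157:   jne    1148 <touch+0x8>
"""

if __name__ == "__main__":
    if all(shutil.which(t) for t in ("gcc", "readelf", "objdump")):
        weak = build_and_inspect(["-Wl,-z,execstack"])
        hard = build_and_inspect(["-Wl,-z,noexecstack", "-fstack-clash-protection"])
        print("weak  (execstack, no probes):", weak)
        print("hard  (noexecstack + clash protection):", hard)
    else:
        print("toolchain not found; parser-only mode")
```

Running the script on a host with GCC prints `RWE` and `0` probes for the weak build and `RW` with at least one probe for the hardened build. A zero probe count on a real package is not by itself a failure: functions with small frames never need probes, so check a function known to allocate more than a page, as `touch()` does.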