hardening.mk 1.4 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657
  1. #
  2. # Copyright (C) 2015 OpenWrt.org
  3. #
  4. # This is free software, licensed under the GNU General Public License v2.
  5. # See /LICENSE for more information.
  6. #
  7. PKG_CHECK_FORMAT_SECURITY ?= 1
  8. PKG_ASLR_PIE ?= 1
  9. PKG_SSP ?= 1
  10. PKG_FORTIFY_SOURCE ?= 1
  11. PKG_RELRO ?= 1
  12. ifdef CONFIG_PKG_CHECK_FORMAT_SECURITY
  13. ifeq ($(strip $(PKG_CHECK_FORMAT_SECURITY)),1)
  14. TARGET_CFLAGS += -Wformat -Werror=format-security
  15. endif
  16. endif
  17. ifdef CONFIG_PKG_ASLR_PIE
  18. ifeq ($(strip $(PKG_ASLR_PIE)),1)
  19. TARGET_CFLAGS += $(FPIC)
  20. TARGET_LDFLAGS += $(FPIC) -specs=$(INCLUDE_DIR)/hardened-ld-pie.specs
  21. endif
  22. endif
  23. ifdef CONFIG_PKG_CC_STACKPROTECTOR_REGULAR
  24. ifeq ($(strip $(PKG_SSP)),1)
  25. TARGET_CFLAGS += -fstack-protector
  26. endif
  27. endif
  28. ifdef CONFIG_PKG_CC_STACKPROTECTOR_STRONG
  29. ifeq ($(strip $(PKG_SSP)),1)
  30. TARGET_CFLAGS += -fstack-protector-strong
  31. endif
  32. endif
  33. ifdef CONFIG_PKG_FORTIFY_SOURCE_1
  34. ifeq ($(strip $(PKG_FORTIFY_SOURCE)),1)
  35. TARGET_CFLAGS += -D_FORTIFY_SOURCE=1
  36. endif
  37. endif
  38. ifdef CONFIG_PKG_FORTIFY_SOURCE_2
  39. ifeq ($(strip $(PKG_FORTIFY_SOURCE)),1)
  40. TARGET_CFLAGS += -D_FORTIFY_SOURCE=2
  41. endif
  42. endif
  43. ifdef CONFIG_PKG_RELRO_PARTIAL
  44. ifeq ($(strip $(PKG_RELRO)),1)
  45. TARGET_CFLAGS += -Wl,-z,relro
  46. TARGET_LDFLAGS += -zrelro
  47. endif
  48. endif
  49. ifdef CONFIG_PKG_RELRO_FULL
  50. ifeq ($(strip $(PKG_RELRO)),1)
  51. TARGET_CFLAGS += -Wl,-z,now -Wl,-z,relro
  52. TARGET_LDFLAGS += -znow -zrelro
  53. endif
  54. endif