From: Matt Weber <matthew.weber@rockwellcollins.com>
To: buildroot@busybox.net
Subject: [Buildroot] [PATCH v4 01/13] stack protector: moved option out of adv menu
Date: Tue, 23 Jan 2018 22:09:40 -0600	[thread overview]
Message-ID: <1516766992-48428-1-git-send-email-matthew.weber@rockwellcollins.com> (raw)

Signed-off-by: Matthew Weber <matthew.weber@rockwellcollins.com>
---
Changes
v1 -> v2
 - Broke out into an individual commit for the menu change (Arnout)

v2 -> v3
 - Moved back up to the menu instead of a submenu (Arnout)

v3 -> v4
 - None.
---
 Config.in | 112 ++++++++++++++++++++++++++++++++------------------------------
 1 file changed, 57 insertions(+), 55 deletions(-)

diff --git a/Config.in b/Config.in
index 62d67ce..e7e5c2d 100644
--- a/Config.in
+++ b/Config.in
@@ -568,61 +568,6 @@ config BR2_GOOGLE_BREAKPAD_INCLUDE_FILES
 endif
 
 choice
-	bool "build code with Stack Smashing Protection"
-	default BR2_SSP_ALL if BR2_ENABLE_SSP # legacy
-	depends on BR2_TOOLCHAIN_HAS_SSP
-	help
-	  Enable stack smashing protection support using GCC's
-	  -fstack-protector option family.
-
-	  See
-	  http://www.linuxfromscratch.org/hints/downloads/files/ssp.txt
-	  for details.
-
-	  Note that this requires the toolchain to have SSP support.
-	  This is always the case for glibc and eglibc toolchain, but is
-	  optional in uClibc toolchains.
-
-config BR2_SSP_NONE
-	bool "None"
-	help
-	  Disable stack-smashing protection.
-
-config BR2_SSP_REGULAR
-	bool "-fstack-protector"
-	help
-	  Emit extra code to check for buffer overflows, such as stack
-	  smashing attacks. This is done by adding a guard variable to
-	  functions with vulnerable objects. This includes functions
-	  that call alloca, and functions with buffers larger than 8
-	  bytes. The guards are initialized when a function is entered
-	  and then checked when the function exits. If a guard check
-	  fails, an error message is printed and the program exits.
-
-config BR2_SSP_STRONG
-	bool "-fstack-protector-strong"
-	depends on BR2_TOOLCHAIN_GCC_AT_LEAST_4_9
-	help
-	  Like -fstack-protector but includes additional functions to be
-	  protected - those that have local array definitions, or have
-	  references to local frame addresses.
-
-comment "Stack Smashing Protection strong needs a toolchain w/ gcc >= 4.9"
-	depends on !BR2_TOOLCHAIN_GCC_AT_LEAST_4_9
-
-config BR2_SSP_ALL
-	bool "-fstack-protector-all"
-	help
-	  Like -fstack-protector except that all functions are
-	  protected. This option might have a significant performance
-	  impact on the compiled binaries.
-
-endchoice
-
-comment "Stack Smashing Protection needs a toolchain w/ SSP"
-	depends on !BR2_TOOLCHAIN_HAS_SSP
-
-choice
 	bool "libraries"
 	default BR2_SHARED_LIBS if BR2_BINFMT_SUPPORTS_SHARED
 	default BR2_STATIC_LIBS if !BR2_BINFMT_SUPPORTS_SHARED
@@ -732,6 +677,63 @@ config BR2_REPRODUCIBLE
 
 endmenu
 
+comment "Security Hardening Options"
+
+choice
+	bool "Stack Smashing Protection"
+	default BR2_SSP_ALL if BR2_ENABLE_SSP # legacy
+	depends on BR2_TOOLCHAIN_HAS_SSP
+	help
+	  Enable stack smashing protection support using GCC's
+	  -fstack-protector option family.
+
+	  See
+	  http://www.linuxfromscratch.org/hints/downloads/files/ssp.txt
+	  for details.
+
+	  Note that this requires the toolchain to have SSP support.
+	  This is always the case for glibc and eglibc toolchain, but is
+	  optional in uClibc toolchains.
+
+config BR2_SSP_NONE
+	bool "None"
+	help
+	  Disable stack-smashing protection.
+
+config BR2_SSP_REGULAR
+	bool "-fstack-protector"
+	help
+	  Emit extra code to check for buffer overflows, such as stack
+	  smashing attacks. This is done by adding a guard variable to
+	  functions with vulnerable objects. This includes functions
+	  that call alloca, and functions with buffers larger than 8
+	  bytes. The guards are initialized when a function is entered
+	  and then checked when the function exits. If a guard check
+	  fails, an error message is printed and the program exits.
+
+config BR2_SSP_STRONG
+	bool "-fstack-protector-strong"
+	depends on BR2_TOOLCHAIN_GCC_AT_LEAST_4_9
+	help
+	  Like -fstack-protector but includes additional functions to be
+	  protected - those that have local array definitions, or have
+	  references to local frame addresses.
+
+comment "Stack Smashing Protection strong needs a toolchain w/ gcc >= 4.9"
+	depends on !BR2_TOOLCHAIN_GCC_AT_LEAST_4_9
+
+config BR2_SSP_ALL
+	bool "-fstack-protector-all"
+	help
+	  Like -fstack-protector except that all functions are
+	  protected. This option might have a significant performance
+	  impact on the compiled binaries.
+
+endchoice
+
+comment "Stack Smashing Protection needs a toolchain w/ SSP"
+	depends on !BR2_TOOLCHAIN_HAS_SSP
+
 endmenu
 
 source "toolchain/Config.in"
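Review bot: The relocated choice under `comment "Security Hardening Options"` keeps only the legacy `default BR2_SSP_ALL if BR2_ENABLE_SSP`, so a fresh configuration falls back to the first entry, `BR2_SSP_NONE`, and builds without stack canaries. Now that the option sits under a hardening heading, the choice help should say so, for example `Stack protection is disabled unless one of the options below is selected.` Whether to also add `default BR2_SSP_STRONG if BR2_TOOLCHAIN_GCC_AT_LEAST_4_9` is a behaviour change that probably belongs in a separate patch. The help for `BR2_SSP_REGULAR` could also note that functions with no arrays over 8 bytes and no alloca call get no guard, which is the gap the strong and all variants close.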
-- 
1.9.1


Thread overview: 19+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2018-01-24  4:09 Matt Weber [this message]
2018-01-24  4:09 ` [Buildroot] [PATCH v4 02/13] security hardening: add RELFO, FORTIFY options Matt Weber
2018-01-28 14:20   ` Peter Korsgaard
2018-02-04 21:56   ` Matthew Weber
2018-04-26 15:55   ` Johan Oudinet
2018-04-27 13:05     ` Matthew Weber
2018-05-02 13:10       ` Matthew Weber
2018-01-24  4:09 ` [Buildroot] [PATCH v4 03/13] valgrind: correct linker flag seq Matt Weber
2018-01-24  4:09 ` [Buildroot] [PATCH v4 04/13] ncurses: " Matt Weber
2018-01-24  4:09 ` [Buildroot] [PATCH v4 05/13] boost: " Matt Weber
2018-01-24  4:09 ` [Buildroot] [PATCH v4 06/13] busybox: patch to remove -pie from LDFLAGS Matt Weber
2018-01-24  4:09 ` [Buildroot] [PATCH v4 07/13] libpcap: correct linker flag seq Matt Weber
2018-01-24  4:09 ` [Buildroot] [PATCH v4 08/13] iptables: " Matt Weber
2018-01-24  4:09 ` [Buildroot] [PATCH v4 09/13] zlib: correct linker flag sequence Matt Weber
2018-01-24  4:09 ` [Buildroot] [PATCH v4 10/13] ustr: " Matt Weber
2018-01-24  4:09 ` [Buildroot] [PATCH v4 11/13] tcl: " Matt Weber
2018-01-24  4:09 ` [Buildroot] [PATCH v4 12/13] readline: " Matt Weber
2018-01-24  4:09 ` [Buildroot] [PATCH v4 13/13] libcap: corrected " Matt Weber
2018-01-28 14:17 ` [Buildroot] [PATCH v4 01/13] stack protector: moved option out of adv menu Peter Korsgaard
