* [Buildroot] [PATCH v2, 1/1] Config.in: enable FORTIFY_SOURCE, PIC/PIE, RELRO, SSP by default
From: Fabrice Fontaine @ 2021-04-25 12:41 UTC (permalink / raw)
To: buildroot

Enhance security by enabling FORTIFY_SOURCE, PIC/PIE, RELRO and SSP by
default.

This could help making IoT more secure and fight against the assumption
that buildroot does not support binary hardening (see
https://cyber-itl.org/2019/08/26/iot-data-writeup.html)

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
---
Changes v1 -> v2:
- Use RELRO_PARTIAL if toolchain does not support PIE
- Enable BR2_FORTIFY_SOURCE_2 by default
Config.in | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/Config.in b/Config.in
index e35a78fb71..db6d4f01b4 100644
--- a/Config.in
+++ b/Config.in
@@ -715,6 +715,7 @@ comment "Security Hardening Options"
config BR2_PIC_PIE
bool "Build code with PIC/PIE"
+ default y
depends on BR2_SHARED_LIBS
depends on BR2_TOOLCHAIN_SUPPORTS_PIE
help
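Review bot: the new `default y` on BR2_PIC_PIE only takes effect where `depends on BR2_SHARED_LIBS` and `depends on BR2_TOOLCHAIN_SUPPORTS_PIE` both hold, so static-only builds and toolchains without PIE support stay non-PIE while the commit message says "by default" without qualification. Please state in the commit message which configurations still end up without PIC/PIE, and note that defconfigs which do not mention this symbol will pick up the new default on their next build.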
@@ -727,7 +728,7 @@ comment "PIC/PIE needs a toolchain w/ PIE"
choice
bool "Stack Smashing Protection"
- default BR2_SSP_ALL if BR2_ENABLE_SSP # legacy
+ default BR2_SSP_ALL
depends on BR2_TOOLCHAIN_HAS_SSP
help
Enable stack smashing protection support using GCC's
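Review bot: replacing `default BR2_SSP_ALL if BR2_ENABLE_SSP # legacy` with an unconditional `default BR2_SSP_ALL` both picks the "all" SSP level for every toolchain with BR2_TOOLCHAIN_HAS_SSP and drops the only visible reference to the legacy BR2_ENABLE_SSP symbol in this choice, and the commit message explains neither. Please justify the chosen level (code size and run-time cost matter on small targets) and either keep the legacy line ahead of the new default or mention its removal explicitly.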
@@ -789,6 +790,8 @@ comment "Stack Smashing Protection needs a toolchain w/ SSP"
choice
bool "RELRO Protection"
+ default BR2_RELRO_FULL if BR2_TOOLCHAIN_SUPPORTS_PIE
+ default BR2_RELRO_PARTIAL if !BR2_TOOLCHAIN_SUPPORTS_PIE
depends on BR2_SHARED_LIBS
help
Enable a link-time protection know as RELRO (RELocation Read
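Review bot: the `if !BR2_TOOLCHAIN_SUPPORTS_PIE` condition on the second default is redundant, because the first default already covers the case where BR2_TOOLCHAIN_SUPPORTS_PIE is set; a plain `default BR2_RELRO_PARTIAL` is enough and reads more clearly. A one-line comment on why the full variant is tied to PIE support would also help, since only the v2 changelog ("Use RELRO_PARTIAL if toolchain does not support PIE") hints at the reason.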
@@ -825,6 +828,7 @@ comment "RELocation Read Only (RELRO) needs shared libraries"
choice
bool "Buffer-overflow Detection (FORTIFY_SOURCE)"
+ default BR2_FORTIFY_SOURCE_2
depends on BR2_TOOLCHAIN_USES_GLIBC
depends on !BR2_OPTIMIZE_0
help
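Review bot: `default BR2_FORTIFY_SOURCE_2` selects level 2 with no rationale beyond the one-line v2 changelog entry, and no statement of what was built or run with it. Please explain the choice of level in the commit message, and mention that `depends on BR2_TOOLCHAIN_USES_GLIBC` and `depends on !BR2_OPTIMIZE_0` leave non-glibc toolchains and -O0 builds without any fortification, so "by default" is not read as universal.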
--
2.30.2
* [Buildroot] [PATCH v2, 1/1] Config.in: enable FORTIFY_SOURCE, PIC/PIE, RELRO, SSP by default
From: Yann E. MORIN @ 2021-05-01 22:01 UTC (permalink / raw)
To: buildroot

Fabrice, All,

+Adam who poked me on IRC... ;-)

On 2021-04-25 14:41 +0200, Fabrice Fontaine spake thusly:
> Enhance security by enabling FORTIFY_SOURCE, PIC/PIE, RELRO and SSP by
> default.
>
> This could help making IoT more secure and fight against the assumption
> that buildroot does not support binary hardening (see
> https://cyber-itl.org/2019/08/26/iot-data-writeup.html)
>
> Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
> ---
> Changes v1 -> v2:
> - Use RELRO_PARTIAL if toolchain does not support PIE
> - Enable BR2_FORTIFY_SOURCE_2 by default
>
> Config.in | 6 +++++-
> 1 file changed, 5 insertions(+), 1 deletion(-)
>
> diff --git a/Config.in b/Config.in
> index e35a78fb71..db6d4f01b4 100644
> --- a/Config.in
> +++ b/Config.in
> @@ -715,6 +715,7 @@ comment "Security Hardening Options"
>
> config BR2_PIC_PIE
> bool "Build code with PIC/PIE"
> + default y
> depends on BR2_SHARED_LIBS
> depends on BR2_TOOLCHAIN_SUPPORTS_PIE
> help
> @@ -727,7 +728,7 @@ comment "PIC/PIE needs a toolchain w/ PIE"
>
> choice
> bool "Stack Smashing Protection"
> - default BR2_SSP_ALL if BR2_ENABLE_SSP # legacy
> + default BR2_SSP_ALL
> depends on BR2_TOOLCHAIN_HAS_SSP
> help
> Enable stack smashing protection support using GCC's
> @@ -789,6 +790,8 @@ comment "Stack Smashing Protection needs a toolchain w/ SSP"
>
> choice
> bool "RELRO Protection"
> + default BR2_RELRO_FULL if BR2_TOOLCHAIN_SUPPORTS_PIE
> + default BR2_RELRO_PARTIAL if !BR2_TOOLCHAIN_SUPPORTS_PIE

Not your fault, but this relro-full conflates two things: actual relro,
and bind-now. The two are supposedly orthogonal: it is possible to do
bind-now without relro (and obviously, the reverse).

Second nit: the second default entry does not need to have a condition:
kconfig will stop on the first default entry whose condition is met, so
the second default entry would only apply if the first did not meet its
condition.

> depends on BR2_SHARED_LIBS
> help
> Enable a link-time protection know as RELRO (RELocation Read
> @@ -825,6 +828,7 @@ comment "RELocation Read Only (RELRO) needs shared libraries"
>
> choice
> bool "Buffer-overflow Detection (FORTIFY_SOURCE)"
> + default BR2_FORTIFY_SOURCE_2

This one however is the most problematic: fortify level 2 changes the
behaviour of some glibc functions, so programs that were conforming may
start to fail with level 2.

Level 1, on the other hand, does not change any function behaviour, so
if we want to enable fortify by default, that would be level 1.

I'll sit on this patch yet a little bit, and barring better arguments,
I'll apply it, with fortify downgraded to level 1, before the end of the
WE.

Regards,
Yann E. MORIN.

> depends on BR2_TOOLCHAIN_USES_GLIBC
> depends on !BR2_OPTIMIZE_0
> help
> --
> 2.30.2
>
--
.-----------------.--------------------.------------------.--------------------.
| Yann E. MORIN | Real-Time Embedded | /"\ ASCII RIBBON | Erics' conspiracy: |
| +33 662 376 056 | Software Designer | \ / CAMPAIGN | ___ |
| +33 561 099 427 `------------.-------: X AGAINST | \e/ There is no |
| http://ymorin.is-a-geek.org/ | _/*\_ | / \ HTML MAIL | v conspiracy. |
'------------------------------^-------^------------------^--------------------'
* [Buildroot] [PATCH v2, 1/1] Config.in: enable FORTIFY_SOURCE, PIC/PIE, RELRO, SSP by default
From: Matthew Weber @ 2021-05-03 15:35 UTC (permalink / raw)
To: buildroot
All,
On Sat, May 1, 2021 at 5:02 PM Yann E. MORIN <yann.morin.1998@free.fr> wrote:
>
> Fabrice, All,
>
> +Adam who poked me on IRC... ;-)
>
> On 2021-04-25 14:41 +0200, Fabrice Fontaine spake thusly:
> > Enhance security by enabling FORTIFY_SOURCE, PIC/PIE, RELRO and SSP by
> > default.
> >
> > This could help making IoT more secure and fight against the assumption
> > that buildroot does not support binary hardening (see
> > https://cyber-itl.org/2019/08/26/iot-data-writeup.html)
> >
> > Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
> > ---
> > Changes v1 -> v2:
> > - Use RELRO_PARTIAL if toolchain does not support PIE
> > - Enable BR2_FORTIFY_SOURCE_2 by default
> >
> > Config.in | 6 +++++-
> > 1 file changed, 5 insertions(+), 1 deletion(-)
> >
> > diff --git a/Config.in b/Config.in
> > index e35a78fb71..db6d4f01b4 100644
> > --- a/Config.in
> > +++ b/Config.in
> > @@ -715,6 +715,7 @@ comment "Security Hardening Options"
> >
> > config BR2_PIC_PIE
> > bool "Build code with PIC/PIE"
> > + default y
> > depends on BR2_SHARED_LIBS
> > depends on BR2_TOOLCHAIN_SUPPORTS_PIE
> > help
> > @@ -727,7 +728,7 @@ comment "PIC/PIE needs a toolchain w/ PIE"
> >
> > choice
> > bool "Stack Smashing Protection"
> > - default BR2_SSP_ALL if BR2_ENABLE_SSP # legacy
> > + default BR2_SSP_ALL
> > depends on BR2_TOOLCHAIN_HAS_SSP
> > help
> > Enable stack smashing protection support using GCC's
> > @@ -789,6 +790,8 @@ comment "Stack Smashing Protection needs a toolchain w/ SSP"
> >
> > choice
> > bool "RELRO Protection"
> > + default BR2_RELRO_FULL if BR2_TOOLCHAIN_SUPPORTS_PIE
> > + default BR2_RELRO_PARTIAL if !BR2_TOOLCHAIN_SUPPORTS_PIE
>
> Not your fault, but this relro-full conflates two things: actual relro,
> and bind-now. The two are supposedly orthogonal: it is possible to do
> bind-now without relro (and obviously, the reverse).
>
> Second nit: the second default entry does not need to have a condition:
> kconfig will stop on the first default entry whose condition is met, so
> the second default entry would only apply if the first did not meet its
> condition.
>
> > depends on BR2_SHARED_LIBS
> > help
> > Enable a link-time protection know as RELRO (RELocation Read
> > @@ -825,6 +828,7 @@ comment "RELocation Read Only (RELRO) needs shared libraries"
> >
> > choice
> > bool "Buffer-overflow Detection (FORTIFY_SOURCE)"
> > + default BR2_FORTIFY_SOURCE_2
>
> This one however is the most problematic: fortify level 2 changes the
> behaviour of some glibc functions, so programs that were conforming may
> start to fail with level 2.
>
> Level 1, on the other hand, does not change any function behaviour, so
> if we want to enable fortify by default, that would be level 1.
>

I second that fortify has to be 1 for the default case. The general
nature of this series will be really good to have as default as the
auto builders have worked out most of the bugs. Are there any
adjustments to the genrandconfig[1]?

Reviewed-by: Matthew Weber <matthew.weber@rockwellcollins.com>

[1] https://github.com/buildroot/buildroot/blob/master/utils/genrandconfig#L375 through L389