toolchain: allow PIC/PIE without RELRO
author Yann E. MORIN <yann.morin@orange.com>
Tue, 12 Mar 2019 12:09:36 +0000 (13:09 +0100)
committer Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
Sat, 3 Aug 2019 21:19:36 +0000 (23:19 +0200)
In commit 7484c1c3b806 (toolchain/toolchain-wrapper: add BR2_RELRO_),
we added the PIC/PIE flags, but based on the RELRO_FULL condition.

It is however totally possible to do a PIC/PIE executable without
RELRO_FULL, as it is also valid to do a PIC/PIE build with RELRO_PARTIAL.

Add a new option that now governs the PIC/PIE flags.

Note: it is unknown if RELRO_FULL really needs PIC/PIE or not, so we
keep the current situation, where RELRO_FULL forces PIC/PIE compilation.
Decoupling can come later from an interested party.

Signed-off-by: "Yann E. MORIN" <yann.morin@orange.com>
Cc: Matt Weber <matthew.weber@rockwellcollins.com>
Cc: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Cc: Thomas De Schampheleire <thomas.de_schampheleire@nokia.com>
Reviewed-by: Matthew Weber <matthew.weber@rockwellcollins.com>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
Config.in
toolchain/toolchain-wrapper.c
toolchain/toolchain-wrapper.mk

index 80f4eda70532c41491fd8fdf01baafd59a6c3d40..21d1de2ff1bbc1e8d762f750c7bbc701b7fb9f9c 100644
--- a/Config.in
+++ b/Config.in
@@ -712,6 +712,13 @@ endmenu
 
 comment "Security Hardening Options"
 
+config BR2_PIC_PIE
+       bool "Build code with PIC/PIE"
+       depends on BR2_SHARED_LIBS
+       help
+         Generate Position-Independent Code (PIC) and link
+         Position-Independent Executables (PIE).
+
 choice
        bool "Stack Smashing Protection"
        default BR2_SSP_ALL if BR2_ENABLE_SSP # legacy
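Review bot: the help text for BR2_PIC_PIE in this hunk does not say what the option does to the build, namely that the toolchain wrapper injects the PIC/PIE flags, nor that BR2_RELRO_FULL selects it, so a user who finds it forced on cannot tell why; the `depends on BR2_SHARED_LIBS` line is likewise unexplained (presumably because a PIE needs dynamic linking). Suggest extending the help with two short sentences, e.g. "The toolchain wrapper adds the corresponding compiler and linker flags." and "This option is also selected by BR2_RELRO_FULL."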
@@ -794,6 +801,7 @@ config BR2_RELRO_PARTIAL
 
 config BR2_RELRO_FULL
        bool "Full"
+       select BR2_PIC_PIE
        help
          This option includes the partial configuration, but also marks
          the GOT as read-only at the cost of initialization time during
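Review bot: `select BR2_PIC_PIE` on BR2_RELRO_FULL forces the option on regardless of the `depends on BR2_SHARED_LIBS` that the first hunk places on BR2_PIC_PIE; Kconfig `select` does not honour the selected symbol's dependencies, so unless the RELRO choice is itself restricted to BR2_SHARED_LIBS builds, a static-only configuration with Full RELRO will get an unmet-dependency warning and a BR2_PIC_PIE=y that the toolchain wrapper then acts on. Suggest adding `depends on BR2_SHARED_LIBS` beside the select (or on the enclosing choice), and a one-line Kconfig comment recording what the commit message says, that it is not established whether Full RELRO actually requires PIC/PIE, so that a later decoupling knows where to start.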
index c73a0cc0792973f5280daa446b0aa7de16ffc767..7a4b9c400793f03fef091aeade185929cb5e0022 100644
@@ -367,7 +367,7 @@ int main(int argc, char **argv)
                *cur++ = "-Wno-builtin-macro-redefined";
        }
 
-#ifdef BR2_RELRO_FULL
+#ifdef BR2_PIC_PIE
        /* Patterned after Fedora/Gentoo hardening approaches.
         * https://fedoraproject.org/wiki/Changes/Harden_All_Packages
         * https://wiki.gentoo.org/wiki/Hardened/Toolchain#Position_Independent_Executables_.28PIEs.29
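Review bot: only the preprocessor guard changes from BR2_RELRO_FULL to BR2_PIC_PIE here; the flags the block emits and its closing `#endif` are outside the hunk, so it is worth confirming that nothing inside that block is still RELRO-specific (the two hardening links in the comment describe PIE in general, not RELRO) and that no other `#ifdef BR2_RELRO_FULL` in the wrapper still gates PIE-related flags. A brief comment naming the Kconfig symbol that drives this block would help the next reader connect it back to Config.in.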
index 8f872506ec689f2f9bb6fc831866c82a6cba2ce5..970bde76a04d201638abb4732e6c5b583083f0a7 100644
@@ -49,6 +49,10 @@ ifeq ($(BR2_CCACHE_USE_BASEDIR),y)
 TOOLCHAIN_WRAPPER_ARGS += -DBR_CCACHE_BASEDIR='"$(BASE_DIR)"'
 endif
 
+ifeq ($(BR2_PIC_PIE),y)
+TOOLCHAIN_WRAPPER_ARGS += -DBR2_PIC_PIE
+endif
+
 ifeq ($(BR2_RELRO_PARTIAL),y)
 TOOLCHAIN_WRAPPER_ARGS += -DBR2_RELRO_PARTIAL
 else ifeq ($(BR2_RELRO_FULL),y)
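Review bot: the added `ifeq ($(BR2_PIC_PIE),y)` block follows the same shape as the RELRO_PARTIAL/RELRO_FULL block below it, which keeps the wrapper defines consistent; one documentation suggestion is a short comment above it noting that BR2_PIC_PIE is also set by BR2_RELRO_FULL via `select`, so that someone reading the .mk alone understands why a Full RELRO build passes both -DBR2_PIC_PIE and -DBR2_RELRO_FULL to the wrapper.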