4a8874261b92c38d769813b511fd325580290528
[openwrt/openwrt.git] / include / hardening.mk
# SPDX-License-Identifier: GPL-2.0-only
#
# Copyright (C) 2015-2020 OpenWrt.org

# Per-package hardening switches.
#
# Every knob uses `?=`, so a value that already exists when this file is
# parsed (set earlier by the including Makefile, on the make command line, or
# in the environment) is kept. A value of 1 lets the matching CONFIG_PKG_*
# block below add its flags; any other value opts the package out of that
# hardening feature.
#
# NOTE(review): an opt-out is silent at build time. Audit packages that set one
# of these to 0 and record why the exemption is needed.
# Comments sit on their own lines so no trailing whitespace ends up in a value.

# Knobs that default to ON (a package has to opt out):
PKG_CHECK_FORMAT_SECURITY ?= 1
PKG_ASLR_PIE ?= 1
PKG_SSP ?= 1
PKG_FORTIFY_SOURCE ?= 1
PKG_RELRO ?= 1

# Knob that defaults to OFF (a package has to opt in); it is only read by the
# CONFIG_PKG_ASLR_PIE_REGULAR block.
PKG_ASLR_PIE_REGULAR ?= 0
# Format-string checking.
#
# Turns non-literal format strings passed without arguments into a hard
# compile error. -Wformat is passed explicitly because GCC's format-security
# diagnostic is only active while -Wformat is enabled.
# Applied only when the package has not opted out (PKG_CHECK_FORMAT_SECURITY
# is 1) and the build configuration defines CONFIG_PKG_CHECK_FORMAT_SECURITY.
ifeq ($(strip $(PKG_CHECK_FORMAT_SECURITY)),1)
  ifdef CONFIG_PKG_CHECK_FORMAT_SECURITY
    TARGET_CFLAGS += -Wformat -Werror=format-security
  endif
endif
# Position-independent executables (needed for the main binary to benefit
# from ASLR).
#
# Two build-wide modes feed the same flags:
#   CONFIG_PKG_ASLR_PIE_ALL      gated by PKG_ASLR_PIE, which defaults to 1 at
#                                the top of this file: packages opt OUT.
#   CONFIG_PKG_ASLR_PIE_REGULAR  gated by PKG_ASLR_PIE_REGULAR, which defaults
#                                to 0: packages opt IN.
# $(FPIC) and $(INCLUDE_DIR) are defined outside this file. The specs file is
# presumably what makes the link step produce a PIE -- confirm against
# hardened-ld-pie.specs.
#
# NOTE(review): the flags only reach packages whose build honours
# TARGET_CFLAGS / TARGET_LDFLAGS. To verify a built binary, check that
# `readelf -h` reports ELF type DYN.
ifeq ($(strip $(PKG_ASLR_PIE)),1)
  ifdef CONFIG_PKG_ASLR_PIE_ALL
    TARGET_CFLAGS += $(FPIC)
    TARGET_LDFLAGS += $(FPIC) -specs=$(INCLUDE_DIR)/hardened-ld-pie.specs
  endif
endif

ifeq ($(strip $(PKG_ASLR_PIE_REGULAR)),1)
  ifdef CONFIG_PKG_ASLR_PIE_REGULAR
    TARGET_CFLAGS += $(FPIC)
    TARGET_LDFLAGS += $(FPIC) -specs=$(INCLUDE_DIR)/hardened-ld-pie.specs
  endif
endif
# Stack-smashing protection (stack canaries).
#
# A package that sets PKG_SSP to anything other than 1 gets no canaries at
# all. Otherwise the build-wide CONFIG symbol picks the coverage level:
#   REGULAR  -fstack-protector         functions using alloca or holding
#                                      character buffers of 8 bytes or more
#   STRONG   -fstack-protector-strong  additionally functions with any local
#                                      array or address-taken local variable
#   ALL      -fstack-protector-all     every function
# NOTE(review): the three symbols are presumably mutually exclusive
# configuration choices (not visible in this file). If more than one were
# defined, the flags would be appended in the order below.
ifeq ($(strip $(PKG_SSP)),1)
  ifdef CONFIG_PKG_CC_STACKPROTECTOR_REGULAR
    TARGET_CFLAGS += -fstack-protector
  endif
  ifdef CONFIG_PKG_CC_STACKPROTECTOR_STRONG
    TARGET_CFLAGS += -fstack-protector-strong
  endif
  ifdef CONFIG_PKG_CC_STACKPROTECTOR_ALL
    TARGET_CFLAGS += -fstack-protector-all
  endif
endif
# Fortified libc calls (_FORTIFY_SOURCE).
#
# Level 1 adds conservative buffer-size checks to common libc calls; level 2
# adds stricter checks. A package opts out by setting PKG_FORTIFY_SOURCE to
# anything other than 1.
#
# NOTE(review): fortification generally relies on compiler optimisation being
# enabled. A package built without optimisation may silently get no checks,
# so confirm the effective optimisation level for packages that override it.
ifeq ($(strip $(PKG_FORTIFY_SOURCE)),1)
  ifdef CONFIG_PKG_FORTIFY_SOURCE_1
    TARGET_CFLAGS += -D_FORTIFY_SOURCE=1
  endif
  ifdef CONFIG_PKG_FORTIFY_SOURCE_2
    TARGET_CFLAGS += -D_FORTIFY_SOURCE=2
  endif
endif
# Read-only relocations (RELRO).
#
#   PARTIAL  -z relro          relocation data is remapped read-only after
#                              startup; lazily bound GOT entries stay writable
#   FULL     -z now -z relro   all symbols are bound at load time, so the GOT
#                              can be made read-only as well
# The options are added twice: as -Wl,... in TARGET_CFLAGS and as -z... in
# TARGET_LDFLAGS. Presumably this covers packages that link through the
# compiler driver using only one of the two variables -- confirm.
# A package opts out by setting PKG_RELRO to anything other than 1.
#
# NOTE(review): to verify a built binary, look for the GNU_RELRO segment in
# `readelf -l` and, for full RELRO, the BIND_NOW flag in `readelf -d`.
ifeq ($(strip $(PKG_RELRO)),1)
  ifdef CONFIG_PKG_RELRO_PARTIAL
    TARGET_CFLAGS += -Wl,-z,relro
    TARGET_LDFLAGS += -zrelro
  endif
  ifdef CONFIG_PKG_RELRO_FULL
    TARGET_CFLAGS += -Wl,-z,now -Wl,-z,relro
    TARGET_LDFLAGS += -znow -zrelro
  endif
endif