On Fri, 2016-08-19 at 10:07 -0700, Khem Raj wrote:
> > On Aug 19, 2016, at 8:34 AM, Joshua Lock <[email protected]> wrote:
> >
> > This tells the compiler to use a canary to protect any function which
> > declares a character array of 4 or more bytes on its stack, rather
> > than the default of 8 or more bytes.
>
> That's fine, however, it slows down the code, strong option was a compromise
> otherwise we could just use fstack-protector-all

It's my understanding that the ssp-buffer-size parameter changes the size of buffer the base, fstack-protector, protections affect and that the performance impact is less significant than adding protections to all functions via stack-protector-all?

FWIW, the related options in Fedora and Ubuntu:

* Ubuntu: -fstack-protector --param=ssp-buffer-size=4 (default in hardened builds)
* Fedora: -fstack-protector-strong --param=ssp-buffer-size=4 (default in all builds)

Regards,

Joshua

> > > > > > Signed-off-by: Joshua Lock <[email protected]> > > --- > > meta/conf/distro/include/security_flags.inc | 4 ++-- > > 1 file changed, 2 insertions(+), 2 deletions(-) > > > > diff --git a/meta/conf/distro/include/security_flags.inc > > b/meta/conf/distro/include/security_flags.inc > > index 77fade6..691cea1 100644 > > --- a/meta/conf/distro/include/security_flags.inc > > +++ b/meta/conf/distro/include/security_flags.inc 
> > @@ -12,8 +12,8 @@ lcl_maybe_fortify = "${@base_conditional('DEBUG_B > > UILD','1','','-D_FORTIFY_SOURCE > > # Error on use of format strings that represent possible security > > problems > > SECURITY_STRINGFORMAT ?= "-Wformat -Wformat-security > > -Werror=format-security" > > > > -SECURITY_CFLAGS ?= "-fstack-protector-strong -pie -fpie > > ${lcl_maybe_fortify} ${SECURITY_STRINGFORMAT}" > > -SECURITY_NO_PIE_CFLAGS ?= "-fstack-protector-strong > > ${lcl_maybe_fortify} ${SECURITY_STRINGFORMAT}" > > +SECURITY_CFLAGS ?= "-fstack-protector-strong --param ssp-buffer- > > size=4 -pie -fpie ${lcl_maybe_fortify} ${SECURITY_STRINGFORMAT}" > > +SECURITY_NO_PIE_CFLAGS ?= "-fstack-protector-strong --param ssp- > > buffer-size=4 ${lcl_maybe_fortify} ${SECURITY_STRINGFORMAT}" > > > > SECURITY_LDFLAGS ?= "-Wl,-z,relro,-z,now" > > SECURITY_X_LDFLAGS ?= "-Wl,-z,relro" > > -- > > 2.7.4 > > > > -- > > _______________________________________________ > > Openembedded-core mailing list > > [email protected] > > http://lists.openembedded.org/mailman/listinfo/openembedded-core
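
Review bot: On the two `+` lines, `--param ssp-buffer-size=4` is added next to `-fstack-protector-strong`, but the commit message describes the effect only as lowering the character-array threshold from 8 to 4 bytes, and the reply in this thread ties that parameter to the base -fstack-protector heuristic. Please state in the commit message what the parameter changes when it is combined with -strong, and add a one-line comment above SECURITY_CFLAGS (as SECURITY_STRINGFORMAT already has) saying why it is set. The performance concern raised in the thread is also not answered by any measurement in the change, so a note on the expected or measured cost would help.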
