On Sun, Oct 27, 2019 at 10:46 AM Hauke Mehrtens <[email protected]> wrote: > > This tristate choose allows to select to build only some applications > with PIE enabled. On MIPS binaries are getting about 30% bigger when PIE > is activated for the, which is a huge increase. Some of the size increase can be mitigated with extra compile-time options:
TARGET_CFLAGS += -ffunction-sections -fdata-sections -flto TARGET_LDFLAGS += -Wl,--gc-sections,--as-needed LTO sometimes causes problems but the others should be safe. PKG_ASLR_PIE applies $(FPIC) to both C and LDFLAGS. I've noticed that applying it only to the former increases the size but not as much as with both. No idea why. > > Network exposed applications like dnsmasq should then be build with PIE > enabled, but some applications which are normally not parsing data from > the network do not have it activated. The regular option should give a > good trade off between extra flash and RAM memory usage and security. > > This changes the default from building no applications with PIE to build > some specifically marked applications with PIE enabled. This option is > only activated for targets with bigger flash and RAM to not consume > extra memory on the very small targets. On SDK builds the Regular option > should always be selected, because some tiny targets share the > applications with big targets and only the images for the tiny targets > should contain the none PIE applications, but the images for the normal > targets should use PIE. The shared packages should always use PIE when > it should be normally activated. > > Signed-off-by: Hauke Mehrtens <[email protected]> > --- > > I hope this !SDK option works. I haven't fully tested this. > I want to make sure this is activated on the targets which are not > small, but not activate it in the tiny images. For extra installed > packages it should be activated. > > > config/Config-build.in | 22 ++++++++++++++++++---- > include/hardening.mk | 9 ++++++++- > 2 files changed, 26 insertions(+), 5 deletions(-) > > diff --git a/config/Config-build.in b/config/Config-build.in > index 872e5c12ab..aa05e34f56 100644 > --- a/config/Config-build.in > +++ b/config/Config-build.in > @@ -212,11 +212,10 @@ menu "Global build settings" > this per package by adding PKG_CHECK_FORMAT_SECURITY:=0 in > the package > Makefile. > > - config PKG_ASLR_PIE > - bool > + choice > prompt "User space ASLR PIE compilation" > - select BUSYBOX_DEFAULT_PIE > - default n > + default PKG_ASLR_PIE_NONE if ((SMALL_FLASH || > LOW_MEMORY_FOOTPRINT) && !SDK) > + default PKG_ASLR_PIE_REGULAR > help > Add -fPIC to CFLAGS and -specs=hardened-build-ld to LDFLAGS. > This enables package build as Position Independent > Executables (PIE) > @@ -227,6 +226,21 @@ menu "Global build settings" > to predict when an attacker is attempting a > memory-corruption exploit. > You can disable this per package by adding PKG_ASLR_PIE:=0 > in the package > Makefile. > + Be ware that ASLR increases the binary size. > + config PKG_ASLR_PIE_NONE > + bool "None" > + help > + PIE is deactivated for all applications > + config PKG_ASLR_PIE_REGULAR > + bool "Regular" > + help > + PIE is activated for some binaries, mostly network > exposed applications > + config PKG_ASLR_PIE_ALL > + bool "All" > + select BUSYBOX_DEFAULT_PIE > + help > + PIE is activated for all applications > + endchoice > > choice > prompt "User space Stack-Smashing Protection" > diff --git a/include/hardening.mk b/include/hardening.mk > index 60f39428e8..4e49e6b1b9 100644 > --- a/include/hardening.mk > +++ b/include/hardening.mk > @@ -7,6 +7,7 @@ > > PKG_CHECK_FORMAT_SECURITY ?= 1 > PKG_ASLR_PIE ?= 1 > +PKG_ASLR_PIE_REGULAR ?= 0 > PKG_SSP ?= 1 > PKG_FORTIFY_SOURCE ?= 1 > PKG_RELRO ?= 1 > @@ -16,12 +17,18 @@ ifdef CONFIG_PKG_CHECK_FORMAT_SECURITY > TARGET_CFLAGS += -Wformat -Werror=format-security > endif > endif > -ifdef CONFIG_PKG_ASLR_PIE > +ifdef CONFIG_PKG_ASLR_PIE_ALL > ifeq ($(strip $(PKG_ASLR_PIE)),1) > TARGET_CFLAGS += $(FPIC) > TARGET_LDFLAGS += $(FPIC) -specs=$(INCLUDE_DIR)/hardened-ld-pie.specs > endif > endif > +ifdef CONFIG_PKG_ASLR_PIE_REGULAR > + ifeq ($(strip $(PKG_ASLR_PIE_REGULAR)),1) > + TARGET_CFLAGS += $(FPIC) > + TARGET_LDFLAGS += $(FPIC) -specs=$(INCLUDE_DIR)/hardened-ld-pie.specs > + endif > +endif > ifdef CONFIG_PKG_CC_STACKPROTECTOR_REGULAR > ifeq ($(strip $(PKG_SSP)),1) > TARGET_CFLAGS += -fstack-protector > -- > 2.20.1 > > > _______________________________________________ > openwrt-devel mailing list > [email protected] > https://lists.openwrt.org/mailman/listinfo/openwrt-devel _______________________________________________ openwrt-devel mailing list [email protected] https://lists.openwrt.org/mailman/listinfo/openwrt-devel
