buildsystem: Make PIE ASLR option tristate

This tristate choose allows to select to build only some applications with PIE enabled. On MIPS binaries are getting about 30% bigger when PIE is activated for the, which is a huge increase. Network exposed applications like dnsmasq should then be build with PIE enabled, but some applications which are normally not parsing data from the network do not have it activated. The regular option should give a good trade off between extra flash and RAM memory usage and security. This changes the default from building no applications with PIE to build some specifically marked applications with PIE enabled. This option is only activated for targets with bigger flash and RAM to not consume extra memory on the very small targets. On SDK builds the Regular option should always be selected, because some tiny targets share the applications with big targets and only the images for the tiny targets should contain the none PIE applications, but the images for the normal targets should use PIE. The shared packages should always use PIE when it should be normally activated. Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de> Acked-by: Petr Štetiar <ynezz@true.cz>
5 years ago · 19cbac7d26
parent 3446702cdb
commit 19cbac7d26
2 changed files with 26 additions and 5 deletions
--- a/config/Config-build.in
+++ b/config/Config-build.in
@ -216,11 +216,10 @@ menu "Global build settings"
 		  this per package by adding PKG_CHECK_FORMAT_SECURITY:=0 in the package
 		  Makefile.
-	config PKG_ASLR_PIE
+	choice
 		bool
 		prompt "User space ASLR PIE compilation"
-		select BUSYBOX_DEFAULT_PIE
+		default PKG_ASLR_PIE_NONE if ((SMALL_FLASH || LOW_MEMORY_FOOTPRINT) && !SDK)
-		default n
+		default PKG_ASLR_PIE_REGULAR
 		help
 		  Add -fPIC to CFLAGS and -specs=hardened-build-ld to LDFLAGS.
 		  This enables package build as Position Independent Executables (PIE)
@ -231,6 +230,21 @@ menu "Global build settings"
 		  to predict when an attacker is attempting a memory-corruption exploit.
 		  You can disable this per package by adding PKG_ASLR_PIE:=0 in the package
 		  Makefile.
 		  Be ware that ASLR increases the binary size.
 		config PKG_ASLR_PIE_NONE
 			bool "None"
 			help
 			  PIE is deactivated for all applications
 		config PKG_ASLR_PIE_REGULAR
 			bool "Regular"
 			help
 			  PIE is activated for some binaries, mostly network exposed applications
 		config PKG_ASLR_PIE_ALL
 			bool "All"
 			select BUSYBOX_DEFAULT_PIE
 			help
 			  PIE is activated for all applications
 	endchoice
 	choice
 		prompt "User space Stack-Smashing Protection"
--- a/include/hardening.mk
+++ b/include/hardening.mk
@ -7,6 +7,7 @@
 PKG_CHECK_FORMAT_SECURITY ?= 1
 PKG_ASLR_PIE ?= 1
 PKG_ASLR_PIE_REGULAR ?= 0
 PKG_SSP ?= 1
 PKG_FORTIFY_SOURCE ?= 1
 PKG_RELRO ?= 1
@ -16,12 +17,18 @@ ifdef CONFIG_PKG_CHECK_FORMAT_SECURITY
    TARGET_CFLAGS += -Wformat -Werror=format-security
  endif
 endif
-ifdef CONFIG_PKG_ASLR_PIE
+ifdef CONFIG_PKG_ASLR_PIE_ALL
  ifeq ($(strip $(PKG_ASLR_PIE)),1)
    TARGET_CFLAGS += $(FPIC)
    TARGET_LDFLAGS += $(FPIC) -specs=$(INCLUDE_DIR)/hardened-ld-pie.specs
  endif
 endif
 ifdef CONFIG_PKG_ASLR_PIE_REGULAR
  ifeq ($(strip $(PKG_ASLR_PIE_REGULAR)),1)
    TARGET_CFLAGS += $(FPIC)
    TARGET_LDFLAGS += $(FPIC) -specs=$(INCLUDE_DIR)/hardened-ld-pie.specs
  endif
 endif
 ifdef CONFIG_PKG_CC_STACKPROTECTOR_REGULAR
  ifeq ($(strip $(PKG_SSP)),1)
    TARGET_CFLAGS += -fstack-protector