[Buildroot] [PATCH v4 02/13] security hardening: add RELFO, FORTIFY options

Johan Oudinet johan.oudinet at gmail.com
Thu Apr 26 15:55:17 UTC 2018


Hi Matt,

This is a late reply but we encounter a build failure in our system
due to changes in this patch, which I believe are wrong. See below.

On Wed, Jan 24, 2018 at 5:09 AM, Matt Weber
<matthew.weber at rockwellcollins.com> wrote:
> +
> +ifeq ($(BR2_SSP_REGULAR),y)
> +TARGET_CPPFLAGS += -fstack-protector
> +else ifeq ($(BR2_SSP_STRONG),y)
> +TARGET_CPPFLAGS += -fstack-protector-strong
> +else ifeq ($(BR2_SSP_ALL),y)
> +TARGET_CPPFLAGS += -fstack-protector-all
> +endif
...
>
> -ifeq ($(BR2_SSP_REGULAR),y)
> -TARGET_CFLAGS += -fstack-protector
> -TARGET_CXXFLAGS += -fstack-protector
> -TARGET_FCFLAGS += -fstack-protector
> -else ifeq ($(BR2_SSP_STRONG),y)
> -TARGET_CFLAGS += -fstack-protector-strong
> -TARGET_CXXFLAGS += -fstack-protector-strong
> -TARGET_FCFLAGS += -fstack-protector-strong
> -else ifeq ($(BR2_SSP_ALL),y)
> -TARGET_CFLAGS += -fstack-protector-all
> -TARGET_CXXFLAGS += -fstack-protector-all
> -TARGET_FCFLAGS += -fstack-protector-all
> -endif

I don't think -fstack-protector* flags belongs to the preprocessor flags.
Why did you move them from CFLAGS and CXXFLAGS? Your commit message
suggests this was an proposition from Arnout but I can't find his
email where he says that.

Best regards,
-- 
Johan


More information about the buildroot mailing list