[Buildroot] [PATCH v3, 1/1] Config.in: enable FORTIFY_SOURCE, PIC/PIE, RELRO, SSP by default
Romain Naour
romain.naour at gmail.com
Sat May 8 15:37:11 UTC 2021
Le 03/05/2021 à 22:41, Yann E. MORIN a écrit :
> Fabrice, All,
>
> On 2021-05-03 20:22 +0200, Fabrice Fontaine spake thusly:
>> Enhance security by enabling FORTIFY_SOURCE, PIC/PIE, RELRO and SSP by
>> default.
>>
>> This could help making IoT more secure and fight against the assumption
>> that buildroot does not support binary hardening (see
>> https://cyber-itl.org/2019/08/26/iot-data-writeup.html)
>>
>> Signed-off-by: Fabrice Fontaine <fontaine.fabrice at gmail.com>
>> ---
[...]
>> diff --git a/Config.in b/Config.in
>> index e35a78fb71..6d954e1e0f 100644
>> --- a/Config.in
>> +++ b/Config.in
>> @@ -715,6 +715,7 @@ comment "Security Hardening Options"
>>
>> config BR2_PIC_PIE
>> bool "Build code with PIC/PIE"
>> + default y
>> depends on BR2_SHARED_LIBS
>> depends on BR2_TOOLCHAIN_SUPPORTS_PIE
>> help
>> @@ -727,7 +728,7 @@ comment "PIC/PIE needs a toolchain w/ PIE"
>>
>> choice
>> bool "Stack Smashing Protection"
>> - default BR2_SSP_ALL if BR2_ENABLE_SSP # legacy
>> + default BR2_SSP_ALL
>
> While discussing this with Matt on IRC, we noticed that SSP-all can have
> quite a significant impact on performance, and that SSP-strong (when
> available) would be a better default (resorting to SSP-regular
> otherwise).
>
> Yes, this decreases the security level Buildroot wil use by default. But
> security is always to be balanced against performance, and this is always
> a tricky choice to make; I believe relaxing SSP was striking a good
> balance (especially since, today, most gcc versions should have
> SSP-strong available).
>
> Applied to master, thank you!
>
It seems that some defconfigs are failing to build with this option by default:
https://gitlab.com/kubu93/buildroot/-/pipelines/299584088
At least:
qemu_riscv32_virt_defconfig
https://gitlab.com/kubu93/buildroot/-/jobs/1247043359
qemu_s390x_defconfig
https://gitlab.com/kubu93/buildroot/-/jobs/1247043361
(I was testing the new qemu 6.0.0)
Best regards,
Romain
> Regards,
> Yann E. MORIN.
>
More information about the buildroot
mailing list