[PATCH v3 0/2] uadk/uadk_engine: add secure compilation option
*** BLURB HERE *** Qi Tao (1): uadk: add secure compilation option Makefile.am | 2 ++ configure.ac | 1 + 2 files changed, 3 insertions(+) Qi Tao (2): uadk_engine: add secure compilation option configure.ac | 1 + src/Makefile.am | 2 ++ 2 files changed, 3 insertions(+) -- 2.33.0
Add PIE, PIC, BIND_NOW, SP, NO Rpath/RunPath, FS, Ftrapv and Strip compilation option. PIC(-fPIC): Generate position-Independent-Code and andomly load dynamic libraries. PIE(-fPIE -pie): Generate location-independent executables,which reduces the probability of fixed address attacks and buffer overflow attacks. BIND_NOW(-Wl,-z,relro,-z,now): GOT table redirects all read-only,which defends against ret2plt attacks. SP(-fstack-protector-strong/all): Determine whether an overflow attack occurs. Strip(-Wl,-s): Deleting symbol tables defends against hacker attacks and reduces the file size. FS(-D_FORTIFY_SOURCE=2 -O2): Provides access checks for fixed-size buffers at compile time and at run time. Ftrapv(-ftrapv): Detects integer overflow. NO Rpath/RunPath(hardcode_into_libs=no): Eliminates dynamic library search paths, which defense against attacks by replacing dynamic libraries with the same name. Signed-off-by: Qi Tao <taoqi10@huawei.com> --- Makefile.am | 2 ++ configure.ac | 1 + 2 files changed, 3 insertions(+) diff --git a/Makefile.am b/Makefile.am index d81e8cc..fd84934 100644 --- a/Makefile.am +++ b/Makefile.am @@ -1,6 +1,8 @@ ACLOCAL_AMFLAGS = -I m4 -I./include AUTOMAKE_OPTIONS = foreign subdir-objects AM_CFLAGS=-Wall -Werror -fno-strict-aliasing -I$(top_srcdir)/include +AM_CFLAGS+=-fPIC -fPIE -pie -fstack-protector-strong -D_FORTIFY_SOURCE=2 \ + -O2 -ftrapv -Wl,-z,relro,-z,now -Wl,-s CLEANFILES = if WITH_LOG_FILE diff --git a/configure.ac b/configure.ac index 2692175..b198417 100644 --- a/configure.ac +++ b/configure.ac @@ -18,6 +18,7 @@ AM_PROG_AR AC_PROG_LIBTOOL AM_PROG_LIBTOOL LT_INIT +AC_SUBST([hardcode_into_libs], [no]) AM_PROG_CC_C_O AC_ARG_ENABLE([debug-log], -- 2.33.0
Add PIE, PIC, BIND_NOW, SP, NO Rpath/RunPath, FS, Ftrapv and Strip compilation options. PIC(-fPIC): Generate position-Independent-Code and andomly load dynamic libraries. PIE(-fPIE -pie): Generate location-independent executables,which reduces the probability of fixed address attacks and buffer overflow attacks. BIND_NOW(-Wl,-z,relro,-z,now): GOT table redirects all read-only,which defends against ret2plt attacks. SP(-fstack-protector-strong/all): Determine whether an overflow attack occurs. Strip(-Wl,-s): Deleting symbol tables defends against hacker attacks and reduces the file size. FS(-D_FORTIFY_SOURCE=2 -O2): Provides access checks for fixed-size buffers at compile time and at run time. Ftrapv(-ftrapv): Detects integer overflow. NO Rpath/RunPath(hardcode_into_libs=no): Eliminates dynamic library search paths, which defense against attacks by replacing dynamic libraries with the same name. Signed-off-by: Qi Tao <taoqi10@huawei.com> --- configure.ac | 1 + src/Makefile.am | 2 ++ 2 files changed, 3 insertions(+) diff --git a/configure.ac b/configure.ac index 6c5369e..99b85e9 100644 --- a/configure.ac +++ b/configure.ac @@ -7,6 +7,7 @@ AC_CONFIG_HEADERS([config.h]) AC_PROG_CC LT_INIT +AC_SUBST([hardcode_into_libs], [no]) AC_ARG_ENABLE(kae, AS_HELP_STRING([--enable-kae],[Enable kae support])) diff --git a/src/Makefile.am b/src/Makefile.am index c4b8aa9..e014052 100644 --- a/src/Makefile.am +++ b/src/Makefile.am @@ -18,6 +18,8 @@ uadk_engine_la_LIBADD=-ldl $(WD_LIBS) -lpthread uadk_engine_la_LDFLAGS=-module -version-number $(VERSION) uadk_engine_la_CFLAGS=$(WD_CFLAGS) $(libcrypto_CFLAGS) uadk_engine_la_CFLAGS+=-DCRYPTO +uadk_engine_la_CFLAGS+=-fPIC -fPIE -pie -fstack-protector-strong -D_FORTIFY_SOURCE=2 \ + -O2 -ftrapv -Wl,-z,relro,-z,now -Wl,-s AUTOMAKE_OPTIONS = subdir-objects -- 2.33.0
participants (1)
-
Qi Tao