[PATCH 0/3] add secure compilation option

*** BLURB HERE *** Qi Tao (3): uadk_engine: add secure compilation option README: add secure compilation option uadk: add secure compilation option uadk_engine/README.md | 4 ++++ uadk_engine/src/Makefile.am | 2 ++ uadk/Makefile.am | 2 ++ uadk/conf.sh | 2 ++ 4 files changed, 10 insertions(+) -- 2.33.0

Add PIE、PIC、BIND_NOW、SP、FS、Ftrapv and Strip compilation options.
Signed-off-by: Qi Tao <taoqi10@huawei.com>
---
 src/Makefile.am | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/src/Makefile.am b/src/Makefile.am
index c4b8aa9..5318d99 100644
--- a/src/Makefile.am
+++ b/src/Makefile.am
@@ -18,6 +18,8 @@ uadk_engine_la_LIBADD=-ldl $(WD_LIBS) -lpthread
 uadk_engine_la_LDFLAGS=-module -version-number $(VERSION)
 uadk_engine_la_CFLAGS=$(WD_CFLAGS) $(libcrypto_CFLAGS)
 uadk_engine_la_CFLAGS+=-DCRYPTO
+uadk_engine_la_CFLAGS+=-fPIC -fPIE -pie -fstack-protector-strong -D_FORTIFY_SOURCE=2 \
+-O2 -ftrapv -Wl,-z,now -Wl,-s
 AUTOMAKE_OPTIONS = subdir-objects
-- 
2.33.0
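Review bot: The added `uadk_engine_la_CFLAGS+=` line puts link-time options (`-pie`, `-Wl,-z,now`, `-Wl,-s`) into compile flags and requests `-fPIE -pie` for a target that the context line `uadk_engine_la_LDFLAGS=-module` shows is a libtool module, that is, a shared object rather than an executable. PIE options are meant for executables, and libtool's handling of compiler options at link time varies by version, so it is worth confirming that BIND_NOW really ends up in the built engine. I would drop `-fPIE -pie`, keep the compile-time options in CFLAGS, and move the linker part to `uadk_engine_la_LDFLAGS+=-Wl,-z,relro -Wl,-z,now`; `-z relro` is not passed anywhere in the hunk, and without it eager binding leaves the GOT writable unless the toolchain enables RELRO by default. The same flag line is added to `AM_CFLAGS` in the uadk `Makefile.am` hunk of patch 3. `readelf -d` (for `BIND_NOW`) and `readelf -l` (for `GNU_RELRO`) on the installed `.so` would confirm the result.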

Set the NO Rpath/RunPath compilation option by changing "hardcode_into_libs=yes" to "hardcode_into_libs=no" in libtool. Signed-off-by: Qi Tao <taoqi10@huawei.com> --- README.md | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/README.md b/README.md index 378fc81..a2ee9a2 100644 --- a/README.md +++ b/README.md @@ -56,6 +56,7 @@ Build and install UADK ./cleanup.sh ./autogen.sh ./configure + sed -i "s/hardcode_into_libs=yes/hardcode_into_libs=no/g" ./libtool make sudo make install ``` @@ -71,6 +72,7 @@ For openssl 1.1 cd uadk_engine autoreconf -i ./configure --libdir=/usr/local/lib/engines-1.1/ [--enable-kae] + sed -i "s/hardcode_into_libs=yes/hardcode_into_libs=no/g" ./libtool make sudo make install @@ -113,6 +115,7 @@ Install libraries to the temp folder $ cd uadk $ ./autogen.sh $ ./configure --prefix=/tmp/build + $ sed -i "s/hardcode_into_libs=yes/hardcode_into_libs=no/g" ./libtool $ make; make install $ pkg-config libwd --libs @@ -121,6 +124,7 @@ Install libraries to the temp folder $ cd uadk_engine $ autoreconf -i $ ./configure --prefix=/tmp/build + $ sed -i "s/hardcode_into_libs=yes/hardcode_into_libs=no/g" ./libtool $ make; make install // For openssl 1.1 -- 2.33.0

Add PIE、PIC、BIND_NOW、SP、NO Rpath/RunPath、FS、Ftrapv and Strip compilation option.
Signed-off-by: Qi Tao <taoqi10@huawei.com>
---
 Makefile.am | 2 ++
 conf.sh | 2 ++
 2 files changed, 4 insertions(+)
diff --git a/Makefile.am b/Makefile.am
index d81e8cc..0eea8b8 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -1,6 +1,8 @@
 ACLOCAL_AMFLAGS = -I m4 -I./include
 AUTOMAKE_OPTIONS = foreign subdir-objects
 AM_CFLAGS=-Wall -Werror -fno-strict-aliasing -I$(top_srcdir)/include
+AM_CFLAGS += -fPIC -fPIE -pie -fstack-protector-strong -D_FORTIFY_SOURCE=2 \
+-O2 -ftrapv -Wl,-z,now -Wl,-s
 CLEANFILES =
 if WITH_LOG_FILE
diff --git a/conf.sh b/conf.sh
index 59af821..aaa4187 100755
--- a/conf.sh
+++ b/conf.sh
@@ -18,3 +18,5 @@ ac_cv_func_malloc_0_nonnull=yes ac_cv_func_realloc_0_nonnull=yes ./configure \
 --target aarch64-linux-gnu \
 --includedir=/usr/local/include/uadk \
 $COMPILE_TYPE
+
+sed -i "s/hardcode_into_libs=yes/hardcode_into_libs=no/g" ./libtool
\ No newline at end of file
-- 
2.33.0
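Review bot: `-D_FORTIFY_SOURCE=2` is added to the same `AM_CFLAGS` that carries `-Werror` on the context line above, and it only takes effect because of the `-O2` next to it. Automake places the user's `CFLAGS` after `AM_CFLAGS`, so a debug build with `CFLAGS="-O0 -g"` makes glibc emit its "_FORTIFY_SOURCE requires compiling with optimization" warning, which `-Werror` turns into a build failure. A toolchain that already predefines `_FORTIFY_SOURCE` may likewise warn about the redefinition. Writing the option as `-U_FORTIFY_SOURCE -D_FORTIFY_SOURCE=2` avoids the redefinition case. A short comment above the line, such as `# fortification is inactive without optimisation; do not override -O2 with -O0`, would document the dependency.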
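Review bot: The added `sed -i` rewrites the generated `./libtool` without checking that `./configure` succeeded or that the pattern matched, and `sed` exits 0 when nothing is replaced. If a later libtool emits the setting differently, the RPATH/RUNPATH removal silently stops working and nothing in the build reports it. A check after the edit would make that failure visible, for example `grep -q '^hardcode_into_libs=no' ./libtool || { echo 'libtool: hardcode_into_libs not disabled' >&2; exit 1; }`. The new last line also lacks a trailing newline, as the `\ No newline at end of file` marker shows. The script's earlier lines are outside the hunk, so whether it already runs under `set -e` cannot be seen here.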