build: add hardened builds with PIE (ASLR) support

Introduce a configuration option to build a "hardened" OpenWrt with
ASLR PIE support.

Add new option PKG_ASLR_PIE to enable Address Space Layout Randomization (ASLR)
by building Position Independent Executables (PIE). This new option protects
against "return-to-text" attacks.

Busybox needs special care: the link is done with ld, not gcc, leading to
unknown flags. Set BUSYBOX_DEFAULT_PIE instead and disable PKG_ASLR_PIE.

If other failing packages were found, PKG_ASLR_PIE:=0 should be added to
their Makefiles.

Original Work by: Yongkui Han <yonhan@cisco.com>
Signed-off-by: Julien Dusser <julien.dusser@free.fr>
Julien Dusser 2018-01-08 23:47:06 +01:00 committed by Hauke Mehrtens
parent ca7e8627db
commit df0bd42fde
4 changed files with 28 additions and 0 deletions


@ -184,6 +184,22 @@ menu "Global build settings"
this per package by adding PKG_CHECK_FORMAT_SECURITY:=0 in the package this per package by adding PKG_CHECK_FORMAT_SECURITY:=0 in the package
Makefile. Makefile.
config PKG_ASLR_PIE
bool
prompt "User space ASLR PIE compilation"
select BUSYBOX_DEFAULT_PIE
default n
help
Add -fPIC to CFLAGS and -specs=hardened-build-ld to LDFLAGS.
This enables package build as Position Independent Executables (PIE)
to protect against "return-to-text" attacks. This belongs to the
feature of Address Space Layout Randomisation (ASLR), which is
implemented by the kernel and the ELF loader by randomising the
location of memory allocations. This makes memory addresses harder
to predict when an attacker is attempting a memory-corruption exploit.
You can disable this per package by adding PKG_ASLR_PIE:=0 in the package
Makefile.
choice choice
prompt "User space Stack-Smashing Protection" prompt "User space Stack-Smashing Protection"
depends on USE_MUSL depends on USE_MUSL
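Review bot: the help text for PKG_ASLR_PIE names the linker spec as -specs=hardened-build-ld, but the makefile hunk in this same commit passes -specs=$(INCLUDE_DIR)/hardened-ld-pie.specs; the help string should use the real file name so that a user searching for it finds the file. The help could also state that enabling this option forces BUSYBOX_DEFAULT_PIE through the select line, since that side effect is not otherwise visible from the menu entry.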


@ -0,0 +1,2 @@
*self_spec:
+ %{no-pie|static|r|shared:;:-pie}
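Review bot: the spec line %{no-pie|static|r|shared:;:-pie} is undocumented, so a maintainer has to decode the spec syntax to learn that -pie is withheld when any of no-pie, static, r or shared is given. A sentence in the commit message or next to the makefile line that references this file should list those four exclusions and note that the spec only takes effect when gcc drives the link, which is the reason the commit message gives for the Busybox exception.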


@ -6,6 +6,7 @@
# #
PKG_CHECK_FORMAT_SECURITY ?= 1 PKG_CHECK_FORMAT_SECURITY ?= 1
PKG_ASLR_PIE ?= 1
PKG_SSP ?= 1 PKG_SSP ?= 1
PKG_FORTIFY_SOURCE ?= 1 PKG_FORTIFY_SOURCE ?= 1
PKG_RELRO ?= 1 PKG_RELRO ?= 1
@ -15,6 +16,12 @@ ifdef CONFIG_PKG_CHECK_FORMAT_SECURITY
TARGET_CFLAGS += -Wformat -Werror=format-security TARGET_CFLAGS += -Wformat -Werror=format-security
endif endif
endif endif
ifdef CONFIG_PKG_ASLR_PIE
ifeq ($(strip $(PKG_ASLR_PIE)),1)
TARGET_CFLAGS += -fPIC
TARGET_LDFLAGS += -specs=$(INCLUDE_DIR)/hardened-ld-pie.specs
endif
endif
ifdef CONFIG_PKG_CC_STACKPROTECTOR_REGULAR ifdef CONFIG_PKG_CC_STACKPROTECTOR_REGULAR
ifeq ($(strip $(PKG_SSP)),1) ifeq ($(strip $(PKG_SSP)),1)
TARGET_CFLAGS += -fstack-protector TARGET_CFLAGS += -fstack-protector
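Review bot: in the CONFIG_PKG_ASLR_PIE block, -fPIC goes into TARGET_CFLAGS while -pie is only reached through the specs file in TARGET_LDFLAGS, so a package whose build ignores TARGET_LDFLAGS will compile position-independent objects and still link a non-PIE executable without any error. Consider adding a post-build check on installed executables (for example, that the ELF type is ET_DYN) so that such packages are detected and either fixed or explicitly marked PKG_ASLR_PIE:=0, instead of shipping unhardened while the option reads as enabled.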


@ -22,6 +22,9 @@ PKG_BUILD_PARALLEL:=1
PKG_CHECK_FORMAT_SECURITY:=0 PKG_CHECK_FORMAT_SECURITY:=0
PKG_INSTALL:=1 PKG_INSTALL:=1
#Busybox use it's own PIE config flag and LDFLAGS are used with ld, not gcc.
PKG_ASLR_PIE:=0
PKG_LICENSE:=GPL-2.0 PKG_LICENSE:=GPL-2.0
PKG_LICENSE_FILES:=LICENSE archival/libarchive/bz/LICENSE PKG_LICENSE_FILES:=LICENSE archival/libarchive/bz/LICENSE
PKG_CPE_ID:=cpe:/a:busybox:busybox PKG_CPE_ID:=cpe:/a:busybox:busybox
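Review bot: PKG_ASLR_PIE:=0 here keeps Busybox position independent only because the Config.in entry carries select BUSYBOX_DEFAULT_PIE; the comment above the assignment should say so, since the two lines live in different files and dropping the select later would silently remove PIE from Busybox. As a style point, the comment needs a space after the # and should read "Busybox uses its own PIE config flag".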