toolchain: add gcc configure default PIE and SSP

GCC supports --enable-default-ssp starting with version 5 and --enable-default-pie
starting with version 6.

It produces hardened binaries by default without dealing with package
compilation flags.

Signed-off-by: Julien Dusser <julien.dusser@free.fr>
Julien Dusser 2018-01-07 17:41:35 +01:00 committed by Hauke Mehrtens
parent df0bd42fde
commit 55779569eb
2 changed files with 25 additions and 0 deletions


@ -37,6 +37,21 @@ config EXTRA_GCC_CONFIG_OPTIONS
help
Any additional gcc options you may want to include....
config GCC_DEFAULT_PIE
bool
prompt "Build executable with PIE enabled by default" if TOOLCHAINOPTS
depends on !GCC_USE_VERSION_5
default n
help
Use gcc configure option --enable-default-pie to turn on -fPIE and -pie by default.
config GCC_DEFAULT_SSP
bool
prompt "Build executable with Stack-Smashing Protection enabled by default" if TOOLCHAINOPTS
default n
help
Use gcc configure option --enable-default-ssp to turn on -fstack-protector-strong by default.
config SSP_SUPPORT
bool
prompt "Enable Stack-Smashing Protection support" if TOOLCHAINOPTS
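Review bot: GCC_DEFAULT_SSP can be selected with no dependency on SSP_SUPPORT or on the target libc, yet `--enable-default-ssp` makes every compilation reference the stack-protector runtime (`__stack_chk_fail`, `__stack_chk_guard`), so on a C library that does not ship it and with libssp disabled the toolchain would emit binaries that fail to link. SSP_SUPPORT is defined right below; `depends on SSP_SUPPORT` (or whatever expresses "libc or libssp provides the SSP runtime" for the libcs this tree still supports — musl has it built in) would make the option safe to pick. Separately, the commit message says SSP needs GCC 5 and PIE needs GCC 6, but the only guard added is `depends on !GCC_USE_VERSION_5` on GCC_DEFAULT_PIE; if an older GCC remains selectable (the common.mk hunk still tests GCC_VERSION_4_8), both options presumably need that version excluded as well, which is worth confirming against the version choices.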


@ -133,6 +133,16 @@ ifndef GCC_VERSION_4_8
GCC_CONFIGURE += --with-diagnostics-color=auto-if-env
endif
ifneq ($(CONFIG_GCC_DEFAULT_PIE),)
GCC_CONFIGURE+= \
--enable-default-pie
endif
ifneq ($(CONFIG_GCC_DEFAULT_SSP),)
GCC_CONFIGURE+= \
--enable-default-ssp
endif
ifneq ($(CONFIG_SSP_SUPPORT),)
GCC_CONFIGURE+= \
--enable-libssp
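Review bot: The two new `ifneq` blocks pass `--enable-default-pie` and `--enable-default-ssp` straight to configure with nothing telling a reader of this file that they are only valid from GCC 6 and GCC 5 respectively, and that the version check lives in the Kconfig dependency rather than here. A one-line comment above each block, e.g. `# --enable-default-pie needs GCC >= 6; the version restriction is enforced by the GCC_DEFAULT_PIE Kconfig dependency` and the GCC >= 5 equivalent for SSP, would keep the next person from adding a new GCC version choice without revisiting it. It is also worth stating in that comment whether default SSP is expected to work without `--enable-libssp` (the SSP_SUPPORT block just below), since on a libc without a built-in stack-protector runtime the two options are coupled; I am inferring that from the flags, not from anything on the page. The enclosing SSP_SUPPORT block continues past the end of the hunk.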