andrius
/
arm-trusted-firmware
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Add support for default stack-protector flag 

The current stack-protector support is for none, "strong" or "all".
The default use of the flag enables the stack-protection to all
functions that declare a character array of eight bytes or more in
length on their stack.
This option can be tuned with the --param=ssp-buffer-size=N option.

Change-Id: I11ad9568187d58de1b962b8ae04edd1dc8578fb0
Signed-off-by: Louis Mayencourt <louis.mayencourt@arm.com>
This commit is contained in:
Louis Mayencourt 2019-03-26 16:59:26 +00:00
parent c3e4e0888d
commit fd7b287cbe
2 changed files with 19 additions and 12 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

12
docs/user-guide.rst
View File

@ -460,12 +460,12 @@ Common build options
architecture is AArch32. architecture is AArch32.
- ``ENABLE_STACK_PROTECTOR``: String option to enable the stack protection - ``ENABLE_STACK_PROTECTOR``: String option to enable the stack protection
checks in GCC. Allowed values are "all", "strong" and "0" (default). checks in GCC. Allowed values are "all", "strong", "default" and "none". The
"strong" is the recommended stack protection level if this feature is default value is set to "none". "strong" is the recommended stack protection
desired. 0 disables the stack protection. For all values other than 0, the level if this feature is desired. "none" disables the stack protection. For
``plat_get_stack_protector_canary()`` platform hook needs to be implemented. all values other than "none", the ``plat_get_stack_protector_canary()``
The value is passed as the last component of the option platform hook needs to be implemented. The value is passed as the last
``-fstack-protector-$ENABLE_STACK_PROTECTOR``. component of the option ``-fstack-protector-$ENABLE_STACK_PROTECTOR``.
- ``ERROR_DEPRECATED``: This option decides whether to treat the usage of - ``ERROR_DEPRECATED``: This option decides whether to treat the usage of
deprecated platform APIs, helper functions or drivers within Trusted deprecated platform APIs, helper functions or drivers within Trusted

19
lib/stack_protector/stack_protector.mk
View File

@ -1,5 +1,5 @@
# #
# Copyright (c) 2017, ARM Limited and Contributors. All rights reserved. # Copyright (c) 2017-2019, ARM Limited and Contributors. All rights reserved.
# #
# SPDX-License-Identifier: BSD-3-Clause # SPDX-License-Identifier: BSD-3-Clause
# #
@ -7,13 +7,20 @@
# Boolean macro to be used in C code # Boolean macro to be used in C code
STACK_PROTECTOR_ENABLED := 0 STACK_PROTECTOR_ENABLED := 0
ifneq (${ENABLE_STACK_PROTECTOR},0) ifeq (${ENABLE_STACK_PROTECTOR},0)
STACK_PROTECTOR_ENABLED := 1 ENABLE_STACK_PROTECTOR := none
BL_COMMON_SOURCES += lib/stack_protector/stack_protector.c \ endif
ifneq (${ENABLE_STACK_PROTECTOR},none)
STACK_PROTECTOR_ENABLED := 1
BL_COMMON_SOURCES += lib/stack_protector/stack_protector.c \
lib/stack_protector/${ARCH}/asm_stack_protector.S lib/stack_protector/${ARCH}/asm_stack_protector.S
TF_CFLAGS += -fstack-protector-${ENABLE_STACK_PROTECTOR} ifeq (${ENABLE_STACK_PROTECTOR},default)
TF_CFLAGS += -fstack-protector
else
TF_CFLAGS += -fstack-protector-${ENABLE_STACK_PROTECTOR}
endif
endif endif
$(eval $(call add_define,STACK_PROTECTOR_ENABLED)) $(eval $(call add_define,STACK_PROTECTOR_ENABLED))