From: Paul Eggleton <bluelightning@bluelightning.org>
To: yocto@lists.yoctoproject.org
Cc: Paul Eggleton <bluelightning@bluelightning.org>
Subject: Re: [yocto] Additional hardening options
Date: Thu, 27 Jan 2022 10:16:54 +1300
Message-ID: <8885103.CDJkKcVGEf@linc>
In-Reply-To: <16CDAE6528BAE915.24088@lists.yoctoproject.org>

On Wednesday, 26 January 2022 14:39:39 NZDT Paul Eggleton wrote:
> Hi folks
> 
> I've been looking into a couple of compiler flags for hardening that I think
> we might want to consider enabling by default in security-flags.inc:
> 
> 
> 1) -fstack-clash-protection
> 
> This option was introduced to gcc 8.x and provides protection against the
> stack clash vulnerability:
> 
> https://securingsoftware.blogspot.com/2017/12/stack-clash-vulnerability.html
> 
> It has been enabled in some Linux distributions already (e.g. Ubuntu,
> Fedora).

Another quirk of this - with dunfell, the buildepoxy SDK test fails on Ubuntu 
18.04 with -fstack-clash-protection because the version of meson in dunfell 
uses the same LDFLAGS value for both host and target, and host gcc doesn't 
support that option. Not sure what to do other than just filtering out the 
option from LDFLAGS in the test.

Cheers
Paul
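
The filtering idea from the message above, as an added example that is not part of the original mail or of the OpenEmbedded/Yocto code: instead of hard-coding the one flag, it probes the host compiler and drops only the flags it rejects. The function names `cc_accepts_flag` and `filter_flags` are hypothetical, and it assumes a gcc-style driver that exits non-zero on an unrecognized option.

```shell
#!/bin/sh
# Added example (hypothetical helper names): keep only the flags that the
# given compiler driver accepts, so a flag list written for the target
# toolchain can be reused for a host build with an older gcc.

# cc_accepts_flag CC FLAG
# Returns 0 if CC compiles a trivial program with FLAG on the command line.
# Assumption: CC behaves like gcc and fails on unrecognized options.
cc_accepts_flag() {
    printf 'int main(void){return 0;}\n' |
        "$1" "$2" -x c -c -o /dev/null - >/dev/null 2>&1
}

# filter_flags CC FLAG...
# Prints the accepted flags on one line, in their original order.
# Every dropped flag is reported on stderr so that losing a hardening
# option is visible in the build log rather than silent.
filter_flags() {
    cc=$1
    shift
    kept=
    for flag in "$@"; do
        if cc_accepts_flag "$cc" "$flag"; then
            kept="${kept:+$kept }$flag"
        else
            echo "note: $cc rejects $flag, dropping it" >&2
        fi
    done
    printf '%s\n' "$kept"
}

# Typical use for the host side of a build (word splitting is intended):
#   HOST_LDFLAGS=$(filter_flags gcc $LDFLAGS)
```

Apply this only to the flags handed to the host compiler; the target LDFLAGS should keep `-fstack-clash-protection` unchanged.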
