From fd7b287cbe9147ca9e07dd9f30c49c58bbdd92a8 Mon Sep 17 00:00:00 2001
From: Louis Mayencourt
Date: Tue, 26 Mar 2019 16:59:26 +0000
Subject: Add support for default stack-protector flag

The current stack-protector support is for none, "strong" or "all". The default use of the flag enables the stack-protection to all functions that declare a character array of eight bytes or more in length on their stack. This option can be tuned with the --param=ssp-buffer-size=N option.

Change-Id: I11ad9568187d58de1b962b8ae04edd1dc8578fb0
Signed-off-by: Louis Mayencourt
---
 docs/user-guide.rst                    | 12 ++++++------
 lib/stack_protector/stack_protector.mk | 19 +++++++++++++------
 2 files changed, 19 insertions(+), 12 deletions(-)

diff --git a/docs/user-guide.rst b/docs/user-guide.rst
index b9f08716a..01cf17a23 100644
--- a/docs/user-guide.rst
+++ b/docs/user-guide.rst
@@ -460,12 +460,12 @@ Common build options
    architecture is AArch32.
 
 -  ``ENABLE_STACK_PROTECTOR``: String option to enable the stack protection
-   checks in GCC. Allowed values are "all", "strong" and "0" (default).
-   "strong" is the recommended stack protection level if this feature is
-   desired. 0 disables the stack protection. For all values other than 0, the
-   ``plat_get_stack_protector_canary()`` platform hook needs to be implemented.
-   The value is passed as the last component of the option
-   ``-fstack-protector-$ENABLE_STACK_PROTECTOR``.
+   checks in GCC. Allowed values are "all", "strong", "default" and "none". The
+   default value is set to "none". "strong" is the recommended stack protection
+   level if this feature is desired. "none" disables the stack protection. For
+   all values other than "none", the ``plat_get_stack_protector_canary()``
+   platform hook needs to be implemented. The value is passed as the last
+   component of the option ``-fstack-protector-$ENABLE_STACK_PROTECTOR``.
 
 -  ``ERROR_DEPRECATED``: This option decides whether to treat the usage of
    deprecated platform APIs, helper functions or drivers within Trusted
diff --git a/lib/stack_protector/stack_protector.mk b/lib/stack_protector/stack_protector.mk
index 0f0d90fb8..94e804be9 100644
--- a/lib/stack_protector/stack_protector.mk
+++ b/lib/stack_protector/stack_protector.mk
@@ -1,5 +1,5 @@
 #
-# Copyright (c) 2017, ARM Limited and Contributors. All rights reserved.
+# Copyright (c) 2017-2019, ARM Limited and Contributors. All rights reserved.
 #
 # SPDX-License-Identifier: BSD-3-Clause
 #
@@ -7,13 +7,20 @@
 # Boolean macro to be used in C code
 STACK_PROTECTOR_ENABLED := 0
 
-ifneq (${ENABLE_STACK_PROTECTOR},0)
-STACK_PROTECTOR_ENABLED := 1
-BL_COMMON_SOURCES += lib/stack_protector/stack_protector.c \
+ifeq (${ENABLE_STACK_PROTECTOR},0)
+	ENABLE_STACK_PROTECTOR := none
+endif
+
+ifneq (${ENABLE_STACK_PROTECTOR},none)
+	STACK_PROTECTOR_ENABLED := 1
+	BL_COMMON_SOURCES += lib/stack_protector/stack_protector.c \
                      lib/stack_protector/${ARCH}/asm_stack_protector.S
-TF_CFLAGS += -fstack-protector-${ENABLE_STACK_PROTECTOR}
+	ifeq (${ENABLE_STACK_PROTECTOR},default)
+		TF_CFLAGS += -fstack-protector
+	else
+		TF_CFLAGS += -fstack-protector-${ENABLE_STACK_PROTECTOR}
+	endif
 endif
 
 $(eval $(call add_define,STACK_PROTECTOR_ENABLED))
 
-
-- 
cgit v1.2.3

From 2a3c645b40ebb5149f6e043babccd95469867030 Mon Sep 17 00:00:00 2001
From: Louis Mayencourt
Date: Wed, 17 Apr 2019 16:35:24 +0100
Subject: juno: Add security sources for tsp-juno

Security sources are required if stack-protector is enabled.

Change-Id: Ia0071f60cf03d48b200fd1facbe50bd9e2f8f282
Signed-off-by: Louis Mayencourt
---
 plat/arm/board/juno/tsp/tsp-juno.mk | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/plat/arm/board/juno/tsp/tsp-juno.mk b/plat/arm/board/juno/tsp/tsp-juno.mk
index 52461cf8b..be75c4d76 100644
--- a/plat/arm/board/juno/tsp/tsp-juno.mk
+++ b/plat/arm/board/juno/tsp/tsp-juno.mk
@@ -1,11 +1,12 @@
 #
-# Copyright (c) 2014-2016, ARM Limited and Contributors. All rights reserved.
+# Copyright (c) 2014-2019, ARM Limited and Contributors. All rights reserved.
 #
 # SPDX-License-Identifier: BSD-3-Clause
 #
 
 BL32_SOURCES	+=	plat/arm/board/juno/juno_topology.c	\
 			plat/arm/css/common/css_topology.c	\
-			${JUNO_GIC_SOURCES}
+			${JUNO_GIC_SOURCES}			\
+			${JUNO_SECURITY_SOURCES}
 
 include plat/arm/common/tsp/arm_tsp.mk
-- 
cgit v1.2.3
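Review bot: The remapping `ENABLE_STACK_PROTECTOR := none` in the new `ifeq (${ENABLE_STACK_PROTECTOR},0)` branch is silently ignored when the value comes from the command line (`make ENABLE_STACK_PROTECTOR=0`), because a command-line assignment overrides a makefile assignment unless it is marked `override`. In that case the following `ifneq (${ENABLE_STACK_PROTECTOR},none)` is true, `STACK_PROTECTOR_ENABLED` becomes 1 and the `else` branch appends `-fstack-protector-0`, which the compiler rejects as an unknown option, so the previously documented "0" spelling now breaks the build instead of disabling the feature. Any other typo ("srtong") is likewise passed through verbatim to `-fstack-protector-…` and only fails at compile time; validating the value against the four documented spellings at parse time gives a clear error instead. Whether the build system still defaults the option to "0" elsewhere cannot be seen from this hunk, but the legacy-compat branch suggests it might.
```make
# … unchanged: STACK_PROTECTOR_ENABLED := 0 …
# "0" is the legacy spelling of "none". 'override' is required so that a
# command-line ENABLE_STACK_PROTECTOR=0 is remapped too, not just a file value.
ifeq (${ENABLE_STACK_PROTECTOR},0)
  override ENABLE_STACK_PROTECTOR := none
endif

# Fail early on an unknown level rather than emitting an invalid -fstack-protector-<x>.
ifeq ($(filter all strong default none,${ENABLE_STACK_PROTECTOR}),)
  $(error ENABLE_STACK_PROTECTOR must be one of: all, strong, default, none)
endif
# … unchanged: ifneq (${ENABLE_STACK_PROTECTOR},none) block …
```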
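Review bot: The reason for adding `${JUNO_SECURITY_SOURCES}` to `BL32_SOURCES` lives only in the commit message; the makefile gives no hint that these sources exist for the stack-protector case, and they are pulled in unconditionally rather than only when the protector is enabled. A one-line comment above the list, `# JUNO_SECURITY_SOURCES is required when the stack protector is enabled`, keeps that intent next to the code. Whether the unconditional inclusion is deliberate (the sources may be needed for other reasons) cannot be told from this hunk.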