From 638ee431907af6e9f4916e95a4f367e14499e819 Mon Sep 17 00:00:00 2001
From: Qi Tao <taoqi10@huawei.com>
Date: Thu, 18 Jan 2024 21:12:11 +0800
Subject: [PATCH 3/3] uadk_engine: add secure compilation option
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Add PIE, PIC, BIND_NOW, SP, NO Rpath/RunPath, FS,
Ftrapv and Strip compilation options.

PIC(-fPIC):
Generate position-independent code and randomly load
dynamic libraries.
PIE(-fPIE -pie):
Generate position-independent executables, which
reduces the probability of fixed address attacks
and buffer overflow attacks.
BIND_NOW(-Wl,-z,relro,-z,now):
The whole GOT is made read-only, which defends
against ret2plt attacks.
SP(-fstack-protector-strong/all):
Determines whether an overflow attack occurs.
Strip(-Wl,-s):
Deleting symbol tables defends against hacker
attacks and reduces the file size.
FS(-D_FORTIFY_SOURCE=2 -O2):
Provides access checks for fixed-size buffers
at compile time and at run time.
Ftrapv(-ftrapv):
Detects integer overflow.
NO Rpath/RunPath(hardcode_into_libs=no):
Eliminates dynamic library search paths,
which defends against attacks that replace
dynamic libraries with ones of the same name.
Signed-off-by: Qi Tao <taoqi10@huawei.com>
---
configure.ac | 1 +
src/Makefile.am | 2 ++
2 files changed, 3 insertions(+)
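diff --git a/configure.ac b/configure.ac
index 6c5369e..99b85e9 100644
--- a/configure.ac
+++ b/configure.ac
@@ -7,6 +7,7 @@ AC_CONFIG_HEADERS([config.h])
 
 AC_PROG_CC
 LT_INIT
+AC_SUBST([hardcode_into_libs], [no])
 
 AC_ARG_ENABLE(kae,
 AS_HELP_STRING([--enable-kae],[Enable kae support]))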
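Review bot: The added `AC_SUBST([hardcode_into_libs], [no])` overrides a libtool-internal variable with no comment explaining why, and it uses AC_SUBST only for its side effect of assigning the shell variable after `LT_INIT`. Because this is not a documented libtool interface, whether it keeps RPATH/RUNPATH out of the output presumably depends on the libtool version in use. I would write it as a plain `hardcode_into_libs=no` preceded by `# Override libtool's default so no RPATH/RUNPATH is recorded in the engine library`. The build should also confirm the result, for example by checking that `readelf -d` on the installed library lists no RPATH or RUNPATH entry.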
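diff --git a/src/Makefile.am b/src/Makefile.am
index c4b8aa9..e014052 100644
--- a/src/Makefile.am
+++ b/src/Makefile.am
@@ -18,6 +18,8 @@ uadk_engine_la_LIBADD=-ldl $(WD_LIBS) -lpthread
 uadk_engine_la_LDFLAGS=-module -version-number $(VERSION)
 uadk_engine_la_CFLAGS=$(WD_CFLAGS) $(libcrypto_CFLAGS)
 uadk_engine_la_CFLAGS+=-DCRYPTO
+uadk_engine_la_CFLAGS+=-fPIC -fPIE -pie -fstack-protector-strong -D_FORTIFY_SOURCE=2 \
+ -O2 -ftrapv -Wl,-z,relro,-z,now -Wl,-s
 
 AUTOMAKE_OPTIONS = subdir-objects
 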
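Review bot: `-fPIE -pie` on the added `uadk_engine_la_CFLAGS+=` line are options for executables, but this target is a libtool `-module` shared object. As far as I know GCC honours whichever of `-fPIC`/`-fPIE` comes last, so the objects would be built as PIE code, which can fail to link into a shared library or weaken symbol interposition. The linker options `-Wl,-z,relro,-z,now` and `-Wl,-s` also sit in CFLAGS, so the hardening only takes effect if automake and libtool happen to forward them to the link step. I would split this into `uadk_engine_la_CFLAGS+=-fPIC -fstack-protector-strong -D_FORTIFY_SOURCE=2 -O2 -ftrapv` and `uadk_engine_la_LDFLAGS+=-Wl,-z,relro,-z,now`, leaving stripping to the install or packaging step so that debug symbols can still be produced. Two smaller things to confirm: a user-supplied `CFLAGS` with `-O0` would silently disable `_FORTIFY_SOURCE`, and `-ftrapv` aborts the host process on signed overflow inside the engine.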
--
2.25.1