[OpenWrt-Devel] [PATCH 1/6] buildsystem: Make PIE ASLR option tristate

Rosen Penev rosenp at gmail.com
Sun Oct 27 15:05:24 EDT 2019 

On Sun, Oct 27, 2019 at 10:46 AM Hauke Mehrtens <hauke at hauke-m.de> wrote:
>
> This tristate choose allows to select to build only some applications
> with PIE enabled. On MIPS binaries are getting about 30% bigger when PIE
> is activated for the, which is a huge increase.
Some of the size increase can be mitigated with extra compile-time options:

TARGET_CFLAGS += -ffunction-sections -fdata-sections -flto
TARGET_LDFLAGS += -Wl,--gc-sections,--as-needed

LTO sometimes causes problems but the others should be safe.

PKG_ASLR_PIE applies $(FPIC) to both C and LDFLAGS. I've noticed that
applying it only to the former increases the size but not as much as
with both. No idea why.
>
> Network exposed applications like dnsmasq should then be build with PIE
> enabled, but some applications which are normally not parsing data from
> the network do not have it activated. The regular option should give a
> good trade off between extra flash and RAM memory usage and security.
>
> This changes the default from building no applications with PIE to build
> some specifically marked applications with PIE enabled. This option is
> only activated for targets with bigger flash and RAM to not consume
> extra memory on the very small targets. On SDK builds the Regular option
> should always be selected, because some tiny targets share the
> applications with big targets and only the images for the tiny targets
> should contain the none PIE applications, but the images for the normal
> targets should use PIE. The shared packages should always use PIE when
> it should be normally activated.
>
> Signed-off-by: Hauke Mehrtens <hauke at hauke-m.de>
> ---
>
> I hope this !SDK option works. I haven't fully tested this.
> I want to make sure this is activated on the targets which are not
> small, but not activate it in the tiny images. For extra installed
> packages it should be activated.
>
>
>  config/Config-build.in | 22 ++++++++++++++++++----
>  include/hardening.mk   |  9 ++++++++-
>  2 files changed, 26 insertions(+), 5 deletions(-)
>
> diff --git a/config/Config-build.in b/config/Config-build.in
> index 872e5c12ab..aa05e34f56 100644
> --- a/config/Config-build.in
> +++ b/config/Config-build.in
> @@ -212,11 +212,10 @@ menu "Global build settings"
>                   this per package by adding PKG_CHECK_FORMAT_SECURITY:=0 in the package
>                   Makefile.
>
> -       config PKG_ASLR_PIE
> -               bool
> +       choice
>                 prompt "User space ASLR PIE compilation"
> -               select BUSYBOX_DEFAULT_PIE
> -               default n
> +               default PKG_ASLR_PIE_NONE if ((SMALL_FLASH || LOW_MEMORY_FOOTPRINT) && !SDK)
> +               default PKG_ASLR_PIE_REGULAR
>                 help
>                   Add -fPIC to CFLAGS and -specs=hardened-build-ld to LDFLAGS.
>                   This enables package build as Position Independent Executables (PIE)
> @@ -227,6 +226,21 @@ menu "Global build settings"
>                   to predict when an attacker is attempting a memory-corruption exploit.
>                   You can disable this per package by adding PKG_ASLR_PIE:=0 in the package
>                   Makefile.
> +                 Be ware that ASLR increases the binary size.
> +               config PKG_ASLR_PIE_NONE
> +                       bool "None"
> +                       help
> +                         PIE is deactivated for all applications
> +               config PKG_ASLR_PIE_REGULAR
> +                       bool "Regular"
> +                       help
> +                         PIE is activated for some binaries, mostly network exposed applications
> +               config PKG_ASLR_PIE_ALL
> +                       bool "All"
> +                       select BUSYBOX_DEFAULT_PIE
> +                       help
> +                         PIE is activated for all applications
> +       endchoice
>
>         choice
>                 prompt "User space Stack-Smashing Protection"
> diff --git a/include/hardening.mk b/include/hardening.mk
> index 60f39428e8..4e49e6b1b9 100644
> --- a/include/hardening.mk
> +++ b/include/hardening.mk
> @@ -7,6 +7,7 @@
>
>  PKG_CHECK_FORMAT_SECURITY ?= 1
>  PKG_ASLR_PIE ?= 1
> +PKG_ASLR_PIE_REGULAR ?= 0
>  PKG_SSP ?= 1
>  PKG_FORTIFY_SOURCE ?= 1
>  PKG_RELRO ?= 1
> @@ -16,12 +17,18 @@ ifdef CONFIG_PKG_CHECK_FORMAT_SECURITY
>      TARGET_CFLAGS += -Wformat -Werror=format-security
>    endif
>  endif
> -ifdef CONFIG_PKG_ASLR_PIE
> +ifdef CONFIG_PKG_ASLR_PIE_ALL
>    ifeq ($(strip $(PKG_ASLR_PIE)),1)
>      TARGET_CFLAGS += $(FPIC)
>      TARGET_LDFLAGS += $(FPIC) -specs=$(INCLUDE_DIR)/hardened-ld-pie.specs
>    endif
>  endif
> +ifdef CONFIG_PKG_ASLR_PIE_REGULAR
> +  ifeq ($(strip $(PKG_ASLR_PIE_REGULAR)),1)
> +    TARGET_CFLAGS += $(FPIC)
> +    TARGET_LDFLAGS += $(FPIC) -specs=$(INCLUDE_DIR)/hardened-ld-pie.specs
> +  endif
> +endif
>  ifdef CONFIG_PKG_CC_STACKPROTECTOR_REGULAR
>    ifeq ($(strip $(PKG_SSP)),1)
>      TARGET_CFLAGS += -fstack-protector
> --
> 2.20.1
>
>
> _______________________________________________
> openwrt-devel mailing list
> openwrt-devel at lists.openwrt.org
> https://lists.openwrt.org/mailman/listinfo/openwrt-devel

_______________________________________________
openwrt-devel mailing list
openwrt-devel at lists.openwrt.org
https://lists.openwrt.org/mailman/listinfo/openwrt-devel

More information about the openwrt-devel mailing list