Diffstat (limited to 'Mk/Features')
-rw-r--r-- | Mk/Features/bind_now.mk | 5 | ||||
-rw-r--r-- | Mk/Features/fortify.mk | 18 | ||||
-rw-r--r-- | Mk/Features/pie.mk | 9 | ||||
-rw-r--r-- | Mk/Features/relro.mk | 5 | ||||
-rw-r--r-- | Mk/Features/ssp.mk | 8 | ||||
-rw-r--r-- | Mk/Features/stack_autoinit.mk | 23 | ||||
-rw-r--r-- | Mk/Features/zeroregs.mk | 28 |
7 files changed, 96 insertions, 0 deletions
diff --git a/Mk/Features/bind_now.mk b/Mk/Features/bind_now.mk
index 99361c487265..5f4b6abf3718 100644
--- a/Mk/Features/bind_now.mk
+++ b/Mk/Features/bind_now.mk
@@ -1,4 +1,9 @@
 # BIND_NOW Support
+#
+# When generating an executable or shared library, mark it to tell the dynamic
+# linker to resolve all symbols when the program is started, or when the shared
+# library is loaded by dlopen, instead of deferring function call resolution to
+# the point when the function is first called.
 
 .if !defined(_BIND_NOW_MK_INCLUDED)
 _BIND_NOW_MK_INCLUDED= yes
diff --git a/Mk/Features/fortify.mk b/Mk/Features/fortify.mk
new file mode 100644
index 000000000000..2e43ca98242f
--- /dev/null
+++ b/Mk/Features/fortify.mk
@@ -0,0 +1,18 @@
+# This enables mitigations of common memory safety issues, such as buffer
+# overflows, by adding checks to functions like memcpy, strcpy, sprintf,
+# and others when the compiler can determine the size of the destination
+# buffer at compile time.
+#
+# Depends opon the FORTIFY_SOURCE implementation in the basesystem.
+
+.if !defined(_FORTIFY_MK_INCLUDED)
+_FORTIFY_MK_INCLUDED= yes
+FORTIFY_Include_MAINTAINER= netchild@FreeBSD.org
+
+. if !defined(FORTIFY_UNSAFE)
+FORTIFY_SOURCE?=2
+FORTIFY_CFLAGS?= -D_FORTIFY_SOURCE=${FORTIFY_SOURCE}
+CFLAGS+= ${FORTIFY_CFLAGS}
+CXXFLAGS+= ${FORTIFY_CFLAGS}
+. endif
+.endif
diff --git a/Mk/Features/pie.mk b/Mk/Features/pie.mk
index 06174b403c31..7ecefa9eb611 100644
--- a/Mk/Features/pie.mk
+++ b/Mk/Features/pie.mk
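Review bot: The header comment of the new fortify.mk does not list the variables the file reads, although stack_autoinit.mk and zeroregs.mk in the same commit each carry a "Variables that can be used" block. I would add `# FORTIFY_SOURCE Level passed as -D_FORTIFY_SOURCE (default: 2)` and `# FORTIFY_UNSAFE When defined, the fortify flags are not added`, and correct "opon" to "upon". Separately, `-D_FORTIFY_SOURCE=${FORTIFY_SOURCE}` is appended without first undefining the macro, so a port whose own build already sets it will probably get a macro-redefinition warning, which fails under -Werror; `FORTIFY_CFLAGS?= -U_FORTIFY_SOURCE -D_FORTIFY_SOURCE=${FORTIFY_SOURCE}` would avoid that.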
@@ -1,4 +1,13 @@
 # PIE Support
+#
+# Produce a Position-Independent Executable (PIE) instead of a “normal”
+# fixed‐address ELF.
+# A PIE is an executable whose code sections are compiled and linked so that,
+# at runtime, they can be loaded at any base address in memory.
+#
+# Because it can be loaded at unpredictable addresses, PIE enables full Address
+# Space Layout Randomization (ASLR) for your main executable—making certain
+# classes of memory‐corruption exploits much harder.
 
 .if !defined(_PIE_MK_INCLUDED)
 _PIE_MK_INCLUDED= yes
diff --git a/Mk/Features/relro.mk b/Mk/Features/relro.mk
index 6ceb68d5d668..8074ce09edd7 100644
--- a/Mk/Features/relro.mk
+++ b/Mk/Features/relro.mk
@@ -1,4 +1,9 @@
 # RELRO Support
+#
+# Tells the linker to emit RELocation Read-Only (RELRO) protection for certain
+# sections of your ELF file. In short, it makes parts of the binary read-only
+# after relocations have been applied at program startup, helping to prevent
+# GOT- and PLT-based overwrite attacks.
 
 .if !defined(_RELRO_MK_INCLUDED)
 _RELRO_MK_INCLUDED= yes
diff --git a/Mk/Features/ssp.mk b/Mk/Features/ssp.mk
index 4213e6d668a6..631104da9f6c 100644
--- a/Mk/Features/ssp.mk
+++ b/Mk/Features/ssp.mk
@@ -1,4 +1,12 @@
 # SSP Support
+#
+# The -fstack-protector-strong flag enables “stack smashing” protection on a
+# wider set of functions than the default -fstack-protector, but without the
+# full performance cost of -fstack-protector-all. Under the hood it inserts a
+# small “canary” value on the stack just before the saved return address; at
+# function exit it checks that the canary hasn’t been overwritten by a buffer
+# overflow. If it has been clobbered, the runtime aborts the program rather
+# than returning into corrupted code.
 
 .if !defined(_SSP_MK_INCLUDED)
 _SSP_MK_INCLUDED= yes
diff --git a/Mk/Features/stack_autoinit.mk b/Mk/Features/stack_autoinit.mk
new file mode 100644
index 000000000000..4d79416dbcce
--- /dev/null
+++ b/Mk/Features/stack_autoinit.mk
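Review bot: The new comment in relro.mk credits RELRO with preventing GOT- and PLT-based overwrites without noting that this holds fully only when combined with immediate binding. With lazy binding the linker normally leaves the PLT's GOT slots (.got.plt) writable, so RELRO on its own is partial; the linker flags are outside this hunk, so which form this file emits cannot be confirmed here. I would add a line such as `# Protecting the PLT's GOT entries as well requires BIND_NOW (see bind_now.mk).` so that readers enable both features together.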
@@ -0,0 +1,23 @@
+# The STACK_AUTOINIT feature mimics the corresponding FreeBSD basesystem feature.
+#
+# This enables a compiler specific option to automatically initialize
+# local (automatic) variables to prevent the use of uninitialized memory.
+#
+# Variables that can be used:
+#
+# WITH_STACK_AUTOINIT Enable for all ports.
+# WITH_STACK_AUTOINIT_PORTS Enable for specified category/port-name
+# STACK_AUTOINIT_TYPE Valid options: zero (default), pattern, unitialized
+#
+
+.if !defined(_STACK_AUTOINIT_MK_INCLUDED)
+_STACK_AUTOINIT_MK_INCLUDED= yes
+STACK_AUTOINIT_Include_MAINTAINER= netchild@FreeBSD.org
+
+STACK_AUTOINIT_TYPE?= zero
+
+. if !defined(STATIC_AUTOINIT_UNSAFE)
+CFLAGS+= -ftrivial-auto-var-init=${STACK_AUTOINIT_TYPE}
+CXXFLAGS+= -ftrivial-auto-var-init=${STACK_AUTOINIT_TYPE}
+. endif
+.endif
diff --git a/Mk/Features/zeroregs.mk b/Mk/Features/zeroregs.mk
new file mode 100644
index 000000000000..2e21b16c5c66
--- /dev/null
+++ b/Mk/Features/zeroregs.mk
@@ -0,0 +1,28 @@
+# Zero call-used registers at function return to increase program
+# security by either mitigating Return-Oriented Programming (ROP)
+# attacks or preventing information leakage through registers.
+# This depends upon support from the compiler for a given architecture.
+#
+# Variables that can be used:
+#
+# WITH_ZEROREGS Enable for all ports.
+# WITH_ZEROREGS_PORTS Enable for specified category/port-name
+# ZEROREGS_TYPE See
+# https://gcc.gnu.org/onlinedocs/gcc/Common-Function-Attributes.html#index-zero_005fcall_005fused_005fregs-function-attribute
+# for options
+# Default: used
+#
+
+.if !defined(_ZEROREGS_MK_INCLUDED)
+_ZEROREGS_MK_INCLUDED= yes
+ZEROREGS_Include_MAINTAINER= netchild@FreeBSD.org
+
+ZEROREGS_TYPE?= used
+
+#. if !defined(ZEROREGS_UNSAFE) && !empty(${ARCH:Mriscv*}) && \
+# !empty(${ARCH:Mpower*}) && !empty(${ARCH:Marmv7*})
+CFLAGS+= -fzero-call-used-regs=${ZEROREGS_TYPE}
+CXXFLAGS+= -fzero-call-used-regs=${ZEROREGS_TYPE}
+#. endif
+.endif
+
|
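Review bot: The opt-out guard in stack_autoinit.mk tests `STATIC_AUTOINIT_UNSAFE`, which does not match the `STACK_AUTOINIT_` prefix used everywhere else in the file, so a port that defines STACK_AUTOINIT_UNSAFE would still receive the flag. This looks like a typo, and the line should read `. if !defined(STACK_AUTOINIT_UNSAFE)`. The header also documents the third value as "unitialized", whereas the compiler option spells it `uninitialized`, so copying the documented value would produce a flag the compiler rejects. The _UNSAFE knob is not listed under "Variables that can be used" and should be added there.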
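Review bot: In zeroregs.mk the `. if` / `. endif` pair around the two flag lines is commented out, so `-fzero-call-used-regs=${ZEROREGS_TYPE}` is appended on every architecture and ZEROREGS_UNSAFE is never consulted, even though the header says the feature depends on per-architecture compiler support. The commented condition would also not work if simply uncommented: `empty()` takes the variable name and modifier without `${}`, and `!empty(...)` for three different ARCH patterns joined by `&&` can never all be true. Assuming the intent is to skip riscv, powerpc and armv7, the guard would be `. if !defined(ZEROREGS_UNSAFE) && empty(ARCH:Mriscv*) && empty(ARCH:Mpower*) && empty(ARCH:Marmv7*)`. ZEROREGS_UNSAFE should then be listed in the header's variable block.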