Message ID | 1537219312-59962-1-git-send-email-matthew.weber@rockwellcollins.com |
---|---|
From | Matt Weber <matthew.weber@rockwellcollins.com> |
To | buildroot@buildroot.org |
Cc | Jan Kundrát <jan.kundrat@cesnet.cz> |
Date | Mon, 17 Sep 2018 16:21:48 -0500 |
Subject | [Buildroot] [PATCH v7 0/4] Hardening Wrapper Updates and Test |
Series | Hardening Wrapper Updates and Test |
This series looks to update the implementation and migration of hardening
related options to the compiler wrapper. The series also provides runtime
testing for RELRO/SSP/FORTIFY.

Overall test of features
-------------------------------------
support/testing/run-tests -k -o ~/runtime_test_tmp -d ~/dl_tmp \
    tests.core.test_hardening.TestFortifyConserv \
    tests.core.test_hardening.TestFortifyNone \
    tests.core.test_hardening.TestRelro \
    tests.core.test_hardening.TestRelroPartial \
    tests.core.test_hardening.TestSspNone \
    tests.core.test_hardening.TestSspStrong

Changes
--------------------------------------------------
v6 -> v7
 - Fixed a last minute endif rebase bug in the v6 series

v5 -> v6
 - Moved all RELRO/PIE handling to GCC frontend wrapper.
 - Updated PIE disable conditions and added comments
 - Updated comments in code and on patches to make design choices clear

v4 -> v5
 - RELRO patch updated to handle link time -r represented also as -wl,r

v3 -> v4
 - RELRO/PIE patch updated to solely use the wrapper. I didn't understand
   how the specfiles were used and thought I needed to do something
   similar during the use of LD. That is not the case. GCC compile
   wrapper has been updated to handle CC and LD options required for
   this feature. Testing with verification using the checksec tool
   confirms the intended behavior is close to identical between the
   specfile approach and wrapper. Wrapper actually is just slightly
   better since the specfile relied on FLAGS being correctly used.

v2 -> v3
 - Realized the complexity of having a link wrapper application vs using
   a combo of link specfile and GCC wrapper. This patchset presents that
   hybrid approach and has updated comments on the patches implementing
   this concept to support the discussion.
 - Added additional detail to descriptions and test cases to this cover
   letter

v1 -> v2
 - There were issues when I started regression testing where packages
   were providing multiple pie/pic/shared args on a single call of
   gcc/ld.

Signed-off-by: Matt Weber <matthew.weber@rockwellcollins.com>
CC: Jan Kundrát <jan.kundrat@cesnet.cz>
CC: Stefan Sørensen <stefan.sorensen@spectralink.com>

Matt Weber (4):
  toolchain/toolchain-wrapper: add BR2_RELRO_
  toolchain/toolchain-wrapper: add BR2_SSP_* support
  BR2_FORTIFY*: toolchain wrapper limitation note
  support/testing/tests/core: SSP & hardening flags

 .gitlab-ci.yml                               |   6 ++
 package/Makefile.in                          |  28 +++----
 support/testing/tests/core/test_hardening.py | 110 +++++++++++++++++++++++++++
 toolchain/toolchain-wrapper.c                |  91 +++++++++++++++++++++-
 toolchain/toolchain-wrapper.mk               |  14 ++++
 5 files changed, 228 insertions(+), 21 deletions(-)
 create mode 100644 support/testing/tests/core/test_hardening.py