From patchwork Tue Aug 1 03:49:14 2017
X-Patchwork-Submitter: Matt Weber
X-Patchwork-Id: 796080
From: Matt Weber
To: buildroot@buildroot.org
Date: Mon, 31 Jul 2017 22:49:14 -0500
Message-Id: <1501559354-56821-1-git-send-email-matthew.weber@rockwellcollins.com>
X-Mailer: git-send-email 1.9.1
Subject: [Buildroot] [PATCH] RFC: security hardening [RELO & FORTIFY]

An adaptation of the OpenWRT Hardening options for RELO and Fortify
(https://patchwork.ozlabs.org/patch/427454/)

The enabling of these options can be verified by a post build analysis of the
elf file output using a tool like checksec.sh
(https://github.com/slimm609/checksec.sh).

Initial testing of these options was performed using a build of the
qemu_aarch64_virt_defconfig target.
Signed-off-by: Matthew Weber
---
While testing this patch, I've noticed there are some hardening items which
could be improved in the Buildroot toolchain build of (at least through my
testing) the glibc variant. I've started looking at enabling libssp and
working the dependency/overlap between the standard library and GCC's
approach. The end goal I'm aiming for is a comparable toolchain to linaro
when it comes to default hardening configuration.
---
 Config.in           | 57 +++++++++++++++++++++++++++++++++++++++++++++++++++++
 package/Makefile.in | 20 +++++++++++++++++++
 2 files changed, 77 insertions(+)

diff --git a/Config.in b/Config.in
index e395995..323220c 100644
--- a/Config.in
+++ b/Config.in
@@ -726,6 +726,63 @@ config BR2_REPRODUCIBLE This is labeled as an experimental feature, as not all packages behave properly to ensure reproducibility. +comment "Security Hardening Options" + +choice + bool "RELRO protection" + help + Enable a link-time protection know as RELRO (Relocation Read Only) + which helps to protect from certain type of exploitation techniques + altering the content of some ELF sections. + +config BR2_RELRO_NONE + bool "None" + help + Disables Relocation link-time protections. + +config BR2_RELRO_PARTIAL + bool "Partial" + help + This option makes the dynamic section not writeable after + initialization (with almost no performance penalty). + +config BR2_RELRO_FULL + bool "Full" + help + This option includes the partial configurtation, but also + marks the GOT as read-only at the cost of initializing time + during startup. + +endchoice + +choice + bool "Buffer-overflows detection (FORTIFY_SOURCE)" + help + Enable the _FORTIFY_SOURCE macro which introduces additional + checks to detect buffer-overflows in the following standard library + functions: memcpy, mempcpy, memmove, memset, strcpy, stpcpy, + strncpy, strcat, strncat, sprintf, vsprintf, snprintf, vsnprintf, + gets. + +config BR2_FORTIFY_SOURCE_NONE + bool "None" + help + Disables additional checks to detect buffer-overflows. + +config BR2_FORTIFY_SOURCE_1 + bool "Conservative" + help + This option sets _FORTIFY_SOURCE set to 1 and only introduces + checks that sholdn't change the behavior of conforming programs, + +config BR2_FORTIFY_SOURCE_2 + bool "Aggressive" + help + This option sets _FORTIFY_SOURCES set to 2 and some more checking + is added, but some conforming programs might fail. + +endchoice + endmenu endmenu diff --git a/package/Makefile.in b/package/Makefile.in index a1a5316..68ba50c 100644 --- a/package/Makefile.in +++ b/package/Makefile.in 
@@ -181,6 +181,26 @@ TARGET_CXXFLAGS += -fstack-protector-all TARGET_FCFLAGS += -fstack-protector-all endif +ifeq ($(BR2_RELRO_PARTIAL),y) +TARGET_CFLAGS += -Wl,-z,relro +TARGET_CXXFLAGS += -Wl,-z,relro +TARGET_FCFLAGS += -Wl,-z,relro +else ifeq ($(BR2_RELRO_FULL),y) +TARGET_CFLAGS += -Wl,-z,now -Wl,-z,relro +TARGET_CXXFLAGS += -Wl,-z,now -Wl,-z,relro +TARGET_FCFLAGS += -Wl,-z,now -Wl,-z,relro +endif + +ifeq ($(BR2_FORTIFY_SOURCE_1),y) +TARGET_CFLAGS += -D_FORTIFY_SOURCE=1 +TARGET_CXXFLAGS += -D_FORTIFY_SOURCE=1 +TARGET_FCFLAGS += -D_FORTIFY_SOURCE=1 +else ifeq ($(BR2_FORTIFY_SOURCE_2),y) +TARGET_CFLAGS += -D_FORTIFY_SOURCE=2 +TARGET_CXXFLAGS += -D_FORTIFY_SOURCE=2 +TARGET_FCFLAGS += -D_FORTIFY_SOURCE=2 +endif + ifeq ($(BR2_TOOLCHAIN_BUILDROOT),y) TARGET_CROSS = $(HOST_DIR)/bin/$(GNU_TARGET_NAME)- else
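Review bot: the help texts in the Config.in hunk carry several typos that would ship straight into menuconfig: `know as RELRO` should read `known as RELRO`, `certain type of exploitation techniques` should be `certain types of`, `configurtation` should be `configuration`, `sholdn't` should be `shouldn't`, and `_FORTIFY_SOURCES set to 2` should be `_FORTIFY_SOURCE set to 2`; the BR2_FORTIFY_SOURCE_1 help also ends in a comma where a period belongs. On the logic side, neither `choice` declares a `default`, so the "None" entry is selected only because it happens to come first; an explicit `default BR2_RELRO_NONE` and `default BR2_FORTIFY_SOURCE_NONE` would document that both protections are opt-in. The FORTIFY choice should also state its preconditions: the `_FORTIFY_SOURCE` checks are implemented in the C library's headers (glibc; musl does not provide them) and only activate when the compiler runs with optimization, so a `depends on` for a glibc-based toolchain and a help-text note that an `-O0` build gets no checks would save users a false sense of coverage.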
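Review bot: `-Wl,-z,relro` and `-Wl,-z,now` are linker options, but the Makefile.in hunk appends them only to TARGET_CFLAGS, TARGET_CXXFLAGS and TARGET_FCFLAGS, mirroring the `-fstack-protector-all` context lines above it; a package whose build system passes only its link-flags variable to the final link step would therefore be built without RELRO, so the same flags should also be appended to the link-flags variable Buildroot hands to packages (TARGET_LDFLAGS). Separately, putting `-D_FORTIFY_SOURCE=1` / `-D_FORTIFY_SOURCE=2` into the compile flags collides with packages that already define the macro in their own sources or build flags (macro redefinition warnings, errors under -Werror), and the define does nothing unless an optimization level is in effect; prefixing it with `-U_FORTIFY_SOURCE`, or injecting it through Buildroot's toolchain wrapper instead of the flag variables, avoids the redefinition case.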
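The commit message says the effect of these options can be verified by a post-build analysis of the ELF output, e.g. with checksec.sh. The following Python script is an added example, not code from the patch, from Buildroot or from checksec.sh: it parses an ELF64 little-endian file (the aarch64 target named in the message) and reports the RELRO level from the PT_GNU_RELRO segment plus the dynamic section's bind-now flags, which is how the partial/full distinction introduced by `-z relro` versus `-z now -z relro` shows up in the binary, and it lists `__*_chk` symbol names as the usual indicator that _FORTIFY_SOURCE was active. `build_sample_elf` is a constructed minimal image used only to exercise the checker (it is not a real Buildroot output); the scan for `_chk` names is a heuristic assumption rather than a full dynsym parse, and the constants are the standard ELF values.

```python
"""Post-build RELRO / FORTIFY check for ELF64 little-endian binaries (added example)."""
import re
import struct

# Standard ELF constants.
PT_DYNAMIC = 2
PT_GNU_RELRO = 0x6474E552
DT_NULL = 0
DT_BIND_NOW = 24
DT_FLAGS = 30
DT_FLAGS_1 = 0x6FFFFFFB
DF_BIND_NOW = 0x8
DF_1_NOW = 0x1

EHDR = struct.Struct("<16sHHIQQQIHHHHHH")  # Elf64_Ehdr, 64 bytes
PHDR = struct.Struct("<IIQQQQQQ")          # Elf64_Phdr, 56 bytes
DYN = struct.Struct("<qQ")                 # Elf64_Dyn, 16 bytes


def program_headers(data):
    """Yield every program header tuple of an ELF64 LE image."""
    ident, _, _, _, _, phoff, _, _, _, phentsize, phnum, *_ = EHDR.unpack_from(data, 0)
    if ident[:4] != b"\x7fELF" or ident[4] != 2 or ident[5] != 1:
        raise ValueError("only ELF64 little-endian files are handled")
    for i in range(phnum):
        yield PHDR.unpack_from(data, phoff + i * phentsize)


def dynamic_entries(data, phdrs):
    """Yield (d_tag, d_val) pairs from the PT_DYNAMIC segment, stopping at DT_NULL."""
    for p_type, _, p_offset, _, _, p_filesz, _, _ in phdrs:
        if p_type != PT_DYNAMIC:
            continue
        for off in range(p_offset, p_offset + p_filesz, DYN.size):
            tag, val = DYN.unpack_from(data, off)
            if tag == DT_NULL:
                return
            yield tag, val


def relro_level(data):
    """'none' without PT_GNU_RELRO, 'partial' with it, 'full' when bind-now is also set."""
    phdrs = list(program_headers(data))
    if not any(p[0] == PT_GNU_RELRO for p in phdrs):
        return "none"
    bind_now = False
    for tag, val in dynamic_entries(data, phdrs):
        if tag == DT_BIND_NOW or (tag == DT_FLAGS and val & DF_BIND_NOW) \
                or (tag == DT_FLAGS_1 and val & DF_1_NOW):
            bind_now = True
    return "full" if bind_now else "partial"


def fortified_symbols(data):
    """Heuristic: NUL-terminated __<name>_chk strings, as found in .dynstr of a fortified binary."""
    found = re.findall(rb"__[a-z0-9_]+_chk(?=\x00)", data)
    return sorted({m.decode() for m in found})


def build_sample_elf(relro, bind_now, symbols=()):
    """Constructed minimal ELF64 image: header, PT_DYNAMIC (+ PT_GNU_RELRO), dynamic entries, string table."""
    dyn = []
    if bind_now:  # ld -z now sets both of these
        dyn.append(DYN.pack(DT_FLAGS, DF_BIND_NOW))
        dyn.append(DYN.pack(DT_FLAGS_1, DF_1_NOW))
    dyn.append(DYN.pack(DT_NULL, 0))
    dyn_bytes = b"".join(dyn)
    strtab = b"\x00" + b"".join(s.encode() + b"\x00" for s in symbols)
    phnum = 2 if relro else 1
    dyn_off = EHDR.size + phnum * PHDR.size
    phdrs = [PHDR.pack(PT_DYNAMIC, 6, dyn_off, 0, 0, len(dyn_bytes), len(dyn_bytes), 8)]
    if relro:
        phdrs.append(PHDR.pack(PT_GNU_RELRO, 4, dyn_off, 0, 0, len(dyn_bytes), len(dyn_bytes), 1))
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\x00" * 8  # ELF64, LE, version 1, SysV ABI
    ehdr = EHDR.pack(ident, 3, 183, 1, 0, EHDR.size, 0, 0,
                     EHDR.size, PHDR.size, phnum, 0, 0, 0)   # e_type=ET_DYN, e_machine=AArch64
    return ehdr + b"".join(phdrs) + dyn_bytes + strtab


if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            blob = fh.read()
        names = fortified_symbols(blob)
        print(f"{path}: RELRO={relro_level(blob)} "
              f"FORTIFY={'yes' if names else 'no'} ({len(names)} _chk symbols)")
```

Run it over files from the target rootfs (`python3 check_hardening.py output/target/usr/bin/*`) to confirm that BR2_RELRO_FULL yields `RELRO=full` and that a build with BR2_FORTIFY_SOURCE_2 and optimization enabled shows `_chk` symbols; a binary that links with `-z now` but without `-z relro` still reports `none`, because bind-now alone does not make the GOT read-only.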