path: root/platforms/toolchain_hardening.in
## SECTION=architecture_options

menu "hardening options             "

choice
	prompt "Stack Protector"
	help
	  This is a mainline GCC feature which adds runtime checks against
	  stack buffer overwrites. It turns many potential code injection
	  attacks into a controlled abort. In the best case this reduces
	  code injection vulnerabilities to a denial of service or to
	  non-issues (depending on the application).
	  The variants differ in coverage: -fstack-protector only
	  instruments functions with (by default) larger character arrays,
	  -fstack-protector-strong also covers functions with any local
	  array or address-taken local, and -fstack-protector-all covers
	  every function, at the highest runtime cost.
	  http://en.wikipedia.org/wiki/Stack-smashing_protection

config TARGET_HARDEN_STACK_NONE
	bool
	prompt "disabled                   "

config TARGET_HARDEN_STACK
	bool
	prompt "cc -fstack-protector       "

config TARGET_HARDEN_STACK_STRONG
	bool
	prompt "cc -fstack-protector-strong"

config TARGET_HARDEN_STACK_ALL
	bool
	prompt "cc -fstack-protector-all   "

endchoice

config TARGET_HARDEN_FORTIFY
	bool
	prompt "Enable glibc protections (cc -D_FORTIFY_SOURCE=2)"
	help
	  During code generation the compiler knows a great deal about
	  buffer sizes (where possible), and replaces unbounded buffer
	  function calls with length-checked ones wherever it can. This is
	  especially useful for old, crufty code.
	  Note: _FORTIFY_SOURCE only takes effect when compiling with
	  optimization enabled (-O1 or higher), and it can only check
	  buffers whose size is known at compile time.

config TARGET_HARDEN_RELRO
	bool
	prompt "Enable 'RELocation Read-Only' (ld -z relro)"
	help
	  Several ELF sections need to be written to by the dynamic linker
	  during start-up, but can be made read-only once relocation is
	  done. Most notably this hardens the GOT against overwrite attacks.
	  Note: on its own this is only "partial" RELRO, because with lazy
	  binding the GOT entries used by PLT calls must stay writable;
	  combine it with 'Bind Now' below to get full RELRO, which makes
	  the whole GOT read-only after start-up.

config TARGET_HARDEN_BINDNOW
	bool
	prompt "Enable 'Bind Now' (ld -z now)"
	help
	  Perform all dynamic symbol bindings at start-up instead of lazily
	  on first call. This prevents PLT overwrite attacks and, combined
	  with RELRO above, allows the complete GOT to be made read-only.
	  The cost is a somewhat slower process start-up, since every
	  symbol is resolved even if it is never used.

config TARGET_HARDEN_PIE
	bool
	prompt "Enable 'Position Independent Executables' (-fPIE -pie)"
	help
	  Position Independent Executables are needed for effective Address
	  Space Layout Randomization (ASLR). ASLR itself is a kernel
	  feature; without PIE only shared libraries get randomized load
	  addresses, while the main executable stays at a fixed, predictable
	  address, which largely defeats the protection.
	  http://en.wikipedia.org/wiki/ASLR


endmenu