I don't think Michael was saying:
configure: --disable-libssp
build: -D_FORTIFY_SOURCE -O2 -fstack-protector
I think he was saying:
configure: --disable-libssp
build: -U_FORTIFY_SOURCE -O2 -fno-stack-protector
I just wanted to find out the effect these options have on: 1) the
toolchain build (gcc, glibc, mpc, mpfr, ppl/cloog, gmp etc); and 2) on
the kernel itself as I know how to use these when building the 'regular'
software programs. As I have rarely, up until now, built a
toolchain (although I am always compiling my kernel from source and
applying a set of patches to it) I wasn't sure whether to switch "on"
and use these options.
As for the kernel, it can be built with stack protector. But like
(e)glibc, the kernel enables it internally.
So you build the kernel with: -U_FORTIFY_SOURCE -fno-stack-protector
and enable CONFIG_CC_STACKPROTECTOR=y
and -fstack-protector will be turned on in all the right places.
So, in summary:
toolchain & kernel: "-O2 -U_FORTIFY_SOURCE -fno-stack-protector" (with
the exception when building the kernel to include
CONFIG_CC_STACKPROTECTOR=y)
the rest of the software: "-O2 -D_FORTIFY_SOURCE -fstack-protector-all
-fexceptions --param=ssp-buffer-size=4 --enable-libssp"
Right?
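
The flag sets from the summary above, resolved the way GCC reads its command line (options are processed in order, so a later `-U` or `-fno-` cancels an earlier `-D` or `-f`). This is an added example, not part of the original message: the function name `effective_hardening` is hypothetical, only the option spellings that appear in the thread are handled, and `--enable-*`/`--disable-*` tokens are collected separately as configure switches.

```python
import shlex

# Flag sets quoted from the summary in the thread.
TOOLCHAIN = "-O2 -U_FORTIFY_SOURCE -fno-stack-protector"
REST = ("-O2 -D_FORTIFY_SOURCE -fstack-protector-all -fexceptions "
        "--param=ssp-buffer-size=4 --enable-libssp")
# Constructed samples: inherited hardening flags overridden later on the
# command line, and fortify requested without optimisation.
OVERRIDDEN = ("-O2 -D_FORTIFY_SOURCE=2 -fstack-protector "
              "-U_FORTIFY_SOURCE -fno-stack-protector")
NO_OPT = "-O0 -D_FORTIFY_SOURCE=2"


def effective_hardening(flags: str) -> dict:
    """Return the hardening state a GCC flag string ends up with."""
    state = {"opt": "0", "fortify": None, "ssp": None,
             "ssp_buffer_size": 8,          # GCC's default threshold
             "configure_opts": []}
    for tok in shlex.split(flags):
        if tok.startswith(("--enable-", "--disable-")):
            # configure-time switches such as --enable-libssp
            state["configure_opts"].append(tok)
        elif tok.startswith("-O"):
            state["opt"] = tok[2:] or "1"   # bare -O means -O1
        elif tok == "-U_FORTIFY_SOURCE":
            state["fortify"] = None         # undoes any earlier -D
        elif tok == "-D_FORTIFY_SOURCE":
            state["fortify"] = 1            # -DNAME defines NAME as 1
        elif tok.startswith("-D_FORTIFY_SOURCE="):
            state["fortify"] = int(tok.split("=", 1)[1])
        elif tok == "-fno-stack-protector":
            state["ssp"] = None
        elif tok.startswith("-fstack-protector"):
            mode = tok[len("-fstack-protector"):].lstrip("-")
            state["ssp"] = mode or "default"
        elif tok.startswith("--param=ssp-buffer-size="):
            state["ssp_buffer_size"] = int(tok.rsplit("=", 1)[1])
    # glibc only activates its fortify wrappers when optimisation is on.
    state["fortify_active"] = bool(state["fortify"]) and state["opt"] != "0"
    return state


if __name__ == "__main__":
    for name in ("TOOLCHAIN", "REST", "OVERRIDDEN", "NO_OPT"):
        print(name, effective_hardening(globals()[name]))
```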