On Mon, Mar 21, 2011 at 3:52 PM, Michael Zintakis <michael.zintakis@xxxxxxxxxxxxxx> wrote:
>
>> I don't think Michael was saying:
>>
>> configure: --disable-libssp
>> build: -D_FORTIFY_SOURCE -O2 -fstack-protector
>>
>> I think he was saying:
>>
>> configure: --disable-libssp
>> build: -U_FORTIFY_SOURCE -O2 -fno-stack-protector
>>
>
> I just wanted to find out the effect these options have on: 1) the toolchain
> build (gcc, glibc, mpc, mpfr, ppl/cloog, gmp etc.); and 2) on the kernel
> itself, as I know how to use these when building the 'regular' software
> programs. As I have rarely, up until now, built a toolchain (although I
> am always compiling my kernel from source and applying a set of patches to
> it) I wasn't sure whether to switch "on" and use these options.
>
>> As for the kernel; it can be built with stack protector. But like
>> (e)glibc, the kernel enables it internally.
>>
>> So you build the kernel with: -U_FORTIFY_SOURCE -fno-stack-protector
>> and enable CONFIG_CC_STACKPROTECTOR=y
>> and -fstack-protector will be turned on in all the right places.
>>
>
> So, in summary:
>
> toolchain & kernel: "-O2 -U_FORTIFY_SOURCE -fno-stack-protector" (with the
> exception when building the kernel to include CONFIG_CC_STACKPROTECTOR=y)
> the rest of the software: "-O2 -D_FORTIFY_SOURCE -fstack-protector-all
> -fexceptions --param=ssp-buffer-size=4 --enable-libssp"
>
> Right?
>

If the toolchain is built _with_ ssp enabled (--enable-libssp), then yes for the '& kernel' part. For the "rest of the software", YMMV.

I'd suggest checking out others' experiences with ssp:

https://wiki.ubuntu.com/ProactiveSecurityRoadmap1
https://wiki.ubuntu.com/GccSsp
http://www.linuxfromscratch.org/hints/downloads/files/ssp.txt