So, in summary:
toolchain & kernel: "-O2 -U_FORTIFY_SOURCE -fno-stack-protector" (with the
exception when building the kernel to include CONFIG_CC_STACKPROTECTOR=y)
the rest of the software: "-O2 -D_FORTIFY_SOURCE -fstack-protector-all
-fexceptions --param=ssp-buffer-size=4 --enable-libssp"
Right?

If the toolchain is built _with_ ssp enabled (--enable-libssp), then
yes for the '& kernel' part.

Right, I am in the process of building a new version of my toolchain with
the new parameters and will see how it goes.

For the "rest of the software", YMMV. I'd suggest checking out others'
experiences with ssp:
https://wiki.ubuntu.com/ProactiveSecurityRoadmap1
https://wiki.ubuntu.com/GccSsp
http://www.linuxfromscratch.org/hints/downloads/files/ssp.txt

Thanks for the links. I will play it safe first and try building it
without the above options activated. If everything is successful then
I will try switching those on.