firmware: Initial compiler built-in stack protector support

Add __stack_chk_fail() and __stack_chk_guard variable which are used by compiler built-in stack protector. This patch just try to support stack-protector so the value of the stack guard variable is simply fixed for now. It could be improved by deriving from a random number generator, such as Zkr extension or any platform-specific random number sources. Introduce three configurations for the stack protector: 1. CONFIG_STACK_PROTECTOR to enable the stack protector feature by providing "-fstack-protector" compiler flag 2. CONFIG_STACK_PROTECTOR_STRONG to provide "-fstack-protector-strong" 3. CONFIG_STACK_PROTECTOR_ALL to provide "-fstack-protector-all" Instead of fixing the compiler flag of stack-protector feature as "-fstack-protector", we derive it from the introduced Kconfig configurations. The compiler flag "stack-protector-cflags-y" is defined as Makefile "immediately expanded variables" with ":=". Thus, the stronger configuration of the stack protector can overwrite the preceding one. Signed-off-by: Alvin Chang <alvinga@andestech.com> Reviewed-by: Yu-Chien Peter Lin <peter.lin@sifive.com> Reviewed-by: Anup Patel <anup@brainfault.org> Link: https://lore.kernel.org/r/20250703151957.2545958-3-alvinga@andestech.com Signed-off-by: Anup Patel <anup@brainfault.org>
2025-07-03 23:19:57 +08:00
parent ea5abd1f5e
commit edfbc1285d
4 changed files with 72 additions and 0 deletions
--- a/firmware/objects.mk
+++ b/firmware/objects.mk
@@ -66,3 +66,12 @@ endif
 ifdef FW_OPTIONS
 firmware-genflags-y += -DFW_OPTIONS=$(FW_OPTIONS)
 endif
+
+ifeq ($(CONFIG_STACK_PROTECTOR),y)
+stack-protector-cflags-$(CONFIG_STACK_PROTECTOR) := -fstack-protector
+stack-protector-cflags-$(CONFIG_STACK_PROTECTOR_STRONG) := -fstack-protector-strong
+stack-protector-cflags-$(CONFIG_STACK_PROTECTOR_ALL) := -fstack-protector-all
+else
+stack-protector-cflags-y := -fno-stack-protector
+endif
+firmware-cflags-y += $(stack-protector-cflags-y)