CHROMIUM: security: use -fstack-protector-strong
author Kees Cook <keescook@chromium.org>
Fri, 19 Apr 2013 21:56:31 +0000 (14:56 -0700)
committer ChromeBot <chrome-bot@google.com>
Wed, 15 May 2013 23:16:25 +0000 (16:16 -0700)
commit 4f4d6898918725fdbfa36e9f74736667f6c5d688
tree 9b44326171c7076998cda45a91e4e57673991843
parent ab25983c9032807d33f510ff3e9f79bd636b6994
CHROMIUM: security: use -fstack-protector-strong

Build the kernel with -fstack-protector-strong to gain the additional
checks without the performance hit of -fstack-protector-all. This grows
the uncompressed kernel image by less than 0.16% on x86:

-rwxr-xr-x 1 keescook portage 118219343 Apr 17 12:26 /build/link/var/cache/portage/sys-kernel/chromeos-kernel/vmlinux
-rwxr-xr-x 1 keescook portage 118407919 Apr 19 15:00 /build/link/var/cache/portage/sys-kernel/chromeos-kernel/vmlinux

ARM's compressed boot code now triggers stack protection, so a static
guard was added. Since it is only doing decompression and it's been
validated by the firmware, the exposure here is very small. Once it
switches to the full kernel, random stack protection is back to normal.

BUG=chromium:233757
TEST=link and daisy build & boot

Change-Id: I512fb6444463e12a8e04428b6203a00b460a79ae
Signed-off-by: Kees Cook <keescook@chromium.org>
Reviewed-on: https://gerrit.chromium.org/gerrit/48703
Reviewed-by: Will Drewry <wad@chromium.org>
arch/arm/Makefile
arch/arm/boot/compressed/misc.c
arch/x86/Makefile