GCC supports --enable-default-ssp starting with version 5 and --enable-default-pie
starting with version 6.
With these options it produces hardened binaries by default, without having to deal
with per-package compilation flags.
Signed-off-by: Julien Dusser <julien.dusser@free.fr>
help
Any additional gcc options you may want to include....
+config GCC_DEFAULT_PIE
+ bool
+ prompt "Build executable with PIE enabled by default" if TOOLCHAINOPTS
+ depends on !GCC_USE_VERSION_5
+ default n
+ help
+ Use gcc configure option --enable-default-pie to turn on -fPIE and -pie by default.
+
+config GCC_DEFAULT_SSP
+ bool
+ prompt "Build executable with Stack-Smashing Protection enabled by default" if TOOLCHAINOPTS
+ default n
+ help
+ Use gcc configure option --enable-default-ssp to turn on -fstack-protector-strong by default.
+
config SSP_SUPPORT
bool
prompt "Enable Stack-Smashing Protection support" if TOOLCHAINOPTS
GCC_CONFIGURE += --with-diagnostics-color=auto-if-env
endif
+ifneq ($(CONFIG_GCC_DEFAULT_PIE),)
+ GCC_CONFIGURE+= \
+ --enable-default-pie
+endif
+
+ifneq ($(CONFIG_GCC_DEFAULT_SSP),)
+ GCC_CONFIGURE+= \
+ --enable-default-ssp
+endif
+
ifneq ($(CONFIG_SSP_SUPPORT),)
GCC_CONFIGURE+= \
--enable-libssp