Compiler Flags - fstack-protector-strong and pie

Abhiram
Posts: 22
Joined: Mon Apr 24, 2017 5:09 pm

Compiler Flags - fstack-protector-strong and pie

Post by Abhiram » Tue Sep 19, 2017 4:19 am

Hello all

I am trying to compile using some gcc security CFLAGS like -fstack-protector-strong and -pie, which I added manually in project.mk.
But I am getting "dangerous relocation: dynamic relocation in read-only section". Can you help me out on how to enable these flags? Can they be enabled?
CFLAGS += -fstack-protector-strong
CFLAGS += -O2 -D_FORTIFY_SOURCE=2
CFLAGS += -Wformat -Wformat-security
# continuation lines need a trailing backslash on the assignment line itself
LDFLAGS ?= -z relro -z now \
           -z noexecstack \
           -pie
Also, I would like to know whether on esp-idf we have any option to compile the bootloader and the app + partition separately.

thanks
abhiram

ESP_Angus
Posts: 2344
Joined: Sun May 08, 2016 4:11 am

Re: Compiler Flags - fstack-protector-strong and pie

Post by ESP_Angus » Tue Sep 19, 2017 4:49 am

Hi Abhiram,

There are a few items here, so I'll address each one individually:

We've only just released a toolchain with support for -fstack-protector-strong in the last few days. We plan to integrate this into ESP-IDF as a configuration feature. It may work as-is now but you also may get some unusual behaviour, please keep us informed.

Passing "-Wformat -Wformat-security " to CFLAGS should work now, but you may get a lot of warnings from IDF's own code.

Passing "-D_FORTIFY_SOURCE" won't make any difference in the IDF codebase (this macro is not used anywhere).

Passing "-O2" should work but we recommend using the supported optimisations in menuconfig under Compiler Configuration (currently Debug=-Og and Release=-Os).

I don't think any of the LDFLAGS "-z norelro -z now -z noexecstack" make sense when linking a static executable for an environment with no ELF loader. These are probably the linker options causing the error you're seeing. Regarding noexecstack, IDF has totally separate memory spaces for data vs instruction memory so in a way this is the same as having NX pages.

Linking "-pie" for a Position Independent Executable also doesn't apply when building a statically linked executable.

Abhiram wrote: Also, I would like to know whether on esp-idf we have any option to compile the bootloader and the app + partition separately.
Yes, if you run "make help" then it will give you a summary of make targets including individual targets for each of these.
