Initial commit

2025-06-24 14:35:53 +02:00
commit c06fb25d1f
9263 changed files with 1750214 additions and 0 deletions
--- a/include/hardening.mk
+++ b/include/hardening.mk
@@ -0,0 +1,66 @@
+# SPDX-License-Identifier: GPL-2.0-only
+#
+# Copyright (C) 2015-2020 OpenWrt.org
+
+PKG_CHECK_FORMAT_SECURITY ?= 1
+PKG_ASLR_PIE ?= 1
+PKG_ASLR_PIE_REGULAR ?= 0
+PKG_SSP ?= 1
+PKG_FORTIFY_SOURCE ?= 1
+PKG_RELRO ?= 1
+
+ifdef CONFIG_PKG_CHECK_FORMAT_SECURITY
+  ifeq ($(strip $(PKG_CHECK_FORMAT_SECURITY)),1)
+    TARGET_CFLAGS += -Wformat -Werror=format-security
+  endif
+endif
+ifdef CONFIG_PKG_ASLR_PIE_ALL
+  ifeq ($(strip $(PKG_ASLR_PIE)),1)
+    TARGET_CFLAGS += $(FPIC)
+    TARGET_LDFLAGS += $(FPIC) -specs=$(INCLUDE_DIR)/hardened-ld-pie.specs
+  endif
+endif
+ifdef CONFIG_PKG_ASLR_PIE_REGULAR
+  ifeq ($(strip $(PKG_ASLR_PIE_REGULAR)),1)
+    TARGET_CFLAGS += $(FPIC)
+    TARGET_LDFLAGS += $(FPIC) -specs=$(INCLUDE_DIR)/hardened-ld-pie.specs
+  endif
+endif
+ifdef CONFIG_PKG_CC_STACKPROTECTOR_REGULAR
+  ifeq ($(strip $(PKG_SSP)),1)
+    TARGET_CFLAGS += -fstack-protector
+  endif
+endif
+ifdef CONFIG_PKG_CC_STACKPROTECTOR_STRONG
+  ifeq ($(strip $(PKG_SSP)),1)
+    TARGET_CFLAGS += -fstack-protector-strong
+  endif
+endif
+ifdef CONFIG_PKG_CC_STACKPROTECTOR_ALL
+  ifeq ($(strip $(PKG_SSP)),1)
+    TARGET_CFLAGS += -fstack-protector-all
+  endif
+endif
+ifdef CONFIG_PKG_FORTIFY_SOURCE_1
+  ifeq ($(strip $(PKG_FORTIFY_SOURCE)),1)
+    TARGET_CFLAGS += -D_FORTIFY_SOURCE=1
+  endif
+endif
+ifdef CONFIG_PKG_FORTIFY_SOURCE_2
+  ifeq ($(strip $(PKG_FORTIFY_SOURCE)),1)
+    TARGET_CFLAGS += -D_FORTIFY_SOURCE=2
+  endif
+endif
+ifdef CONFIG_PKG_RELRO_PARTIAL
+  ifeq ($(strip $(PKG_RELRO)),1)
+    TARGET_CFLAGS += -Wl,-z,relro
+    TARGET_LDFLAGS += -zrelro
+  endif
+endif
+ifdef CONFIG_PKG_RELRO_FULL
+  ifeq ($(strip $(PKG_RELRO)),1)
+    TARGET_CFLAGS += -Wl,-z,now -Wl,-z,relro
+    TARGET_LDFLAGS += -znow -zrelro
+  endif
+endif
+