Add more hardening flags. Louis-Philippe Véronneau 4 years ago
5 changed file(s) with 78 addition(s) and 2 deletion(s).
33
44 1. It allows reprepro to fail, since this package is affected by a GCC
55 reproducibility bug (captures_build_path_via_assert).
6
7 2. It lets blhc ignore the '-fstack-protector-strong' flag, since it is not
8 supported by gcc-arm-none-eabi (for more details see Launchpad bug #1509756).
0 Add Hardening flags, based on what blhc (and the Debian wiki) recommends.
1 Index: firmware-tomu/booster/Makefile
2 ===================================================================
3 --- firmware-tomu.orig/booster/Makefile
4 +++ firmware-tomu/booster/Makefile
5 @@ -1,6 +1,7 @@
6 PACKAGE = booster
7 -ADD_CFLAGS =
8 -ADD_LFLAGS =
9 +ADD_CFLAGS = -O2 -Wformat -Werror=format-security
10 +ADD_CPPFLAGS = -D_FORTIFY_SOURCE=2
11 +ADD_LFLAGS = -Wl,-z,relro -Wl,-z,now
12
13 TRGT ?= arm-none-eabi-
14 CC = $(TRGT)gcc
15 @@ -10,7 +11,7 @@ OBJCOPY = $(TRGT)objcopy
16 LDSCRIPT = tomu.ld
17 DBG_CFLAGS = -ggdb -g -DDEBUG -Wall
18 DBG_LFLAGS = -ggdb -g -Wall
19 -CFLAGS = $(ADD_CFLAGS) \
20 +CFLAGS = $(ADD_CFLAGS) $(ADD_CPPFLAGS) \
21 -Wall -Wextra \
22 -mcpu=cortex-m0plus -mfloat-abi=soft -mthumb \
23 -ffunction-sections -fdata-sections -fno-common \
24 @@ -60,7 +61,7 @@ $(OBJ_DIR):
25 $(QUIET) mkdir $(OBJ_DIR)
26
27 $(COBJS) : $(OBJ_DIR)/%.o : %.c Makefile
28 - $(QUIET) echo " CC $< $(notdir $@)"
29 +# $(QUIET) echo " CC $< $(notdir $@)"
30 $(QUIET) $(CC) -c $< $(CFLAGS) -o $@ -MMD
31
32 $(OBJ_DIR)/%.o: %.cpp
33 Index: firmware-tomu/toboot/Makefile
34 ===================================================================
35 --- firmware-tomu.orig/toboot/Makefile
36 +++ firmware-tomu/toboot/Makefile
37 @@ -1,6 +1,7 @@
38 PACKAGE = toboot
39 -ADD_CFLAGS =
40 -ADD_LFLAGS =
41 +ADD_CFLAGS = -O2 -Wformat -Werror=format-security
42 +ADD_CPPFLAGS = -D_FORTIFY_SOURCE=2
43 +ADD_LFLAGS = -Wl,-z,relro -Wl,-z,now
44
45 GIT_VERSION := $(shell dpkg-parsechangelog -l ../debian/changelog -S Version)
46 TRGT ?= arm-none-eabi-
47 @@ -21,7 +22,7 @@ endif
48 LDSCRIPT = toboot-bl.ld
49 DBG_CFLAGS = -ggdb -g -DDEBUG -Wall
50 DBG_LFLAGS = -ggdb -g -Wall
51 -CFLAGS = $(ADD_CFLAGS) \
52 +CFLAGS = $(ADD_CFLAGS) $(ADD_CPPFLAGS) \
53 -DTOBOOT_APP_FLAGS=0x00006fb0 \
54 -Wall -Wextra \
55 -mcpu=cortex-m0plus -mfloat-abi=soft -mthumb \
56 @@ -82,7 +83,7 @@ $(OBJ_DIR):
57 $(QUIET) mkdir $(OBJ_DIR)
58
59 $(COBJS) : $(OBJ_DIR)/%.o : %.c Makefile
60 - $(QUIET) echo " CC $< $(notdir $@)"
61 +# $(QUIET) echo " CC $< $(notdir $@)"
62 $(QUIET) $(CC) -c $< $(CFLAGS) -o $@ -MMD
63
64 $(OBJ_DIR)/%.o: %.cpp
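Review bot: The `ADD_LFLAGS` value `-Wl,-z,relro -Wl,-z,now` hardens the GOT/PLT of dynamically linked ELF programs at load time, so for firmware linked through `tomu.ld` / `toboot-bl.ld` it most likely changes nothing in the flashed image. `-D_FORTIFY_SOURCE=2` likewise only adds checks if the C library used by `arm-none-eabi-gcc` implements them, which these hunks do not show. The patch header should separate the flags that are passed to satisfy blhc from those expected to take effect on the Cortex-M0+ target, for example `relro/now and _FORTIFY_SOURCE are passed for blhc; their effect on the bare-metal image is unverified`, so the result is not read as runtime protection. `-O2` is also placed first in `CFLAGS`, whose remainder lies outside the hunks, so a later optimisation flag there would override it. The header should also state why the `echo " CC ..."` recipe line is commented out in both Makefiles.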
00 0001_Makefile_GIT_VERSION.patch
11 0002_Makefile_CLEAN.patch
2 0003_Compiler_Hardening.patch
00 #!/usr/bin/make -f
11
22 export DEB_BUILD_MAINT_OPTIONS = hardening=+all
3
4 ifeq (,$(filter terse,$(DEB_BUILD_OPTIONS)))
5 export MAKE = make -j2 "INSTALL=install --strip-program=true" QUIET=
6 endif
37
48 CFLAGS:=$(shell dpkg-buildflags --get CFLAGS)
59 CPPFLAGS:=$(shell dpkg-buildflags --get CPPFLAGS)
913 dh $@
1014
1115 override_dh_auto_build:
12 dh_auto_build --sourcedirectory=toboot
13 dh_auto_build --sourcedirectory=booster
16 cd toboot && $(MAKE)
17 cd booster && $(MAKE)
1418 gcc $(CFLAGS) $(CPPFLAGS) $(LDFLAGS) booster/make-booster.c -o booster/make-booster
1519 cd booster && ./make-booster ../toboot/toboot.bin toboot-booster.bin && cp toboot-booster.bin toboot-booster.dfu
1620 dfu-suffix --pid 0x70b1 --vid 0x1209 --add booster/toboot-booster.dfu
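Review bot: The added `export MAKE = make -j2 "INSTALL=install --strip-program=true" QUIET=` hard-codes the job count and replaces `$(MAKE)` with a literal `make`, so a `parallel=N` value in `DEB_BUILD_OPTIONS` is no longer honoured and the two `cd ... && $(MAKE)` calls bypass what `dh_auto_build` did for the build. Keeping `dh_auto_build` and passing only the verbosity switch would avoid that: `dh_auto_build --sourcedirectory=toboot -- QUIET=` and the same for `booster`. If the override stays, a comment above the `ifeq` should record its purpose, presumably `# QUIET= makes the firmware Makefiles print full compiler command lines so blhc can audit the flags`.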
22 - https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/salsa-ci.yml
33 - https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/pipeline-jobs.yml
44
5 variables:
6 SALSA_CI_BLHC_ARGS: '--ignore-flag -fstack-protector-strong'
7
58 reprotest:
69 allow_failure: true
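Review bot: `SALSA_CI_BLHC_ARGS: '--ignore-flag -fstack-protector-strong'` disables that check for every compiler line in the build log, not only the `arm-none-eabi-gcc` ones. debian/rules also builds `booster/make-booster` with the host `gcc`, where the flag is supported, so a missing stack protector on that helper would no longer be reported by the pipeline. A comment above the variable should record the intended scope, for example `# arm-none-eabi-gcc lacks -fstack-protector-strong (LP: #1509756); host-built make-booster is not covered by this exception and must be checked separately`. The exception could also be narrowed if blhc's options allow that for this log.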