John Crispin 491f3fc048 Support for building an hardened OpenWRT
Introduce configuration options to build a "hardened" OpenWRT.

Options to enable Stack-Smashing Protection, FORTIFY_SOURCE and RELRO
have been introduced.

uClibc makefile now automatically detects if SSP support is necessary.

hostapd makefile has been fixed to use "^" as sed separator since
using a comma was problematic when using "-Wl,-z,now" and the like in
TARGET_CFLAGS.

Currently enabling SSP on user space depends on enabling SSP kernel
side, this is due to the fact that TARGET_CFLAGS are used to build
kernel modules (at least). Suggestions on how to avoid this are welcome.
Using "select" instead of "depends on" doesn't seem to work with choice
entries.

Tested with a lantiq (WBMR) router, GCC 4.8, uClibc and a subset of
the available packages.
Needs to be tested with GCC 4.9 and the remaining packages.
PIE not currently included.

Signed-off-by: Alessandro Di Federico <ale+owrt@clearmind.me>

SVN-Revision: 44005
2015-01-17 14:31:30 +00:00


#
# Copyright (C) 2006-2012 OpenWrt.org
#
# This is free software, licensed under the GNU General Public License v2.
# See /LICENSE for more information.
#
include $(TOPDIR)/rules.mk
include $(INCLUDE_DIR)/target.mk
# Package identity. The version is taken from the toolchain configuration
# (CONFIG_UCLIBC_VERSION) with its surrounding quotes stripped.
PKG_NAME:=uClibc
PKG_VERSION:=$(call qstrip,$(CONFIG_UCLIBC_VERSION))
# NOTE(review): the tarball is fetched over plain HTTP, so the checksum below
# is the only integrity check visible in this file.
PKG_SOURCE_URL:=http://www.uclibc.org/downloads
PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.bz2
LIBC_SO_VERSION:=$(PKG_VERSION)
# Patches and config fragments are selected per uClibc version.
PATCH_DIR:=$(PATH_PREFIX)/patches-$(PKG_VERSION)
CONFIG_DIR:=$(PATH_PREFIX)/config-$(PKG_VERSION)
# Per-version checksum table: PKG_MD5SUM resolves to the entry that matches
# PKG_VERSION and expands to nothing for a version without an entry. What the
# download step does with an empty checksum is not shown here.
# NOTE(review): MD5 is not collision-resistant; a stronger digest would be
# preferable if the download framework accepts one -- confirm.
PKG_MD5SUM_0.9.33.2 = a338aaffc56f0f5040e6d9fa8a12eda1
PKG_MD5SUM=$(PKG_MD5SUM_$(PKG_VERSION))
# Versioned build directory inside the toolchain build tree.
HOST_BUILD_DIR:=$(BUILD_DIR_TOOLCHAIN)/$(PKG_NAME)-$(PKG_VERSION)
include $(INCLUDE_DIR)/toolchain-build.mk
# Derive the uClibc architecture name from ARCH, once, at parse time.
# The first sed expression drops everything from the first '-' onwards; the
# remaining ones fold CPU variants into one family name (i.86 -> i386,
# arm* -> arm, ppc -> powerpc, mips* -> mips, ...).
# The expressions are applied in the order listed, so order matters: the
# 'mips.*' rule already rewrites mipsel* to mips, which leaves the following
# 'mipsel.*' rule with nothing to match.
# $(ARCH) is passed to the shell unquoted.
UCLIBC_TARGET_ARCH:=$(shell echo $(ARCH) | sed -e s'/-.*//' \
	-e 's/i.86/i386/' \
	-e 's/sparc.*/sparc/' \
	-e 's/arm.*/arm/g' \
	-e 's/avr32.*/avr32/g' \
	-e 's/m68k.*/m68k/' \
	-e 's/ppc/powerpc/g' \
	-e 's/v850.*/v850/g' \
	-e 's/sh64/sh/' \
	-e 's/sh[234].*/sh/' \
	-e 's/mips.*/mips/' \
	-e 's/mipsel.*/mips/' \
	-e 's/cris.*/cris/' \
)
# Command line that assembles the uClibc .config from fragments in CONFIG_DIR
# by running kconfig.pl -n over them, in this order:
#   1. "common", if that file exists;
#   2. "debug", if CONFIG_UCLIBC_ENABLE_DEBUG is set and the file exists;
#   3. the per-architecture file $(ARCH), with the first applicable suffix:
#      .$(BOARD) when $(ARCH).$(BOARD) exists, else the unquoted value of
#      CONFIG_MIPS64_ABI when that is set, else .e500 when CONFIG_HAS_SPE_FPU
#      is set and $(ARCH).e500 exists, else no suffix.
# Recursive (=) assignment: the wildcard checks are evaluated each time the
# variable is expanded.
GEN_CONFIG=$(SCRIPT_DIR)/kconfig.pl -n \
	$(if $(wildcard $(CONFIG_DIR)/common),'+' $(CONFIG_DIR)/common) \
	$(if $(CONFIG_UCLIBC_ENABLE_DEBUG),$(if $(wildcard $(CONFIG_DIR)/debug),'+' $(CONFIG_DIR)/debug)) \
	$(CONFIG_DIR)/$(ARCH)$(strip \
		$(if $(wildcard $(CONFIG_DIR)/$(ARCH).$(BOARD)),.$(BOARD), \
			$(if $(CONFIG_MIPS64_ABI),.$(subst ",,$(CONFIG_MIPS64_ABI)), \
				$(if $(CONFIG_HAS_SPE_FPU),$(if $(wildcard $(CONFIG_DIR)/$(ARCH).e500),.e500)))))
# Compiler flags handed to the uClibc build (see CPU_CFLAGS= in UCLIBC_MAKE).
# TARGET_CFLAGS follows the fixed flags, so whatever it carries also reaches
# the libc build; the commit message mentions hardening options such as
# "-Wl,-z,now" being placed in TARGET_CFLAGS. -ggdb is always appended last.
CPU_CFLAGS = -funsigned-char -fno-builtin -fno-asm --std=gnu99 \
	-ffunction-sections -fdata-sections -Wno-unused-but-set-variable \
	$(TARGET_CFLAGS) -ggdb
# Sub-make invocation used to drive the uClibc build in HOST_BUILD_DIR.
# PATH is overridden so that the initial toolchain's bin directory is searched
# before TARGET_PATH. LIBGCC is the path the target compiler reports for
# libgcc, with libgcc.a replaced by libgcc_initial.a; because this is a
# recursive (=) variable, that compiler query runs on every expansion.
# DOSTRIP is passed as an empty string.
UCLIBC_MAKE = \
	PATH='$(TOOLCHAIN_DIR)/initial/bin:$(TARGET_PATH)' \
	$(MAKE) $(HOST_JOBS) -C $(HOST_BUILD_DIR) \
	$(TARGET_CONFIGURE_OPTS) \
	DEVEL_PREFIX=/ RUNTIME_PREFIX=/ \
	HOSTCC="$(HOSTCC)" CPU_CFLAGS="$(CPU_CFLAGS)" ARCH="$(CONFIG_ARCH)" \
	LIBGCC="$(subst libgcc.a,libgcc_initial.a,$(shell $(TARGET_CC) -print-libgcc-file-name))" \
	DOSTRIP=""
# Prepare step: run the default prepare, then, only when QUILT is non-empty,
# change into HOST_BUILD_DIR and apply all patches with "$(QUILT_CMD) push -a"
# if "$(QUILT_CMD) next" succeeds (presumably meaning a patch is still
# unapplied -- confirm against quilt's exit codes). Finally point the
# unversioned $(BUILD_DIR_TOOLCHAIN)/$(PKG_NAME) symlink at the versioned
# directory name; -n and -f make ln replace an existing link in place.
define Host/Prepare
	$(call Host/Prepare/Default)
	$(if $(strip $(QUILT)), \
		cd $(HOST_BUILD_DIR); \
		if $(QUILT_CMD) next >/dev/null 2>&1; then \
			$(QUILT_CMD) push -a; \
		fi
	)
	ln -snf $(PKG_NAME)-$(PKG_VERSION) $(BUILD_DIR_TOOLCHAIN)/$(PKG_NAME)
endef
# Configure step.
#  1. Write the merged config produced by GEN_CONFIG to .config.new.
#  2. Rewrite selected symbols in that file with $(SED) (presumably an in-place
#     sed, since no output redirection is used -- confirm in rules.mk):
#     kernel header path, FPU vs. soft float, shadow passwords, locale
#     support, and stack-smashing-protector support.
#     UCLIBC_HAS_SSP becomes y when either CONFIG_PKG_CC_STACKPROTECTOR_REGULAR
#     or CONFIG_PKG_CC_STACKPROTECTOR_STRONG is set, and n otherwise.
#  3. If .config.new differs from .config.last (or .config.last is missing),
#     install it as .config, run "oldconfig", build the "conf" tool, and only
#     then record it as .config.last, so a failed run is retried next time.
#
# NOTE(review): every pattern has the form '^.*SYMBOL.*', which matches any
# line that contains the symbol name: the "# SYMBOL is not set" form, but also
# any longer symbol sharing the prefix (for SSP, e.g. UCLIBC_HAS_SSP_COMPAT if
# the config fragments carry it). Such a line would be replaced by a
# SYMBOL=y/n line -- confirm this is harmless for the fragments in CONFIG_DIR.
# NOTE(review): ',' is the sed delimiter here, so a comma in
# BUILD_DIR_TOOLCHAIN would break the first expression; the commit message
# describes the same problem for the hostapd makefile.
define Host/Configure
	$(GEN_CONFIG) > $(HOST_BUILD_DIR)/.config.new
	$(SED) 's,^KERNEL_HEADERS=.*,KERNEL_HEADERS=\"$(BUILD_DIR_TOOLCHAIN)/linux-dev/include\",g' \
		-e 's,^.*UCLIBC_HAS_FPU.*,UCLIBC_HAS_FPU=$(if $(CONFIG_SOFT_FLOAT),n,y),g' \
		-e 's,^.*UCLIBC_HAS_SOFT_FLOAT.*,UCLIBC_HAS_SOFT_FLOAT=$(if $(CONFIG_SOFT_FLOAT),y,n),g' \
		-e 's,^.*UCLIBC_HAS_SHADOW.*,UCLIBC_HAS_SHADOW=$(if $(CONFIG_SHADOW_PASSWORDS),y,n),g' \
		-e 's,^.*UCLIBC_HAS_LOCALE.*,UCLIBC_HAS_LOCALE=$(if $(CONFIG_BUILD_NLS),y,n),g' \
		-e 's,^.*UCLIBC_BUILD_ALL_LOCALE.*,UCLIBC_BUILD_ALL_LOCALE=$(if $(CONFIG_BUILD_NLS),y,n),g' \
		-e 's,^.*UCLIBC_HAS_SSP.*,UCLIBC_HAS_SSP=$(if $(or $(CONFIG_PKG_CC_STACKPROTECTOR_REGULAR),$(CONFIG_PKG_CC_STACKPROTECTOR_STRONG)),y,n),g' \
		$(HOST_BUILD_DIR)/.config.new
	cmp -s $(HOST_BUILD_DIR)/.config.new $(HOST_BUILD_DIR)/.config.last || { \
		cp $(HOST_BUILD_DIR)/.config.new $(HOST_BUILD_DIR)/.config && \
		$(MAKE) -C $(HOST_BUILD_DIR) oldconfig KBUILD_HAVE_NLS= HOSTCFLAGS="-DKBUILD_NO_NLS" && \
		$(MAKE) -C $(HOST_BUILD_DIR)/extra/config conf KBUILD_HAVE_NLS= HOSTCFLAGS="-DKBUILD_NO_NLS" && \
		cp $(HOST_BUILD_DIR)/.config.new $(HOST_BUILD_DIR)/.config.last; \
	}
endef
# Clean step: remove the versioned build directory, the unversioned
# $(PKG_NAME) entry next to it, and the $(LIBC)-dev directory.
# All three paths hang off BUILD_DIR_TOOLCHAIN (HOST_BUILD_DIR is defined from
# it above), so an empty BUILD_DIR_TOOLCHAIN would make them resolve directly
# under "/".
define Host/Clean
	rm -rf $(HOST_BUILD_DIR) $(BUILD_DIR_TOOLCHAIN)/$(PKG_NAME) $(BUILD_DIR_TOOLCHAIN)/$(LIBC)-dev
endef