diff --git a/Kconfig b/Kconfig index d6eb138db1f..0dc5476a9bf 100644 --- a/Kconfig +++ b/Kconfig @@ -2469,6 +2469,46 @@ config STACK_CANARIES Enabling this option can result in a significant increase in footprint and an associated decrease in performance. +choice STACK_CANARIES_LEVEL + prompt "Stack Canaries Level Configuration" + default STACK_PROTECTOR_ALL + depends on STACK_CANARIES + ---help--- + Based on the configuration options, configure the stack Canaries Level. + +config STACK_PROTECTOR + bool "-fstack-protector" + ---help--- + Enable basic stack protection. + +config STACK_PROTECTOR_STRONG + bool "-fstack-protector-strong" + ---help--- + Using stronger stack protection mechanisms may involve more complex + security checks. + +config STACK_PROTECTOR_ALL + bool "-fstack-protector-all" + ---help--- + Enable stack protection for all functions, including those that are + typically not protected. + +config STACK_PROTECTOR_EXPLICIT + bool "-fstack-protector-explicit" + ---help--- + Enable stack protection only for functions explicitly marked as + requiring stack protection. + +endchoice # Stack Canaries Level Configuration + +config STACK_CANARIES_LEVEL + string + default "-fstack-protector" if STACK_PROTECTOR + default "-fstack-protector-strong" if STACK_PROTECTOR_STRONG + default "-fstack-protector-all" if STACK_PROTECTOR_ALL + default "-fstack-protector-explicit" if STACK_PROTECTOR_EXPLICIT + depends on STACK_CANARIES + config STACK_USAGE bool "Generate stack usage information" ---help--- diff --git a/arch/arm/src/cmake/armclang.cmake b/arch/arm/src/cmake/armclang.cmake index 026d6a82254..26b517c32bf 100644 --- a/arch/arm/src/cmake/armclang.cmake +++ b/arch/arm/src/cmake/armclang.cmake @@ -107,7 +107,7 @@ else() endif() if(CONFIG_STACK_CANARIES) - add_compile_options(-fstack-protector-all) + add_compile_options(${CONFIG_STACK_CANARIES_LEVEL}) endif() if(CONFIG_STACK_USAGE) 
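Review bot: The help texts of the new `choice STACK_CANARIES_LEVEL` in Kconfig do not say how much coverage each level gives up relative to the previously fixed `-fstack-protector-all`, although three of the four options protect fewer functions. For `STACK_PROTECTOR_EXPLICIT` I would add `Only functions carrying the stack_protect attribute get a canary; if nothing is annotated, no function is protected even though STACK_CANARIES is set.`, and for `STACK_PROTECTOR` state that GCC instruments only functions that call alloca or have buffers at or above its size threshold. The `STACK_PROTECTOR_STRONG` text ("may involve more complex security checks") describes cost rather than coverage; it could say that functions with any local array or an address-taken local are also protected. The choice and the string symbol share the name `STACK_CANARIES_LEVEL`, which is easy to misread, so a distinct choice name would help.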
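Review bot: In arch/arm/src/cmake/armclang.cmake the new `add_compile_options(${CONFIG_STACK_CANARIES_LEVEL})` fails open: if the variable is empty or undefined at configure time (for instance a configuration not yet regenerated with the new symbol), the call adds nothing and the build proceeds without canaries while `CONFIG_STACK_CANARIES` is still set. A guard would make that visible, e.g. `if(NOT CONFIG_STACK_CANARIES_LEVEL)` followed by `message(FATAL_ERROR "CONFIG_STACK_CANARIES is set but CONFIG_STACK_CANARIES_LEVEL is empty")`. The same line is added in the clang, gcc and ghs files under arch/arm and in the arm64, risc-v, sim, tricore, x86_64 and xtensa CMake toolchain files. Separately, the Kconfig choice carries no toolchain dependency, so it is worth confirming that armclang and GHS accept each of the four flag spellings, `-fstack-protector-explicit` in particular. The enclosing `if`/`else()` chain starts outside the hunk.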
diff --git a/arch/arm/src/cmake/clang.cmake b/arch/arm/src/cmake/clang.cmake index 55bddb33c75..714f81ddfde 100644 --- a/arch/arm/src/cmake/clang.cmake +++ b/arch/arm/src/cmake/clang.cmake @@ -111,7 +111,7 @@ else() endif() if(CONFIG_STACK_CANARIES) - add_compile_options(-fstack-protector-all) + add_compile_options(${CONFIG_STACK_CANARIES_LEVEL}) endif() if(CONFIG_STACK_USAGE) diff --git a/arch/arm/src/cmake/gcc.cmake b/arch/arm/src/cmake/gcc.cmake index fa253d24008..b11518bab32 100644 --- a/arch/arm/src/cmake/gcc.cmake +++ b/arch/arm/src/cmake/gcc.cmake @@ -126,7 +126,7 @@ else() endif() if(CONFIG_STACK_CANARIES) - add_compile_options(-fstack-protector-all) + add_compile_options(${CONFIG_STACK_CANARIES_LEVEL}) endif() if(CONFIG_STACK_USAGE) diff --git a/arch/arm/src/cmake/ghs.cmake b/arch/arm/src/cmake/ghs.cmake index ce4a907373a..cce0c5aeac5 100644 --- a/arch/arm/src/cmake/ghs.cmake +++ b/arch/arm/src/cmake/ghs.cmake @@ -79,7 +79,7 @@ else() endif() if(CONFIG_STACK_CANARIES) - add_compile_options(-fstack-protector-all) + add_compile_options(${CONFIG_STACK_CANARIES_LEVEL}) endif() if(CONFIG_STACK_USAGE) diff --git a/arch/arm/src/common/Toolchain.defs b/arch/arm/src/common/Toolchain.defs index 346caabe665..e0f0583c1e0 100644 --- a/arch/arm/src/common/Toolchain.defs +++ b/arch/arm/src/common/Toolchain.defs @@ -63,7 +63,7 @@ else endif ifeq ($(CONFIG_STACK_CANARIES),y) - ARCHOPTIMIZATION += -fstack-protector-all + ARCHOPTIMIZATION += $(patsubst "%",%,$(CONFIG_STACK_CANARIES_LEVEL)) endif ifeq ($(CONFIG_STACK_USAGE),y) diff --git a/arch/arm64/src/Toolchain.defs b/arch/arm64/src/Toolchain.defs index 511eef97d16..6d9a6cd0c18 100644 --- a/arch/arm64/src/Toolchain.defs +++ b/arch/arm64/src/Toolchain.defs @@ -81,7 +81,7 @@ else endif ifeq ($(CONFIG_STACK_CANARIES),y) - ARCHOPTIMIZATION += -fstack-protector-all + ARCHOPTIMIZATION += $(patsubst "%",%,$(CONFIG_STACK_CANARIES_LEVEL)) endif ifeq ($(CONFIG_STACK_USAGE),y) 
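Review bot: In arch/arm/src/common/Toolchain.defs, `$(patsubst "%",%,$(CONFIG_STACK_CANARIES_LEVEL))` expands to nothing when the symbol is missing from the configuration, so `ARCHOPTIMIZATION` gets no protector flag and the build silently drops the canaries that `CONFIG_STACK_CANARIES=y` asks for. Falling back to the previous flag keeps the old behaviour in that case: `ARCHOPTIMIZATION += $(or $(patsubst "%",%,$(CONFIG_STACK_CANARIES_LEVEL)),-fstack-protector-all)`. The same line appears in the Toolchain.defs hunks for arm64, risc-v, tricore, x86_64 and xtensa lx6/lx7 and in boards/sim/sim/sim/scripts/Make.defs; in the x86_64 file the empty case also skips the `else` branch, so neither flag is passed and the compiler's default applies. A short comment such as `# Kconfig string values keep their quotes; strip them before use` would explain the patsubst.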
diff --git a/arch/arm64/src/cmake/clang.cmake b/arch/arm64/src/cmake/clang.cmake index 742a2602b90..3df88870882 100644 --- a/arch/arm64/src/cmake/clang.cmake +++ b/arch/arm64/src/cmake/clang.cmake @@ -57,7 +57,7 @@ else() endif() if(CONFIG_STACK_CANARIES) - add_compile_options(-fstack-protector-all) + add_compile_options(${CONFIG_STACK_CANARIES_LEVEL}) endif() if(CONFIG_STACK_USAGE) diff --git a/arch/arm64/src/cmake/gcc.cmake b/arch/arm64/src/cmake/gcc.cmake index 5e95bca2147..c3cb37bebce 100644 --- a/arch/arm64/src/cmake/gcc.cmake +++ b/arch/arm64/src/cmake/gcc.cmake @@ -83,7 +83,7 @@ else() endif() if(CONFIG_STACK_CANARIES) - add_compile_options(-fstack-protector-all) + add_compile_options(${CONFIG_STACK_CANARIES_LEVEL}) endif() if(CONFIG_STACK_USAGE) diff --git a/arch/risc-v/src/cmake/Toolchain.cmake b/arch/risc-v/src/cmake/Toolchain.cmake index bfec4261aab..e749424bd44 100644 --- a/arch/risc-v/src/cmake/Toolchain.cmake +++ b/arch/risc-v/src/cmake/Toolchain.cmake @@ -156,7 +156,7 @@ else() endif() if(CONFIG_STACK_CANARIES) - add_compile_options(-fstack-protector-all) + add_compile_options(${CONFIG_STACK_CANARIES_LEVEL}) endif() if(CONFIG_STACK_USAGE) diff --git a/arch/risc-v/src/common/Toolchain.defs b/arch/risc-v/src/common/Toolchain.defs index 5299bcea611..20cf02043b9 100644 --- a/arch/risc-v/src/common/Toolchain.defs +++ b/arch/risc-v/src/common/Toolchain.defs @@ -72,7 +72,7 @@ else endif ifeq ($(CONFIG_STACK_CANARIES),y) - ARCHOPTIMIZATION += -fstack-protector-all + ARCHOPTIMIZATION += $(patsubst "%",%,$(CONFIG_STACK_CANARIES_LEVEL)) endif ifeq ($(CONFIG_STACK_USAGE),y) diff --git a/arch/sim/src/cmake/Toolchain.cmake b/arch/sim/src/cmake/Toolchain.cmake index 7e295493a0c..fa1be1575b1 100644 --- a/arch/sim/src/cmake/Toolchain.cmake +++ b/arch/sim/src/cmake/Toolchain.cmake @@ -103,7 +103,7 @@ else() endif() if(CONFIG_STACK_CANARIES) - add_compile_options(-fstack-protector-all) + add_compile_options(${CONFIG_STACK_CANARIES_LEVEL}) endif() if(CONFIG_STACK_USAGE) 
diff --git a/arch/tricore/src/cmake/ToolchainGnuc.cmake b/arch/tricore/src/cmake/ToolchainGnuc.cmake index 1469817b367..2a33de28af5 100644 --- a/arch/tricore/src/cmake/ToolchainGnuc.cmake +++ b/arch/tricore/src/cmake/ToolchainGnuc.cmake @@ -83,7 +83,7 @@ else() endif() if(CONFIG_STACK_CANARIES) - add_compile_options(-fstack-protector-all) + add_compile_options(${CONFIG_STACK_CANARIES_LEVEL}) endif() if(CONFIG_COVERAGE_ALL) diff --git a/arch/tricore/src/common/ToolchainGnuc.defs b/arch/tricore/src/common/ToolchainGnuc.defs index 38dccfba57a..ea6c1bf7ff7 100644 --- a/arch/tricore/src/common/ToolchainGnuc.defs +++ b/arch/tricore/src/common/ToolchainGnuc.defs @@ -49,7 +49,7 @@ else endif ifeq ($(CONFIG_STACK_CANARIES),y) - ARCHOPTIMIZATION += -fstack-protector-all + ARCHOPTIMIZATION += $(patsubst "%",%,$(CONFIG_STACK_CANARIES_LEVEL)) endif ifeq ($(CONFIG_STACK_USAGE),y) diff --git a/arch/x86_64/src/cmake/Toolchain.cmake b/arch/x86_64/src/cmake/Toolchain.cmake index 08dae294493..66780c438c7 100644 --- a/arch/x86_64/src/cmake/Toolchain.cmake +++ b/arch/x86_64/src/cmake/Toolchain.cmake @@ -62,7 +62,7 @@ if(CONFIG_FRAME_POINTER) endif() if(CONFIG_STACK_CANARIES) - add_compile_options(-fstack-protector-all) + add_compile_options(${CONFIG_STACK_CANARIES_LEVEL}) else() add_compile_options(-fno-stack-protector) endif() diff --git a/arch/x86_64/src/common/Toolchain.defs b/arch/x86_64/src/common/Toolchain.defs index 2a10aec3f6e..54f83f05363 100644 --- a/arch/x86_64/src/common/Toolchain.defs +++ b/arch/x86_64/src/common/Toolchain.defs @@ -91,7 +91,7 @@ ifneq ($(CONFIG_CXX_STANDARD),) endif ifeq ($(CONFIG_STACK_CANARIES),y) - ARCHOPTIMIZATION += -fstack-protector-all + ARCHOPTIMIZATION += $(patsubst "%",%,$(CONFIG_STACK_CANARIES_LEVEL)) else ARCHOPTIMIZATION += -fno-stack-protector endif diff --git a/arch/xtensa/src/cmake/Toolchain.cmake b/arch/xtensa/src/cmake/Toolchain.cmake index 2df3519e718..79d33924334 100644 --- a/arch/xtensa/src/cmake/Toolchain.cmake 
+++ b/arch/xtensa/src/cmake/Toolchain.cmake @@ -146,7 +146,7 @@ else() endif() if(CONFIG_STACK_CANARIES) - add_compile_options(-fstack-protector-all) + add_compile_options(${CONFIG_STACK_CANARIES_LEVEL}) endif() if(CONFIG_STACK_USAGE) diff --git a/arch/xtensa/src/lx6/Toolchain.defs b/arch/xtensa/src/lx6/Toolchain.defs index f5e638f64af..a5156e2ddea 100644 --- a/arch/xtensa/src/lx6/Toolchain.defs +++ b/arch/xtensa/src/lx6/Toolchain.defs @@ -96,7 +96,7 @@ else endif ifeq ($(CONFIG_STACK_CANARIES),y) - ARCHOPTIMIZATION += -fstack-protector-all + ARCHOPTIMIZATION += $(patsubst "%",%,$(CONFIG_STACK_CANARIES_LEVEL)) endif ifeq ($(CONFIG_STACK_USAGE),y) diff --git a/arch/xtensa/src/lx7/Toolchain.defs b/arch/xtensa/src/lx7/Toolchain.defs index e088e932c0e..3d84a19b1b8 100644 --- a/arch/xtensa/src/lx7/Toolchain.defs +++ b/arch/xtensa/src/lx7/Toolchain.defs @@ -100,7 +100,7 @@ else endif ifeq ($(CONFIG_STACK_CANARIES),y) - ARCHOPTIMIZATION += -fstack-protector-all + ARCHOPTIMIZATION += $(patsubst "%",%,$(CONFIG_STACK_CANARIES_LEVEL)) endif ifeq ($(CONFIG_STACK_USAGE),y) diff --git a/boards/sim/sim/sim/scripts/Make.defs b/boards/sim/sim/sim/scripts/Make.defs index 427d256f2a6..44ee4094b2c 100644 --- a/boards/sim/sim/sim/scripts/Make.defs +++ b/boards/sim/sim/sim/scripts/Make.defs @@ -63,7 +63,7 @@ else endif ifeq ($(CONFIG_STACK_CANARIES),y) - ARCHOPTIMIZATION += -fstack-protector-all + ARCHOPTIMIZATION += $(patsubst "%",%,$(CONFIG_STACK_CANARIES_LEVEL)) endif ifeq ($(CONFIG_STACK_USAGE),y)