From a61b27b97f572a83ede765a0e779694865950cf2 Mon Sep 17 00:00:00 2001
From: Michael Brown
Date: Tue, 23 Jun 2020 23:08:49 +0100
Subject: [efi] Enable stack protection where possible

Enable -fstack-protector for EFI builds, where binary size is less critical than for BIOS builds. The stack cookie must be constructed immediately on entry, which prohibits the use of any viable entropy source. Construct a cookie by XORing together various mildly random quantities to produce a value that will at least not be identical on each run. On detecting a stack corruption, attempt to call Exit() with an appropriate error. If that fails, then lock up the machine since there is no other safe action that can be taken. The old conditional check for support of -fno-stack-protector is omitted since this flag dates back to GCC 4.1.

Signed-off-by: Michael Brown
---
 src/Makefile.efi | 8 ++++++++
 1 file changed, 8 insertions(+)
(limited to 'src/Makefile.efi')

diff --git a/src/Makefile.efi b/src/Makefile.efi
index 151b331..10f3fe7 100644
--- a/src/Makefile.efi
+++ b/src/Makefile.efi
@@ -1,5 +1,13 @@
 # -*- makefile -*- : Force emacs to use Makefile mode
+# Enable stack protection if available
+#
+SPG_TEST = $(CC) -fstack-protector-strong -mstack-protector-guard=global \
+ -x c -c /dev/null -o /dev/null >/dev/null 2>&1
+SPG_FLAGS := $(shell $(SPG_TEST) && $(ECHO) '-fstack-protector-strong ' \
+ '-mstack-protector-guard=global')
+CFLAGS += $(SPG_FLAGS)
+
 # The EFI linker script
 #
 LDSCRIPT = scripts/efi.lds
--
cgit v1.1
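Review bot: `CFLAGS += $(SPG_FLAGS)` instruments every EFI object with no visible per-object opt-out, while the guard is a single global (`-mstack-protector-guard=global`) that the description says is written at runtime on entry; any instrumented function still on the stack when `__stack_chk_guard` changes will have stored the old guard in its prologue and compare against the new one in its epilogue, which reads as a corruption. Unless the entry path up to and including the cookie initialiser is built without instrumentation (a per-object `-fno-stack-protector`, or an attribute equivalent on those functions), the very first instrumented call could trip `__stack_chk_fail`; this cannot be confirmed from the Makefile alone. Option order also matters: the last `-f[no-]stack-protector*` on the command line wins, so `$(SPG_FLAGS)` must end up after any `-fno-stack-protector` the shared Makefile may still add, which this hunk does not establish. Finally, `SPG_TEST` probes `$(CC)` without the rest of `$(CFLAGS)`, so for a cross or clang driver whose target is selected elsewhere the probe may accept or reject the `-m` option differently from the real compile; passing the existing target flags into the probe would make it representative.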