• Douglas Raillard's avatar
    Add support for GCC stack protection · 51faada7
    Douglas Raillard authored
    
    
    Introduce new build option ENABLE_STACK_PROTECTOR. It enables
    compilation of all BL images with one of the GCC -fstack-protector-*
    options.
    
    A new platform function plat_get_stack_protector_canary() is introduced.
    It returns a value that is used to initialize the canary for stack
    corruption detection. Returning a random value will prevent an attacker
    from predicting the value and greatly increase the effectiveness of the
    protection.
    
    A message is printed at the ERROR level when a stack corruption is
    detected.
    
    To be effective, the global data must be stored at an address
    lower than the base of the stacks. Failure to do so would allow an
    attacker to overwrite the canary as part of an attack which would void
    the protection.
    
    FVP implementation of plat_get_stack_protector_canary is weak as
    there is no real source of entropy on the FVP. It therefore relies on a
    timer's value, which could be predictable.
    
    Change-Id: Icaaee96392733b721fa7c86a81d03660d3c1bc06
    Signed-off-by: default avatarDouglas Raillard <douglas.raillard@arm.com>
    51faada7
porting-guide.md 99.1 KB