Hello all
I am trying to compile using some gcc security CFlags like fstack-protector-strong , -pie flags , added them manually at project.mk.
But getting dangerous relocation: dynamic relocation in read-only section. Can you help me out on how to enable these flags. Can it be enabled ?
CFLAGS += -fstack-protector-strong
CFLAGS += -O2 -D_FORTIFY_SOURCE=2
CFLAGS += -Wformat -Wformat-security
LDFLAGS ?=
-z relro -z now \
-z noexecstack \
-pie
Also would like to know on esp-idf can we have any option to compile bootloader and app + partition separately
thanks
abhiram
Compiler Flags - fstack-protector-strong and pie
Re: Compiler Flags - fstack-protector-strong and pie
Hi Abrahim,
There are a few items here, so I'll address each one individually:
We've only just released a toolchain with support for -fstack-protector-strong in the last few days. We plan to integrate this into ESP-IDF as a configuration feature. It may work as-is now but you also may get some unusual behaviour, please keep us informed.
Passing "-Wformat -Wformat-security " to CFLAGS should work now, but you may get a lot of warnings from IDF's own code.
Passing "-D_FORTIFY_SOURCE" won't make any difference in the IDF codebase (this macro is not used anywhere).
Passing "-O2" should work but we recommend using the supported optimisations in menuconfig under Compiler Configuration (currently Debug=-Og and Release=-Os).
I don't think any of the LDFLAGS "-z norelro -z now -z noexecstack" make sense when linking a static executable for an environment with no ELF loader. These are probably the linker options causing the error you're seeing. Regarding noexecstack, IDF has totally separate memory spaces for data vs instruction memory so in a way this is the same as having NX pages.
Linking "-pie" for a Position Independent Executable also doesn't apply when building static linked executable.
There are a few items here, so I'll address each one individually:
We've only just released a toolchain with support for -fstack-protector-strong in the last few days. We plan to integrate this into ESP-IDF as a configuration feature. It may work as-is now but you also may get some unusual behaviour, please keep us informed.
Passing "-Wformat -Wformat-security " to CFLAGS should work now, but you may get a lot of warnings from IDF's own code.
Passing "-D_FORTIFY_SOURCE" won't make any difference in the IDF codebase (this macro is not used anywhere).
Passing "-O2" should work but we recommend using the supported optimisations in menuconfig under Compiler Configuration (currently Debug=-Og and Release=-Os).
I don't think any of the LDFLAGS "-z norelro -z now -z noexecstack" make sense when linking a static executable for an environment with no ELF loader. These are probably the linker options causing the error you're seeing. Regarding noexecstack, IDF has totally separate memory spaces for data vs instruction memory so in a way this is the same as having NX pages.
Linking "-pie" for a Position Independent Executable also doesn't apply when building static linked executable.
Yes, if you run "make help" then it will give you a summary of make targets including individual targets for each of these.Abhiram wrote: Also would like to know on esp-idf can we have any option to compile bootloader and app + partition separately
Who is online
Users browsing this forum: No registered users and 79 guests