git: 7a489e95c51f - main - Mk/Features: Add features for fortify, zeroregs and stack autoinit.

From: Alexander Leidinger <netchild_at_FreeBSD.org>
Date: Sat, 24 May 2025 18:21:30 UTC
The branch main has been updated by netchild:

URL: https://cgit.FreeBSD.org/ports/commit/?id=7a489e95c51f47f5e25a5613e375ec000618e52a

commit 7a489e95c51f47f5e25a5613e375ec000618e52a
Author:     Alexander Leidinger <netchild@FreeBSD.org>
AuthorDate: 2025-05-24 18:17:24 +0000
Commit:     Alexander Leidinger <netchild@FreeBSD.org>
CommitDate: 2025-05-24 18:21:13 +0000

    Mk/Features: Add features for fortify, zeroregs and stack autoinit.
    
    Those 3 features for ports go along with the corresponding features from
    the basesystem (some only available in -current).
    
    The options you can put into make.conf for the ports collections are:
    
    WITH_FORTIFY=yes
        This enables mitigations of common memory safety issues, such as buffer
        overflows, by adding checks to functions like memcpy, strcpy, sprintf,
        and others when the compiler can determine the size of the destination
        buffer at compile time.
    
    WITH_STACK_AUTOINIT=yes
        This enables a compiler specific option to automatically initialize
        local (automatic) variables to prevent the use of uninitialized memory.
    
    WITH_ZEROREGS=yes
        Zero call-used registers at function return to increase program
        security by either mitigating Return-Oriented Programming (ROP)
        attacks or preventing information leakage through registers.
        This depends upon support from the compiler for a given architecture.
        This is disabled for python ports, currently there are issues.
    
    Approved by:    portmgr (mat)
    PR:             284270
---
 Mk/Features/fortify.mk        | 18 ++++++++++++++++++
 Mk/Features/stack_autoinit.mk | 23 +++++++++++++++++++++++
 Mk/Features/zeroregs.mk       | 28 ++++++++++++++++++++++++++++
 Mk/Uses/python.mk             |  2 ++
 Mk/bsd.port.mk                |  3 ++-
 5 files changed, 73 insertions(+), 1 deletion(-)

diff --git a/Mk/Features/fortify.mk b/Mk/Features/fortify.mk
new file mode 100644
index 000000000000..2e43ca98242f
--- /dev/null
+++ b/Mk/Features/fortify.mk
@@ -0,0 +1,18 @@
+# This enables mitigations of common memory safety issues, such as buffer
+# overflows, by adding checks to functions like memcpy, strcpy, sprintf,
+# and others when the compiler can determine the size of the destination
+# buffer at compile time.
+#
+# Depends opon the FORTIFY_SOURCE implementation in the basesystem.
+
+.if !defined(_FORTIFY_MK_INCLUDED)
+_FORTIFY_MK_INCLUDED=	yes
+FORTIFY_Include_MAINTAINER=	netchild@FreeBSD.org
+
+.  if !defined(FORTIFY_UNSAFE)
+FORTIFY_SOURCE?=2
+FORTIFY_CFLAGS?=	-D_FORTIFY_SOURCE=${FORTIFY_SOURCE}
+CFLAGS+=	${FORTIFY_CFLAGS}
+CXXFLAGS+=	${FORTIFY_CFLAGS}
+.  endif
+.endif
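Review bot: The header comment documents none of the knobs this file reads (`FORTIFY_UNSAFE`, `FORTIFY_SOURCE`, `FORTIFY_CFLAGS`), whereas stack_autoinit.mk and zeroregs.mk each carry a "Variables that can be used:" list. I would add the same list here, for example `# FORTIFY_SOURCE	Fortify level passed as -D_FORTIFY_SOURCE (default: 2)` and `# FORTIFY_UNSAFE	Define in a port to opt out of this feature`. Without that, a port that silently drops the hardening via `FORTIFY_UNSAFE` is hard to find in an audit. The comment line "Depends opon" should read "Depends upon".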
diff --git a/Mk/Features/stack_autoinit.mk b/Mk/Features/stack_autoinit.mk
new file mode 100644
index 000000000000..4d79416dbcce
--- /dev/null
+++ b/Mk/Features/stack_autoinit.mk
@@ -0,0 +1,23 @@
+# The STACK_AUTOINIT feature mimics the corresponding FreeBSD basesystem feature.
+#
+# This enables a compiler specific option to automatically initialize
+# local (automatic) variables to prevent the use of uninitialized memory.
+#
+# Variables that can be used:
+#
+# WITH_STACK_AUTOINIT		Enable for all ports.
+# WITH_STACK_AUTOINIT_PORTS	Enable for specified category/port-name
+# STACK_AUTOINIT_TYPE		Valid options: zero (default), pattern, unitialized
+#
+
+.if !defined(_STACK_AUTOINIT_MK_INCLUDED)
+_STACK_AUTOINIT_MK_INCLUDED=		yes
+STACK_AUTOINIT_Include_MAINTAINER=	netchild@FreeBSD.org
+
+STACK_AUTOINIT_TYPE?=	zero
+
+.  if !defined(STATIC_AUTOINIT_UNSAFE)
+CFLAGS+=	-ftrivial-auto-var-init=${STACK_AUTOINIT_TYPE}
+CXXFLAGS+=	-ftrivial-auto-var-init=${STACK_AUTOINIT_TYPE}
+.  endif
+.endif
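Review bot: The opt-out guard tests `STATIC_AUTOINIT_UNSAFE`, which does not match the `STACK_AUTOINIT_` prefix used everywhere else in this file, so a port that sets `STACK_AUTOINIT_UNSAFE` would still get the flag. This looks like a typo and should read `.  if !defined(STACK_AUTOINIT_UNSAFE)`. The header comment also lists `unitialized` as a valid `STACK_AUTOINIT_TYPE`, but the value is passed verbatim to `-ftrivial-auto-var-init=`, where the option is spelled `uninitialized`, so the documented spelling would be rejected by the compiler. The `_UNSAFE` knob is also missing from the variable list in the header.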
diff --git a/Mk/Features/zeroregs.mk b/Mk/Features/zeroregs.mk
new file mode 100644
index 000000000000..2e21b16c5c66
--- /dev/null
+++ b/Mk/Features/zeroregs.mk
@@ -0,0 +1,28 @@
+# Zero call-used registers at function return to increase program
+# security by either mitigating Return-Oriented Programming (ROP)
+# attacks or preventing information leakage through registers.
+# This depends upon support from the compiler for a given architecture.
+#
+# Variables that can be used:
+#
+# WITH_ZEROREGS		Enable for all ports.
+# WITH_ZEROREGS_PORTS	Enable for specified category/port-name
+# ZEROREGS_TYPE		See
+# 			https://gcc.gnu.org/onlinedocs/gcc/Common-Function-Attributes.html#index-zero_005fcall_005fused_005fregs-function-attribute
+# 			for options
+#                       Default: used
+#
+
+.if !defined(_ZEROREGS_MK_INCLUDED)
+_ZEROREGS_MK_INCLUDED=		yes
+ZEROREGS_Include_MAINTAINER=	netchild@FreeBSD.org
+
+ZEROREGS_TYPE?=	used
+
+#.  if !defined(ZEROREGS_UNSAFE) && !empty(${ARCH:Mriscv*}) && \
+#	!empty(${ARCH:Mpower*}) && !empty(${ARCH:Marmv7*})
+CFLAGS+=	-fzero-call-used-regs=${ZEROREGS_TYPE}
+CXXFLAGS+=	-fzero-call-used-regs=${ZEROREGS_TYPE}
+#.  endif
+.endif
+
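Review bot: Both `.if`/`.endif` lines around the CFLAGS/CXXFLAGS additions are commented out, so `-fzero-call-used-regs=${ZEROREGS_TYPE}` is appended unconditionally and `ZEROREGS_UNSAFE` is never consulted. The `ZEROREGS_UNSAFE= yes` added in the Mk/Uses/python.mk hunk therefore has no visible effect here, which contradicts the commit message's "disabled for python ports". The disabled condition could not simply be uncommented either: `!empty(${ARCH:Mriscv*})` expands the variable inside `empty()`, and requiring all three architecture matches to be non-empty at once can never hold for a single `ARCH`. If the intent is to skip the listed architectures (inferred), `.  if !defined(ZEROREGS_UNSAFE) && empty(ARCH:Mriscv*) && empty(ARCH:Mpower*) && empty(ARCH:Marmv7*)` with the matching `.  endif` would express it.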
diff --git a/Mk/Uses/python.mk b/Mk/Uses/python.mk
index a26f984e3c11..aba9c48df38c 100644
--- a/Mk/Uses/python.mk
+++ b/Mk/Uses/python.mk
@@ -319,6 +319,8 @@
 .if !defined(_INCLUDE_USES_PYTHON_MK)
 _INCLUDE_USES_PYTHON_MK=	yes
 
+ZEROREGS_UNSAFE=	yes
+
 # What Python version and what Python interpreters are currently supported?
 # When adding a version, please keep the comment in
 # Mk/bsd.default-versions.mk in sync.
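Review bot: The new `ZEROREGS_UNSAFE= yes` has no comment, and it sits directly inside the include guard, so it applies to every port that pulls in this file rather than to a known-broken subset. A comment such as `# zeroregs currently causes issues with python ports; opt out until resolved` would record why the hardening is dropped and make the opt-out easy to find and revert. Whether the assignment is seen before Mk/Features/zeroregs.mk is evaluated depends on include order in bsd.port.mk, which this hunk does not show. The guarded block continues past the end of the hunk.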
diff --git a/Mk/bsd.port.mk b/Mk/bsd.port.mk
index 4596b773b6d3..1df8af1fd63b 100644
--- a/Mk/bsd.port.mk
+++ b/Mk/bsd.port.mk
@@ -1000,7 +1000,8 @@ LC_ALL=		C
 # These need to be absolute since we don't know how deep in the ports
 # tree we are and thus can't go relative.  They can, of course, be overridden
 # by individual Makefiles or local system make configuration.
-_LIST_OF_WITH_FEATURES=	bind_now debug debuginfo lto pie relro sanitize ssp testing
+_LIST_OF_WITH_FEATURES=	bind_now debug debuginfo fortify lto pie relro \
+			sanitize ssp stack_autoinit testing zeroregs
 _DEFAULT_WITH_FEATURES=	ssp
 PORTSDIR?=		/usr/ports
 LOCALBASE?=		/usr/local