CHROMIUM: security: use -fstack-protector-strong
author Kees Cook <keescook@chromium.org>
Fri, 19 Apr 2013 21:56:31 +0000 (14:56 -0700)
committer ChromeBot <chrome-bot@google.com>
Wed, 15 May 2013 23:16:25 +0000 (16:16 -0700)
Build the kernel with -fstack-protector-strong to gain the additional
checks without the performance hit of -fstack-protector-all. This grows
the uncompressed kernel image by less than 0.16% on x86:

-rwxr-xr-x 1 keescook portage 118219343 Apr 17 12:26 /build/link/var/cache/portage/sys-kernel/chromeos-kernel/vmlinux
-rwxr-xr-x 1 keescook portage 118407919 Apr 19 15:00 /build/link/var/cache/portage/sys-kernel/chromeos-kernel/vmlinux

ARM's compressed boot code now triggers stack protection, so a static
guard was added. Since it is only doing decompression and it's been
validated by the firmware, the exposure here is very small. Once it
switches to the full kernel, random stack protection is back to normal.

BUG=chromium:233757
TEST=link and daisy build & boot

Change-Id: I512fb6444463e12a8e04428b6203a00b460a79ae
Signed-off-by: Kees Cook <keescook@chromium.org>
Reviewed-on: https://gerrit.chromium.org/gerrit/48703
Reviewed-by: Will Drewry <wad@chromium.org>

No differences found