From 749556ef12e029e311c4c433a94f9418c8b24e09 Mon Sep 17 00:00:00 2001
From: Tianhua Sun
Date: Tue, 16 Jul 2019 10:32:47 +0800
Subject: [PATCH] hv: fix symbols not stripped from release binaries

In release environment, binary files must be stripped in order to remove debugging code sections and symbol information that aid attackers in the process of disassembly and reverse engineering. Use '-s' linking option to remove symbol table and relocation information from release binaries.

Tracked-On: #3427
Signed-off-by: Tianhua Sun
Reviewed-by: Yonghua Huang
---
 devicemodel/Makefile | 3 +++
 hypervisor/Makefile | 5 +++++
 tools/acrn-manager/Makefile | 2 ++
 3 files changed, 10 insertions(+)

diff --git a/devicemodel/Makefile b/devicemodel/Makefile
index 9a95d44ac..f0db551de 100644
--- a/devicemodel/Makefile
+++ b/devicemodel/Makefile
@@ -51,8 +51,11 @@ endif
 
 ifeq ($(RELEASE),0)
 CFLAGS += -DDM_DEBUG
+else
+LDFLAGS += -s
 endif
 
+
 LDFLAGS += -Wl,-z,noexecstack
 LDFLAGS += -Wl,-z,relro,-z,now
 LDFLAGS += -pie
diff --git a/hypervisor/Makefile b/hypervisor/Makefile
index 7d603991d..eed1f5904 100644
--- a/hypervisor/Makefile
+++ b/hypervisor/Makefile
@@ -18,6 +18,7 @@ BASEDIR := $(shell pwd)
 HV_OBJDIR ?= $(CURDIR)/build
 HV_FILE := acrn
 SUB_MAKEFILES := $(wildcard */Makefile)
+RELEASE ?= 0
 
 LIB_DEBUG = $(HV_OBJDIR)/debug/libdebug.a
 LIB_RELEASE = $(HV_OBJDIR)/release/librelease.a
@@ -95,6 +96,10 @@ else
 LDFLAGS += -static
 endif
 
+ifeq ($(RELEASE),y)
+LDFLAGS += -s
+endif
+
 ARCH_CFLAGS += -gdwarf-2
 ARCH_ASFLAGS += -gdwarf-2 -DASSEMBLER=1
 ARCH_ARFLAGS +=
diff --git a/tools/acrn-manager/Makefile b/tools/acrn-manager/Makefile
index fca8288d4..02337e9c3 100644
--- a/tools/acrn-manager/Makefile
+++ b/tools/acrn-manager/Makefile
@@ -41,6 +41,8 @@ endif
 
 ifeq ($(RELEASE),0)
 MANAGER_CFLAGS += -g -DMNGR_DEBUG
+else
+MANAGER_LDFLAGS += -s
 endif
 
 MANAGER_LDFLAGS := -Wl,-z,noexecstack
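Review bot: In devicemodel/Makefile the new `else` branch strips at link time, so a release build leaves no unstripped artifact against which a crash dump from the field could be symbolized. If post-mortem analysis of release builds matters, link unstripped and derive the shipped binary in a separate step, archiving the output of `objcopy --only-keep-debug` with the release before running `strip`. The branch also treats every value other than the literal `0` as a release build, which deserves a comment above it such as `# any RELEASE value other than 0 is a release build: strip symbols`.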
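Review bot: In hypervisor/Makefile the default added by the first hunk is `RELEASE ?= 0`, but the strip condition added by the second hunk (`@@ -95,6 +96,10 @@`) tests `ifeq ($(RELEASE),y)`, so the two hunks disagree on the value domain of the same variable. devicemodel/Makefile and tools/acrn-manager/Makefile in this patch treat any value other than `0` as release; a build invoked with `RELEASE=1` would take the release branch in those two files but, unless RELEASE is normalised to `y` somewhere outside the visible hunks, leave the hypervisor binary unstripped with no diagnostic. Accepting both spellings with `ifneq ($(filter y 1,$(RELEASE)),)` and documenting the accepted values next to the `RELEASE ?= 0` default would close that gap.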
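Review bot: The `-s` added in tools/acrn-manager/Makefile is discarded before it is used: the context line right after the conditional, `MANAGER_LDFLAGS := -Wl,-z,noexecstack`, is a simple assignment that overwrites whatever `MANAGER_LDFLAGS += -s` appended two lines earlier, so release builds of the tool would still be linked with their symbol table. Move the strip flag below the last assignment to the variable, for example a separate `ifneq ($(RELEASE),0)` / `MANAGER_LDFLAGS += -s` / `endif` placed after the `:=` line. The remaining MANAGER_LDFLAGS lines lie outside the hunk, so it is worth checking that none of them uses `:=` again.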