From 796ac5501610cdbfa45ed0649639f64ae71a12f1 Mon Sep 17 00:00:00 2001 From: Tianhua Sun Date: Tue, 16 Jul 2019 10:32:47 +0800 Subject: [PATCH] hv: fix symbols not stripped from release binaries In release environment, binary files must be stripped in order to remove debugging code sections and symbol information that aid attackers in the process of disassembly and reverse engineering. Use '-s' linking option to remove symbol table and relocation information from release binaries. Tracked-On: #3427 Signed-off-by: Tianhua Sun Reviewed-by: Yonghua Huang --- devicemodel/Makefile | 3 +++ hypervisor/Makefile | 5 +++++ tools/acrn-manager/Makefile | 2 ++ 3 files changed, 10 insertions(+) diff --git a/devicemodel/Makefile b/devicemodel/Makefile index 0c0ae4f3e..9486f46ae 100644 --- a/devicemodel/Makefile +++ b/devicemodel/Makefile @@ -51,8 +51,11 @@ endif ifeq ($(RELEASE),0) CFLAGS += -DDM_DEBUG +else +LDFLAGS += -s endif + LDFLAGS += -Wl,-z,noexecstack LDFLAGS += -Wl,-z,relro,-z,now LDFLAGS += -pie diff --git a/hypervisor/Makefile b/hypervisor/Makefile index 0e5d63169..b3b6240fd 100644 --- a/hypervisor/Makefile +++ b/hypervisor/Makefile @@ -19,6 +19,7 @@ HV_OBJDIR ?= $(CURDIR)/build HV_MODDIR ?= $(HV_OBJDIR)/modules HV_FILE := acrn SUB_MAKEFILES := $(wildcard */Makefile) +RELEASE ?= 0 LIB_MOD = $(HV_MODDIR)/lib_mod.a BOOT_MOD = $(HV_MODDIR)/boot_mod.a @@ -108,6 +109,10 @@ else LDFLAGS += -static endif +ifeq ($(RELEASE),y) +LDFLAGS += -s +endif + ARCH_CFLAGS += -gdwarf-2 ARCH_ASFLAGS += -gdwarf-2 -DASSEMBLER=1 ARCH_ARFLAGS += diff --git a/tools/acrn-manager/Makefile b/tools/acrn-manager/Makefile index 1eb15203e..acf7e0cfc 100644 --- a/tools/acrn-manager/Makefile +++ b/tools/acrn-manager/Makefile @@ -49,6 +49,8 @@ endif ifeq ($(RELEASE),0) MANAGER_CFLAGS += -g -DMNGR_DEBUG +else +MANAGER_LDFLAGS += -s endif MANAGER_LDFLAGS := -Wl,-z,noexecstack