security: Add default stack protection level

STACK_CANARIES was enabling canaries in all functions using the compiler
flag -fstack-protector-all. This became confuse with the addition of the
options STRONG and EXPLICIT.

This commit adds the missing option (default level) and disambiguous the
options mapping them close to the compiler flags.

Now we have the following options:

STACK_CANARIES            -> fstack-protector
STACK_CANARIES_STRONG     -> fstack-protector-strong
STACK_CANARIES_ALL        -> fstack-protector-all
STACK_CANARIES_EXPLICIT   -> fstack-protector-explicit

Note that from now on STACK_CANARIES_ALL is the symbol that adds canaries
for all functions.

Signed-off-by: Flavio Ceolin <flavio.ceolin@gmail.com>

Author: ceolin

CMakeLists.txt

@@ -177,6 +177,8 @@ if(CONFIG_STACK_CANARIES)
   zephyr_compile_options($<TARGET_PROPERTY:compiler,security_canaries>)
 elseif(CONFIG_STACK_CANARIES_STRONG)
   zephyr_compile_options($<TARGET_PROPERTY:compiler,security_canaries_strong>)
+elseif(CONFIG_STACK_CANARIES_ALL)
+  zephyr_compile_options($<TARGET_PROPERTY:compiler,security_canaries_all>)
 elseif(CONFIG_STACK_CANARIES_EXPLICIT)
   zephyr_compile_options($<TARGET_PROPERTY:compiler,security_canaries_explicit>)
 endif()

cmake/compiler/arcmwdt/compiler_flags.cmake

@@ -167,8 +167,9 @@ set_compiler_property(PROPERTY imacros -imacros)
 
 # Security canaries.
 #no support of -mstack-protector-guard=global"
-set_compiler_property(PROPERTY security_canaries -fstack-protector-all)
+set_compiler_property(PROPERTY security_canaries -fstack-protector)
 set_compiler_property(PROPERTY security_canaries_strong -fstack-protector-strong)
+set_compiler_property(PROPERTY security_canaries_all -fstack-protector-all)
 
 #no support of _FORTIFY_SOURCE"
 set_compiler_property(PROPERTY security_fortify_compile_time)

cmake/compiler/compiler_flags_template.cmake

@@ -93,6 +93,7 @@ set_compiler_property(PROPERTY coverage)
 # Security canaries flags.
 set_compiler_property(PROPERTY security_canaries)
 set_compiler_property(PROPERTY security_canaries_strong)
+set_compiler_property(PROPERTY security_canaries_all)
 set_compiler_property(PROPERTY security_canaries_explicit)
 
 set_compiler_property(PROPERTY security_fortify_compile_time)

cmake/compiler/gcc/compiler_flags.cmake

@@ -167,18 +167,21 @@ set_property(TARGET compiler-cpp PROPERTY no_rtti "-fno-rtti")
 set_compiler_property(PROPERTY coverage -fprofile-arcs -ftest-coverage -fno-inline)
 
 # Security canaries.
-set_compiler_property(PROPERTY security_canaries -fstack-protector-all)
+set_compiler_property(PROPERTY security_canaries -fstack-protector)
 set_compiler_property(PROPERTY security_canaries_strong -fstack-protector-strong)
+set_compiler_property(PROPERTY security_canaries_all -fstack-protector-all)
 set_compiler_property(PROPERTY security_canaries_explicit -fstack-protector-explicit)
 
 # Only a valid option with GCC 7.x and above, so let's do check and set.
 if(CONFIG_STACK_CANARIES_TLS)
   check_set_compiler_property(APPEND PROPERTY security_canaries -mstack-protector-guard=tls)
   check_set_compiler_property(APPEND PROPERTY security_canaries_strong -mstack-protector-guard=tls)
+  check_set_compiler_property(APPEND PROPERTY security_canaries_all -mstack-protector-guard=tls)
   check_set_compiler_property(APPEND PROPERTY security_canaries_explicit -mstack-protector-guard=tls)
 else()
   check_set_compiler_property(APPEND PROPERTY security_canaries -mstack-protector-guard=global)
   check_set_compiler_property(APPEND PROPERTY security_canaries_global -mstack-protector-guard=global)
+  check_set_compiler_property(APPEND PROPERTY security_canaries_all -mstack-protector-guard=global)
   check_set_compiler_property(APPEND PROPERTY security_canaries_explicit -mstack-protector-guard=global)
 endif()
 

kernel/Kconfig

@@ -890,12 +890,14 @@ choice
 	  will occur at build time.
 
 config STACK_CANARIES
-	bool "Maximum protection available"
+	bool "Default protection"
 	depends on ENTROPY_GENERATOR || TEST_RANDOM_GENERATOR
 	select NEED_LIBC_MEM_PARTITION if !STACK_CANARIES_TLS
 	select REQUIRES_STACK_CANARIES
 	help
-	  This option enables compiler stack canaries for all functions.
+	  This option enables compiler stack canaries in functions that have
+	  vulnerable objects. Generally this means function that call alloca or
+	  have buffers larger than 8 bytes.
 
 config STACK_CANARIES_STRONG
 	bool "Strong protection"
@@ -907,6 +909,14 @@ config STACK_CANARIES_STRONG
 	  functions that have local array definitiion or have references to local
 	  frame addresses.
 
+config STACK_CANARIES_ALL
+	bool "Maximum protection available"
+	depends on ENTROPY_GENERATOR || TEST_RANDOM_GENERATOR
+	select NEED_LIBC_MEM_PARTITION if !STACK_CANARIES_TLS
+	select REQUIRES_STACK_CANARIES
+	help
+	  This option enables compiler stack canaries for all functions.
+
 config STACK_CANARIES_EXPLICIT
 	bool "Explicit protection"
 	depends on ENTROPY_GENERATOR || TEST_RANDOM_GENERATOR

kernel/compiler_stack_protect.c

@@ -11,7 +11,7 @@
  * This module provides functions to support compiler stack protection
  * using canaries.  This feature is enabled with configuration
  * CONFIG_STACK_CANARIES=y or CONFIG_STACK_CANARIES_STRONG=y or
- * CONFIG_STACK_CANARIES_EXPLICIT=y.
+ * CONFIG_STACK_CANARIES_ALL=y or CONFIG_STACK_CANARIES_EXPLICIT=y.
  *
  * When this feature is enabled, the compiler generated code refers to
  * function __stack_chk_fail and global variable __stack_chk_guard.