From: Luca Boccassi Date: Mon, 2 Oct 2023 16:44:50 +0000 (+0100) Subject: doc: add compiler hardening details to UEFI SECURITY.md X-Git-Tag: v255-rc1~357 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=1f75b649e7816518995d8afdbc5e5e0c83628b5e;p=thirdparty%2Fsystemd.git doc: add compiler hardening details to UEFI SECURITY.md --- diff --git a/src/boot/efi/SECURITY.md b/src/boot/efi/SECURITY.md index aa2b714624a..b5bec77dbb0 100644 --- a/src/boot/efi/SECURITY.md +++ b/src/boot/efi/SECURITY.md @@ -82,6 +82,21 @@ and manual confirmation will be asked before proceeding. When running as a virtu enrollment is fully automated, without user interaction, unless disabled via a configuration file in the ESP. The configuration file can also be used to disable enrollment completely. +## Compiler Hardening +The PE binaries are built with `-fstack-protector-strong`, and the stack canary is seeded with random data if +the UEFI RNG protocol is available. + +The binaries also are linked with `-z relro` and ship with native PE relocations, with the conversion from +ELF performed at build time, instead of containing ELF dynamic relocations, so the image loaded by +firmware/Shim requires fewer writable pages. + +The binaries are linked by default with full LTO support, so no code will be shipped unless it's reachable. + +Finally, the binaries ship with the `NX_COMPAT` bit set. + +The CI infrastructure also employs fuzz testing on various components, including string functions and the +BCD parser. + ## SBAT `systemd-boot` and `systemd-stub` are built with an `SBAT` section by default. There are build options to allow customizations of the metadata included in the section, that can be used by downstream distributors.
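Review bot: the `-z relro` sentence in the Compiler Hardening hunk should say what that flag actually buys here, because RELRO is a protection applied by an ELF dynamic loader to the `GNU_RELRO` segment, while firmware/Shim loads a PE image carrying native PE relocations and never sees or enforces that segment; if the intended point is that performing the ELF-to-PE conversion at build time removes the need for runtime self-relocation of ELF dynamic relocations, state that directly and either drop or qualify "requires fewer writable pages". Two smaller gaps in the same hunk: the stack-protector paragraph says the canary is seeded from the UEFI RNG protocol "if available" but not what seed is used when the protocol is absent, and the `NX_COMPAT` sentence should note that the bit only declares the image safe for non-executable data pages, with enforcement left to the firmware. Nits: "The binaries also are linked" reads better as "The binaries are also linked", and "Finally, the binaries ship with the `NX_COMPAT` bit set" is not the final paragraph, since the fuzz-testing paragraph follows it.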