authorMichael Brown <mcb30@ipxe.org>2020-06-23 23:08:49 +0100
committerMichael Brown <mcb30@ipxe.org>2020-06-24 16:23:21 +0100
commita61b27b97f572a83ede765a0e779694865950cf2 (patch)
tree01be6a68c487542581fb9cb1b1f95902fd9ad657 /src/Makefile.housekeeping
parent8830f2f3514751e702199600fa6d0c42522a709a (diff)
[efi] Enable stack protection where possible
Enable -fstack-protector for EFI builds, where binary size is less critical than for BIOS builds. The stack cookie must be constructed immediately on entry, which prohibits the use of any viable entropy source. Construct a cookie by XORing together various mildly random quantities to produce a value that will at least not be identical on each run. On detecting a stack corruption, attempt to call Exit() with an appropriate error. If that fails, then lock up the machine since there is no other safe action that can be taken. The old conditional check for support of -fno-stack-protector is omitted since this flag dates back to GCC 4.1. Signed-off-by: Michael Brown <mcb30@ipxe.org>
Diffstat (limited to 'src/Makefile.housekeeping')
-rw-r--r--src/Makefile.housekeeping18
1 files changed, 7 insertions, 11 deletions
diff --git a/src/Makefile.housekeeping b/src/Makefile.housekeeping
index 1dd147949..66d6dd449 100644
--- a/src/Makefile.housekeeping
+++ b/src/Makefile.housekeeping
@@ -146,17 +146,6 @@ define NEWLINE
endef
-# Some widespread patched versions of gcc include -fstack-protector by
-# default, even when -ffreestanding is specified. We therefore need
-# to disable -fstack-protector if the compiler supports it.
-#
-ifeq ($(CCTYPE),gcc)
-SP_TEST = $(CC) -fno-stack-protector -x c -c /dev/null \
- -o /dev/null >/dev/null 2>&1
-SP_FLAGS := $(shell $(SP_TEST) && $(ECHO) '-fno-stack-protector')
-WORKAROUND_CFLAGS += $(SP_FLAGS)
-endif
-
# gcc 4.4 generates .eh_frame sections by default, which distort the
# output of "size". Inhibit this.
#
@@ -415,6 +404,13 @@ ifdef BIN
incdirs :
@$(ECHO) $(INCDIRS)
+# Inhibit -fstack-protector (which is implicitly enabled in some
+# patched gcc versions) unless explicitly mentioned in CFLAGS.
+#
+ifeq ($(findstring -fstack-protector,$(CFLAGS)),)
+CFLAGS += -fno-stack-protector
+endif
+
# Common flags
#
CFLAGS += $(foreach INC,$(INCDIRS),-I$(INC))
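Review bot: The `ifeq ($(findstring -fstack-protector,$(CFLAGS)),)` test is evaluated once, at parse time, so it only sees `-fstack-protector` if it is already in CFLAGS at this point in the file. A request made anywhere else (a later append, a target-specific variable, or a separate flags variable) is not seen, and whether the protector ends up enabled then depends on the final order of flags on the compiler command line, with no diagnostic either way. I would state that requirement in the comment, e.g. `# NOTE: checked at parse time; -fstack-protector must already be in CFLAGS here.` The substring match also accepts `-fstack-protector-strong` and `-fstack-protector-all` and does not match `-fno-stack-protector`, which looks intended but is worth saying in the comment. The enclosing `ifdef BIN` block starts and ends outside this hunk, so whether the EFI flags are set before this point cannot be confirmed from here.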