[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[PATCH v2] warn if stack-protector not allowed

From: Nicholas Vinson
Subject: [PATCH v2] warn if stack-protector not allowed
Date: Wed, 6 Jul 2022 03:25:58 -0400

Introduce ERROR_PLATFORM_NOT_SUPPORT_SSP environment variable to treat
the '--enable-stack-protector is only supported on EFI platforms'
message as a warning instead of an error. If
ERROR_PLATFORM_NOT_SUPPORT_SSP is set to 'no' (case-insensitive), then
the message will be printed as a warning.  Otherwise, it prints as an
error. The default behavior is to print the message as an error.

For any wrapper build script that has some variation of:

    for p in SELECTED_GRUB_PLATFORMS; do    \
        configure --enable-stack-protector  \
            --with-platform${P} ... || die; \

GRUB will fail to build if SELECTED_GRUB_PLATFORMS contains a platform
that does not support SSP.

Such wrapper scripts need to work-around this issue by modifying the
above for-loop, so it conditionally passes '--enable-stack-protector' to
configure for the proper GRUB platform(s).

However, if the above example is modified to have to conditionally pass
in --enable-stack-protector, its behavior is effectively the same as the
proposed change. Additionally, The list of SSP supported platforms is
now in 2 places. One in the configure script and one in the build
wrapper script. If the second list is not properly maintained it could
mistakenly disable SSP for a platform that later gained support for it.

Signed-off-by: Nicholas Vinson <>
--- | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)

diff --git a/ b/
index 57fb70945..a08f3285e 100644
--- a/
+++ b/
@@ -36,6 +36,10 @@ dnl description of the relationships between them.
+  [n | no | nO | N | No | NO], [ERROR_PLATFORM_NOT_SUPPORT_SSP=no],
 # We don't want -g -O2 by default in CFLAGS
 : ${CFLAGS=""}
@@ -1342,6 +1346,7 @@ AC_ARG_ENABLE([stack-protector],
                             [enable the stack protector]),
 if test "x$enable_stack_protector" = xno; then
   if test "x$ssp_possible" = xyes; then
     # Need that, because some distributions ship compilers that include
@@ -1349,7 +1354,12 @@ if test "x$enable_stack_protector" = xno; then
     TARGET_CFLAGS="$TARGET_CFLAGS -fno-stack-protector"
 elif test "x$platform" != xefi; then
-  AC_MSG_ERROR([--enable-stack-protector is only supported on EFI platforms])
+  if test "$ERROR_PLATFORM_NOT_SUPPORT_SSP" = "yes"; then
+    AC_MSG_ERROR([--enable-stack-protector is only supported on EFI platforms])
+  else
+    AC_MSG_WARN([--enable-stack-protector is only supported on EFI platforms])
+  fi
+  enable_stack_protector=no
 elif test "x$ssp_global_possible" != xyes; then
   AC_MSG_ERROR([--enable-stack-protector is not supported (compiler doesn't 
support -mstack-protector-guard=global)])

reply via email to

[Prev in Thread] Current Thread [Next in Thread]