Security hardening
==================

This page contains guidance on what to check for additional security measures,
including build options that can be modified to improve security or catch issues
early in development.

Build options
-------------

Several build options can be used to check for security issues. Refer to the
:ref:`Build Options` for detailed information on these.

- The ``BRANCH_PROTECTION`` build flag can be used to enable Pointer
  Authentication and Branch Target Identification.

- The ``ENABLE_STACK_PROTECTOR`` build flag can be used to identify buffer
  overflows.

- The ``W`` build flag can be used to enable a number of compiler warning
  options to detect potentially incorrect code.

  - W=0 (default value)

    The ``Wunused`` with ``Wno-unused-parameter``, ``Wdisabled-optimization``
    and ``Wvla`` flags are enabled.

    The ``Wunused-but-set-variable``, ``Wmaybe-uninitialized`` and
    ``Wpacked-bitfield-compat`` are GCC specific flags that are also enabled.

  - W=1

    Adds ``Wextra``, ``Wmissing-format-attribute``, ``Wmissing-prototypes``,
    ``Wold-style-definition`` and ``Wunused-const-variable``.

  - W=2

    Adds ``Waggregate-return``, ``Wcast-align``, ``Wnested-externs``,
    ``Wshadow``, ``Wlogical-op``.

  - W=3

    Adds ``Wbad-function-cast``, ``Wcast-qual``, ``Wconversion``, ``Wpacked``,
    ``Wpointer-arith``, ``Wredundant-decls`` and
    ``Wswitch-default``.

  Refer to the GCC or Clang documentation for more information on the individual
  options: https://gcc.gnu.org/onlinedocs/gcc/Warning-Options.html and
  https://clang.llvm.org/docs/DiagnosticsReference.html.

  NB: The ``Werror`` flag is enabled by default in TF-A and can be disabled by
  setting the ``E`` build flag to 0.

--------------

*Copyright (c) 2019, Arm Limited. All rights reserved.*
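The kind of defect ``Wconversion`` (added at W=3 above) reports, shown as an added example that is not TF-A code: an implicit narrowing that lets an oversized length field pass a bounds check, next to the corrected form. The function names, the 256-byte limit and the sample headers are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>

#define PAYLOAD_MAX 256U /* constructed limit for this example */

/* Read a little-endian 32-bit length field from a header. */
static uint32_t read_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/*
 * Before: the 32-bit length is silently truncated to 16 bits, so
 * 0x00010010 becomes 0x0010 and is accepted. -Wconversion reports the
 * assignment; with Werror on, the build stops here.
 */
int len_ok_narrowed(const uint8_t *hdr)
{
    uint16_t len = read_le32(hdr); /* implicit uint32_t -> uint16_t */
    return len <= PAYLOAD_MAX;
}

/* After: the value keeps its full width through the comparison. */
int len_ok_checked(const uint8_t *hdr)
{
    uint32_t len = read_le32(hdr);
    return len <= PAYLOAD_MAX;
}

/* Constructed sample headers: length 0x10 and length 0x00010010. */
const uint8_t hdr_small[4] = { 0x10, 0x00, 0x00, 0x00 };
const uint8_t hdr_huge[4]  = { 0x10, 0x00, 0x01, 0x00 };

int main(void)
{
    printf("narrowed: small=%d huge=%d\n",
           len_ok_narrowed(hdr_small), len_ok_narrowed(hdr_huge));
    printf("checked:  small=%d huge=%d\n",
           len_ok_checked(hdr_small), len_ok_checked(hdr_huge));
    return 0;
}
```

Compiling this file with ``-Wconversion`` flags only the assignment in ``len_ok_narrowed``; the corrected function builds cleanly.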