• Home
  • Line#
  • Scopes#
  • Navigate#
  • Raw
  • Download
1Security hardening
2==================
3
4This page contains guidance on what to check for additional security measures,
5including build options that can be modified to improve security or catch issues
6early in development.
7
8Build options
9-------------
10
11Several build options can be used to check for security issues. Refer to the
12:ref:`Build Options` for detailed information on these.
13
14- The ``BRANCH_PROTECTION`` build flag can be used to enable Pointer
15  Authentication and Branch Target Identification.
16
17- The ``ENABLE_STACK_PROTECTOR`` build flag can be used to identify buffer
18  overflows.
19
20- The ``W`` build flag can be used to enable a number of compiler warning
21  options to detect potentially incorrect code.
22
23  - W=0 (default value)
24
25    The ``Wunused`` with ``Wno-unused-parameter``, ``Wdisabled-optimization``
26    and ``Wvla`` flags are enabled.
27
28    The ``Wunused-but-set-variable``, ``Wmaybe-uninitialized`` and
29    ``Wpacked-bitfield-compat`` are GCC specific flags that are also enabled.
30
31  - W=1
32
33    Adds ``Wextra``, ``Wmissing-format-attribute``, ``Wmissing-prototypes``,
34    ``Wold-style-definition`` and ``Wunused-const-variable``.
35
36  - W=2
37
38    Adds ``Waggregate-return``, ``Wcast-align``, ``Wnested-externs``,
39    ``Wshadow``, ``Wlogical-op``.
40
41  - W=3
42
43    Adds ``Wbad-function-cast``, ``Wcast-qual``, ``Wconversion``, ``Wpacked``,
44    ``Wpointer-arith``, ``Wredundant-decls`` and
45    ``Wswitch-default``.
46
47  Refer to the GCC or Clang documentation for more information on the individual
48  options: https://gcc.gnu.org/onlinedocs/gcc/Warning-Options.html and
49  https://clang.llvm.org/docs/DiagnosticsReference.html.
50
51  NB: The ``Werror`` flag is enabled by default in TF-A and can be disabled by
52  setting the ``E`` build flag to 0.
53
54--------------
55
56*Copyright (c) 2019, Arm Limited. All rights reserved.*
57