Security hardening
==================

This page contains guidance on what to check for additional security measures,
including build options that can be modified to improve security or catch issues
early in development.

Build options
-------------

Several build options can be used to check for security issues. Refer to the
:ref:`Build Options` for detailed information on these.

- The ``BRANCH_PROTECTION`` build flag can be used to enable Pointer
  Authentication and Branch Target Identification.

- The ``ENABLE_STACK_PROTECTOR`` build flag can be used to identify buffer
  overflows.

- The ``W`` build flag can be used to enable a number of compiler warning
  options to detect potentially incorrect code.

  - W=0 (default value)

    The ``Wunused`` with ``Wno-unused-parameter``, ``Wdisabled-optimization``
    and ``Wvla`` flags are enabled.

    The ``Wunused-but-set-variable``, ``Wmaybe-uninitialized`` and
    ``Wpacked-bitfield-compat`` are GCC specific flags that are also enabled.

  - W=1

    Adds ``Wextra``, ``Wmissing-declarations``, ``Wmissing-format-attribute``,
    ``Wmissing-prototypes``, ``Wold-style-definition`` and
    ``Wunused-const-variable``.

  - W=2

    Adds ``Waggregate-return``, ``Wcast-align``, ``Wnested-externs``,
    ``Wshadow``, ``Wlogical-op``, ``Wmissing-field-initializers`` and
    ``Wsign-compare``.

  - W=3

    Adds ``Wbad-function-cast``, ``Wcast-qual``, ``Wconversion``, ``Wpacked``,
    ``Wpadded``, ``Wpointer-arith``, ``Wredundant-decls`` and
    ``Wswitch-default``.

  Refer to the GCC or Clang documentation for more information on the individual
  options: https://gcc.gnu.org/onlinedocs/gcc/Warning-Options.html and
  https://clang.llvm.org/docs/DiagnosticsReference.html.

  NB: The ``Werror`` flag is enabled by default in TF-A and can be disabled by
  setting the ``E`` build flag to 0.
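
The following is an added example, not part of the TF-A documentation or code
base, of the kind of defect that ``Wsign-compare`` (added at ``W=2`` above)
reports: a length check that mixes signed and unsigned operands. The structure
and function names are hypothetical and the inputs are constructed.

```c
/* Added example: a bounds check that -Wsign-compare flags. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed message header for this example (8 bytes). */
struct msg_hdr {
	uint32_t type;
	uint32_t length;
};

/*
 * Weak form. 'remaining' is a signed int but sizeof yields size_t, so the
 * comparison converts a negative 'remaining' to a huge unsigned value and
 * the "too short" test is skipped. -Wsign-compare warns on the comparison.
 */
int has_header_weak(int total, int consumed)
{
	int remaining = total - consumed;

	if (remaining < sizeof(struct msg_hdr))
		return 0;	/* reject: not enough bytes left */
	return 1;		/* accept */
}

/*
 * Corrected form. Sizes stay unsigned end to end and the subtraction is
 * only performed once it is known not to wrap.
 */
int has_header_fixed(size_t total, size_t consumed)
{
	if (consumed > total)
		return 0;
	return (total - consumed) >= sizeof(struct msg_hdr);
}

int main(void)
{
	/* consumed > total: an inconsistent state that must be rejected */
	printf("weak(4, 8)  = %d\n", has_header_weak(4, 8));
	printf("fixed(4, 8) = %d\n", has_header_fixed(4, 8));
	return 0;
}
```

Because ``Werror`` is on by default, a build at ``W=2`` stops on the comparison
in ``has_header_weak`` instead of shipping it.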

--------------

*Copyright (c) 2019, Arm Limited. All rights reserved.*