Security hardening
==================

This page contains guidance on what to check for additional security measures,
including build options that can be modified to improve security or catch issues
early in development.

Build options
-------------

Several build options can be used to check for security issues. Refer to the
:ref:`Build Options` for detailed information on these.

- The ``BRANCH_PROTECTION`` build flag can be used to enable Pointer
  Authentication and Branch Target Identification.

- The ``ENABLE_STACK_PROTECTOR`` build flag can be used to identify buffer
  overflows.

- The ``W`` build flag can be used to enable a number of compiler warning
  options to detect potentially incorrect code.

  - W=0 (default value)

    The ``Wunused`` with ``Wno-unused-parameter``, ``Wdisabled-optimization``
    and ``Wvla`` flags are enabled.

    The ``Wunused-but-set-variable``, ``Wmaybe-uninitialized`` and
    ``Wpacked-bitfield-compat`` are GCC specific flags that are also enabled.

  - W=1

    Adds ``Wextra``, ``Wmissing-declarations``, ``Wmissing-format-attribute``,
    ``Wmissing-prototypes``, ``Wold-style-definition`` and
    ``Wunused-const-variable``.

  - W=2

    Adds ``Waggregate-return``, ``Wcast-align``, ``Wnested-externs``,
    ``Wshadow``, ``Wlogical-op``.

  - W=3

    Adds ``Wbad-function-cast``, ``Wcast-qual``, ``Wconversion``, ``Wpacked``,
    ``Wpadded``, ``Wpointer-arith``, ``Wredundant-decls`` and
    ``Wswitch-default``.

  Refer to the GCC or Clang documentation for more information on the individual
  options: https://gcc.gnu.org/onlinedocs/gcc/Warning-Options.html and
  https://clang.llvm.org/docs/DiagnosticsReference.html.

  NB: The ``Werror`` flag is enabled by default in TF-A and can be disabled by
  setting the ``E`` build flag to 0.

--------------

*Copyright (c) 2019, Arm Limited. All rights reserved.*
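The following is an added example, not code from TF-A, showing two defects that the ``W=0`` flag set listed under "Build options" does not report but that ``Wshadow`` (added at ``W=2``) and ``Wconversion`` (added at ``W=3``) do, each next to its corrected form. All function names and the buffer size are hypothetical.

```c
/* Added example, not TF-A code. All names here are hypothetical. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define BUF_SIZE ((size_t)64)

/* Silent at W=0. W=3 (-Wconversion) flags the size_t -> uint8_t narrowing. */
int accepts_narrowing(size_t requested)
{
	uint8_t len = requested;	/* 272 wraps to 16 */

	return (size_t)len <= BUF_SIZE;	/* check runs on the wrapped value */
}

/* Corrected: compare at full width, no implicit narrowing. */
int accepts_fixed(size_t requested)
{
	return requested <= BUF_SIZE;
}

/* Silent at W=0. W=2 (-Wshadow) flags the inner 'ret'. */
int validate_shadowed(size_t hdr_len)
{
	int ret = 0;

	if (hdr_len < 4U) {
		int ret = -1;	/* shadows the outer 'ret'; the error is lost */
		(void)ret;
	}
	return ret;		/* always 0 */
}

/* Corrected: a single result, no inner declaration. */
int validate_fixed(size_t hdr_len)
{
	return (hdr_len < 4U) ? -1 : 0;
}

int main(void)
{
	printf("length 272 accepted: narrowing=%d fixed=%d\n",
	       accepts_narrowing(272U), accepts_fixed(272U));
	printf("short header result: shadowed=%d fixed=%d\n",
	       validate_shadowed(2U), validate_fixed(2U));
	return 0;
}
```

Because ``Werror`` is enabled by default, building code like the two uncorrected functions at the matching ``W`` level fails the build rather than only printing a warning.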