1 # Enable build defense flags.
2 # Performance may be affected.
4 # - https://www.owasp.org/index.php/C-Based_Toolchain_Hardening
5 # - https://wiki.debian.org/Hardening
6 # - https://wiki.gentoo.org/wiki/Hardened/Toolchain
7 # - https://docs.microsoft.com/en-us/cpp/build/reference/sdl-enable-additional-security-checks
# Accumulator for linker hardening options. It starts empty here, gets the
# `-z ...` options appended further down, and is finally appended to the
# shared, module and executable linker flag variables.
10 set(OPENCV_LINKER_DEFENSES_FLAGS_COMMON "")
# ocv_add_defense_compiler_flag(<option> [extra args...])
# Probes <option> with ocv_check_flag_support once for CXX and once for C, and
# appends it to CMAKE_CXX_FLAGS and CMAKE_C_FLAGS. Those are directory-scope
# variables, so the flag is not limited to a single target.
# NOTE(review): the gutter numbers skip 14, 16-17, 19 and 21-23, so the lines
# that consume the probe result and close the macro are not in this listing.
# Presumably each set() is guarded by the probe result - confirm against the
# full file. ocv_check_flag_support is defined elsewhere; `_varname` looks like
# the name of an output variable - confirm.
# Because this is a macro(), anything it sets lands in the caller's scope.
12 macro(ocv_add_defense_compiler_flag option)
13 ocv_check_flag_support(CXX "${option}" _varname "${ARGN}")
# Append to the C++ flags used by every build configuration.
15 set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} ${option}")
18 ocv_check_flag_support(C "${option}" _varname "${ARGN}")
# Same option for C sources.
20 set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} ${option}")
# ocv_add_defense_compiler_flag_release(<option> [extra args...])
# Same probing as ocv_add_defense_compiler_flag, but the option is appended to
# CMAKE_CXX_FLAGS_RELEASE / CMAKE_C_FLAGS_RELEASE only. Debug, RelWithDebInfo
# and MinSizeRel flag variables are not touched by the visible lines, so those
# configurations do not receive options added through this macro.
# NOTE(review): the gutter numbers skip 26, 28-29, 31 and 33 onward; the guard
# and endmacro() lines are presumably among them - confirm against the full file.
24 macro(ocv_add_defense_compiler_flag_release option)
25 ocv_check_flag_support(CXX "${option}" _varname "${ARGN}")
27 set(CMAKE_CXX_FLAGS_RELEASE "${CMAKE_CXX_FLAGS_RELEASE} ${option}")
30 ocv_check_flag_support(C "${option}" _varname "${ARGN}")
32 set(CMAKE_C_FLAGS_RELEASE "${CMAKE_C_FLAGS_RELEASE} ${option}")
# Per-toolchain selection of hardening options.
# NOTE(review): the line that opens this conditional (gutter 38) and several
# else()/endif() lines are missing from the listing; the first four calls are
# presumably the MSVC branch - confirm against the full file.
# /GS enables the stack buffer security check; /sdl enables the additional
# checks described at the Microsoft link in the file header.
39 ocv_add_defense_compiler_flag("/GS")
# NOTE(review): /DYNAMICBASE and /SAFESEH are documented as linker options, but
# here they go through the compiler-flag path (CMAKE_C_FLAGS/CMAKE_CXX_FLAGS).
# Verify that the probe accepts them and that link.exe actually receives them;
# otherwise these two mitigations depend on the linker's defaults. /SAFESEH is
# only meaningful for 32-bit x86 images.
40 ocv_add_defense_compiler_flag("/DynamicBase")
41 ocv_add_defense_compiler_flag("/SafeSEH")
42 ocv_add_defense_compiler_flag("/sdl")
43 elseif(CMAKE_COMPILER_IS_GNUCXX)
# GCC older than 4.9 has no -fstack-protector-strong, so the weaker
# -fstack-protector is used there. Gutter 46 (presumably else()) is missing.
44 if(CMAKE_CXX_COMPILER_VERSION VERSION_LESS "4.9")
45 ocv_add_defense_compiler_flag("-fstack-protector")
47 ocv_add_defense_compiler_flag("-fstack-protector-strong")
50 # These flags are added by the general options: -Wformat -Wformat-security
# Configuration is aborted when the C++ flags lack the format warnings.
# NOTE(review): MATCHES is a regex search, so "format-security" is also
# satisfied by -Wno-format-security, and only CMAKE_CXX_FLAGS is inspected,
# not CMAKE_C_FLAGS.
51 if(NOT CMAKE_CXX_FLAGS MATCHES "-Wformat" OR NOT CMAKE_CXX_FLAGS MATCHES "format-security")
52 message(FATAL_ERROR "Defense flags: uncompatible options")
# _FORTIFY_SOURCE goes into the Release flags only. The fortified libc wrappers
# need optimization to be enabled, which is presumably why Debug is left out;
# RelWithDebInfo and MinSizeRel are not covered by these lines either.
# The first call tries level 2; if the Release flags then still lack it, level 1
# is tried as a fallback. The second "=2" call (gutter 61) presumably belongs to
# a different branch whose else() line is missing from the listing - confirm.
56 ocv_add_defense_compiler_flag_release("-D_FORTIFY_SOURCE=2")
57 if(NOT CMAKE_CXX_FLAGS_RELEASE MATCHES "-D_FORTIFY_SOURCE=2") # TODO Check this
58 ocv_add_defense_compiler_flag_release("-D_FORTIFY_SOURCE=1")
61 ocv_add_defense_compiler_flag_release("-D_FORTIFY_SOURCE=2")
# Linker hardening: non-executable stack, read-only relocations (RELRO) and
# immediate symbol binding, which together give "full RELRO".
# To verify on a built ELF artifact: `readelf -lW` should list GNU_RELRO and a
# GNU_STACK segment without the E flag; `readelf -d` should show BIND_NOW.
64 set(OPENCV_LINKER_DEFENSES_FLAGS_COMMON "${OPENCV_LINKER_DEFENSES_FLAGS_COMMON} -z noexecstack -z relro -z now" )
# Position-independent code and PIE, so that ASLR can relocate the binaries.
# CMAKE_POSITION_INDEPENDENT_CODE sets the default for targets created after
# this point; -fPIC is additionally pushed into the global flags when absent.
69 set(CMAKE_POSITION_INDEPENDENT_CODE TRUE)
70 if(NOT CMAKE_CXX_FLAGS MATCHES "-fPIC")
71 ocv_add_defense_compiler_flag("-fPIC")
# NOTE(review): -pie is requested only under CMAKE_COMPILER_IS_GNUCXX, so
# other compilers get no PIE request from these lines. -fPIE is a code
# generation option; on the link line it is not what makes the objects
# position independent (the -fPIC above does) - confirm it is intended here.
# The endif() lines (gutter 72, 75) are missing from the listing.
73 if(CMAKE_COMPILER_IS_GNUCXX)
74 set(CMAKE_EXE_LINKER_FLAGS "${CMAKE_EXE_LINKER_FLAGS} -fPIE -pie")
# Apply the accumulated linker defenses to every linked artifact type: shared
# libraries, loadable modules and executables.
77 set( CMAKE_SHARED_LINKER_FLAGS "${CMAKE_SHARED_LINKER_FLAGS} ${OPENCV_LINKER_DEFENSES_FLAGS_COMMON}" )
78 set( CMAKE_MODULE_LINKER_FLAGS "${CMAKE_MODULE_LINKER_FLAGS} ${OPENCV_LINKER_DEFENSES_FLAGS_COMMON}" )
79 set( CMAKE_EXE_LINKER_FLAGS "${CMAKE_EXE_LINKER_FLAGS} ${OPENCV_LINKER_DEFENSES_FLAGS_COMMON}" )
# For GCC, rewrite -O3 to -O2 in each listed C and C++ flag variable (the
# common, Release and Debug sets). The result is written back into the variable
# whose name is held in `flags`.
# NOTE(review): the loop header (gutter 82, presumably foreach(flags ...)) and
# the closing lines are missing from the listing, and the visible lines do not
# say why -O3 is avoided - confirm against the full file. The RelWithDebInfo
# and MinSizeRel variables are not in the list.
81 if(CMAKE_COMPILER_IS_GNUCXX)
83 CMAKE_CXX_FLAGS CMAKE_CXX_FLAGS_RELEASE CMAKE_CXX_FLAGS_DEBUG
84 CMAKE_C_FLAGS CMAKE_C_FLAGS_RELEASE CMAKE_C_FLAGS_DEBUG)
85 string(REPLACE "-O3" "-O2" ${flags} "${${flags}}")