Add option to enable SSP (#141)

bugadani · web-flow · commit 09911c17f53d · 2025-03-07T09:29:12.000Z
* Add option to enable SSP

* Don't include empty set twice

* Respect the toolchain toml
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -9,6 +9,8 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ### Added
 
+- Added option to enable Stack smashing protection (#141)
+
 ### Changed
 
 ### Fixed
diff --git a/README.md b/README.md
@@ -45,6 +45,7 @@ You can also directly download pre-compiled [release binaries] or use [`cargo-bi
 - `wifi`: Enables Wi-Fi via the `esp-wifi` crate; requires `alloc`.
 - `ble`: Enables BLE via the `esp-wifi` crate; requires `alloc`.
 - `embassy`: Adds `embassy` framework support.
+- `stack-smashing-protection`: Enables [stack smashing protection](https://doc.rust-lang.org/rustc/exploit-mitigations.html#stack-smashing-protection). Requires nightly Rust.
 - `probe-rs`: Replaces `espflash` with `probe-rs` and enables RTT-based options.
 - `flashing-probe-rs`: Contains options that require `probe-rs`:
   - `defmt`: Adds support for `defmt` printing. Uses `rtt-target` as the RTT implementation.
diff --git a/template/.cargo/config.toml b/template/.cargo/config.toml
@@ -27,6 +27,9 @@ rustflags = [
   # NOTE: May negatively impact performance of produced code
   "-C", "force-frame-pointers",
 #ENDIF
+#IF option("stack-smashing-protection")
+  "-Z", "stack-protector=all",
+#ENDIF
 ]
 
 #REPLACE riscv32imac-unknown-none-elf rust_target
diff --git a/template/rust-toolchain.toml b/template/rust-toolchain.toml
@@ -1,6 +1,10 @@
 [toolchain]
 #IF option("riscv")
+#IF option("stack-smashing-protection")
+#+channel    = "nightly"
+#ELSE
 channel    = "stable"
+#ENDIF
 components = ["rust-src"]
 #REPLACE riscv32imac-unknown-none-elf rust_target
 targets = ["riscv32imac-unknown-none-elf"]
diff --git a/template/template.yaml b/template/template.yaml
@@ -48,6 +48,11 @@ options:
     requires:
       - unstable-hal
 
+  - !Option
+    name: stack-smashing-protection
+    display_name: Enable stack smashing protection.
+    help: Requires nightly Rust.
+
   - !Option
     name: probe-rs
     display_name: Use probe-rs to flash and monitor instead of espflash.
diff --git a/xtask/src/main.rs b/xtask/src/main.rs
@@ -105,40 +105,38 @@ fn check(
         // Ensure that the generated project builds without errors:
         let output = Command::new("cargo")
             .args([if build { "build" } else { "check" }])
+            .env_remove("RUSTUP_TOOLCHAIN")
             .current_dir(project_path.join(PROJECT_NAME))
             .stdout(Stdio::inherit())
             .stderr(Stdio::inherit())
             .output()?;
         if !output.status.success() {
-            project_dir.close()?;
             bail!("Failed to execute cargo check subcommand")
         }
 
         // Run clippy against the generated project to check for lint errors:
         let output = Command::new("cargo")
             .args(["clippy", "--no-deps", "--", "-Dwarnings"])
+            .env_remove("RUSTUP_TOOLCHAIN")
             .current_dir(project_path.join(PROJECT_NAME))
             .stdout(Stdio::inherit())
             .stderr(Stdio::inherit())
             .output()?;
         if !output.status.success() {
-            project_dir.close()?;
             bail!("Failed to execute cargo clippy subcommand")
         }
 
         // Ensure that the generated project is correctly formatted:
         let output = Command::new("cargo")
             .args(["fmt", "--", "--check"])
+            .env_remove("RUSTUP_TOOLCHAIN")
             .current_dir(project_path.join(PROJECT_NAME))
             .stdout(Stdio::inherit())
             .stderr(Stdio::inherit())
             .output()?;
         if !output.status.success() {
-            project_dir.close()?;
             bail!("Failed to execute cargo fmt subcommand")
         }
-
-        project_dir.close()?;
     }
 
     Ok(())
@@ -226,7 +224,7 @@ fn options_for_chip(chip: Chip, all_combinations: bool) -> Result<Vec<Vec<String
     }
 
     // A list of each option, along with its dependencies
-    let mut available_options = vec![];
+    let mut available_options = vec![vec![]];
 
     for option in all_options {
         let option = find_option(&option, &template.options).unwrap();
@@ -247,7 +245,6 @@ fn options_for_chip(chip: Chip, all_combinations: bool) -> Result<Vec<Vec<String
     available_options.dedup();
 
     if !all_combinations {
-        available_options.push(vec![]);
         return Ok(available_options);
     }
 

Original file line number	Diff line number	Diff line change
`@@ -27,6 +27,9 @@ rustflags = [`
`27`	`27`	`# NOTE: May negatively impact performance of produced code`
`28`	`28`	`"-C", "force-frame-pointers",`
`29`	`29`	`#ENDIF`
	`30`	`+#IF option("stack-smashing-protection")`
	`31`	`+ "-Z", "stack-protector=all",`
	`32`	`+#ENDIF`
`30`	`33`	`]`
`31`	`34`
`32`	`35`	`#REPLACE riscv32imac-unknown-none-elf rust_target`