LedgerHQ · mbrousset-ledger · Mar 12, 2026 · Mar 13, 2026
diff --git a/Makefile.defines b/Makefile.defines
@@ -88,6 +88,10 @@ ifneq ($(ENABLE_SDK_WERROR),0)
     CFLAGS   += -Werror
 endif
 
+LDLIBS   += -Wl,--wrap=__stack_chk_fail, -Wl,--wrap=__stack_chk_init
+CFLAGS   += -fstack-protector-strong
+AFLAGS   += -fstack-protector-strong
+
 CFLAGS   += -fdata-sections -ffunction-sections -funsigned-char -fshort-enums -fstack-usage
 CFLAGS   += -mno-unaligned-access
 CFLAGS   += -fropi

diff --git a/src/stack_protector_init.S b/src/stack_protector_init.S
@@ -10,17 +10,22 @@
 .global __wrap___stack_chk_init
 .thumb_func
 __wrap___stack_chk_init:
+    // if r0 != 0, skip initialization and jump directly to main
+    // (don't overwrite parent canary during a libcall)
+    cmp r0, #0
+    bne 1f
+
     // save arguments passed to main
     push {r0-r3}
 
     // call cx_get_random_bytes(&__stack_chk_guard, sizeof(__stack_chk_guard));
     // we can't use the function cx_get_random_bytes because of PIC
     ldr r0, =SYSCALL_cx_get_random_bytes_ID
-    ldr r2, =__stack_chk_guard
+    mov r2, r9
     movs r3, #4
     push {r2-r3}
     mov r1, sp
-    svc 1
+    bl SVC_Call
     pop {r2-r3}
 
     // restore arguments

diff --git a/target/apex_m/script.ld b/target/apex_m/script.ld
@@ -48,7 +48,9 @@ SECTIONS
     _text = .;
     _nvram_start = .;
 
-    /* ensure main is always @ 0xC0D00000 */
+    /* ensure __stack_chk_init is always @ 0xC0D00000 */
+    KEEP(*(.boot.ssp_init))
+    /* ensure main directly follows __stack_chk_init */
     *(.boot*)
 
     /* place the other code and rodata defined BUT nvram variables that are displaced in a r/w area */
@@ -105,6 +107,9 @@ SECTIONS
     /**
      * Place RAM uninitialized variables
      */
+    __stack_chk_guard = .;
+    PROVIDE(__stack_chk_guard = .);
+    . += 4;
     _bss = .;
     *(.bss*)
     _ebss = .;
@@ -126,6 +131,12 @@ SECTIONS
 
   ASSERT( (_estack - _stack) >= STACK_MIN_SIZE, "stack section too small" )
 
+  /* The .init_array is initialized with functions with the constructor
+   * attribute. Discard this section since there's no loader. */
+  /DISCARD/ : {
+    *(.init_array)
+  }
+
   /****************************************************************/
   /* DEBUG                                                        */
   /****************************************************************/

diff --git a/target/apex_p/script.ld b/target/apex_p/script.ld
@@ -48,7 +48,9 @@ SECTIONS
     _text = .;
     _nvram_start = .;
 
-    /* ensure main is always @ 0xC0D00000 */
+    /* ensure __stack_chk_init is always @ 0xC0D00000 */
+    KEEP(*(.boot.ssp_init))
+    /* ensure main directly follows __stack_chk_init */
     *(.boot*)
 
     /* place the other code and rodata defined BUT nvram variables that are displaced in a r/w area */
@@ -105,6 +107,9 @@ SECTIONS
     /**
      * Place RAM uninitialized variables
      */
+    __stack_chk_guard = .;
+    PROVIDE(__stack_chk_guard = .);
+    . += 4;
     _bss = .;
     *(.bss*)
     _ebss = .;
@@ -126,6 +131,12 @@ SECTIONS
 
   ASSERT( (_estack - _stack) >= STACK_MIN_SIZE, "stack section too small" )
 
+  /* The .init_array is initialized with functions with the constructor
+   * attribute. Discard this section since there's no loader. */
+  /DISCARD/ : {
+    *(.init_array)
+  }
+
   /****************************************************************/
   /* DEBUG                                                        */
   /****************************************************************/

diff --git a/target/flex/script.ld b/target/flex/script.ld
@@ -48,7 +48,9 @@ SECTIONS
     _text = .;
     _nvram_start = .;
 
-    /* ensure main is always @ 0xC0D00000 */
+    /* ensure __stack_chk_init is always @ 0xC0D00000 */
+    KEEP(*(.boot.ssp_init))
+    /* ensure main directly follows __stack_chk_init */
     *(.boot*)
 
     /* place the other code and rodata defined BUT nvram variables that are displaced in a r/w area */
@@ -108,6 +110,9 @@ SECTIONS
     /**
      * Place RAM uninitialized variables
      */
+    __stack_chk_guard = .;
+    PROVIDE(__stack_chk_guard = .);
+    . += 4;
     _bss = .;
     *(.bss*)
     _ebss = .;
@@ -129,6 +134,12 @@ SECTIONS
 
   ASSERT( (_estack - _stack) >= STACK_MIN_SIZE, "stack section too small" )
 
+  /* The .init_array is initialized with functions with the constructor
+   * attribute. Discard this section since there's no loader. */
+  /DISCARD/ : {
+    *(.init_array)
+  }
+
   /****************************************************************/
   /* DEBUG                                                        */
   /****************************************************************/

diff --git a/target/nanos2/script.ld b/target/nanos2/script.ld
@@ -48,7 +48,9 @@ SECTIONS
     _text = .;
     _nvram_start = .;
 
-    /* ensure main is always @ 0xC0D00000 */
+    /* ensure __stack_chk_init is always @ 0xC0D00000 */
+    KEEP(*(.boot.ssp_init))
+    /* ensure main directly follows __stack_chk_init */
     *(.boot*)
 
     /* place the other code and rodata defined BUT nvram variables that are displaced in a r/w area */
@@ -107,6 +109,9 @@ SECTIONS
     /**
      * Place RAM uninitialized variables
      */
+    __stack_chk_guard = .;
+    PROVIDE(__stack_chk_guard = .);
+    . += 4;
     _bss = .;
     *(.bss*)
     _ebss = .;
@@ -128,6 +133,12 @@ SECTIONS
 
   ASSERT( (_estack - _stack) >= STACK_MIN_SIZE, "stack section too small" )
 
+  /* The .init_array is initialized with functions with the constructor
+   * attribute. Discard this section since there's no loader. */
+  /DISCARD/ : {
+    *(.init_array)
+  }
+
   /****************************************************************/
   /* DEBUG                                                        */
   /****************************************************************/

diff --git a/target/nanox/script.ld b/target/nanox/script.ld
@@ -115,10 +115,10 @@ SECTIONS
     /**
      * Place RAM uninitialized variables
      */
-    _bss = .;
     __stack_chk_guard = .;
     PROVIDE(__stack_chk_guard = .);
     . += 4;
+    _bss = .;
     *(.bss*)
     _ebss = .;
 
@@ -139,6 +139,12 @@ SECTIONS
 
   ASSERT( (_estack - _stack) >= STACK_MIN_SIZE, "stack section too small" )
 
+  /* The .init_array is initialized with functions with the constructor
+   * attribute. Discard this section since there's no loader. */
+  /DISCARD/ : {
+    *(.init_array)
+  }
+
   /****************************************************************/
   /* DEBUG                                                        */
   /****************************************************************/

diff --git a/target/stax/script.ld b/target/stax/script.ld
@@ -48,8 +48,9 @@ SECTIONS
     _text = .;
     _nvram_start = .;
 
-    /* ensure main is always @ 0xC0D00000 */
-    *(.boot*)
+    /* ensure __stack_chk_init is always @ 0xC0D00000 */
+    KEEP(*(.boot.ssp_init))
+    /* ensure main directly follows __stack_chk_init */
 
     /* place the other code and rodata defined BUT nvram variables that are displaced in a r/w area */
     _code = .;
@@ -108,6 +109,9 @@ SECTIONS
     /**
      * Place RAM uninitialized variables
      */
+    __stack_chk_guard = .;
+    PROVIDE(__stack_chk_guard = .);
+    . += 4;
     _bss = .;
     *(.bss*)
     _ebss = .;
@@ -129,6 +133,12 @@ SECTIONS
 
   ASSERT( (_estack - _stack) >= STACK_MIN_SIZE, "stack section too small" )
 
+  /* The .init_array is initialized with functions with the constructor
+   * attribute. Discard this section since there's no loader. */
+  /DISCARD/ : {
+    *(.init_array)
+  }
+
   /****************************************************************/
   /* DEBUG                                                        */
   /****************************************************************/