I want to use a blob-free build of OpenWrt with all hardening build/kernel build options enabled on the GL-AR300M.
I checked the OpenWrt Config-kernel.in file and it looks like all the kernel hardening options from the old security page are now enabled by default so long as “SMALL_FLASH” is false… That’s great, but how big exactly does the flash need to be? Does this mean that buying the GL-AR300M router with 16MB of NOR flash vs. 128MB of NAND flash will have real security implications because it’s triggering that flag?
Also, since the GL-AR300M doesn’t need wifi blobs, is the installation blob-free? Or are there other ones in there?
Finally, there’s still some hardening that can be enabled in Config-build.in like stack-smashing protection, PIE, etc. I would like to apply these settings to my router, but that requires a recompile. Would automatic updates be affected? Would I need to recompile every time a new update is released?