diff --git a/layer/bsp-alix/TOOLCHAIN b/layer/bsp-alix/TOOLCHAIN
index 1a38f65..55a88a4 100644
--- a/layer/bsp-alix/TOOLCHAIN
+++ b/layer/bsp-alix/TOOLCHAIN
@@ -11,3 +11,5 @@ LINUXPKG="linux"
 LINUX_CPU="x86"
 LINUX_TGT="bzImage modules"
 OPENSSL_TARGET="linux-generic32 386"
+
+TC_HARDENING="no"
diff --git a/layer/bsp-qemu64/TOOLCHAIN b/layer/bsp-qemu64/TOOLCHAIN
index 9bad218..ed98d69 100644
--- a/layer/bsp-qemu64/TOOLCHAIN
+++ b/layer/bsp-qemu64/TOOLCHAIN
@@ -11,3 +11,5 @@ LINUXPKG="linux"
 LINUX_CPU="x86_64"
 LINUX_TGT="bzImage"
 OPENSSL_TARGET="linux-x86_64"
+
+TC_HARDENING="no"
diff --git a/layer/bsp-rpi3/TOOLCHAIN b/layer/bsp-rpi3/TOOLCHAIN
index f0665a3..06913ad 100644
--- a/layer/bsp-rpi3/TOOLCHAIN
+++ b/layer/bsp-rpi3/TOOLCHAIN
@@ -11,3 +11,5 @@ LINUXPKG="linux-rpi3"
 LINUX_CPU="arm"
 LINUX_TGT="zImage"
 OPENSSL_TARGET="linux-generic32"
+
+TC_HARDENING="no"
diff --git a/layer/router-base/TOOLCHAIN b/layer/router-base/TOOLCHAIN
new file mode 100644
index 0000000..4b875f3
--- /dev/null
+++ b/layer/router-base/TOOLCHAIN
@@ -0,0 +1 @@
+TC_HARDENING="yes"
diff --git a/pkg/bzip2/build b/pkg/bzip2/build
index 65e5b61..022dcd3 100755
--- a/pkg/bzip2/build
+++ b/pkg/bzip2/build
@@ -12,8 +12,13 @@ prepare() {
 build() {
 cp -r ${1}/* ${PKGBUILDDIR}
- local cflags="-fstack-protector-all"
- local ldflags="-z noexecstack -z relro -z now"
+ local cflags=""
+ local ldflags=""
+
+ if [ "x$TC_HARDENING" = "xyes" ]; then
+ cflags="-fstack-protector-all"
+ ldflags="-z noexecstack -z relro -z now"
+ fi
 make CFLAGS="-Wall -Winline -O2 -D_FILE_OFFSET_BITS=64 $cflags" \
 LDFLAGS="$ldflags" CC=${TARGET}-gcc AR=${TARGET}-ar \
diff --git a/pkg/dnsmasq/build b/pkg/dnsmasq/build
index 1d0ee30..efd591a 100644
--- a/pkg/dnsmasq/build
+++ b/pkg/dnsmasq/build
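Review bot: The bzip2 build() now treats an unset or misspelled TC_HARDENING exactly like "no": `[ "x$TC_HARDENING" = "xyes" ]` is false for an empty value, so a layer that does not define the variable (the bsp layers set "no" and router-base "yes", but nothing forces a choice) silently loses -fstack-protector-all and the noexecstack/relro/now link flags with no message. A one-line guard before the test would make the choice explicit, e.g. `case "$TC_HARDENING" in yes|no) ;; *) echo "TC_HARDENING must be 'yes' or 'no'" >&2; return 1;; esac`. The same six-line block is repeated verbatim in the dnsmasq, hostapd, iproute2, iw, musl, nginx, openssl and zlib build scripts and in util/autotools.sh; a single helper in util/ that sets cflags/ldflags from TC_HARDENING would keep the policy in one place and prevent the copies from diverging. build() continues outside the hunk.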
@@ -12,8 +12,13 @@ prepare() {
 build() {
 cp -r ${1}/* ${PKGBUILDDIR}
- local cflags="-fstack-protector-all"
- local ldflags="-z noexecstack -z relro -z now"
+ local cflags=""
+ local ldflags=""
+
+ if [ "x$TC_HARDENING" = "xyes" ]; then
+ cflags="-fstack-protector-all"
+ ldflags="-z noexecstack -z relro -z now"
+ fi
 CFLAGS="-O2 $cflags" \
 LDFLAGS="$ldflags" \
diff --git a/pkg/hostapd/build b/pkg/hostapd/build
index 9c41e02..f923ae8 100755
--- a/pkg/hostapd/build
+++ b/pkg/hostapd/build
@@ -13,8 +13,13 @@ build() {
 cp -r ${1}/* ${PKGBUILDDIR}
 cp "$SCRIPTDIR/pkg/$PKGNAME/config" "$PKGBUILDDIR/hostapd/.config"
- local cflags="-fstack-protector-all"
- local ldflags="-z noexecstack -z relro -z now"
+ local cflags=""
+ local ldflags=""
+
+ if [ "x$TC_HARDENING" = "xyes" ]; then
+ cflags="-fstack-protector-all"
+ ldflags="-z noexecstack -z relro -z now"
+ fi
 PKG_CONFIG_SYSROOT_DIR="$TCDIR/$TARGET" \
 CFLAGS="-MMD -O2 $cflags" \
diff --git a/pkg/iproute2/build b/pkg/iproute2/build
index a593ddd..6f02eb2 100755
--- a/pkg/iproute2/build
+++ b/pkg/iproute2/build
@@ -12,8 +12,13 @@ prepare() {
 build() {
 cp -r ${1}/* ${PKGBUILDDIR}
- local cflags="-fstack-protector-all"
- local ldflags="-z noexecstack -z relro -z now"
+ local cflags=""
+ local ldflags=""
+
+ if [ "x$TC_HARDENING" = "xyes" ]; then
+ cflags="-fstack-protector-all"
+ ldflags="-z noexecstack -z relro -z now"
+ fi
 make CCOPTS="-O2 $cflags" LDFLAGS="$ldflags" \
 HOSTCC="gcc" AR="${TARGET}-ar" LD="${TARGET}-ld" \
diff --git a/pkg/iw/build b/pkg/iw/build
index 6bc335e..bada604 100755
--- a/pkg/iw/build
+++ b/pkg/iw/build
@@ -12,8 +12,13 @@ prepare() {
 build() {
 cp -r ${1}/* ${PKGBUILDDIR}
- local cflags="-fstack-protector-all"
- local ldflags="-z noexecstack -z relro -z now"
+ local cflags=""
+ local ldflags=""
+
+ if [ "x$TC_HARDENING" = "xyes" ]; then
+ cflags="-fstack-protector-all"
+ ldflags="-z noexecstack -z relro -z now"
+ fi
 CFLAGS="-O2 $cflags" \
 LDFLAGS="$ldflags" \
diff --git a/pkg/musl/build b/pkg/musl/build
index 9914d62..1d88a30 100755
--- a/pkg/musl/build
+++ b/pkg/musl/build
@@ -10,8 +10,13 @@ prepare() {
 }
 build() {
- local cflags="-fPIE -fPIC -fstack-protector-all"
- local ldflags="-z noexecstack -z relro -z now"
+ local cflags=""
+ local ldflags=""
+
+ if [ "x$TC_HARDENING" = "xyes" ]; then
+ cflags="-fPIE -fPIC -fstack-protector-all"
+ ldflags="-z noexecstack -z relro -z now"
+ fi
 CFLAGS="$cflags" LDFLAGS="$ldflags" \
 CROSS_COMPILE="${TARGET}-" $1/configure --prefix=/ --target="$TARGET"
diff --git a/pkg/nginx/build b/pkg/nginx/build
index f492ab1..7fa9b03 100755
--- a/pkg/nginx/build
+++ b/pkg/nginx/build
@@ -12,8 +12,13 @@ prepare() {
 build() {
 cp -r ${1}/* ${PKGBUILDDIR}
- local cflags="-fstack-protector-all"
- local ldflags="-z noexecstack -z relro -z now"
+ local cflags=""
+ local ldflags=""
+
+ if [ "x$TC_HARDENING" = "xyes" ]; then
+ cflags="-fstack-protector-all"
+ ldflags="-z noexecstack -z relro -z now"
+ fi
 ./configure --prefix="" --sbin-path=/bin/nginx \
 --modules-path=/lib/nginx \
diff --git a/pkg/openssl/build b/pkg/openssl/build
index f2e67ed..a74626a 100755
--- a/pkg/openssl/build
+++ b/pkg/openssl/build
@@ -10,8 +10,13 @@ prepare() {
 }
 build() {
- local cflags="-fstack-protector-all"
- local ldflags="-z noexecstack -z relro -z now"
+ local cflags=""
+ local ldflags=""
+
+ if [ "x$TC_HARDENING" = "yes" ]; then
+ cflags="-fstack-protector-all"
+ ldflags="-z noexecstack -z relro -z now"
+ fi
 $1/Configure --prefix=/ --cross-compile-prefix="${TARGET}-" \
 --openssldir=/etc/ssl --libdir=/lib \
diff --git a/pkg/tc-binutils/build b/pkg/tc-binutils/build
index 228d381..16714c1 100755
--- a/pkg/tc-binutils/build
+++ b/pkg/tc-binutils/build
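Review bot: The openssl test `if [ "x$TC_HARDENING" = "yes" ]` compares the x-prefixed value against an unprefixed literal, so it can never be true and OpenSSL is always built without -fstack-protector-all and the noexecstack/relro/now link flags even when TC_HARDENING=yes, whereas every other script in this commit uses `"xyes"`. The line should read `if [ "x$TC_HARDENING" = "xyes" ]; then`. Because nothing reports the mismatch, the hardened router-base profile would ship an unhardened libssl/libcrypto without any build error, which is the opposite of what the variable promises. The enclosing build() continues past the hunk.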
@@ -10,9 +10,15 @@ prepare() {
 }
 build() {
+ local extra=""
+
+ if [ "x$TC_HARDENING" = "xyes" ]; then
+ extra="--enable-libssp"
+ fi
+
 $1/configure --prefix="$TCDIR" --target="$TARGET" --disable-nls \
 --with-sysroot="$TCDIR/$TARGET" --disable-multilib \
- --with-lib-path="$TCDIR/$TARGET/lib" --enable-libssp
+ --with-lib-path="$TCDIR/$TARGET/lib" $extra
 make configure-host
 make -j $NUMJOBS
diff --git a/pkg/tc-gcc1/build b/pkg/tc-gcc1/build
index 812d779..9a4340d 100755
--- a/pkg/tc-gcc1/build
+++ b/pkg/tc-gcc1/build
@@ -37,17 +37,25 @@ prepare() {
 }
 build() {
+ local extra=""
+
+ if [ "x$TC_HARDENING" = "xyes" ]; then
+ extra="--enable-libssp --enable-default-pie"
+ extra="$extra --enable-default-ssp"
+ else
+ extra="--disable-libssp"
+ fi
+
 $1/configure --prefix="$TCDIR" --target="$TARGET" \
 --build="$HOSTTUPLE" --host="$HOSTTUPLE" \
 --with-sysroot="$TCDIR/$TARGET" \
 --disable-nls --disable-shared --without-headers \
 --disable-multilib --disable-decimal-float \
 --disable-libgomp --disable-libmudflap \
- --enable-libssp --disable-libatomic \
+ --disable-libatomic \
 --disable-libquadmath --disable-threads \
 --enable-languages=c --with-newlib \
- --enable-default-pie --enable-default-ssp \
- --with-arch="$GCC_CPU" $GCC_EXTRACFG
+ --with-arch="$GCC_CPU" $extra $GCC_EXTRACFG
 make -j $NUMJOBS all-gcc all-target-libgcc
 }
diff --git a/pkg/tc-gcc2/build b/pkg/tc-gcc2/build
index 301be49..1577a0e 100755
--- a/pkg/tc-gcc2/build
+++ b/pkg/tc-gcc2/build
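Review bot: The `extra` selection added to tc-gcc1's build() is repeated verbatim in tc-gcc2/build, which already `source`s this file, so the hardening switches for the two compiler stages can drift apart; defining the selection once here as a function and using `--with-arch="$GCC_CPU" $(gcc_hardening_cfg) $GCC_EXTRACFG` on both configure lines keeps a single definition. The tc-binutils hunk on the same line has the mirror-image gap: it has no else branch, so libssp stays at the configure default when hardening is off while both gcc stages pass `--disable-libssp` explicitly; adding `else extra="--disable-libssp"` there makes the stages agree. build() in tc-binutils and tc-gcc1 both continue past the hunk.
```shell
# GCC configure switches selected by TC_HARDENING; shared with
# tc-gcc2/build, which sources this file.
gcc_hardening_cfg() {
	if [ "x$TC_HARDENING" = "xyes" ]; then
		echo "--enable-libssp --enable-default-pie --enable-default-ssp"
	else
		echo "--disable-libssp"
	fi
}

build() {
	# … unchanged: configure invocation, with `$extra` replaced by `$(gcc_hardening_cfg)` …
```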
@@ -3,16 +3,23 @@ source "$SCRIPTDIR/pkg/tc-gcc1/build"
 DEPENDS="tc-gcc1 musl linux_headers"
 build() {
+ local extra=""
+
+ if [ "x$TC_HARDENING" = "xyes" ]; then
+ extra="--enable-libssp --enable-default-pie"
+ extra="$extra --enable-default-ssp"
+ else
+ extra="--disable-libssp"
+ fi
+
 $1/configure --prefix="$TCDIR" --target="$TARGET" \
 --build="$HOSTTUPLE" --host="$HOSTTUPLE" \
 --with-sysroot="$TCDIR/$TARGET" \
 --disable-nls --enable-languages=c,c++ \
 --enable-c99 --enable-long-long \
 --enable-libmudflap --disable-multilib \
- --enable-libssp \
 --disable-libsanitizer \
- --enable-default-pie --enable-default-ssp \
- --with-arch="$GCC_CPU" $GCC_EXTRACFG \
+ --with-arch="$GCC_CPU" $extra $GCC_EXTRACFG \
 --with-native-system-header-dir="/include"
 make -j $NUMJOBS
@@ -46,4 +53,12 @@ deploy() {
 mv ${TCDIR}/${TARGET}/{include,lib} "$DEPLOY"
 rm ${DEPLOY}/lib/*.la
 cp "$SCRIPTDIR/pkg/$PKGNAME/rootfs_files.txt" "$DEPLOY"
+
+ if [ "x$TC_HARDENING" = "xyes" ]; then
+ cat >> "$DEPLOY/rootfs_files.txt" <<_EOF
+lib/libssp.so m 777 0 0
+lib/libssp.so.0 m 777 0 0
+lib/libssp.so.0.0.0 m 555 0 0
+_EOF
+ fi
 }
diff --git a/pkg/tc-gcc2/rootfs_files.txt b/pkg/tc-gcc2/rootfs_files.txt
index d3f29a4..6453e60 100644
--- a/pkg/tc-gcc2/rootfs_files.txt
+++ b/pkg/tc-gcc2/rootfs_files.txt
@@ -9,9 +9,6 @@ lib/libgomp.so.1.0.0 m 555 0 0
 lib/libitm.so m 777 0 0
 lib/libitm.so.1 m 777 0 0
 lib/libitm.so.1.0.0 m 555 0 0
-lib/libssp.so m 777 0 0
-lib/libssp.so.0 m 777 0 0
-lib/libssp.so.0.0.0 m 555 0 0
 lib/libstdc++.so m 777 0 0
 lib/libstdc++.so.6 m 777 0 0
 lib/libstdc++.so.6.0.25 m 555 0 0
diff --git a/pkg/zlib/build b/pkg/zlib/build
index 5acc7e4..6eaae0b 100644
--- a/pkg/zlib/build
+++ b/pkg/zlib/build
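Review bot: The heredoc appended to rootfs_files.txt in deploy() hard-codes the `lib/libssp.so.0.0.0` name and is written whenever TC_HARDENING is yes, without checking that the toolchain actually produced that library, so a soname change in a later gcc or a stage-2 configure that silently dropped libssp would yield a file list naming an object that is not in `$DEPLOY/lib`, with no error at this step. A guard such as `[ -e "$DEPLOY/lib/libssp.so.0.0.0" ] || { echo "libssp missing from $DEPLOY/lib" >&2; return 1; }` placed before the `cat >>` would surface that at deploy time. The reverse case is worth a comment too: with hardening off, nothing here removes a libssp left in `${TCDIR}/${TARGET}/lib` by an earlier hardened build, and I cannot tell from the hunk whether TCDIR is rebuilt from scratch. deploy() ends inside the hunk; build() continues outside it.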
@@ -10,8 +10,13 @@ prepare() {
 }
 build() {
- local cflags="-fstack-protector-all"
- local ldflags="-z noexecstack -z relro -z now"
+ local cflags=""
+ local ldflags=""
+
+ if [ "x$TC_HARDENING" = "xyes" ]; then
+ cflags="-fstack-protector-all"
+ ldflags="-z noexecstack -z relro -z now"
+ fi
 CFLAGS="$cflags" LDFLAGS="$ldflags" \
 cmake -DCMAKE_TOOLCHAIN_FILE="$CMAKETCFILE" \
diff --git a/util/autotools.sh b/util/autotools.sh
index a0e5017..8bd6fc9 100644
--- a/util/autotools.sh
+++ b/util/autotools.sh
@@ -2,8 +2,13 @@ run_configure() {
 local srcdir="$1"
 shift
- local cflags="-fstack-protector-all"
- local ldflags="-z noexecstack -z relro -z now"
+ local cflags=""
+ local ldflags=""
+
+ if [ "x$TC_HARDENING" = "xyes" ]; then
+ cflags="-fstack-protector-all"
+ ldflags="-z noexecstack -z relro -z now"
+ fi
 ac_cv_func_malloc_0_nonnull=yes \
 ac_cv_func_realloc_0_nonnull=yes \