sys/ssp: use a random value as the canary

This implements the randomization of canary values on each build as
mentioned in the comment above the STACK_CHK_GUARD macro. The canary
value is generated by the buildsystem and passed to the ssp module using
a `-D` compiler flag. The ssp object file, using this canary value, is
marked as PHONY to make sure it is rebuild on each make invocation,
thereby ensuring that each build uses a new random canary value.

Implementing this properly would require generating a cryptographically
secure random value on each boot of the RIOT operating system. This is
not deemed possible on some constrained devices, e.g. due to lack of
hardware random number generators. Besides, RIOT only seems to support a
PRNG (random module) currently. While this may be implemented in the
future for some devices the changes implemented in this commit may still
be used as a fallback then.

A hardcoded canary value is used when building software on the CI to not
break the CI test cache [1].

[1]: RIOT-OS#13119 (comment)

sys/ssp/Makefile

@@ -1 +1,17 @@
+# module name is used below, thus set explicitly
+MODULE = ssp
+
+ifeq (,$(RIOT_CI_BUILD))
+  # random canary value newly generated on each build
+  RIOTCANARY := $(shell $(RIOTTOOLS)/randhex/randhex.sh)
+else
+  # hardcoded canary value to not break CI test cache
+  RIOTCANARY := 0xdeadbeefdeadbeef
+endif
+
+# pass the generated canary using a macro and mark the object file using
+# it as PHONY to ensure that a new canary value is used on each build.
+CFLAGS += -DSTACK_CHK_GUARD=$(RIOTCANARY)
+.PHONY: $(BINDIR)/$(MODULE)/$(MODULE).o
+
 include $(RIOTBASE)/Makefile.base

sys/ssp/ssp.c

@@ -22,9 +22,6 @@
 
 #include "panic.h"
 
-/* this should be randomized for each build */
-#define STACK_CHK_GUARD 0x595e9fbd94fda766
-
 uintptr_t __stack_chk_guard = (uintptr_t) STACK_CHK_GUARD;
 
 __attribute__((noreturn)) void __stack_chk_fail(void)