Re: [yocto] Additional hardening options

Re: [yocto] Additional hardening options

[Paul Eggleton]

On Wednesday, 26 January 2022 14:39:39 NZDT Paul Eggleton wrote:
> Hi folks
> 
> I've been looking into a couple of compiler flags for hardening that I think
> we might want to consider enabling by default in security-flags.inc:
> 
> 
> 1) -fstack-clash-protection
> 
> This option was introduced to gcc 8.x and provides protection against the
> stack clash vulnerability:
> 
> https://securingsoftware.blogspot.com/2017/12/stack-clash-vulnerability.html
> 
> It has been enabled in some Linux distributions already (e.g. Ubuntu,
> Fedora).

Another quirk of this - with dunfell, the buildepoxy SDK test fails on Ubuntu 
18.04 with -fstack-clash-protection because the version of meson in dunfell 
uses the same LDFLAGS value for both host and target, and host gcc doesn't 
support that option. Not sure what to do other than just filtering out the 
option from LDFLAGS in the test.

Cheers
Paul

Re: [yocto] Additional hardening options

[Alexander Kanavin]

[-- Attachment #1: Type: text/plain, Size: 1527 bytes --]

I guess you can submit a patch, and it can be taken for a spin on the
autobuilder?

Alex

On Wed, 26 Jan 2022 at 22:17, Paul Eggleton <bluelightning@bluelightning.org>
wrote:

> On Wednesday, 26 January 2022 14:39:39 NZDT Paul Eggleton wrote:
> > Hi folks
> >
> > I've been looking into a couple of compiler flags for hardening that I
> think
> > we might want to consider enabling by default in security-flags.inc:
> >
> >
> > 1) -fstack-clash-protection
> >
> > This option was introduced to gcc 8.x and provides protection against the
> > stack clash vulnerability:
> >
> >
> https://securingsoftware.blogspot.com/2017/12/stack-clash-vulnerability.html
> >
> > It has been enabled in some Linux distributions already (e.g. Ubuntu,
> > Fedora).
>
> Another quirk of this - with dunfell, the buildepoxy SDK test fails on
> Ubuntu
> 18.04 with -fstack-clash-protection because the version of meson in
> dunfell
> uses the same LDFLAGS value for both host and target, and host gcc doesn't
> support that option. Not sure what to do other than just filtering out the
> option from LDFLAGS in the test.
>
> Cheers
> Paul
>
>
>
> -=-=-=-=-=-=-=-=-=-=-=-
> Links: You receive all messages sent to this group.
> View/Reply Online (#55987):
> https://lists.yoctoproject.org/g/yocto/message/55987
> Mute This Topic: https://lists.yoctoproject.org/mt/88687579/1686489
> Group Owner: yocto+owner@lists.yoctoproject.org
> Unsubscribe: https://lists.yoctoproject.org/g/yocto/unsub [
> alex.kanavin@gmail.com]
> -=-=-=-=-=-=-=-=-=-=-=-
>
>

[-- Attachment #2: Type: text/html, Size: 2567 bytes --]

Re: [yocto] Additional hardening options

[Khem Raj]

On Wed, Jan 26, 2022 at 1:17 PM Paul Eggleton
<bluelightning@bluelightning.org> wrote:
>
> On Wednesday, 26 January 2022 14:39:39 NZDT Paul Eggleton wrote:
> > Hi folks
> >
> > I've been looking into a couple of compiler flags for hardening that I think
> > we might want to consider enabling by default in security-flags.inc:
> >
> >
> > 1) -fstack-clash-protection
> >
> > This option was introduced to gcc 8.x and provides protection against the
> > stack clash vulnerability:
> >
> > https://securingsoftware.blogspot.com/2017/12/stack-clash-vulnerability.html
> >
> > It has been enabled in some Linux distributions already (e.g. Ubuntu,
> > Fedora).

That is good testimony,  it will be good to know how  this option
impacts performance
and does it work across architectures and libc's supported in OE.

>
> Another quirk of this - with dunfell, the buildepoxy SDK test fails on Ubuntu
> 18.04 with -fstack-clash-protection because the version of meson in dunfell
> uses the same LDFLAGS value for both host and target, and host gcc doesn't
> support that option. Not sure what to do other than just filtering out the
> option from LDFLAGS in the test.
>
> Cheers
> Paul
>
>
>
> -=-=-=-=-=-=-=-=-=-=-=-
> Links: You receive all messages sent to this group.
> You automatically follow any topics you start or reply to.
> View/Reply Online (#55987): https://lists.yoctoproject.org/g/yocto/message/55987
> Mute This Topic: https://lists.yoctoproject.org/mt/88687579/1997914
> Group Owner: yocto+owner@lists.yoctoproject.org
> Unsubscribe: https://lists.yoctoproject.org/g/yocto/unsub [raj.khem@gmail.com]
> -=-=-=-=-=-=-=-=-=-=-=-
>

Re: [yocto] Additional hardening options

[Richard Purdie]

On Wed, 2022-01-26 at 14:39 +1300, Paul Eggleton wrote:
> Hi folks
> 
> I've been looking into a couple of compiler flags for hardening that I think we 
> might want to consider enabling by default in security-flags.inc:
> 
> 
> 1) -fstack-clash-protection
> 
> This option was introduced to gcc 8.x and provides protection against the 
> stack clash vulnerability:
> 
> https://securingsoftware.blogspot.com/2017/12/stack-clash-vulnerability.html
> 
> It has been enabled in some Linux distributions already (e.g. Ubuntu, Fedora).
> 
> 
> 2) -z noexecstack (or alternative mitigations)
> 
> gcc will enable an executable stack under a few different circumstances - see 
> here for details
> 
> https://wiki.gentoo.org/wiki/Hardened/GNU_stack_quickstart
> 
> I've written a check that we could add to insane.bbclass that warns/errors on 
> binaries with an executable stack. Does this seem reasonable to have?
> The other possibility is we add -Wl,-z,noexecstack to LDFLAGS and then see 
> what breaks, but unfortunately issues are likely only going to show up when 
> the program crashes at runtime, and also it will stop the aforementioned check 
> from working.
> 
> 
> Any opinions?

These seem like reasonable things to do, are there any downsides to them?

I'd be happy to test some patches, see if they do cause issues...

Cheers,

Richard