From: "Richard Purdie" <richard.purdie@linuxfoundation.org>
To: Michael Ho <Michael.Ho@bmw.de>, openembedded-core@lists.openembedded.org
Cc: Khem Raj <raj.khem@gmail.com>
Subject: Re: [OE-core] Question about security_flags.inc and CC_ARCH
Date: Fri, 15 Jan 2021 16:05:15 +0000 [thread overview]
Message-ID: <ee564b97e176be05739442e9c271bbce565da4d5.camel@linuxfoundation.org> (raw)
In-Reply-To: <CBE0B95A-C2E7-4FAF-AD1D-E0EEBCB177C2@bmw.de>
On Fri, 2021-01-15 at 13:46 +0000, Michael Ho wrote:
> I wanted to get a bit more understanding of why security_flags.inc
> tweaks CC_ARCH instead of CFLAGS.
>
> Some developers who consume an SDK we produce using Yocto noticed
> that CC and
> CXX has FORTIFY_SOURCE embedded in the variables. These developers
> sometimes
> want to compile software in the SDK with compiler optimisations
> turned off in order
> to run code coverage tools like gcov. Typically they drop
> CFLAGS/CXXFLAGS in order
> to do this but they noted that with the SDK they also have to
> manually tweak CC/CXX
> to remove the FORTIFY_SOURCE references (because compilation fails
> without
> optimisation flags when using FORTIFY_SOURCE).
>
> This comes from:
> https://patchwork.openembedded.org/patch/167198/ and
> http://git.yoctoproject.org/cgit.cgi/poky/commit/?id=6733a7873ca121295a2e309a6915b9816e1ae36b
>
> I would’ve expected actually that FORTIFY_SOURCE bundles itself with
> CFLAGS/CXXFLAGS as it is dependent on being with the compiler
> optimisations. This is also how the Debian hardening wiki seems to
> describe it used [1].
>
> I am guessing that this is moved to CC_ARCH to ensure FORTIFY_SOURCE
> is being enforced around the build system in case components are
> skipping out on CFLAGS and CXXFLAGS. Is that right?
In theory we should be giving an error if CFLAGS or LDFLAGS aren't
being used to compile our output. You're right that we probably don't
detect every case though and that was probably why we did that. I don't
really remember though. Khem might remember more, I suspect he'd have
done that for a reason.
> Would there be some objection to moving the security flags to
> CFLAGS/CXXFLAGS for the cross-canadian target (sdk)?
Yes, I'm fairly against people getting a different view of the flags in
the SDK compared to the main build environment, that just creates a
different set of problems unfortunately.
Cheers,
Richard
next prev parent reply other threads:[~2021-01-15 16:05 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-01-15 13:46 Question about security_flags.inc and CC_ARCH Michael Ho
2021-01-15 16:05 ` Richard Purdie [this message]
2021-01-15 16:43 ` [OE-core] " Joshua Watt
2021-01-15 20:35 ` Khem Raj
2021-01-25 16:57 ` Michael Ho
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=ee564b97e176be05739442e9c271bbce565da4d5.camel@linuxfoundation.org \
--to=richard.purdie@linuxfoundation.org \
--cc=Michael.Ho@bmw.de \
--cc=openembedded-core@lists.openembedded.org \
--cc=raj.khem@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.