Re: [PATCH] security_flags: Add the compiler and linker flags that enhance security

From: Saul Wold <sgw@linux.intel.com>
To: Mark Hatle <mark.hatle@windriver.com>
Cc: openembedded-core@lists.openembedded.org
Subject: Re: [PATCH] security_flags: Add the compiler and linker flags that enhance security
Date: Fri, 28 Jun 2013 12:14:23 -0700	[thread overview]
Message-ID: <51CDE08F.6090108@linux.intel.com> (raw)
In-Reply-To: <51CDDE85.8040801@windriver.com>

On 06/28/2013 12:05 PM, Mark Hatle wrote:
> On 6/28/13 1:46 PM, Saul Wold wrote:
>> These flags add addition checks at compile, link and runtime to prevent
>> stack smashing, checking for buffer overflows, and link at program start
>> to prevent call spoofing later.
>>
>> This needs to be explicitly enabled by adding the following line to your
>> local.conf:
>>
>> require conf/distro/include/security_flags.inc
>>
>> [YOCTO #3868]
>>
>> Signed-off-by: Saul Wold <sgw@linux.intel.com>
>> ---
>>   meta/conf/distro/include/security_flags.inc | 21 +++++++++++++++++++++
>>   1 file changed, 21 insertions(+)
>>   create mode 100644 meta/conf/distro/include/security_flags.inc
>>
>> diff --git a/meta/conf/distro/include/security_flags.inc
>> b/meta/conf/distro/include/security_flags.inc
>> new file mode 100644
>> index 0000000..dc231e2
>> --- /dev/null
>> +++ b/meta/conf/distro/include/security_flags.inc
>> @@ -0,0 +1,21 @@
>> +SECURITY_CFLAGS = "-fstack-protector-all -pie -fpie -D_FORTIFY_SOURCE=2"
>> +SECURITY_LDFLAGS = "-Wl,-z,relro,-z,now"
>
> Where do the flags get introduced into the actual CFLAGS and LDFLAGS?
> Would it make sense to add this to the existing BUILD_OPTIMIZATION
> settings..  So they would always be available, and someone could just
> flip a switch to enable it?
>
Opps, sorry forgot to send part 2!

Sau!

>> +
>> +#TARGET_CPPFLAGS_pn-curl += "-D_FORTIFY_SOURCE=2"
>> +SECURITY_CFLAGS_pn-curl = "-fstack-protector-all -pie -fpie"
>> +SECURITY_CFLAGS_pn-ppp = "-fstack-protector-all -D_FORTIFY_SOURCE=2"
>> +SECURITY_CFLAGS_pn-eglibc = ""
>> +SECURITY_CFLAGS_pn-eglibc-initial = ""
>
> I know why you don't use them on -initial, but any reason to not enable
> this on 'eglibc'?  If it doesn't work, it would be good to enhance
> eglibc's recipe to spit out a warning and sanitize the build like it
> does for -O0.
>
> --Mark
>
>> +SECURITY_CFLAGS_pn-zlib = "-fstack-protector-all -D_FORTIFY_SOURCE=2"
>> +SECURITY_CFLAGS_pn-gcc-runtime = "-fstack-protector-all
>> -D_FORTIFY_SOURCE=2"
>> +SECURITY_CFLAGS_pn-libgcc = "-fstack-protector-all -D_FORTIFY_SOURCE=2"
>> +SECURITY_CFLAGS_pn-tcl = "-fstack-protector-all -D_FORTIFY_SOURCE=2"
>> +SECURITY_CFLAGS_pn-libcap = "-fstack-protector-all -D_FORTIFY_SOURCE=2"
>> +SECURITY_CFLAGS_pn-python-smartpm = "-fstack-protector-all
>> -D_FORTIFY_SOURCE=2"
>> +SECURITY_CFLAGS_pn-python-imaging = "-fstack-protector-all
>> -D_FORTIFY_SOURCE=2"
>> +SECURITY_CFLAGS_pn-python-pycurl = "-fstack-protector-all
>> -D_FORTIFY_SOURCE=2"
>> +SECURITY_CFLAGS_pn-kexec-tools = "-fstack-protector-all
>> -D_FORTIFY_SOURCE=2"
>> +
>> +# These flags seem to
>> +SECURITY_CFLAGS_pn-pulseaudio = "-fstack-protector-all
>> -D_FORTIFY_SOURCE=2"
>> +SECURITY_CFLAGS_pn-ltp = "-fstack-protector-all -D_FORTIFY_SOURCE=2"
>>
>
> _______________________________________________
> Openembedded-core mailing list
> Openembedded-core@lists.openembedded.org
> http://lists.openembedded.org/mailman/listinfo/openembedded-core
>
>