From: Saul Wold
Date: Fri, 28 Jun 2013 12:14:23 -0700
To: Mark Hatle
Cc: openembedded-core@lists.openembedded.org
Subject: Re: [PATCH] security_flags: Add the compiler and linker flags that enhance security
Message-ID: <51CDE08F.6090108@linux.intel.com>
In-Reply-To: <51CDDE85.8040801@windriver.com>
References: <1372445217-28739-1-git-send-email-sgw@linux.intel.com> <51CDDE85.8040801@windriver.com>

On 06/28/2013 12:05 PM, Mark Hatle wrote:
> On 6/28/13 1:46 PM, Saul Wold wrote:
>> These flags add additional checks at compile, link and runtime to prevent
>> stack smashing, checking for buffer overflows, and link at program start
>> to prevent call spoofing later.
>>
>> This needs to be explicitly enabled by adding the following line to your
>> local.conf:
>>
>> require conf/distro/include/security_flags.inc
>>
>> [YOCTO #3868]
>> >> Signed-off-by: Saul Wold >> --- >> meta/conf/distro/include/security_flags.inc | 21 +++++++++++++++++++++ >> 1 file changed, 21 insertions(+) >> create mode 100644 meta/conf/distro/include/security_flags.inc >> >> diff --git a/meta/conf/distro/include/security_flags.inc >> b/meta/conf/distro/include/security_flags.inc >> new file mode 100644 >> index 0000000..dc231e2 >> --- /dev/null >> +++ b/meta/conf/distro/include/security_flags.inc 
>> @@ -0,0 +1,21 @@ >> +SECURITY_CFLAGS = "-fstack-protector-all -pie -fpie -D_FORTIFY_SOURCE=2" >> +SECURITY_LDFLAGS = "-Wl,-z,relro,-z,now" > > Where do the flags get introduced into the actual CFLAGS and LDFLAGS? > Would it make sense to add this to the existing BUILD_OPTIMIZATION > settings.. So they would always be available, and someone could just > flip a switch to enable it? > Opps, sorry forgot to send part 2! Sau! >> + >> +#TARGET_CPPFLAGS_pn-curl += "-D_FORTIFY_SOURCE=2" >> +SECURITY_CFLAGS_pn-curl = "-fstack-protector-all -pie -fpie" >> +SECURITY_CFLAGS_pn-ppp = "-fstack-protector-all -D_FORTIFY_SOURCE=2" >> +SECURITY_CFLAGS_pn-eglibc = "" >> +SECURITY_CFLAGS_pn-eglibc-initial = "" > > I know why you don't use them on -initial, but any reason to not enable > this on 'eglibc'? If it doesn't work, it would be good to enhance > eglibc's recipe to spit out a warning and sanitize the build like it > does for -O0. > > --Mark > >> +SECURITY_CFLAGS_pn-zlib = "-fstack-protector-all -D_FORTIFY_SOURCE=2" >> +SECURITY_CFLAGS_pn-gcc-runtime = "-fstack-protector-all >> -D_FORTIFY_SOURCE=2" >> +SECURITY_CFLAGS_pn-libgcc = "-fstack-protector-all -D_FORTIFY_SOURCE=2" >> +SECURITY_CFLAGS_pn-tcl = "-fstack-protector-all -D_FORTIFY_SOURCE=2" >> +SECURITY_CFLAGS_pn-libcap = "-fstack-protector-all -D_FORTIFY_SOURCE=2" >> +SECURITY_CFLAGS_pn-python-smartpm = "-fstack-protector-all >> -D_FORTIFY_SOURCE=2" >> +SECURITY_CFLAGS_pn-python-imaging = "-fstack-protector-all >> -D_FORTIFY_SOURCE=2" >> +SECURITY_CFLAGS_pn-python-pycurl = "-fstack-protector-all >> -D_FORTIFY_SOURCE=2" >> +SECURITY_CFLAGS_pn-kexec-tools = "-fstack-protector-all >> -D_FORTIFY_SOURCE=2" >> + >> +# These flags seem to >> +SECURITY_CFLAGS_pn-pulseaudio = "-fstack-protector-all >> -D_FORTIFY_SOURCE=2" >> +SECURITY_CFLAGS_pn-ltp = "-fstack-protector-all -D_FORTIFY_SOURCE=2" >> > > _______________________________________________ > Openembedded-core mailing list > Openembedded-core@lists.openembedded.org > 
http://lists.openembedded.org/mailman/listinfo/openembedded-core > >
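Review bot: the comment `# These flags seem to` above the pulseaudio and ltp entries is cut off in the committed file; those two recipes get the same SECURITY_CFLAGS_pn override as ppp, zlib and the rest (dropping `-pie -fpie` from the default), so the comment should say what breaks with PIE for them, otherwise nobody can tell when the exception may be removed. Smaller points in the same hunk: the commented-out `#TARGET_CPPFLAGS_pn-curl += "-D_FORTIFY_SOURCE=2"` is dead and should go, and the real decision it hides, that curl's override leaves _FORTIFY_SOURCE out entirely, deserves a one-line comment instead. `-pie` is a link-stage option sitting in SECURITY_CFLAGS beside the compile-stage `-fpie`; it belongs with `-Wl,-z,relro,-z,now` in SECURITY_LDFLAGS so it still takes effect when a recipe links with LDFLAGS but not CFLAGS, which otherwise yields a non-PIE executable built from -fpie objects. `-D_FORTIFY_SOURCE=2` only does anything when optimisation is enabled, and SECURITY_CFLAGS sets no -O level itself, so note the dependency on the distro's optimisation flags. Finally, as raised above, nothing in this hunk appends SECURITY_CFLAGS or SECURITY_LDFLAGS to CFLAGS/LDFLAGS, so on its own the include is a no-op; the part that wires them in should be in the same series.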
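The useful follow-up to a distro-wide flags file is checking that the flags actually landed in the produced binaries, since per-recipe overrides, build systems that ignore CFLAGS at link time, and missing optimisation can each silently drop one of them. Below is an added example, not code from the patch or from OpenEmbedded, that inspects a little-endian ELF64 file directly (no readelf needed) and reports the evidence each flag leaves behind: ET_DYN plus PT_INTERP for `-pie`/`-fpie`, PT_GNU_RELRO and a NOW flag for `-Wl,-z,relro,-z,now`, an imported `__stack_chk_fail` for `-fstack-protector-all`, and `__*_chk` imports for `-D_FORTIFY_SOURCE=2`. The `build_sample_elf` helper constructs minimal synthetic images so the script runs offline; on a real build you would point it at files from the target sysroot or package output.

```python
import struct
import sys

# ELF constants from the System V ABI and the GNU extensions (not part of the patch).
ET_EXEC, ET_DYN = 2, 3
PT_LOAD, PT_DYNAMIC, PT_INTERP, PT_NOTE = 1, 2, 3, 4
PT_GNU_RELRO = 0x6474E552
DT_NULL, DT_STRTAB, DT_STRSZ, DT_BIND_NOW, DT_FLAGS, DT_FLAGS_1 = 0, 5, 10, 24, 30, 0x6FFFFFFB
DF_BIND_NOW, DF_1_NOW, DF_1_PIE = 0x8, 0x1, 0x08000000
EHDR, PHDR, DYN = "<16sHHIQQQIHHHHHH", "<IIQQQQQQ", "<qQ"


def check_hardening(data):
    """Report which hardening properties a little-endian ELF64 image carries.

    pie: ET_DYN with PT_INTERP (or DF_1_PIE)       relro/bind_now: PT_GNU_RELRO + a NOW flag
    stack_protector: __stack_chk_fail imported     fortify: __*_chk variants imported
    """
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("only little-endian ELF64 images are handled by this example")
    (_, e_type, _, _, _, e_phoff, _, _, _, e_phentsize, e_phnum, _, _, _) = struct.unpack_from(EHDR, data, 0)
    phdrs = [struct.unpack_from(PHDR, data, e_phoff + i * e_phentsize) for i in range(e_phnum)]
    types = {p[0] for p in phdrs}

    def vaddr_to_offset(addr):
        # Translate a virtual address to a file offset via the PT_LOAD segment that maps it.
        for p_type, _, off, vaddr, _, filesz, _, _ in phdrs:
            if p_type == PT_LOAD and vaddr <= addr < vaddr + filesz:
                return addr - vaddr + off
        raise ValueError("address not backed by any PT_LOAD segment")

    dyn = {}
    for p_type, _, off, _, _, filesz, _, _ in phdrs:
        if p_type == PT_DYNAMIC:
            for pos in range(off, off + filesz, 16):
                tag, val = struct.unpack_from(DYN, data, pos)
                if tag == DT_NULL:
                    break
                dyn[tag] = val
    names = set()
    if DT_STRTAB in dyn and DT_STRSZ in dyn:
        start = vaddr_to_offset(dyn[DT_STRTAB])
        names = set(data[start:start + dyn[DT_STRSZ]].split(b"\0"))
    flags, flags_1 = dyn.get(DT_FLAGS, 0), dyn.get(DT_FLAGS_1, 0)
    return {
        "pie": e_type == ET_DYN and (PT_INTERP in types or bool(flags_1 & DF_1_PIE)),
        "relro": PT_GNU_RELRO in types,
        "bind_now": DT_BIND_NOW in dyn or bool(flags & DF_BIND_NOW) or bool(flags_1 & DF_1_NOW),
        "stack_protector": b"__stack_chk_fail" in names,
        "fortify": any(n.endswith(b"_chk") and n != b"__stack_chk_fail" for n in names),
    }


def build_sample_elf(pie, relro, bind_now, imported):
    """Constructed minimal ELF64 image with the requested properties (a fixture, not a real binary)."""
    strtab = b"\0" + b"\0".join(imported) + b"\0"
    strtab_off = struct.calcsize(EHDR) + 4 * struct.calcsize(PHDR)
    dyn_off = strtab_off + len(strtab) + (-(strtab_off + len(strtab)) % 8)
    entries = [(DT_STRTAB, strtab_off), (DT_STRSZ, len(strtab))]
    if bind_now:
        entries.append((DT_FLAGS_1, DF_1_NOW))
    entries.append((DT_NULL, 0))
    dyn = b"".join(struct.pack(DYN, tag, val) for tag, val in entries)
    total = dyn_off + len(dyn)
    # One PT_LOAD maps the whole file at vaddr 0, so vaddr == file offset; unused slots are PT_NOTE.
    phdrs = [
        (PT_LOAD, 5, 0, 0, 0, total, total, 0x1000),
        (PT_DYNAMIC, 6, dyn_off, dyn_off, dyn_off, len(dyn), len(dyn), 8),
        (PT_INTERP if pie else PT_NOTE, 4, 0, 0, 0, 0, 0, 1),
        (PT_GNU_RELRO if relro else PT_NOTE, 4, 0, 0, 0, 0, 0, 1),
    ]
    ident = b"\x7fELF" + bytes([2, 1, 1]) + b"\0" * 9  # ELF64, little-endian, version 1
    image = struct.pack(EHDR, ident, ET_DYN if pie else ET_EXEC, 62, 1, 0, struct.calcsize(EHDR), 0, 0,
                        struct.calcsize(EHDR), struct.calcsize(PHDR), len(phdrs), 64, 0, 0)
    image += b"".join(struct.pack(PHDR, *p) for p in phdrs) + strtab
    return image + b"\0" * (dyn_off - len(image)) + dyn


if __name__ == "__main__":
    # With no arguments, demonstrate on the constructed images; otherwise check the given ELF files.
    if len(sys.argv) == 1:
        print("hardened:", check_hardening(build_sample_elf(True, True, True, [b"__stack_chk_fail", b"__memcpy_chk"])))
        print("unhardened:", check_hardening(build_sample_elf(False, False, False, [b"memcpy"])))
    for path in sys.argv[1:]:
        with open(path, "rb") as f:
            print(path, check_hardening(f.read()))
```

The two symbol-based checks are evidence, not proof: a binary only imports `__stack_chk_fail` if at least one function got a canary, and `__*_chk` calls only appear when the compiler could fortify a call, which additionally requires optimisation to be on. A clean result on those two therefore means the flags were honoured somewhere in the object files; an absent symbol in a program that clearly has buffers and calls to memcpy or sprintf is the signal that a recipe override or a build system dropped them.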