* [PATCH v3] security_flags: Add the compiler and linker flags that enhance security
@ 2013-06-28 22:08 Saul Wold
2013-06-28 22:22 ` Khem Raj
2013-07-02 10:36 ` Burton, Ross
0 siblings, 2 replies; 4+ messages in thread
From: Saul Wold @ 2013-06-28 22:08 UTC (permalink / raw)
To: openembedded-core
These flags add addition checks at compile, link and runtime to prevent
stack smashing, checking for buffer overflows, and link at program start
to prevent call spoofing later.
This needs to be explicitly enabled by adding the following line to your
local.conf:
require conf/distro/include/security_flags.inc
[YOCTO #3868]
Signed-off-by: Saul Wold <sgw@linux.intel.com>
---
meta/conf/distro/include/security_flags.inc | 26 ++++++++++++++++++++++++++
1 file changed, 26 insertions(+)
create mode 100644 meta/conf/distro/include/security_flags.inc
diff --git a/meta/conf/distro/include/security_flags.inc b/meta/conf/distro/include/security_flags.inc
new file mode 100644
index 0000000..7a7ab52
--- /dev/null
+++ b/meta/conf/distro/include/security_flags.inc
@@ -0,0 +1,26 @@
+SECURITY_CFLAGS = "-fstack-protector-all -pie -fpie -D_FORTIFY_SOURCE=2"
+SECURITY_LDFLAGS = "-Wl,-z,relro,-z,now"
+
+# Curl seems to check for FORTIFY_SOURCE in CFLAGS, but even assigned
+# to CPPFLAGS it gets picked into CFLAGS in bitbake.
+#TARGET_CPPFLAGS_pn-curl += "-D_FORTIFY_SOURCE=2"
+SECURITY_CFLAGS_pn-curl = "-fstack-protector-all -pie -fpie"
+SECURITY_CFLAGS_pn-ppp = "-fstack-protector-all -D_FORTIFY_SOURCE=2"
+SECURITY_CFLAGS_pn-eglibc = ""
+SECURITY_CFLAGS_pn-eglibc-initial = ""
+SECURITY_CFLAGS_pn-zlib = "-fstack-protector-all -D_FORTIFY_SOURCE=2"
+SECURITY_CFLAGS_pn-gcc-runtime = "-fstack-protector-all -D_FORTIFY_SOURCE=2"
+SECURITY_CFLAGS_pn-libgcc = "-fstack-protector-all -D_FORTIFY_SOURCE=2"
+SECURITY_CFLAGS_pn-tcl = "-fstack-protector-all -D_FORTIFY_SOURCE=2"
+SECURITY_CFLAGS_pn-libcap = "-fstack-protector-all -D_FORTIFY_SOURCE=2"
+SECURITY_CFLAGS_pn-python-smartpm = "-fstack-protector-all -D_FORTIFY_SOURCE=2"
+SECURITY_CFLAGS_pn-python-imaging = "-fstack-protector-all -D_FORTIFY_SOURCE=2"
+SECURITY_CFLAGS_pn-python-pycurl = "-fstack-protector-all -D_FORTIFY_SOURCE=2"
+SECURITY_CFLAGS_pn-kexec-tools = "-fstack-protector-all -D_FORTIFY_SOURCE=2"
+
+# These 2 have text relco errors with the pie options enabled
+SECURITY_CFLAGS_pn-pulseaudio = "-fstack-protector-all -D_FORTIFY_SOURCE=2"
+SECURITY_CFLAGS_pn-ltp = "-fstack-protector-all -D_FORTIFY_SOURCE=2"
+
+TARGET_CFLAGS_append = " ${SECURITY_CFLAGS}"
+TARGET_LDFLAGS_append = " ${SECURITY_LDFLAGS}"
--
1.8.1.4
^ permalink raw reply related [flat|nested] 4+ messages in thread* Re: [PATCH v3] security_flags: Add the compiler and linker flags that enhance security
2013-06-28 22:08 [PATCH v3] security_flags: Add the compiler and linker flags that enhance security Saul Wold
@ 2013-06-28 22:22 ` Khem Raj
2013-07-02 10:36 ` Burton, Ross
1 sibling, 0 replies; 4+ messages in thread
From: Khem Raj @ 2013-06-28 22:22 UTC (permalink / raw)
To: Saul Wold; +Cc: openembedded-core
On Jun 28, 2013, at 3:08 PM, Saul Wold <sgw@linux.intel.com> wrote:
> These flags add addition checks at compile, link and runtime to prevent
> stack smashing, checking for buffer overflows, and link at program start
> to prevent call spoofing later.
>
> This needs to be explicitly enabled by adding the following line to your
> local.conf:
>
> require conf/distro/include/security_flags.inc
>
> [YOCTO #3868]
>
> Signed-off-by: Saul Wold <sgw@linux.intel.com>
> ---
> meta/conf/distro/include/security_flags.inc | 26 ++++++++++++++++++++++++++
> 1 file changed, 26 insertions(+)
> create mode 100644 meta/conf/distro/include/security_flags.inc
>
> diff --git a/meta/conf/distro/include/security_flags.inc b/meta/conf/distro/include/security_flags.inc
> new file mode 100644
> index 0000000..7a7ab52
> --- /dev/null
> +++ b/meta/conf/distro/include/security_flags.inc
> @@ -0,0 +1,26 @@
> +SECURITY_CFLAGS = "-fstack-protector-all -pie -fpie -D_FORTIFY_SOURCE=2"
> +SECURITY_LDFLAGS = "-Wl,-z,relro,-z,now"
these should be weak assignments (?=) I think
> +
> +# Curl seems to check for FORTIFY_SOURCE in CFLAGS, but even assigned
> +# to CPPFLAGS it gets picked into CFLAGS in bitbake.
> +#TARGET_CPPFLAGS_pn-curl += "-D_FORTIFY_SOURCE=2"
> +SECURITY_CFLAGS_pn-curl = "-fstack-protector-all -pie -fpie"
> +SECURITY_CFLAGS_pn-ppp = "-fstack-protector-all -D_FORTIFY_SOURCE=2"
> +SECURITY_CFLAGS_pn-eglibc = ""
> +SECURITY_CFLAGS_pn-eglibc-initial = ""
> +SECURITY_CFLAGS_pn-zlib = "-fstack-protector-all -D_FORTIFY_SOURCE=2"
> +SECURITY_CFLAGS_pn-gcc-runtime = "-fstack-protector-all -D_FORTIFY_SOURCE=2"
> +SECURITY_CFLAGS_pn-libgcc = "-fstack-protector-all -D_FORTIFY_SOURCE=2"
> +SECURITY_CFLAGS_pn-tcl = "-fstack-protector-all -D_FORTIFY_SOURCE=2"
> +SECURITY_CFLAGS_pn-libcap = "-fstack-protector-all -D_FORTIFY_SOURCE=2"
> +SECURITY_CFLAGS_pn-python-smartpm = "-fstack-protector-all -D_FORTIFY_SOURCE=2"
> +SECURITY_CFLAGS_pn-python-imaging = "-fstack-protector-all -D_FORTIFY_SOURCE=2"
> +SECURITY_CFLAGS_pn-python-pycurl = "-fstack-protector-all -D_FORTIFY_SOURCE=2"
> +SECURITY_CFLAGS_pn-kexec-tools = "-fstack-protector-all -D_FORTIFY_SOURCE=2"
> +
> +# These 2 have text relco errors with the pie options enabled
> +SECURITY_CFLAGS_pn-pulseaudio = "-fstack-protector-all -D_FORTIFY_SOURCE=2"
> +SECURITY_CFLAGS_pn-ltp = "-fstack-protector-all -D_FORTIFY_SOURCE=2"
> +
> +TARGET_CFLAGS_append = " ${SECURITY_CFLAGS}"
> +TARGET_LDFLAGS_append = " ${SECURITY_LDFLAGS}"
> --
> 1.8.1.4
>
> _______________________________________________
> Openembedded-core mailing list
> Openembedded-core@lists.openembedded.org
> http://lists.openembedded.org/mailman/listinfo/openembedded-core
^ permalink raw reply [flat|nested] 4+ messages in thread* Re: [PATCH v3] security_flags: Add the compiler and linker flags that enhance security
2013-06-28 22:08 [PATCH v3] security_flags: Add the compiler and linker flags that enhance security Saul Wold
2013-06-28 22:22 ` Khem Raj
@ 2013-07-02 10:36 ` Burton, Ross
2013-07-02 14:38 ` Saul Wold
1 sibling, 1 reply; 4+ messages in thread
From: Burton, Ross @ 2013-07-02 10:36 UTC (permalink / raw)
To: Saul Wold; +Cc: openembedded-core
On 28 June 2013 23:08, Saul Wold <sgw@linux.intel.com> wrote:
> These flags add addition checks at compile, link and runtime to prevent
> stack smashing, checking for buffer overflows, and link at program start
> to prevent call spoofing later.
>
> This needs to be explicitly enabled by adding the following line to your
> local.conf:
>
> require conf/distro/include/security_flags.inc
Will we be enabling this in Poky?
Ross
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: [PATCH v3] security_flags: Add the compiler and linker flags that enhance security
2013-07-02 10:36 ` Burton, Ross
@ 2013-07-02 14:38 ` Saul Wold
0 siblings, 0 replies; 4+ messages in thread
From: Saul Wold @ 2013-07-02 14:38 UTC (permalink / raw)
To: Burton, Ross; +Cc: openembedded-core
On 07/02/2013 03:36 AM, Burton, Ross wrote:
> On 28 June 2013 23:08, Saul Wold <sgw@linux.intel.com> wrote:
>> These flags add addition checks at compile, link and runtime to prevent
>> stack smashing, checking for buffer overflows, and link at program start
>> to prevent call spoofing later.
>>
>> This needs to be explicitly enabled by adding the following line to your
>> local.conf:
>>
>> require conf/distro/include/security_flags.inc
>
> Will we be enabling this in Poky?
>
No we will not enable by default, but we will do builds with them
enabled regularly to test for build failures. They add overhead both in
binary size and performance.
Sau!
> Ross
>
>
^ permalink raw reply [flat|nested] 4+ messages in thread
end of thread, other threads:[~2013-07-02 14:38 UTC | newest]
Thread overview: 4+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2013-06-28 22:08 [PATCH v3] security_flags: Add the compiler and linker flags that enhance security Saul Wold
2013-06-28 22:22 ` Khem Raj
2013-07-02 10:36 ` Burton, Ross
2013-07-02 14:38 ` Saul Wold
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox