[yocto] binutils failing in FIDO branch

Martin Townsend mtownsend1973 at gmail.com
Tue Nov 10 03:17:31 PST 2015 

Hi Paul,

meta/conf/distro/include/security_flags.inc is much better than a blanket
change of compiler flags.  Thanks for the tip.  Are there any other
tips/web pages on Security or Linux hardening using Yocto?

Cheers,
Martin.


On Mon, Nov 9, 2015 at 11:06 PM, Paul Eggleton <
paul.eggleton at linux.intel.com> wrote:

> On Monday 09 November 2015 22:32:59 Martin Townsend wrote:
> > My issue is particular to my distro, I tried changing to poky and all was
> > well.  The reason for our own distro was to migrate from Arago which we
> > were using.  So I copied Arago into a separate distro and then started
> > morphing it into something more akin to Poky over time.  Alas I left the
> > following line in the distro conf, one which should have removed :(
> >
> > # Enable basic stack and buffer overflow protections
> > TARGET_CPPFLAGS += "-fstack-protector -D_FORTIFY_SOURCE=1"
> >
> > After commenting this out binutils for the target builds fine.  I'm
> > guesssing that for libiberty CPPFLAGS propogates into configure or
> makefile
> > in the binutils recipe which then fails one of it's config checks and
> > because of this fails to set HAVE_LIMITS and a few others no doubt.
> >
> > Many apologies for leading you on a wild goose chase, I don't know if
> there
> > is anything you can do so others don't fall foul of this.  Is setting
> > TARGET_CPPFLAGS or TARGET_CFLAGS for that matter useful in configuration
> > files??  If so, maybe making sure they are reverted for building
> binutils??
>
> I'm assuming you could do something like:
>
> TARGET_CPPFLAGS += "${MY_EXTRAFLAGS}"
> MY_EXTRAFLAGS = "-fstack-protector -D_FORTIFY_SOURCE=1"
> MY_EXTRAFLAGS_pn-binutils = ""
>
> FYI we do have meta/conf/distro/include/security_flags.inc to apply these
> two
> flags, but interestingly there's no mention of binutils in there.
>
> > Thanks for all the help and maybe it's time we moved over to Poky :)
>
> Well, there's nothing forcing you to use poky - it's a reference
> distribution;
> the assumption is usually that you'll want to change something at the
> distribution level at which point you've effectively created your own
> distro.
>
> Cheers,
> Paul
>
> --
>
> Paul Eggleton
> Intel Open Source Technology Centre
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.yoctoproject.org/pipermail/yocto/attachments/20151110/9cab59fd/attachment.html>

More information about the yocto mailing list