[yocto] binutils failing in FIDO branch

Paul Eggleton paul.eggleton at linux.intel.com
Tue Nov 10 03:40:02 PST 2015


About all I know that we do have (in the manual at least) is contained in this 
section:

http://www.yoctoproject.org/docs/current/dev-manual/dev-manual.html#making-images-more-secure

It's not a lot but it's something. (If anyone has any ideas on how to extend 
this area we'd appreciate the input.)

Cheers,
Paul

On Tuesday 10 November 2015 11:17:31 Martin Townsend wrote:
> Hi Paul,
> 
> meta/conf/distro/include/security_flags.inc is much better than a blanket
> change of compiler flags.  Thanks for the tip.  Are there any other
> tips/web pages on Security or Linux hardening using Yocto?
> 
> Cheers,
> Martin.
> 
> 
> On Mon, Nov 9, 2015 at 11:06 PM, Paul Eggleton <paul.eggleton at linux.intel.com> wrote:
> > On Monday 09 November 2015 22:32:59 Martin Townsend wrote:
> > > My issue is particular to my distro, I tried changing to poky and all
> > > was well.  The reason for our own distro was to migrate from Arago which
> > > we were using.  So I copied Arago into a separate distro and then started
> > > morphing it into something more akin to Poky over time.  Alas I left the
> > > following line in the distro conf, one which I should have removed :(
> > > 
> > > # Enable basic stack and buffer overflow protections
> > > TARGET_CPPFLAGS += "-fstack-protector -D_FORTIFY_SOURCE=1"
> > > 
> > > After commenting this out binutils for the target builds fine.  I'm
> > > guessing that for libiberty CPPFLAGS propagates into configure or
> > > makefile in the binutils recipe which then fails one of its config
> > > checks and because of this fails to set HAVE_LIMITS and a few others no
> > > doubt.
> > > 
> > > Many apologies for leading you on a wild goose chase, I don't know if
> > > there is anything you can do so others don't fall foul of this.  Is
> > > setting TARGET_CPPFLAGS or TARGET_CFLAGS for that matter useful in
> > > configuration files??  If so, maybe making sure they are reverted for
> > > building binutils??
> > 
> > I'm assuming you could do something like:
> > 
> > TARGET_CPPFLAGS += "${MY_EXTRAFLAGS}"
> > MY_EXTRAFLAGS = "-fstack-protector -D_FORTIFY_SOURCE=1"
> > MY_EXTRAFLAGS_pn-binutils = ""
> > 
> > FYI we do have meta/conf/distro/include/security_flags.inc to apply these
> > two flags, but interestingly there's no mention of binutils in there.
> > 
> > > Thanks for all the help and maybe it's time we moved over to Poky :)
> > 
> > Well, there's nothing forcing you to use poky - it's a reference
> > distribution; the assumption is usually that you'll want to change
> > something at the distribution level at which point you've effectively
> > created your own distro.
> > 
> > Cheers,
> > Paul
> > 
> > --
> > 
> > Paul Eggleton
> > Intel Open Source Technology Centre

-- 

Paul Eggleton
Intel Open Source Technology Centre
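
Once flags such as -fstack-protector and -D_FORTIFY_SOURCE are applied per recipe (with exemptions like the pn-binutils override quoted above), it is worth checking which target binaries actually picked them up. The script below is an added example, not part of the original thread or of the Yocto Project; it assumes binutils' readelf is on the build host's PATH and that the image rootfs directory is passed as the first argument, and the sample symbol table is constructed.

```python
"""Look for stack-protector and _FORTIFY_SOURCE evidence in target ELF files."""
import re
import subprocess
import sys
from pathlib import Path

# One row of `readelf -W --dyn-syms`: Num: Value Size Type Bind Vis Ndx Name
ROW = re.compile(r"^\s*\d+:\s+[0-9a-f]+\s+\S+\s+\S+\s+\S+\s+\S+\s+(\S+)\s+(\S+)")
# libc calls that get a __<name>_chk variant when _FORTIFY_SOURCE takes effect
FORTIFIABLE = {"memcpy", "memmove", "memset", "strcpy", "strncpy", "strcat",
               "strncat", "sprintf", "snprintf", "vsprintf", "fgets", "read"}
# Constructed sample of readelf output (not taken from a real build)
SAMPLE = """\
   Num:    Value  Size Type    Bind   Vis      Ndx Name
     1: 00000000     0 FUNC    GLOBAL DEFAULT  UND __stack_chk_fail@GLIBC_2.4 (2)
     2: 00000000     0 FUNC    GLOBAL DEFAULT  UND __memcpy_chk@GLIBC_2.4 (2)
     3: 00000000     0 FUNC    GLOBAL DEFAULT  UND strcpy@GLIBC_2.4 (2)
     4: 00010a3c    52 FUNC    GLOBAL DEFAULT   12 main
"""

def classify(dynsyms: str) -> dict:
    """Classify one binary from the text of its dynamic symbol table."""
    imports = set()
    for line in dynsyms.splitlines():
        m = ROW.match(line)
        if m and m.group(1) == "UND":  # undefined here = imported from a library
            imports.add(m.group(2).split("@")[0])  # drop the @GLIBC_x.y suffix
    checked = {s[2:-4] for s in imports if s.startswith("__") and s.endswith("_chk")}
    return {"stack_protector": "__stack_chk_fail" in imports,
            "fortified": sorted(checked),
            "unfortified": sorted((imports & FORTIFIABLE) - checked)}

def audit(rootfs: str) -> dict:
    """Classify every ELF file under rootfs (needs binutils' readelf on PATH)."""
    results = {}
    for path in Path(rootfs).rglob("*"):
        if path.is_symlink() or not path.is_file():
            continue
        with open(path, "rb") as fh:
            is_elf = fh.read(4) == b"\x7fELF"
        if is_elf:
            out = subprocess.run(["readelf", "-W", "--dyn-syms", str(path)],
                                 capture_output=True, text=True).stdout
            results[str(path)] = classify(out)
    return results

if __name__ == "__main__":
    found = audit(sys.argv[1]) if len(sys.argv) > 1 else {"SAMPLE": classify(SAMPLE)}
    for name, info in sorted(found.items()):
        print(name, info)
```

A missing marker is not proof that the flag was dropped: -fstack-protector only instruments functions with local buffers, and _FORTIFY_SOURCE only takes effect when optimization is enabled.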


