[yocto] binutils failing in FIDO branch
Paul Eggleton
paul.eggleton at linux.intel.com
Tue Nov 10 03:40:02 PST 2015
About all I know that we do have (in the manual at least) is contained in this
section:
http://www.yoctoproject.org/docs/current/dev-manual/dev-manual.html#making-images-more-secure
It's not a lot but it's something. (If anyone has any ideas on how to extend
this area we'd appreciate the input.)
Cheers,
Paul
On Tuesday 10 November 2015 11:17:31 Martin Townsend wrote:
> Hi Paul,
>
> meta/conf/distro/include/security_flags.inc is much better than a blanket
> change of compiler flags. Thanks for the tip. Are there any other
> tips/web pages on Security or Linux hardening using Yocto?
>
> Cheers,
> Martin.
>
>
> On Mon, Nov 9, 2015 at 11:06 PM, Paul Eggleton <paul.eggleton at linux.intel.com> wrote:
> > On Monday 09 November 2015 22:32:59 Martin Townsend wrote:
> > > My issue is particular to my distro, I tried changing to poky and all was
> > > well. The reason for our own distro was to migrate from Arago which we
> > > were using. So I copied Arago into a separate distro and then started
> > > morphing it into something more akin to Poky over time. Alas I left the
> > > following line in the distro conf, one which I should have removed :(
> > >
> > > # Enable basic stack and buffer overflow protections
> > > TARGET_CPPFLAGS += "-fstack-protector -D_FORTIFY_SOURCE=1"
> > >
> > > After commenting this out binutils for the target builds fine. I'm
> > > guessing that for libiberty CPPFLAGS propagates into configure or makefile
> > > in the binutils recipe which then fails one of its config checks and
> > > because of this fails to set HAVE_LIMITS and a few others no doubt.
> > >
> > > Many apologies for leading you on a wild goose chase, I don't know if there
> > > is anything you can do so others don't fall foul of this. Is setting
> > > TARGET_CPPFLAGS or TARGET_CFLAGS for that matter useful in configuration
> > > files?? If so, maybe making sure they are reverted for building binutils??
> >
> > I'm assuming you could do something like:
> >
> > TARGET_CPPFLAGS += "${MY_EXTRAFLAGS}"
> > MY_EXTRAFLAGS = "-fstack-protector -D_FORTIFY_SOURCE=1"
> > MY_EXTRAFLAGS_pn-binutils = ""
> >
> > FYI we do have meta/conf/distro/include/security_flags.inc to apply these two
> > flags, but interestingly there's no mention of binutils in there.
> >
> > > Thanks for all the help and maybe it's time we moved over to Poky :)
> >
> > Well, there's nothing forcing you to use poky - it's a reference distribution;
> > the assumption is usually that you'll want to change something at the
> > distribution level at which point you've effectively created your own
> > distro.
> >
> > Cheers,
> > Paul
> >
> > --
> >
> > Paul Eggleton
> > Intel Open Source Technology Centre
--
Paul Eggleton
Intel Open Source Technology Centre
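
Added example, not part of the original messages or of the Yocto Project's own tooling: a shell check that a per-recipe opt-out like the one suggested in the thread took effect, by reading the final TARGET_CPPFLAGS from `bitbake -e <recipe>` output. The function names, the sample recipe name busybox and the embedded sample output are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): audit the TARGET_CPPFLAGS a recipe
# resolves to, reading the text printed by `bitbake -e <recipe>` on stdin.

# final_value VAR: print the last VAR="..." assignment seen on stdin.
final_value() {
    sed -n "s/^\(export \)\{0,1\}$1=\"\(.*\)\"\$/\2/p" | tail -n 1
}

# has_flag FLAGS FLAG: whole-word match, so -fstack-protector-all does not
# count as -fstack-protector.
has_flag() {
    case " $1 " in *" $2 "*) return 0 ;; *) return 1 ;; esac
}

# audit_flags RECIPE on|off: succeed only if both flags from the thread are
# all present (on) or all absent (off) in the recipe's TARGET_CPPFLAGS.
audit_flags() {
    flags=$(final_value TARGET_CPPFLAGS)
    status=ok
    for f in -fstack-protector -D_FORTIFY_SOURCE=1; do
        if has_flag "$flags" "$f"; then present=on; else present=off; fi
        [ "$present" = "$2" ] || status=MISMATCH
    done
    echo "$1: expected=$2 status=$status TARGET_CPPFLAGS=\"$flags\""
    [ "$status" = ok ]
}

# Constructed samples of `bitbake -e` output (history comments shortened).
sample_hardened() {
    cat <<'EOF'
# $TARGET_CPPFLAGS [2 operations]
TARGET_CPPFLAGS=" -fstack-protector -D_FORTIFY_SOURCE=1"
EOF
}
sample_binutils() {
    cat <<'EOF'
# $TARGET_CPPFLAGS [2 operations]
TARGET_CPPFLAGS=" "
EOF
}

# Real use: bitbake -e binutils | audit_flags binutils off
sample_hardened | audit_flags busybox on
sample_binutils | audit_flags binutils off
```

A non-zero exit from audit_flags means a recipe either lost hardening it should have kept or still carries flags it was meant to be exempt from.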