[yocto] binutils failing in FIDO branch

Martin Townsend mtownsend1973 at gmail.com
Tue Nov 10 05:20:39 PST 2015


And I also found this link
https://www.yoctoproject.org/blogs/andrei-dinu/2013/meta-security-layer-now-available
which looks promising. :)

On Tue, Nov 10, 2015 at 11:40 AM, Paul Eggleton <paul.eggleton at linux.intel.com> wrote:

> About all I know that we do have (in the manual at least) is contained in
> this section:
>
> http://www.yoctoproject.org/docs/current/dev-manual/dev-manual.html#making-images-more-secure
>
> It's not a lot but it's something. (If anyone has any ideas on how to
> extend this area we'd appreciate the input.)
>
> Cheers,
> Paul
>
> On Tuesday 10 November 2015 11:17:31 Martin Townsend wrote:
> > Hi Paul,
> >
> > meta/conf/distro/include/security_flags.inc is much better than a blanket
> > change of compiler flags.  Thanks for the tip.  Are there any other
> > tips/web pages on Security or Linux hardening using Yocto?
> >
> > Cheers,
> > Martin.
> >
> >
> > On Mon, Nov 9, 2015 at 11:06 PM, Paul Eggleton <paul.eggleton at linux.intel.com> wrote:
> > > On Monday 09 November 2015 22:32:59 Martin Townsend wrote:
> > > > My issue is particular to my distro, I tried changing to poky and all
> > > > was well.  The reason for our own distro was to migrate from Arago
> > > > which we were using.  So I copied Arago into a separate distro and
> > > > then started morphing it into something more akin to Poky over time.
> > > > Alas I left the following line in the distro conf, one which should
> > > > have been removed :(
> > > >
> > > > # Enable basic stack and buffer overflow protections
> > > > TARGET_CPPFLAGS += "-fstack-protector -D_FORTIFY_SOURCE=1"
> > > >
> > > > After commenting this out binutils for the target builds fine.  I'm
> > > > guessing that for libiberty CPPFLAGS propagates into configure or
> > > > makefile in the binutils recipe which then fails one of its config
> > > > checks and because of this fails to set HAVE_LIMITS and a few others
> > > > no doubt.
> > > >
> > > > Many apologies for leading you on a wild goose chase, I don't know if
> > > > there is anything you can do so others don't fall foul of this.  Is
> > > > setting TARGET_CPPFLAGS or TARGET_CFLAGS for that matter useful in
> > > > configuration files??  If so, maybe making sure they are reverted for
> > > > building binutils??
> > >
> > > I'm assuming you could do something like:
> > >
> > > TARGET_CPPFLAGS += "${MY_EXTRAFLAGS}"
> > > MY_EXTRAFLAGS = "-fstack-protector -D_FORTIFY_SOURCE=1"
> > > MY_EXTRAFLAGS_pn-binutils = ""
> > >
> > > FYI we do have meta/conf/distro/include/security_flags.inc to apply
> > > these two flags, but interestingly there's no mention of binutils in
> > > there.
> > >
> > > > Thanks for all the help and maybe it's time we moved over to Poky :)
> > >
> > > Well, there's nothing forcing you to use poky - it's a reference
> > > distribution; the assumption is usually that you'll want to change
> > > something at the distribution level at which point you've effectively
> > > created your own distro.
> > >
> > > Cheers,
> > > Paul
> > >
> > > --
> > >
> > > Paul Eggleton
> > > Intel Open Source Technology Centre
>
> --
>
> Paul Eggleton
> Intel Open Source Technology Centre
>