[yocto] binutils failing in FIDO branch

Paul Eggleton paul.eggleton at linux.intel.com
Tue Nov 10 05:51:38 PST 2015


Right, there's a link to that layer in the manual section as well.

Cheers,
Paul

On Tuesday 10 November 2015 13:20:39 Martin Townsend wrote:
> And I also found this link
> https://www.yoctoproject.org/blogs/andrei-dinu/2013/meta-security-layer-now-available
> which looks promising. :)
> 
> On Tue, Nov 10, 2015 at 11:40 AM, Paul Eggleton <paul.eggleton at linux.intel.com> wrote:
> > About all I know that we do have (in the manual at least) is contained in
> > this section:
> > 
> > http://www.yoctoproject.org/docs/current/dev-manual/dev-manual.html#making-images-more-secure
> > 
> > It's not a lot but it's something. (If anyone has any ideas on how to extend
> > this area we'd appreciate the input.)
> > 
> > Cheers,
> > Paul
> > 
> > On Tuesday 10 November 2015 11:17:31 Martin Townsend wrote:
> > > Hi Paul,
> > > 
> > > meta/conf/distro/include/security_flags.inc is much better than a blanket
> > > change of compiler flags.  Thanks for the tip.  Are there any other
> > > tips/web pages on Security or Linux hardening using Yocto?
> > > 
> > > Cheers,
> > > Martin.
> > > 
> > > 
> > > On Mon, Nov 9, 2015 at 11:06 PM, Paul Eggleton <paul.eggleton at linux.intel.com> wrote:
> > > > On Monday 09 November 2015 22:32:59 Martin Townsend wrote:
> > > > > My issue is particular to my distro, I tried changing to poky and all was
> > > > > well.  The reason for our own distro was to migrate from Arago which we
> > > > > were using.  So I copied Arago into a separate distro and then started
> > > > > morphing it into something more akin to Poky over time.  Alas I left the
> > > > > following line in the distro conf, one which should have been removed :(
> > > > > 
> > > > > # Enable basic stack and buffer overflow protections
> > > > > TARGET_CPPFLAGS += "-fstack-protector -D_FORTIFY_SOURCE=1"
> > > > > 
> > > > > After commenting this out binutils for the target builds fine.  I'm
> > > > > guessing that for libiberty CPPFLAGS propagates into configure or makefile
> > > > > in the binutils recipe which then fails one of its config checks and
> > > > > because of this fails to set HAVE_LIMITS and a few others no doubt.
> > > > > 
> > > > > Many apologies for leading you on a wild goose chase, I don't know if there
> > > > > is anything you can do so others don't fall foul of this.  Is setting
> > > > > TARGET_CPPFLAGS or TARGET_CFLAGS for that matter useful in configuration
> > > > > files??  If so, maybe making sure they are reverted for building binutils??
> > > > 
> > > > I'm assuming you could do something like:
> > > > 
> > > > TARGET_CPPFLAGS += "${MY_EXTRAFLAGS}"
> > > > MY_EXTRAFLAGS = "-fstack-protector -D_FORTIFY_SOURCE=1"
> > > > MY_EXTRAFLAGS_pn-binutils = ""
> > > > 
> > > > FYI we do have meta/conf/distro/include/security_flags.inc to apply these two
> > > > flags, but interestingly there's no mention of binutils in there.
> > > > 
> > > > > Thanks for all the help and maybe it's time we moved over to Poky :)
> > > > 
> > > > Well, there's nothing forcing you to use poky - it's a reference distribution;
> > > > the assumption is usually that you'll want to change something at the
> > > > distribution level at which point you've effectively created your own distro.
> > > > 
> > > > Cheers,
> > > > Paul
> > > > 
> > > > --
> > > > 
> > > > Paul Eggleton
> > > > Intel Open Source Technology Centre
> > 
> > --
> > 
> > Paul Eggleton
> > Intel Open Source Technology Centre

-- 

Paul Eggleton
Intel Open Source Technology Centre


