On 2018-09-04 00:30, Khem Raj wrote:
On Mon, Sep 3, 2018 at 6:31 AM Hongxu Jia <[email protected]> wrote:
The `-fstack-protector-***' option should be passed to gcc rather than to the linker.
Since `4ca946c security_flags: use -fstack-protector-strong', it has been
added to LDFLAGS; although no extra build failure is introduced,
it is still unnecessary (`-Wl,**' is for the linker).

There are cases where CFLAGS is not combined into LDFLAGS by package
component builds, which creates the disjoint. If we remove this here, then that will
start to show up. Remember that we do
not configure toolchains to provide the hardening flags by default as
yet, so we have to be explicit.
Do you see issues with the current settings?

Yes, I know a recipe (libsign in meta-secure-core) that checks LDFLAGS for `-Wl,***',
and it failed with `-fstack-protector-strong'; our Wind River Linux
had to maintain a list of `SECURITY_LDFLAGS_remove_pn-*** = "-fstack-protector-strong"'
for non-oe-core layers.

I know some recipes may not combine CFLAGS into their build, but
we should investigate some way, like `-Wl,--hash-style=gnu', to check
LDFLAGS for CFLAGS and emit a warning to figure it out.

//Hongxu

Reported-by: Lans Zhang <https://github.com/jiazhang0>

Signed-off-by: Hongxu Jia <[email protected]>
---
  meta/conf/distro/include/security_flags.inc | 4 ++--
  1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/meta/conf/distro/include/security_flags.inc 
b/meta/conf/distro/include/security_flags.inc
index 620978a..362b1db 100644
--- a/meta/conf/distro/include/security_flags.inc
+++ b/meta/conf/distro/include/security_flags.inc
@@ -26,8 +26,8 @@ SECURITY_STACK_PROTECTOR ?= "-fstack-protector-strong"
  SECURITY_CFLAGS ?= "${SECURITY_STACK_PROTECTOR} ${SECURITY_PIE_CFLAGS} 
${lcl_maybe_fortify} ${SECURITY_STRINGFORMAT}"
  SECURITY_NO_PIE_CFLAGS ?= "${SECURITY_STACK_PROTECTOR} ${lcl_maybe_fortify} 
${SECURITY_STRINGFORMAT}"

-SECURITY_LDFLAGS ?= "${SECURITY_STACK_PROTECTOR} -Wl,-z,relro,-z,now"
-SECURITY_X_LDFLAGS ?= "${SECURITY_STACK_PROTECTOR} -Wl,-z,relro"
+SECURITY_LDFLAGS ?= "-Wl,-z,relro,-z,now"
+SECURITY_X_LDFLAGS ?= "-Wl,-z,relro"

  # powerpc does not get on with pie for reasons not looked into as yet
  GCCPIE_powerpc = ""
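Review bot: the hunk removes ${SECURITY_STACK_PROTECTOR} from both SECURITY_LDFLAGS and SECURITY_X_LDFLAGS, but the commit message only says the flag is "unnecessary" at link time and does not address the case raised in the thread, a recipe whose link step never sees CFLAGS. On toolchains whose libc does not carry the stack-protector runtime, gcc adds -lssp_nonshared/-lssp at link time only when a -fstack-protector* option is on the link command line, so for such a recipe the removal can turn into an undefined reference to __stack_chk_fail rather than a silent no-op. Suggest the commit message state why this is safe for the supported libcs (glibc and musl provide __stack_chk_fail in libc, so the link-time flag is redundant there) and name the concrete motivation visible in the thread (libsign's `-Wl,` check on LDFLAGS and the SECURITY_LDFLAGS_remove_pn-* workarounds), so a reader of `git log` can see both the reason and the limit of the change.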
--
2.7.4


--
_______________________________________________
Openembedded-core mailing list
[email protected]
http://lists.openembedded.org/mailman/listinfo/openembedded-core
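The thread proposes a QA check in the spirit of the existing `-Wl,--hash-style=gnu` test (a binary only contains a GNU_HASH section if LDFLAGS actually reached the link) that would also detect when CFLAGS did not reach the compiler. The Python below is an added example written for this page; it is not OE-Core's insane.bbclass and not code from either poster. It does two things: it flags compile-only options (`-fstack-protector*`, `-D_FORTIFY_SOURCE`, `-Wformat*`) that ended up in LDFLAGS and `-Wl,` pass-through options that ended up in CFLAGS, and it reads evidence of each hardening property out of `readelf --wide -h -S -l -d -s` output (GNU_HASH section, `__stack_chk_fail` import, GNU_RELRO segment, BIND_NOW/NOW flags, PIE). The readelf excerpts are constructed, and the property names and the `qa_warnings` helper are this example's own.

```python
"""Added example: check hardening flag placement, then verify that a built
binary shows the effect of both CFLAGS and LDFLAGS (not OE-Core code)."""
import re
from typing import Dict, List

# Code-generation options must reach the compiler, i.e. live in CFLAGS;
# at link time they either do nothing or confuse recipes that parse LDFLAGS.
COMPILE_ONLY = re.compile(
    r"^-(fstack-protector(-\w+)?|fstack-clash-protection|D_FORTIFY_SOURCE=\d|Wformat(-security)?)$")
# -Wl, is a pass-through to ld and only has an effect when linking.
LINK_ONLY = re.compile(r"^-Wl,")


def misplaced_flags(cflags: str, ldflags: str) -> Dict[str, List[str]]:
    """Return link-only flags found in CFLAGS and compile-only flags found in LDFLAGS."""
    return {
        "link_only_in_cflags": [f for f in cflags.split() if LINK_ONLY.match(f)],
        "compile_only_in_ldflags": [f for f in ldflags.split() if COMPILE_ONLY.match(f)],
    }


# Evidence of each property in `readelf --wide -h -S -l -d -s <binary>` output
# (GNU binutils format is assumed).
CHECKS = {
    # .gnu.hash exists only if -Wl,--hash-style=gnu reached the link step.
    "ldflags_honoured": re.compile(r"^\s*\[\s*\d+\]\s+\.gnu\.hash\s+GNU_HASH", re.M),
    # -fstack-protector* instruments functions, which import __stack_chk_fail.
    "stack_protector": re.compile(r"\bUND\s+__stack_chk_fail\b"),
    "relro": re.compile(r"^\s*GNU_RELRO\b", re.M),
    "bind_now": re.compile(r"\(FLAGS\)\s+.*\bBIND_NOW\b|\(FLAGS_1\)\s+Flags:.*\bNOW\b"),
    "pie": re.compile(r"\(FLAGS_1\)\s+Flags:.*\bPIE\b|Type:\s+DYN \(Position-Independent Executable"),
}

# What a binary built with SECURITY_CFLAGS + SECURITY_LDFLAGS should show.
EXPECT_FULL = {name: True for name in CHECKS}


def hardening_evidence(readelf_text: str) -> Dict[str, bool]:
    """Map each property to whether readelf output shows evidence for it."""
    return {name: bool(rx.search(readelf_text)) for name, rx in CHECKS.items()}


def qa_warnings(readelf_text: str, expect: Dict[str, bool]) -> List[str]:
    """One warning per expected property that is missing, like an insane.bbclass QA test."""
    found = hardening_evidence(readelf_text)
    return [f"{name}: expected but not found in binary"
            for name, want in expect.items() if want and not found[name]]


# Constructed readelf excerpt for a fully hardened PIE (not a real binary).
HARDENED = """\
ELF Header:
  Type:                              DYN (Position-Independent Executable file)
Section Headers:
  [ 4] .hash             HASH            0000000000000370 000370 000028 04   A  6   0  8
  [ 5] .gnu.hash         GNU_HASH        00000000000003a0 0003a0 000024 00   A  6   0  8
Program Headers:
  GNU_RELRO      0x002db8 0x0000000000003db8 0x0000000000003db8 0x000248 0x000248 R   0x1
Dynamic section at offset 0x2dc8 contains 27 entries:
 0x000000000000001e (FLAGS)              BIND_NOW
 0x000000006ffffffb (FLAGS_1)            Flags: NOW PIE
Symbol table '.dynsym' contains 8 entries:
     3: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND __stack_chk_fail@GLIBC_2.4 (2)
"""

# Same link flags, but the recipe compiled without CFLAGS: no canary import.
NO_SSP = "\n".join(l for l in HARDENED.splitlines() if "__stack_chk_fail" not in l)

if __name__ == "__main__":
    print(misplaced_flags("-O2 -fstack-protector-strong",
                          "-fstack-protector-strong -Wl,-z,relro,-z,now"))
    for label, text in (("hardened", HARDENED), ("no-ssp", NO_SSP)):
        print(label, qa_warnings(text, EXPECT_FULL) or "ok")
```

The `stack_protector` check is only evidence, not proof: a binary with no function that the compiler considers worth instrumenting will not import `__stack_chk_fail` even when built with `-fstack-protector-strong`, so a QA test built on it should be a warning rather than a hard error, exactly as the thread suggests.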
