Hi all,

I wanted to get a bit more understanding of why security_flags.inc tweaks
CC_ARCH instead of CFLAGS.

Some developers who consume an SDK we produce using Yocto noticed that CC and
CXX have FORTIFY_SOURCE embedded in the variables. These developers sometimes
want to compile software in the SDK with compiler optimisations turned off in
order to run code coverage tools like gcov. Typically they drop
CFLAGS/CXXFLAGS in order to do this but they noted that with the SDK they also
have to manually tweak CC/CXX to remove the FORTIFY_SOURCE references (because
compilation fails without optimisation flags when using FORTIFY_SOURCE).

This comes from:
https://patchwork.openembedded.org/patch/167198/ and
http://git.yoctoproject.org/cgit.cgi/poky/commit/?id=6733a7873ca121295a2e309a6915b9816e1ae36b

I would’ve expected actually that FORTIFY_SOURCE bundles itself with
CFLAGS/CXXFLAGS as it is dependent on being with the compiler optimisations.
This is also how the Debian hardening wiki seems to describe its use [1].

I am guessing that this is moved to CC_ARCH to ensure FORTIFY_SOURCE is being
enforced around the build system in case components are skipping out on CFLAGS
and CXXFLAGS. Is that right?

Would there be some objection to moving the security flags to CFLAGS/CXXFLAGS
for the cross-canadian target (sdk)?

Thanks for any insights people can share!

Kind regards,
Michael Ho

[1] https://wiki.debian.org/Hardening#Using_Hardening_Options

----------------------------------------------------------------------------------------------------

--
BMW Car IT GmbH
Michael Ho
Spezialist Entwicklung – Build and Release Engineering
Lise-Meitner-Straße 14
89081 Ulm

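The rearrangement the message asks about, as an added example that is not part of the original message or of OpenEmbedded's own code: a POSIX shell helper that takes the `_FORTIFY_SOURCE` define out of a `CC` string and re-adds it to `CFLAGS` only while optimisation is still enabled. The function names and the sample `CC` value are constructed for illustration.

```shell
#!/bin/sh
# Added example: SAMPLE_CC is constructed; all function names are hypothetical.
set -f  # disable globbing while flag strings are word-split

# Succeed if $1 is a token that sets or clears _FORTIFY_SOURCE.
is_fortify() {
    case "$1" in
        -D_FORTIFY_SOURCE|-D_FORTIFY_SOURCE=*|-U_FORTIFY_SOURCE) return 0 ;;
    esac
    return 1
}

# Print $1 with every _FORTIFY_SOURCE token removed.
strip_fortify() {
    out=""
    for tok in $1; do
        is_fortify "$tok" || out="${out:+$out }$tok"
    done
    printf '%s\n' "$out"
}

# Print only the _FORTIFY_SOURCE tokens found in $1.
extract_fortify() {
    out=""
    for tok in $1; do
        if is_fortify "$tok"; then out="${out:+$out }$tok"; fi
    done
    printf '%s\n' "$out"
}

# Succeed if the flags in $1 leave optimisation on (the last -O wins).
optimised() {
    last=""
    for tok in $1; do
        case "$tok" in -O*) last="$tok" ;; esac
    done
    [ -n "$last" ] && [ "$last" != "-O0" ]
}

# rebalance CC CFLAGS: print a CC= line without the define and a CFLAGS=
# line that carries it only when the combined flags still optimise.
rebalance() {
    cc=$(strip_fortify "$1"); fort=$(extract_fortify "$1"); cflags="$2"
    if [ -n "$fort" ] && optimised "$cc $2"; then cflags="${2:+$2 }$fort"; fi
    printf 'CC=%s\nCFLAGS=%s\n' "$cc" "$cflags"
}

# Constructed sample shaped like an SDK environment script's CC export.
SAMPLE_CC="x86_64-poky-linux-gcc -m64 -fstack-protector-strong -O2 -D_FORTIFY_SOURCE=2 -Wformat --sysroot=/opt/sdk/sysroot"
```

With `CFLAGS="-O0 -g --coverage"` the define is dropped for the coverage build; with ordinary flags it is kept, so release builds from the same SDK stay fortified.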