About all I know that we do have (in the manual at least) is contained in this section:
http://www.yoctoproject.org/docs/current/dev-manual/dev-manual.html#making-images-more-secure

It's not a lot but it's something. (If anyone has any ideas on how to extend this area we'd appreciate the input.)

Cheers,
Paul

On Tuesday 10 November 2015 11:17:31 Martin Townsend wrote:
> Hi Paul,
>
> meta/conf/distro/include/security_flags.inc is much better than a blanket
> change of compiler flags. Thanks for the tip. Are there any other
> tips/web pages on Security or Linux hardening using Yocto?
>
> Cheers,
> Martin.
>
> On Mon, Nov 9, 2015 at 11:06 PM, Paul Eggleton <[email protected]> wrote:
> > On Monday 09 November 2015 22:32:59 Martin Townsend wrote:
> > > My issue is particular to my distro, I tried changing to poky and all was
> > > well. The reason for our own distro was to migrate from Arago which we
> > > were using. So I copied Arago into a separate distro and then started
> > > morphing it into something more akin to Poky over time. Alas I left the
> > > following line in the distro conf, one which should have been removed :(
> > >
> > > # Enable basic stack and buffer overflow protections
> > > TARGET_CPPFLAGS += "-fstack-protector -D_FORTIFY_SOURCE=1"
> > >
> > > After commenting this out binutils for the target builds fine. I'm
> > > guessing that for libiberty CPPFLAGS propagates into configure or makefile
> > > in the binutils recipe which then fails one of its config checks and
> > > because of this fails to set HAVE_LIMITS and a few others no doubt.
> > >
> > > Many apologies for leading you on a wild goose chase, I don't know if there
> > > is anything you can do so others don't fall foul of this. Is setting
> > > TARGET_CPPFLAGS or TARGET_CFLAGS for that matter useful in configuration
> > > files?? If so, maybe making sure they are reverted for building binutils??
> >
> > I'm assuming you could do something like:
> >
> > TARGET_CPPFLAGS += "${MY_EXTRAFLAGS}"
> > MY_EXTRAFLAGS = "-fstack-protector -D_FORTIFY_SOURCE=1"
> > MY_EXTRAFLAGS_pn-binutils = ""
> >
> > FYI we do have meta/conf/distro/include/security_flags.inc to apply these two
> > flags, but interestingly there's no mention of binutils in there.
> >
> > > Thanks for all the help and maybe it's time we moved over to Poky :)
> >
> > Well, there's nothing forcing you to use poky - it's a reference distribution;
> > the assumption is usually that you'll want to change something at the
> > distribution level at which point you've effectively created your own distro.
> >
> > Cheers,
> > Paul
> >
> > --
> >
> > Paul Eggleton
> > Intel Open Source Technology Centre

--
Paul Eggleton
Intel Open Source Technology Centre
