And I also found this link https://www.yoctoproject.org/blogs/andrei-dinu/2013/meta-security-layer-now-available which looks promising. :)
On Tue, Nov 10, 2015 at 11:40 AM, Paul Eggleton <[email protected]> wrote:

> About all I know that we do have (in the manual at least) is contained in
> this section:
>
> http://www.yoctoproject.org/docs/current/dev-manual/dev-manual.html#making-images-more-secure
>
> It's not a lot but it's something. (If anyone has any ideas on how to
> extend this area we'd appreciate the input.)
>
> Cheers,
> Paul
>
> On Tuesday 10 November 2015 11:17:31 Martin Townsend wrote:
> > Hi Paul,
> >
> > meta/conf/distro/include/security_flags.inc is much better than a blanket
> > change of compiler flags. Thanks for the tip. Are there any other
> > tips/web pages on Security or Linux hardening using Yocto?
> >
> > Cheers,
> > Martin.
> >
> > On Mon, Nov 9, 2015 at 11:06 PM, Paul Eggleton <[email protected]> wrote:
> > > On Monday 09 November 2015 22:32:59 Martin Townsend wrote:
> > > > My issue is particular to my distro, I tried changing to poky and all
> > > > was well. The reason for our own distro was to migrate from Arago
> > > > which we were using. So I copied Arago into a separate distro and then
> > > > started morphing it into something more akin to Poky over time. Alas I
> > > > left the following line in the distro conf, one which should have
> > > > removed :(
> > > >
> > > > # Enable basic stack and buffer overflow protections
> > > > TARGET_CPPFLAGS += "-fstack-protector -D_FORTIFY_SOURCE=1"
> > > >
> > > > After commenting this out binutils for the target builds fine. I'm
> > > > guessing that for libiberty CPPFLAGS propagates into configure or
> > > > makefile in the binutils recipe which then fails one of its config
> > > > checks and because of this fails to set HAVE_LIMITS and a few others
> > > > no doubt.
> > > >
> > > > Many apologies for leading you on a wild goose chase, I don't know if
> > > > there is anything you can do so others don't fall foul of this. Is
> > > > setting TARGET_CPPFLAGS or TARGET_CFLAGS for that matter useful in
> > > > configuration files?? If so, maybe making sure they are reverted for
> > > > building binutils??
> > >
> > > I'm assuming you could do something like:
> > >
> > > TARGET_CPPFLAGS += "${MY_EXTRAFLAGS}"
> > > MY_EXTRAFLAGS = "-fstack-protector -D_FORTIFY_SOURCE=1"
> > > MY_EXTRAFLAGS_pn-binutils = ""
> > >
> > > FYI we do have meta/conf/distro/include/security_flags.inc to apply
> > > these two flags, but interestingly there's no mention of binutils in
> > > there.
> > >
> > > > Thanks for all the help and maybe it's time we moved over to Poky :)
> > >
> > > Well, there's nothing forcing you to use poky - it's a reference
> > > distribution; the assumption is usually that you'll want to change
> > > something at the distribution level at which point you've effectively
> > > created your own distro.
> > >
> > > Cheers,
> > > Paul
> > >
> > > --
> > >
> > > Paul Eggleton
> > > Intel Open Source Technology Centre
>
> --
>
> Paul Eggleton
> Intel Open Source Technology Centre
