Right, there's a link to that layer in the manual section as well.

Cheers,
Paul
On Tuesday 10 November 2015 13:20:39 Martin Townsend wrote:
> And I also found this link
> https://www.yoctoproject.org/blogs/andrei-dinu/2013/meta-security-layer-now-available
> which looks promising. :)
>
> On Tue, Nov 10, 2015 at 11:40 AM, Paul Eggleton <[email protected]> wrote:
> > About all I know that we do have (in the manual at least) is contained
> > in this section:
> >
> > http://www.yoctoproject.org/docs/current/dev-manual/dev-manual.html#making-images-more-secure
> >
> > It's not a lot but it's something. (If anyone has any ideas on how to
> > extend this area we'd appreciate the input.)
> >
> > Cheers,
> > Paul
> >
> > On Tuesday 10 November 2015 11:17:31 Martin Townsend wrote:
> > > Hi Paul,
> > >
> > > meta/conf/distro/include/security_flags.inc is much better than a
> > > blanket change of compiler flags. Thanks for the tip. Are there any
> > > other tips/web pages on Security or Linux hardening using Yocto?
> > >
> > > Cheers,
> > > Martin.
> > >
> > > On Mon, Nov 9, 2015 at 11:06 PM, Paul Eggleton <[email protected]> wrote:
> > > > On Monday 09 November 2015 22:32:59 Martin Townsend wrote:
> > > > > My issue is particular to my distro, I tried changing to poky
> > > > > and all was well. The reason for our own distro was to migrate
> > > > > from Arago which we were using. So I copied Arago into a
> > > > > separate distro and then started morphing it into something
> > > > > more akin to Poky over time. Alas I left the following line in
> > > > > the distro conf, one which I should have removed :(
> > > > >
> > > > > # Enable basic stack and buffer overflow protections
> > > > > TARGET_CPPFLAGS += "-fstack-protector -D_FORTIFY_SOURCE=1"
> > > > >
> > > > > After commenting this out binutils for the target builds fine.
> > > > > I'm guessing that for libiberty CPPFLAGS propagates into
> > > > > configure or makefile in the binutils recipe which then fails
> > > > > one of its config checks and because of this fails to set
> > > > > HAVE_LIMITS and a few others no doubt.
> > > > >
> > > > > Many apologies for leading you on a wild goose chase, I don't
> > > > > know if there is anything you can do so others don't fall foul
> > > > > of this. Is setting TARGET_CPPFLAGS or TARGET_CFLAGS for that
> > > > > matter useful in configuration files?? If so, maybe making
> > > > > sure they are reverted for building binutils??
> > > >
> > > > I'm assuming you could do something like:
> > > >
> > > > TARGET_CPPFLAGS += "${MY_EXTRAFLAGS}"
> > > > MY_EXTRAFLAGS = "-fstack-protector -D_FORTIFY_SOURCE=1"
> > > > MY_EXTRAFLAGS_pn-binutils = ""
> > > >
> > > > FYI we do have meta/conf/distro/include/security_flags.inc to
> > > > apply these two flags, but interestingly there's no mention of
> > > > binutils in there.
> > > >
> > > > > Thanks for all the help and maybe it's time we moved over to
> > > > > Poky :)
> > > >
> > > > Well, there's nothing forcing you to use poky - it's a reference
> > > > distribution; the assumption is usually that you'll want to
> > > > change something at the distribution level at which point you've
> > > > effectively created your own distro.
> > > >
> > > > Cheers,
> > > > Paul
> > > >
> > > > --
> > > >
> > > > Paul Eggleton
> > > > Intel Open Source Technology Centre

--

Paul Eggleton
Intel Open Source Technology Centre
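Once flags are dropped for individual recipes, as with the binutils override quoted in the thread, it helps to check which built binaries actually carry `-fstack-protector` and `_FORTIFY_SOURCE`. The following is an added example, not code from the thread or from the Yocto Project; the function names are hypothetical and the `readelf` output is constructed sample data.

```python
import re

# Fortified libc entry points are named like __memcpy_chk or __sprintf_chk.
FORTIFY_RE = re.compile(r"^__\w+_chk$")
# References emitted by -fstack-protector (guard symbol varies by architecture).
STACK_SYMS = {"__stack_chk_fail", "__stack_chk_guard"}

# Constructed sample output, shaped like `readelf --dyn-syms -W <binary>`.
HARDENED = """\
Symbol table '.dynsym' contains 4 entries:
   Num:    Value          Size Type    Bind   Vis      Ndx Name
     0: 0000000000000000     0 NOTYPE  LOCAL  DEFAULT  UND
     1: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND __stack_chk_fail@GLIBC_2.4 (2)
     2: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND __memcpy_chk@GLIBC_2.3.4 (3)
     3: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND puts@GLIBC_2.2.5 (4)
"""
UNHARDENED = """\
Symbol table '.dynsym' contains 3 entries:
   Num:    Value          Size Type    Bind   Vis      Ndx Name
     0: 0000000000000000     0 NOTYPE  LOCAL  DEFAULT  UND
     1: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND memcpy@GLIBC_2.14 (2)
     2: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND puts@GLIBC_2.2.5 (3)
"""

def dynsym_names(readelf_text):
    """Return the set of symbol names in a readelf dynamic symbol listing."""
    names = set()
    for line in readelf_text.splitlines():
        fields = line.split()
        # Data rows start with "<num>:" and carry the name in the 8th column.
        if len(fields) >= 8 and fields[0].rstrip(":").isdigit():
            names.add(fields[7].split("@")[0])  # drop the @GLIBC_x version
    return names

def hardening_report(readelf_text):
    """Report evidence of stack protector and fortified calls in one binary."""
    names = dynsym_names(readelf_text)
    return {
        "stack_protector": bool(names & STACK_SYMS),
        "fortify": sorted(n for n in names if FORTIFY_RE.match(n)),
    }

if __name__ == "__main__":
    for label, text in (("hardened", HARDENED), ("unhardened", UNHARDENED)):
        print(label, hardening_report(text))
```

An empty `fortify` list is only a hint: a binary that calls no fortifiable libc function, is statically linked, or was compiled without optimisation shows no `_chk` symbols either.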
