Commit Graph

83 Commits

Author SHA1 Message Date
Rasmus Villemoes
ccd5798f54 perf: lift TARGET_CC_ARCH modification out of security_flags.inc
Building perf without security_flags.inc being included in one's
distro results in the buildpaths warning

WARNING: perf-1.0-r9 do_package_qa: QA Issue: File /usr/bin/trace in
package perf contains reference to TMPDIR

because the ${DEBUG_PREFIX_MAP} does not get used. Most recipes get
that from CFLAGS, but the perf recipe explicitly unsets that.

Now ${SELECTED_OPTIMIZATION} of course contains more than just
${DEBUG_FLAGS}/${DEBUG_PREFIX_MAP}. For most TUs, perf's build system
adds its own optimization flags (-O6 for odd reasons), so for those
including the -O2 or -Og doesn't change anything. But looking at the
.o.cmd files shows that there are some TUs which currently get built
without any -O flag. So for those adding the distro's
SELECTED_OPTIMIZATION seems to be the right thing to do.

(From OE-Core rev: aa01c9122ef4a2159df503ef6ed25e802277f13a)

Signed-off-by: Rasmus Villemoes <rasmus.villemoes@prevas.dk>
Signed-off-by: Luca Ceresoli <luca.ceresoli@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2023-10-25 10:20:39 +01:00
Alexander Kanavin
20c30045d0 ltp: upgrade 20220121 -> 20220527
Disable stack protection as newly added kvm tests won't build with it.

(From OE-Core rev: f231bc2c28226776f0990ec65aa5f95e89021218)

Signed-off-by: Alexander Kanavin <alex@linutronix.de>
Signed-off-by: Luca Ceresoli <luca.ceresoli@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2022-06-07 21:21:55 +01:00
Saul Wold
d9e500f83d meta/scripts: Improve internal variable naming
Update internal variable names to improve the terms used.

(From OE-Core rev: f408068e5d7998ae165f3002e51bc54b380b8099)

Signed-off-by: Saul Wold <saul.wold@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2022-03-10 08:00:28 +00:00
Richard Purdie
bb6ddc3691 Convert to new override syntax
This is the result of automated script conversion:

scripts/contrib/convert-overrides.py <oe-core directory>

converting the metadata to use ":" as the override character instead of "_".

(From OE-Core rev: 42344347be29f0997cc2f7636d9603b1fe1875ae)

Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2021-08-02 15:44:10 +01:00
Khem Raj
fa7db24367 security_flags.inc: Add same O<level> as in SELECTED_OPTIMIZATION
Adding -O can be troublesome in some packages where it may override the
O<n> specified by CFLAGS. This can be due to configure processing of
CFLAGS and munging them into new values in Makefiles, which are
constructed from CC and CFLAGS passed by the bitbake environment. The problem
arises if the sequence is altered, which seems to be the case in some
packages, e.g. ncurses, where the value from the CC variable is added last
and thus overrides the -O<n> coming from CFLAGS.

Therefore grok the value from SELECTED_OPTIMIZATION and append the
appropriate -O<level> flag to lcl_maybe_fortify so the level does not
change inadvertently.

Since we do not use -O0 anymore there is no point in checking for
DEBUG_BUILD, since it uses -Og now, which works fine with
-D_FORTIFY_SOURCE=2; check for optlevel O0 instead.

(From OE-Core rev: 9571a18f7d15b3bffafc2e277ab90a21d6763697)

Signed-off-by: Khem Raj <raj.khem@gmail.com>
Cc: Anuj Mittal <anuj.mittal@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2021-02-12 23:32:16 +00:00
Khem Raj
525493e3ef security_flags.inc: Use -O with -D_FORTIFY_SOURCE
The compiler can only use fortify options when some level of optimization is
on; otherwise it ends up sending some warnings.

warning: _FORTIFY_SOURCE requires compiling with optimization (-O) [-W#warnings]

This is usually OK, since -O<level> would be added via CFLAGS to the
compiler cmdline in normal compile stages; however, during configure
there are problems when CC, CPP, CXX are probed alone in configure tests,
which results in the above warning, which confuses the configure results, and
autotools 2.70+ detects it as an error, e.g.

configure:17292: error: C preprocessor "riscv32-yoe-linux-clang -target riscv32-yoe-linux      -mlittle-endian -mno-relax -Qunused-arguments -fstack-protector-strong  -D_FORTIFY_SOURCE=2 -Wformat -Wformat-security -Werror=format-security --sysroot=/mnt/b/yoe/master/build/tmp/work/riscv32-yoe-linux/ndpi/3.4-r0/recipe-sysroot -E" fails sanity check
See `config.log' for more details

therefore adding a -O (which actually is -O1) to lcl_maybe_fortify
means we can properly run these configure tests, and the real -O<level> will
still override the -O added here, so overall behavior improves

(From OE-Core rev: b6113dd68caa46d56cf3c8293119f2b9d8b137fd)

Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2021-02-08 14:47:16 +00:00
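The two security_flags.inc commits above (fa7db24367 and 525493e3ef) both hinge on one compiler rule: GCC and clang honour the last -O option on the command line, and _FORTIFY_SOURCE is inert (and warns) unless the effective level is above 0. The following is an added illustration, not code from OE-Core or from either commit; the helpers take a captured compiler command line as a plain string and report the effective -O level and whether FORTIFY would actually be active. The three sample command lines in main() are constructed to mirror the configure probe and the ncurses-style reordering described in the messages.

```c
#include <stdio.h>
#include <string.h>

/*
 * Added illustration (not OE-Core code): GCC/clang apply the *last* -O
 * option on the command line, and _FORTIFY_SOURCE only does anything when
 * that effective level is above 0 (__OPTIMIZE__ must be defined). These
 * helpers let you check a captured command line for both conditions.
 */

/* Map one -O token to a level; -1 means "not an -O option". -Og/-Os/-Oz
 * are approximations: what matters for FORTIFY is only whether it is > 0. */
static int opt_token_level(const char *tok)
{
    if (strncmp(tok, "-O", 2) != 0)
        return -1;
    const char *arg = tok + 2;
    if (*arg == '\0')                 return 1;   /* bare -O means -O1 */
    if (strcmp(arg, "0") == 0)        return 0;
    if (strcmp(arg, "1") == 0)        return 1;
    if (strcmp(arg, "2") == 0)        return 2;
    if (strcmp(arg, "3") == 0)        return 3;
    if (strcmp(arg, "fast") == 0)     return 3;
    if (strcmp(arg, "g") == 0)        return 1;
    if (strcmp(arg, "s") == 0 || strcmp(arg, "z") == 0) return 2;
    return -1;                        /* unknown -O spelling: ignore */
}

/* Effective optimization level of a space-separated compiler command line:
 * the last recognised -O token wins; no -O at all means -O0. */
int effective_opt_level(const char *cmdline)
{
    char buf[1024];
    int level = 0;
    strncpy(buf, cmdline, sizeof buf - 1);
    buf[sizeof buf - 1] = '\0';
    for (char *tok = strtok(buf, " \t"); tok; tok = strtok(NULL, " \t")) {
        int l = opt_token_level(tok);
        if (l >= 0)
            level = l;
    }
    return level;
}

/* 1 if -D_FORTIFY_SOURCE=<n> with n in 1..9 is requested on the command line. */
int fortify_requested(const char *cmdline)
{
    const char *p = strstr(cmdline, "-D_FORTIFY_SOURCE=");
    if (p == NULL)
        return 0;
    char n = p[strlen("-D_FORTIFY_SOURCE=")];
    return n >= '1' && n <= '9';
}

/* 1 only if FORTIFY is requested *and* the effective -O level makes it
 * active; the bare configure probe fails this and emits the warning. */
int fortify_effective(const char *cmdline)
{
    return fortify_requested(cmdline) && effective_opt_level(cmdline) > 0;
}

int main(void)
{
    /* Constructed command lines modelled on the two commit messages. */
    const char *probe = "gcc -fstack-protector-strong -D_FORTIFY_SOURCE=2 -E";
    const char *fixed = "gcc -fstack-protector-strong -D_FORTIFY_SOURCE=2 -O2 -E";
    const char *ncurses_like = "gcc -O2 -D_FORTIFY_SOURCE=2 -O";

    printf("configure probe:  level %d, fortify %s\n", effective_opt_level(probe),
           fortify_effective(probe) ? "active" : "INACTIVE (warning)");
    printf("with -O<level>:   level %d, fortify %s\n", effective_opt_level(fixed),
           fortify_effective(fixed) ? "active" : "INACTIVE");
    printf("CC -O after CFLAGS -O2: effective level %d\n",
           effective_opt_level(ncurses_like));
    return 0;
}
```

The third sample is the case fa7db24367 fixes: a bare -O appended by CC after CFLAGS silently downgrades -O2 to -O1, which is why the commit copies the real level from SELECTED_OPTIMIZATION instead of adding a bare -O.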
Jacob Kroon
2d740a8c71 grub: Remove native version of grub-efi
The native version of grub-efi only installs the tools

  /usr/bin/grub-editenv
  /usr/bin/grub-mkimage

to sysroots-components/, but equivalent tools are already provided by
grub-native, the difference on x86_64 being 4 hardwired paths in grub-mkimage
(values taken from grub-native):

  LOCALEDIR       = $TMPDIR/work/x86_64-linux/grub-native/2.04-r0/recipe-sysroot-native/usr/share/locale
  GRUB_DATADIR    = $TMPDIR/work/x86_64-linux/grub-native/2.04-r0/recipe-sysroot-native/usr/share
  GRUB_LIBDIR     = $TMPDIR/work/x86_64-linux/grub-native/2.04-r0/recipe-sysroot-native/usr/lib
  GRUB_SYSCONFDIR = $TMPDIR/work/x86_64-linux/grub-native/2.04-r0/recipe-sysroot-native/etc

If grub-native and grub-efi-native are built with the following patch

 --- grub-2.04.orig/configure.ac
 +++ grub-2.04/configure.ac
 @@ -1980,10 +1980,10 @@ grub_libdir="$(eval echo "$libdir")"
  grub_localedir="$(eval echo "$localedir")"
  grub_datadir="$(eval echo "$datadir")"
  grub_sysconfdir="$(eval echo "$sysconfdir")"
 -AC_DEFINE_UNQUOTED(LOCALEDIR, "$grub_localedir", [Locale dir])
 -AC_DEFINE_UNQUOTED(GRUB_LIBDIR, "$grub_libdir", [Library dir])
 -AC_DEFINE_UNQUOTED(GRUB_DATADIR, "$grub_datadir", [Data dir])
 -AC_DEFINE_UNQUOTED(GRUB_SYSCONFDIR, "$grub_sysconfdir", [Configuration dir])
 +AC_DEFINE_UNQUOTED(LOCALEDIR, "/non-existent", [Locale dir])
 +AC_DEFINE_UNQUOTED(GRUB_LIBDIR, "/non-existent", [Library dir])
 +AC_DEFINE_UNQUOTED(GRUB_DATADIR, "/non-existent", [Data dir])
 +AC_DEFINE_UNQUOTED(GRUB_SYSCONFDIR, "/non-existent", [Configuration dir])
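Review bot: the hunk is a measurement patch (it leaves the grub_localedir/grub_libdir/grub_datadir/grub_sysconfdir assignments above it in place and only neutralises the four AC_DEFINE values), and the message should say explicitly that it is not being applied. The argument that the four values "can be ignored" also deserves one more sentence: GRUB_LIBDIR is the base of grub-mkimage's default module search path when no -d is passed, so the equivalence with grub-native's tools holds only because every grub-mkimage call in the metadata passes the module directory explicitly.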

the produced grub-editenv/grub-mkimage binaries become binary-equivalent,
assuming reproducible builds are active. Since the unpatched values of
LOCALEDIR/GRUB_DATADIR/GRUB_LIBDIR/GRUB_SYSCONFDIR point to directories that
are not expected to exist at runtime, they can be ignored.

Therefore:
 * remove grub-efi-native and instead rely on the same tools from
   grub-native
 * replace references to grub-efi-native with grub-native
 * remove unused grub-efi-native security flags overrides

(From OE-Core rev: 7044181df7487f047d175242f7ebbc3c35bf5402)

Signed-off-by: Jacob Kroon <jacob.kroon@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2020-06-23 12:31:03 +01:00
Junling Zheng
171a8360f5 security_flags: Remove stack protector flag from LDFLAGS
SECURITY_LDFLAGS inappropriately contains the stack protector flag, which
is already contained in SECURITY_CFLAGS. Let's remove it from
SECURITY_LDFLAGS.

(From OE-Core rev: 549cce578b859986e37900bf15c1bf904d33e47b)

Signed-off-by: Junling Zheng <zhengjunling@huawei.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2020-06-04 13:27:32 +01:00
Tom Hochstein
f17f89e2f4 security_flags.inc: fix flags missing from SDK toolchain
The security flags were missing from the SDK toolchain
because they were added specifically to class-target.
Add them to class-cross-canadian as well (since the SDK environment
file is created from cross-canadian target flags).

(From OE-Core rev: cd46e8f890069a40d1e9048cfa0f378dec1dc5e9)

Signed-off-by: Tom Hochstein <tom.hochstein@nxp.com>
Signed-off-by: Antoine Manache <a.manache@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2020-03-25 10:02:49 +00:00
Nathan Rossi
e5fe46c4c0 security_flags.inc: Add overrides for glibc-testsuite to match glibc
Ensure glibc-testsuite has the same flags as glibc.

(From OE-Core rev: f8ab08441f90eb75295304c57746c6e5f907ca64)

Signed-off-by: Nathan Rossi <nathan@nathanrossi.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2019-09-06 12:45:47 +01:00
Nathan Rossi
1c115da446 Clean up remnants of glibc-initial
Remove remnants of the glibc-initial recipe.

(From OE-Core rev: 332b1e21db3e0cbeeb14f12dd6aeedb89b76d761)

Signed-off-by: Nathan Rossi <nathan@nathanrossi.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2019-09-06 08:15:45 +01:00
Hongxu Jia
03b6f92245 security_flags.inc: add var-SECURITY_STACK_PROTECTOR to improve variable OVERRIDES
There are var-SECURITY_PIE_CFLAGS, var-lcl_maybe_fortify and
var-SECURITY_STRINGFORMAT which are helpful for OVERRIDES.

Also add var-SECURITY_STACK_PROTECTOR, and drop the hardcoded `_remove'
overrides. For example, `4ca946c security_flags: use -fstack-protector-strong'
did s/-fstack-protector-all/-fstack-protector-strong/; tweaking only
var-SECURITY_STACK_PROTECTOR is sufficient.

The fix does not have any side effect on SECURITY_CFLAGS of glibc/
glibc-initial/gcc-runtime; these three are directly assigned "":
...
SECURITY_CFLAGS_pn-glibc = ""
SECURITY_CFLAGS_pn-glibc-initial = ""
SECURITY_CFLAGS_pn-gcc-runtime = ""
...

(From OE-Core rev: 0ed4a6233bdcb25cbdce698504611541420d92d0)

Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2018-09-04 11:03:55 +01:00
Hongxu Jia
30f54f14dd security_flags.inc: use `?=' to set a default var-lcl_maybe_fortify
- Since poky enables security flags+pie by default, tweak comments
to sync with it.
[poky commit]
491082c poky.conf: Enable security flags+pie by default
29d76b3 poky-lsb: Remove including security_flags.inc
[poky commit]

- Use `?=' to set a default lcl_maybe_fortify, it is helpful for
variable OVERRIDES.

(From OE-Core rev: 38c410bb7d1688cd952da9f19269c2a65a92ab45)

Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2018-09-04 11:03:55 +01:00
Khem Raj
d0b2393ce7 powerpc: Remove pie flags from compiler cmdline
The original approach of adding -no-<pie> flags causes link time behavior changes
where packages start to lose the -fPIC -DPIC in the compiler cmdline, and this
list keeps growing as we build more and more packages.

Instead let's just remove the options we don't need from SECURITY_CFLAGS;
this makes it more robust and less intrusive.

This also means we do not need to re-add pic options as we started to do
for affected packages

(From OE-Core rev: 1520f5a345fd03d46f33f0efaf76191e96344bec)

Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2018-08-20 17:38:22 +01:00
Khem Raj
6870d10637 security_flags: Add PIC to cflags for some recipes on ppc
Fixes issues related to out-of-range R_PPC_REL24
e.g.
/usr/lib/xorg/modules/input/libinput_drv.so: /usr/lib/libinput.so.10: R_PPC_REL24 relocation at 0x0e8602c4 for symbol `libevdev_has_event_code' out of range

(From OE-Core rev: 48c8d13a9bdcacb64a330074588f7c6bb5cae90d)

Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2018-08-16 09:49:38 +01:00
Andre McCurdy
a087862d02 security_flags.inc: drop obsolete comment
The last ARM specific over-ride was removed in:

  http://git.openembedded.org/openembedded-core/commit/?id=e93765ffb5718b0fce84f0b8123963176dea95e4

but the comment was accidentally left behind.

(From OE-Core rev: efcf629e2d84bacb955201d1960969020796678e)

Signed-off-by: Andre McCurdy <armccurdy@gmail.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2018-05-15 10:56:50 +01:00
Ross Burton
472c86127a security_flags: disable static PIE in glibc
Static PIE doesn't work entirely right in GCC 7; for example ldconfig on ARM
with the flags enabled will sometimes segfault during initialisation.

To mitigate this until we have GCC 8 integrated, don't enable static PIE.

(From OE-Core rev: 5f64946b8740a5d944f48ec430470265703bfe5e)

Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2018-05-15 10:56:48 +01:00
Khem Raj
8ec37c0811 glibc: Enable static PIE support when security_flags are enabled
(From OE-Core rev: 8e4ece7bf0b09275a34ce8e7cc3e1e54a366c361)

Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2018-03-01 22:18:47 +00:00
Tom Rini
d2ade75708 security_flags.inc, xorg-driver-common.inc: Move SECURITY_X_LDFLAGS logic
We need to ensure that all xorg modules are linked with
SECURITY_X_LDFLAGS to ensure that they will be able to resolve their run
time dependencies.  The approach of listing each driver in
security_flags.inc lets less frequently used drivers be run-time
broken.  Move the flag logic into xorg-driver-common.inc so that all
xorg modules from all layers will have the correct security flags used.

Cc: Khem Raj <raj.khem@gmail.com>
(From OE-Core rev: 27fce6ec277788f8fad0c9799e784df80f791120)

Signed-off-by: Tom Rini <trini@konsulko.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2018-02-06 11:06:27 +00:00
Ross Burton
563a020870 meta: don't use deprecated functions from utils.bbclass
These functions were moved to meta/lib/oe in 2010 and the base_* functions in
utils.bbclass were intended to be a short-term compatibility layer.  They're
still used in a few places, so update the callers to use the new functions.

(From OE-Core rev: c97acbd034532895ce57c6717ed1b3ccc7900b0d)

Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2018-01-30 11:50:11 +00:00
Khem Raj
fd4ed9a464 security_flags.inc: Do not build gcc for powerpc with PIE defaults
Since we have disabled FPIE from SECURITY_CFLAGS already, we have
to ensure the same with gcc, otherwise gcc (on-device) will be built
defaulting to PIE, and such binaries will fail to execute

(From OE-Core rev: 4f3a9ccdb1d45804f4c094589e69e0bc87dc9c62)

Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2017-07-08 13:34:45 +01:00
Khem Raj
6733a7873c security_flags.inc: Delete pinnings for SECURITY_NO_PIE_CFLAGS
GCC is configured correctly to pass PIE cflags/ldflags

(From OE-Core rev: e93765ffb5718b0fce84f0b8123963176dea95e4)

Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2017-07-08 13:34:45 +01:00
Khem Raj
c91314ec16 gcc: Introduce a knob to configure gcc to default to PIE
The GCCPIE flag, which is empty by default, adds the "--enable-default-pie"
configure option for hardened distros.

We do not need to add the -fpie -pie flags externally anymore

(From OE-Core rev: 1c7e195c94764d680a12a49b870f04cd58860f81)

Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2017-07-08 13:34:45 +01:00
Richard Purdie
eb40fcf627 meta: Drop remnants of uclibc support
uclibc support was removed a while ago and musl works much better. Start to
remove the various overrides and patches related to uclibc which are no longer
needed.

uclibc support in a layer would still be possible. I have strong reasons to
believe nobody is still using uclibc since patches are missing and I doubt
the metadata even parses anymore.

(From OE-Core rev: 653704e9cf325cb494eb23facca19e9f05132ffd)

Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2017-06-22 09:16:00 +01:00
Dmitry Rozhkov
0e138bf56d python-pycurl: create python3-pycurl recipe
The python-pycurl recipe can be used with python2 only even
though python3 is officially supported by upstream.

Create python3-pycurl recipe enabling the pycurl module for
python3.

(From OE-Core rev: 6cb9c0a4e75c647b38c81d2d7217b54b2fdfd972)

Signed-off-by: Dmitry Rozhkov <dmitry.rozhkov@linux.intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2017-04-10 23:00:44 +01:00
Alexander Kanavin
8c1c392ca3 dnf: move the entire dnf/rpm4 stack to Python 3
[YOCTO #11180]

(From OE-Core rev: bedcdc4cf921b70a8cfb16c6684668d0ac9e1942)

Signed-off-by: Alexander Kanavin <alexander.kanavin@linux.intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2017-03-28 08:43:13 +01:00
Alexander Kanavin
da1d23a6d0 expect: resolve string formatting issues
[YOCTO #9542]

(From OE-Core rev: b5fd2874cfe199703e7a5d12fa708e12ff0a2ad1)

Signed-off-by: Alexander Kanavin <alexander.kanavin@linux.intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2017-03-24 23:43:32 +00:00
Jussi Kukkonen
f8007417ea kexec-tools: Add patches to enable format-security
Also remove the override from security_flags.inc

(From OE-Core rev: 33d084a66a371fb10e26a0a23c639c69ddd3f1e5)

Signed-off-by: Jussi Kukkonen <jussi.kukkonen@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2017-03-17 16:53:04 +00:00
Jussi Kukkonen
6dcf5c6e6e cmake: Backport fix to enable -Wformat-security
Backport build fix that removes -Wformat-security for specific tests.
Enable "-Wformat-security" for cmake in security_flags.inc.

(From OE-Core rev: b00f9c77ebd211578ba133c28abcbc5752305e25)

Signed-off-by: Jussi Kukkonen <jussi.kukkonen@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2017-03-17 16:53:04 +00:00
Alexander Kanavin
3dadb9722e security_flags.inc: update to reflect smart->dnf transition
(From OE-Core rev: 0f3c57e9aca490c0f8d94117c915c075fd112b65)

Signed-off-by: Alexander Kanavin <alexander.kanavin@linux.intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2017-03-14 14:42:18 +00:00
Alexander Kanavin
5765e1981d security_flags.inc: Update for new python modules
(From OE-Core rev: 544d96d37e32a0e08af4d91da48c9f9ef296a515)

Signed-off-by: Alexander Kanavin <alexander.kanavin@linux.intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2017-03-11 16:09:14 +00:00
Robert Yang
4533abfb07 security_flags.inc: let gettext be secure
It has been fixed.

[YOCTO #9544]

(From OE-Core rev: ab711c978ba612a5a636155d703f45365604222c)

Signed-off-by: Robert Yang <liezhi.yang@windriver.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2017-02-23 12:49:51 -08:00
Ross Burton
00dd77d449 security_flags: disable -pie for gpgme
Otherwise this fails to build the libraries:

relocation R_X86_64_PC32 against undefined hidden symbol `__init_array_start'
can not be used when making a shared object

(From OE-Core rev: 632eee4fbd4627482aae752eb41104b3a848fd58)

Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2017-02-15 20:06:42 -08:00
Chen Qi
f5bbeae789 security_flags: enable string formatting check for console tools
As we've fixed the string formatting issue in console-tools, we don't
need to override SECURITY_STRINGFORMAT for console-tools any more.

[YOCTO #9540]

(From OE-Core rev: 3883332f84d9da0792c2c7337e842da34ea1b06c)

Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2017-02-15 20:06:42 -08:00
Khem Raj
33bed1e253 security_flags: Disable PIE for mesa-gl
This crept in along with the rest of the changes in
c999b3d88dfcffbe0fb66406fb0bff1fb66f34bc
even after a build failure in mesa-gl was reported.
This is also showing up on the arm architecture now

| /usr/src/debug/glibc/2.24-r0/git/csu/elf-init.c:87: undefined reference to `__init_array_end'
| /usr/src/debug/glibc/2.24-r0/git/csu/elf-init.c:87: undefined reference to `__init_array_start'
| /a/builder/mnt/build/tmp-glibc/sysroots/x86_64-linux/usr/libexec/arm-oe-linux-gnueabi/gcc/arm-oe-linux-gnueabi/6.2.0/ld: .libs/mesa_dri_drivers.so: hidden symbol `__init_array_end' isn't defined

(From OE-Core rev: 9211fb2a6d6c2d72ec7c2664737aee3a6b6149cf)

Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2016-10-07 16:43:58 +01:00
Alexander Kanavin
94317f52ce source-highlight: add a recipe
gtk-doc relies on this to highlight source code snippets

(From OE-Core rev: 380f449bc1881a6e8592463c7eeda3655efb97ea)

Signed-off-by: Alexander Kanavin <alexander.kanavin@linux.intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2016-09-09 12:12:22 +01:00
Alexander Kanavin
310d860262 security_flags.inc: enable PIE for a few recipes
They used to fail with PIE enabled, but no longer do.

(From OE-Core rev: c999b3d88dfcffbe0fb66406fb0bff1fb66f34bc)

Signed-off-by: Alexander Kanavin <alexander.kanavin@linux.intel.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2016-08-17 10:35:38 +01:00
Robert Yang
91a6f3a375 slang: 2.2.4 -> 2.3.0
* Removed:
  change-char-type-to-signed-char-in-macros.patch
  sprintf-bug-concerning-8-bit-characters.patch
  They are already in the source.

* Updated:
  fix-check-pcre.patch
  fix-check-pcre.patch
  slang-fix-the-iconv-existence-checking.patch

* Use SECURITY_NO_PIE_CFLAGS for SECURITY_CFLAGS, it can't be built with
  "-pie -fpie":
  tmp/sysroots/qemux86-64/usr/lib64/../lib64/Scrt1.o: In function `_start':
  /usr/src/debug/glibc/2.24-r0/git/csu/../sysdeps/x86_64/start.S:104: undefined reference to `main'
  /tmp/ccMFTA8A.o: In function `smg_char_at':
  /usr/src/debug/slang/2.3.0-r0/slang-2.3.0/modules/slsmg-module.c:134: undefined reference to `SLsmg_char_at'
  /tmp/ccMFTA8A.o: In function `smg_resume_smg':

(From OE-Core rev: b2d6e069b9ecc5a13754393200a6fa48cdaaf4c6)

Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2016-07-26 08:56:26 +01:00
Alexander Kanavin
ec96025bc3 security_flags.inc: add python3-pycairo and libnewt-python to no-pie exception list
(From OE-Core rev: 0bfbc3e901067b0fee09c55d203b850a258fbbe3)

Signed-off-by: Alexander Kanavin <alexander.kanavin@linux.intel.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2016-06-23 14:26:15 +01:00
Alexander Kanavin
0881208168 security_flags.inc: add SECURITY_NO_PIE_CFLAGS to libgcc and gcc-sanitizers
These recipes no longer seem to need full exclusion from security hardening.

The rest (glibc, gcc-runtime, valgrind, grub, grub-efi, uclibc) still do.

[YOCTO #9489]

(From OE-Core rev: b3d7aae42550fb92bcb82fdee7e518b04bdf49b4)

Signed-off-by: Alexander Kanavin <alexander.kanavin@linux.intel.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2016-06-23 14:26:15 +01:00
Alexander Kanavin
a8cf2ce41a security_flags.inc: add an entry for python3-numpy
The entry is same as for python-numpy and prevents build failures
when extra security flags are in use (e.g. in poky-lsb).

(From OE-Core rev: 4a95989848df62b34e3115c7e81d4f005de74119)

Signed-off-by: Alexander Kanavin <alexander.kanavin@linux.intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2016-06-03 13:13:30 +01:00
Alexander Kanavin
68cea00205 python-imaging: remove unused recipe
(From OE-Core rev: b03ebfaee278eb98b4bd0e11a682ac0cda192086)

Signed-off-by: Alexander Kanavin <alexander.kanavin@linux.intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2016-06-03 13:13:27 +01:00
Edwin Plauchu
763a3d424b unzip: fix security issues
This patch avoids unzip failing to compile with compiler flags which elevate common string formatting issues into an error (-Wformat -Wformat-security -Werror=format-security).

[YOCTO #9551]

(From OE-Core rev: 2dd1c02fbc7492002df9030f50710e242369e8b2)

Signed-off-by: Edwin Plauchu <edwin.plauchu.camacho@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2016-06-01 12:38:43 +01:00
Edwin Plauchu
b00282fd20 makedevs: fix security issues
This avoids makedevs failing to compile with compiler flags
which elevate common string formatting issues into an error
(-Wformat -Wformat-security -Werror=format-security).

[YOCTO #9549]

(From OE-Core rev: f6b0dd13ac90bb431bb51e0cbf1681a4d9fbea14)

Signed-off-by: Edwin Plauchu <edwin.plauchu.camacho@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2016-05-19 09:05:20 +01:00
Edwin Plauchu
c676d5dd6f zip: fix security issues
This patch avoids the zip recipe failing to compile with compiler
flags which elevate common string formatting issues into an
error (-Wformat -Wformat-security -Werror=format-security).

[YOCTO #9552]

(From OE-Core rev: f63a36360b7e138d2a63c84b5b1a8287ffe3d2ae)

Signed-off-by: Edwin Plauchu <edwin.plauchu.camacho@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2016-05-19 09:05:20 +01:00
Edwin Plauchu
8ed25517a9 stat: fix security issues
This patch avoids stat failing to compile with compiler flags which
elevate common string formatting issues into an error (-Wformat
-Wformat-security -Werror=format-security).

[YOCTO #9550]

(From OE-Core rev: f03c1f41933e9997a01a8b1dcdf9fb18579de1d1)

Signed-off-by: Edwin Plauchu <edwin.plauchu.camacho@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2016-05-19 09:05:20 +01:00
Aníbal Limón
45da72bb53 security_flags: Enable security flags on leafpad, ltp and libuser.
Now we have patches that solve the security formatting issues in
those packages.

(From OE-Core rev: 901cfa5a217f78464f8b81a990039fe60810650f)

Signed-off-by: Aníbal Limón <anibal.limon@linux.intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2016-05-15 09:06:00 +01:00
Joshua Lock
30f9a5072d security_flags: turn potential string format security issues into an error
Add "-Wformat -Wformat-security -Werror=format-security" to the default
SECURITY_CFLAGS to catch potential security vulnerabilities due to the
misuse of various string formatting functions.

These flags are widely used in distributions such as Fedora and Ubuntu,
however we have 15 recipes in OE-Core which fail to build with these
flags included and thus the flags are removed for:
- busybox
- console-tools
- cmake
- expect
- gcc
- gettext
- kexec-tools
- leafpad
- libuser
- ltp
- makedevs
- oh-puzzles
- stat
- unzip
- zip

[YOCTO #9488]

(From OE-Core rev: f335f8e744fb312b3eb599c331d08a9a6e5a8ff8)

Signed-off-by: Joshua Lock <joshua.g.lock@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2016-05-06 10:31:12 +01:00
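The commit above enables -Wformat -Wformat-security -Werror=format-security but does not show what that flag set rejects. The following is an added example, not code from OE-Core or from any of the fifteen recipes listed; it puts the pattern the warning fires on (a non-literal string used as the format argument) next to the fixed form, and adds a small helper for triaging such hits by counting the directives an untrusted string would inject. The inputs in main() are constructed; the pragma around render_unsafe exists only so the demo still compiles under the hardened flags, which is the opposite of what the listed recipe patches did (they fixed the call sites).

```c
#include <stdio.h>
#include <string.h>

/*
 * Added example, not part of OE-Core: what -Wformat -Wformat-security
 * -Werror=format-security actually flags. Passing a non-literal string as
 * the *format* argument lets any '%' in that string drive the formatter.
 * Both render_* functions write a message into a fixed buffer and return
 * snprintf's length; only render_unsafe is rejected by the flags.
 */

#pragma GCC diagnostic push
#pragma GCC diagnostic ignored "-Wformat-security"
/* Unsafe: the message itself is the format string. With an attacker
 * controlled message, "%s"/"%n" read or write through the stack. The demo
 * input only uses "%%", so this particular call stays defined behaviour.
 * The pragma is here only so the demo compiles under the hardened flags. */
int render_unsafe(char *out, size_t outsz, const char *msg)
{
    return snprintf(out, outsz, msg);    /* flagged: format is not a literal */
}
#pragma GCC diagnostic pop

/* Safe: a literal format, the message is a plain %s argument. */
int render_safe(char *out, size_t outsz, const char *msg)
{
    return snprintf(out, outsz, "%s", msg);
}

/* Count the printf directives an untrusted string would inject if it were
 * ever used as a format: "%%" is an escaped percent, any other '%' starts
 * a directive (a trailing lone '%' counts too, it is still consumed). */
int count_format_directives(const char *s)
{
    int n = 0;
    for (const char *p = s; *p; p++) {
        if (*p != '%')
            continue;
        if (p[1] == '%') {               /* literal percent, skip the pair */
            p++;
            continue;
        }
        n++;
    }
    return n;
}

int main(void)
{
    char buf[64];
    const char *benign = "progress: 100%% done";        /* constructed input */
    const char *hostile = "user %s%s%s%n logged in";    /* constructed input */

    render_unsafe(buf, sizeof buf, benign);
    printf("unsafe: \"%s\"\n", buf);     /* "%%" collapses to a single "%" */
    render_safe(buf, sizeof buf, benign);
    printf("safe:   \"%s\"\n", buf);     /* message copied verbatim */
    printf("hostile string would inject %d directive(s)\n",
           count_format_directives(hostile));
    return 0;
}
```

The benign input is enough to show the two functions disagree (the unsafe one interprets "%%" and the safe one does not); the hostile one is what the warning is really about, since three "%s" with no arguments read stack slots and "%n" writes through one.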
Mark Hatle
59a4d99c20 security_flags.inc: Special flags are needed for RPM
RPM internally has support to build and work with the stack protector.
This is disabled by default in the RPM package, and the proper settings
should be specified in the security_flags.  Using the default setting of
stack-protector-strong causes linking problems due to issues with libtool
selecting the wrong GCC objects to link against.

Falling back to the RPM values of stack-protector will permit linking to
work properly, and some level of protection.

(From OE-Core rev: 98b5f1ef188965f0116ebbe00be746dceb96936e)

Signed-off-by: Mark Hatle <mark.hatle@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2016-03-09 17:00:28 +00:00
Khem Raj
aab39005b3 security_flags: Disable ssp when compiling uclibc
(From OE-Core rev: 208fbdbff17f19a23944a62f1b9ff380f1bc8ac8)

Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2016-02-22 20:42:48 +00:00