mirrors/poky
1
0
Fork 0
mirror of https://git.yoctoproject.org/poky synced 2026-02-12 19:53:03 +01:00
Code Issues Packages Projects Releases Wiki Activity
Files
dc5bbd2607fe55e2cb42e655dfd86dc7531f5a86
poky/meta/conf/distro/include/security_flags.inc
Khem Raj fa7db24367 security_flags.inc: Add same O<level> as in SELECTED_OPTIMIZATION 
Adding -O can be troublesome in some packages where it may override the
O<n> specified by CFLAGS, this can be due to configure processing of
CFLAGS and munging them into new values in Makefiles, which is
contructed from CC and CFLAGS passed by bitbake environment. Problem
arises if the sequence is altered, which seems to be the case in some
packages e.g. ncurses, where the value from CC variable is added last
and thus overrides -O<n> coming from CFLAGS,

Therefore grok the value from SELECTED_OPTIMIZATION and append the
appropriate -O<level> flag to lcl_maybe_fortify so the level does not
change inaderdantly.

Since we do not use -O0 anymore there is no point of checking for
DEBUG_BUILD since it uses -Og now which works fine with
-D_FORTIFY_SOURCE=2, so check for optlevel O0 instead

(From OE-Core rev: 9571a18f7d15b3bffafc2e277ab90a21d6763697)

Signed-off-by: Khem Raj <raj.khem@gmail.com>
Cc: Anuj Mittal <anuj.mittal@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2021-02-12 23:32:16 +00:00

72 lines
3.1 KiB
PHP
Raw Blame History

# Setup extra CFLAGS and LDFLAGS which have 'security' benefits. These
# don't work universally, there are recipes which can't use one, the other
# or both so a blacklist is maintained here. The idea would be over
# time to reduce this list to nothing.
# From a Yocto Project perspective, this file is included and tested
# in the DISTRO="poky" configuration.
GCCPIE ?= "--enable-default-pie"
# If static PIE is known to work well, GLIBCPIE="--enable-static-pie" can be set
# _FORTIFY_SOURCE requires -O1 or higher, so disable in debug builds as they use
# -O0 which then results in a compiler warning.
OPTLEVEL = "${@bb.utils.filter('SELECTED_OPTIMIZATION', '-O0 -O1 -O2 -O3 -Ofast -Og -Os -Oz -O', d)}"
lcl_maybe_fortify ?= "${@oe.utils.conditional('OPTLEVEL','-O0','','${OPTLEVEL} -D_FORTIFY_SOURCE=2',d)}"
# Error on use of format strings that represent possible security problems
SECURITY_STRINGFORMAT ?= "-Wformat -Wformat-security -Werror=format-security"
# Inject pie flags into compiler flags if not configured with gcc itself
# especially useful with external toolchains
SECURITY_PIE_CFLAGS ?= "${@'' if '${GCCPIE}' else '-pie -fPIE'}"
SECURITY_NOPIE_CFLAGS ?= "-no-pie -fno-PIE"
SECURITY_STACK_PROTECTOR ?= "-fstack-protector-strong"
SECURITY_CFLAGS ?= "${SECURITY_STACK_PROTECTOR} ${SECURITY_PIE_CFLAGS} ${lcl_maybe_fortify} ${SECURITY_STRINGFORMAT}"
SECURITY_NO_PIE_CFLAGS ?= "${SECURITY_STACK_PROTECTOR} ${lcl_maybe_fortify} ${SECURITY_STRINGFORMAT}"
SECURITY_LDFLAGS ?= "-Wl,-z,relro,-z,now"
SECURITY_X_LDFLAGS ?= "-Wl,-z,relro"
# powerpc does not get on with pie for reasons not looked into as yet
GCCPIE_powerpc = ""
GLIBCPIE_powerpc = ""
SECURITY_CFLAGS_remove_powerpc = "${SECURITY_PIE_CFLAGS}"
SECURITY_CFLAGS_pn-libgcc_powerpc = ""
SECURITY_CFLAGS_pn-glibc = ""
SECURITY_CFLAGS_pn-glibc-testsuite = ""
SECURITY_CFLAGS_pn-gcc-runtime = ""
SECURITY_CFLAGS_pn-grub = ""
SECURITY_CFLAGS_pn-grub-efi = ""
SECURITY_CFLAGS_pn-mkelfimage_x86 = ""
SECURITY_CFLAGS_pn-valgrind = "${SECURITY_NOPIE_CFLAGS}"
SECURITY_LDFLAGS_pn-valgrind = ""
SECURITY_CFLAGS_pn-sysklogd = "${SECURITY_NOPIE_CFLAGS}"
SECURITY_LDFLAGS_pn-sysklogd = ""
# Recipes which fail to compile when elevating -Wformat-security to an error
SECURITY_STRINGFORMAT_pn-busybox = ""
SECURITY_STRINGFORMAT_pn-gcc = ""
TARGET_CC_ARCH_append_class-target = " ${SECURITY_CFLAGS}"
TARGET_LDFLAGS_append_class-target = " ${SECURITY_LDFLAGS}"
TARGET_CC_ARCH_append_class-cross-canadian = " ${SECURITY_CFLAGS}"
TARGET_LDFLAGS_append_class-cross-canadian = " ${SECURITY_LDFLAGS}"
SECURITY_STACK_PROTECTOR_pn-gcc-runtime = ""
SECURITY_STACK_PROTECTOR_pn-glibc = ""
SECURITY_STACK_PROTECTOR_pn-glibc-testsuite = ""
# All xorg module drivers need to be linked this way as well and are
# handled in recipes-graphics/xorg-driver/xorg-driver-common.inc
SECURITY_LDFLAGS_pn-xserver-xorg = "${SECURITY_X_LDFLAGS}"
TARGET_CC_ARCH_append_pn-binutils = " ${SELECTED_OPTIMIZATION}"
TARGET_CC_ARCH_append_pn-gcc = " ${SELECTED_OPTIMIZATION}"
TARGET_CC_ARCH_append_pn-gdb = " ${SELECTED_OPTIMIZATION}"
TARGET_CC_ARCH_append_pn-perf = " ${SELECTED_OPTIMIZATION}"
Reference in New Issue View Git Blame Copy Permalink