defaultsetup.conf: Enable security flags+pie by default

Message ID 20180723190928.27368-1-raj.khem@gmail.com
State New
Headers show
Series
  • defaultsetup.conf: Enable security flags+pie by default
Related show

Commit Message

Khem Raj July 23, 2018, 7:09 p.m.
This has been an opt-in for so long, some distributions e.g.
poky-lsb uses it by default however, since most of linux
distros have started to default to these settings for security
enhancements, time has come for OE to make it default too

Signed-off-by: Khem Raj <raj.khem@gmail.com>

---
 meta/conf/distro/defaultsetup.conf | 1 +
 1 file changed, 1 insertion(+)

-- 
2.18.0

-- 
_______________________________________________
Openembedded-core mailing list
Openembedded-core@lists.openembedded.org
http://lists.openembedded.org/mailman/listinfo/openembedded-core

Comments

Anuj Mittal July 24, 2018, 6:42 a.m. | #1
On 07/24/2018 03:09 AM, Khem Raj wrote:
> This has been an opt-in for so long, some distributions e.g.

> poky-lsb uses it by default however, since most of linux

> distros have started to default to these settings for security

> enhancements, time has come for OE to make it default too


Should be removed from poky-lsb in that case otherwise gives duplicate
inclusion warnings.

> 

> Signed-off-by: Khem Raj <raj.khem@gmail.com>

> ---

>  meta/conf/distro/defaultsetup.conf | 1 +

>  1 file changed, 1 insertion(+)

> 

> diff --git a/meta/conf/distro/defaultsetup.conf b/meta/conf/distro/defaultsetup.conf

> index ca2f9178d2..352e279596 100644

> --- a/meta/conf/distro/defaultsetup.conf

> +++ b/meta/conf/distro/defaultsetup.conf

> @@ -1,6 +1,7 @@

>  include conf/distro/include/default-providers.inc

>  include conf/distro/include/default-versions.inc

>  include conf/distro/include/default-distrovars.inc

> +require conf/distro/include/security_flags.inc

>  include conf/distro/include/world-broken.inc

>  

>  TCMODE ?= "default"

> 


-- 
_______________________________________________
Openembedded-core mailing list
Openembedded-core@lists.openembedded.org
http://lists.openembedded.org/mailman/listinfo/openembedded-core
ChenQi July 24, 2018, 7:34 a.m. | #2
Hi Khem,

The comments in security-flags.inc also needs to be modified to remove 
'poky-lsb' info.

I'd suggest we still put it into distro conf file (poky.conf) instead of 
defaultsetup.conf, because defaultsetup.conf is included by 
bitbake.conf. I think things in defaultsetup.conf should be necessary 
default values to build things out. I don't think security flags is 
necessary to build things out.

Also, I got a question when I just looked at this file.
Do you think we should adjust CFLAGS and LDFALGS in security_flags.inc 
instead of the current TARGET_CC_ARCH and TARGET_LDFLAGS? We are naming 
variables to SECURITY_CFLAGS and SECURITY_LDFLAGS, it seems that they 
belong to CFLAGS and LDFLAGS naturally. But I'm not sure about it.

Best Regards,
Chen Qi


On 07/24/2018 03:09 AM, Khem Raj wrote:
> This has been an opt-in for so long, some distributions e.g.

> poky-lsb uses it by default however, since most of linux

> distros have started to default to these settings for security

> enhancements, time has come for OE to make it default too

>

> Signed-off-by: Khem Raj <raj.khem@gmail.com>

> ---

>   meta/conf/distro/defaultsetup.conf | 1 +

>   1 file changed, 1 insertion(+)

>

> diff --git a/meta/conf/distro/defaultsetup.conf b/meta/conf/distro/defaultsetup.conf

> index ca2f9178d2..352e279596 100644

> --- a/meta/conf/distro/defaultsetup.conf

> +++ b/meta/conf/distro/defaultsetup.conf

> @@ -1,6 +1,7 @@

>   include conf/distro/include/default-providers.inc

>   include conf/distro/include/default-versions.inc

>   include conf/distro/include/default-distrovars.inc

> +require conf/distro/include/security_flags.inc

>   include conf/distro/include/world-broken.inc

>   

>   TCMODE ?= "default"



-- 
_______________________________________________
Openembedded-core mailing list
Openembedded-core@lists.openembedded.org
http://lists.openembedded.org/mailman/listinfo/openembedded-core
Khem Raj July 24, 2018, 2:12 p.m. | #3
On Tue, Jul 24, 2018 at 12:30 AM ChenQi <Qi.Chen@windriver.com> wrote:
>

> Hi Khem,

>

> The comments in security-flags.inc also needs to be modified to remove

> 'poky-lsb' info.

>

> I'd suggest we still put it into distro conf file (poky.conf) instead of

> defaultsetup.conf, because defaultsetup.conf is included by

> bitbake.conf. I think things in defaultsetup.conf should be necessary

> default values to build things out. I don't think security flags is

> necessary to build things out.


this is the default setup, even non-poky users will get consistent experience.

>

> Also, I got a question when I just looked at this file.

> Do you think we should adjust CFLAGS and LDFALGS in security_flags.inc

> instead of the current TARGET_CC_ARCH and TARGET_LDFLAGS?


in many cases packages do not honor CFLAGS/LDFLAGS say during configure

We are naming
> variables to SECURITY_CFLAGS and SECURITY_LDFLAGS, it seems that they

> belong to CFLAGS and LDFLAGS naturally. But I'm not sure about it.

>

yes they do, but this makes it easy to override the setting for packages where
these options are needed to be overridden or modified.


> Best Regards,

> Chen Qi

>

>

> On 07/24/2018 03:09 AM, Khem Raj wrote:

> > This has been an opt-in for so long, some distributions e.g.

> > poky-lsb uses it by default however, since most of linux

> > distros have started to default to these settings for security

> > enhancements, time has come for OE to make it default too

> >

> > Signed-off-by: Khem Raj <raj.khem@gmail.com>

> > ---

> >   meta/conf/distro/defaultsetup.conf | 1 +

> >   1 file changed, 1 insertion(+)

> >

> > diff --git a/meta/conf/distro/defaultsetup.conf b/meta/conf/distro/defaultsetup.conf

> > index ca2f9178d2..352e279596 100644

> > --- a/meta/conf/distro/defaultsetup.conf

> > +++ b/meta/conf/distro/defaultsetup.conf

> > @@ -1,6 +1,7 @@

> >   include conf/distro/include/default-providers.inc

> >   include conf/distro/include/default-versions.inc

> >   include conf/distro/include/default-distrovars.inc

> > +require conf/distro/include/security_flags.inc

> >   include conf/distro/include/world-broken.inc

> >

> >   TCMODE ?= "default"

>

>

-- 
_______________________________________________
Openembedded-core mailing list
Openembedded-core@lists.openembedded.org
http://lists.openembedded.org/mailman/listinfo/openembedded-core
Khem Raj July 24, 2018, 2:13 p.m. | #4
On Mon, Jul 23, 2018 at 11:42 PM Anuj Mittal <anuj.mittal@intel.com> wrote:
>

> On 07/24/2018 03:09 AM, Khem Raj wrote:

> > This has been an opt-in for so long, some distributions e.g.

> > poky-lsb uses it by default however, since most of linux

> > distros have started to default to these settings for security

> > enhancements, time has come for OE to make it default too

>

> Should be removed from poky-lsb in that case otherwise gives duplicate

> inclusion warnings.

>


yes. after this patch lands we can do that.

> >

> > Signed-off-by: Khem Raj <raj.khem@gmail.com>

> > ---

> >  meta/conf/distro/defaultsetup.conf | 1 +

> >  1 file changed, 1 insertion(+)

> >

> > diff --git a/meta/conf/distro/defaultsetup.conf b/meta/conf/distro/defaultsetup.conf

> > index ca2f9178d2..352e279596 100644

> > --- a/meta/conf/distro/defaultsetup.conf

> > +++ b/meta/conf/distro/defaultsetup.conf

> > @@ -1,6 +1,7 @@

> >  include conf/distro/include/default-providers.inc

> >  include conf/distro/include/default-versions.inc

> >  include conf/distro/include/default-distrovars.inc

> > +require conf/distro/include/security_flags.inc

> >  include conf/distro/include/world-broken.inc

> >

> >  TCMODE ?= "default"

> >

>

-- 
_______________________________________________
Openembedded-core mailing list
Openembedded-core@lists.openembedded.org
http://lists.openembedded.org/mailman/listinfo/openembedded-core
Peter Kjellerstedt July 27, 2018, 8:49 p.m. | #5
> -----Original Message-----

> From: openembedded-core-bounces@lists.openembedded.org <openembedded-

> core-bounces@lists.openembedded.org> On Behalf Of Khem Raj

> Sent: den 24 juli 2018 16:12

> To: ChenQi <Qi.Chen@windriver.com>

> Cc: Patches and discussions about the oe-core layer <openembedded-

> core@lists.openembedded.org>

> Subject: Re: [OE-core] [PATCH] defaultsetup.conf: Enable security

> flags+pie by default

> 

> On Tue, Jul 24, 2018 at 12:30 AM ChenQi <Qi.Chen@windriver.com> wrote:

> >

> > Hi Khem,

> >

> > The comments in security-flags.inc also needs to be modified to

> remove

> > 'poky-lsb' info.

> >

> > I'd suggest we still put it into distro conf file (poky.conf) instead

> of

> > defaultsetup.conf, because defaultsetup.conf is included by

> > bitbake.conf. I think things in defaultsetup.conf should be necessary

> > default values to build things out. I don't think security flags is

> > necessary to build things out.

> 

> this is the default setup, even non-poky users will get consistent

> experience.


I have to agree with Chen here. I think requiring security_flags.inc from 
defaultsetup.conf is the wrong thing to do. We use security_flags.inc in 
our setup, and I know how much trouble it has brought. To me, using it 
should be a distro decision, not something that is enforced by the use 
of bitbake.

> > Also, I got a question when I just looked at this file.

> > Do you think we should adjust CFLAGS and LDFALGS in security_flags.inc

> > instead of the current TARGET_CC_ARCH and TARGET_LDFLAGS?

> 

> in many cases packages do not honor CFLAGS/LDFLAGS say during configure

> 

> > We are naming

> > variables to SECURITY_CFLAGS and SECURITY_LDFLAGS, it seems that they

> > belong to CFLAGS and LDFLAGS naturally. But I'm not sure about it.

> >

> yes they do, but this makes it easy to override the setting for

> packages where these options are needed to be overridden or modified.


Actually, with the changes introduced in Pyro, SECURITY_CFLAGS became a 
mess. Before Pyro, you either set SECURITY_CFLAGS to 
"${SECURITY_NO_PIE_CFLAGS}" (to disable the use of -fpie), or you set it 
to the empty string (to disable all security options). With Pyro and later, 
you instead have to set SECURITY_CFLAGS to "${SECURITY_NO_PIE_CFLAGS} 
${SECURITY_NOPIE_CFLAGS}" to make sure -fpie is disabled, or set it to 
"${SECURITY_NOPIE_CFLAGS}" to disable everything. Alternatively you can 
set SECURITY_PIE_CFLAGS to "${SECURITY_NOPIE_CFLAGS}" to only disable 
-fpie.

I have considered to suggest changing the definition of 
SECURITY_NOPIE_CFLAGS to:

SECURITY_NOPIE_CFLAGS ?= "${@'-no-pie -fno-PIE' if '${GCCPIE}' else ''}"

and then change SECURITY_NO_PIE_CFLAGS to:

SECURITY_NO_PIE_CFLAGS ?= "-fstack-protector-strong ${SECURITY_NOPIE_CFLAGS} ${lcl_maybe_fortify} ${SECURITY_STRINGFORMAT}"

That would better have matched the situation before Pyro, in that one yet 
again would set SECURITY_CFLAGS to "${SECURITY_NO_PIE_CFLAGS}" to disable 
-fpie. Unfortunately one would still have to set SECURITY_CFLAGS to 
"${SECURITY_NOPIE_CFLAGS}" to disable everything.

> > Best Regards,

> > Chen Qi

> >

> >

> > On 07/24/2018 03:09 AM, Khem Raj wrote:

> > > This has been an opt-in for so long, some distributions e.g.

> > > poky-lsb uses it by default however, since most of linux

> > > distros have started to default to these settings for security

> > > enhancements, time has come for OE to make it default too

> > >

> > > Signed-off-by: Khem Raj <raj.khem@gmail.com>

> > > ---

> > >   meta/conf/distro/defaultsetup.conf | 1 +

> > >   1 file changed, 1 insertion(+)

> > >

> > > diff --git a/meta/conf/distro/defaultsetup.conf

> b/meta/conf/distro/defaultsetup.conf

> > > index ca2f9178d2..352e279596 100644

> > > --- a/meta/conf/distro/defaultsetup.conf

> > > +++ b/meta/conf/distro/defaultsetup.conf

> > > @@ -1,6 +1,7 @@

> > >   include conf/distro/include/default-providers.inc

> > >   include conf/distro/include/default-versions.inc

> > >   include conf/distro/include/default-distrovars.inc

> > > +require conf/distro/include/security_flags.inc

> > >   include conf/distro/include/world-broken.inc

> > >

> > >   TCMODE ?= "default"


//Peter

-- 
_______________________________________________
Openembedded-core mailing list
Openembedded-core@lists.openembedded.org
http://lists.openembedded.org/mailman/listinfo/openembedded-core
Andre McCurdy July 27, 2018, 9:05 p.m. | #6
On Fri, Jul 27, 2018 at 1:49 PM, Peter Kjellerstedt
<peter.kjellerstedt@axis.com> wrote:
>> -----Original Message-----

>> From: openembedded-core-bounces@lists.openembedded.org <openembedded-

>> core-bounces@lists.openembedded.org> On Behalf Of Khem Raj

>> Sent: den 24 juli 2018 16:12

>> To: ChenQi <Qi.Chen@windriver.com>

>> Cc: Patches and discussions about the oe-core layer <openembedded-

>> core@lists.openembedded.org>

>> Subject: Re: [OE-core] [PATCH] defaultsetup.conf: Enable security

>> flags+pie by default

>>

>> On Tue, Jul 24, 2018 at 12:30 AM ChenQi <Qi.Chen@windriver.com> wrote:

>> >

>> > Hi Khem,

>> >

>> > The comments in security-flags.inc also needs to be modified to

>> remove

>> > 'poky-lsb' info.

>> >

>> > I'd suggest we still put it into distro conf file (poky.conf) instead

>> of

>> > defaultsetup.conf, because defaultsetup.conf is included by

>> > bitbake.conf. I think things in defaultsetup.conf should be necessary

>> > default values to build things out. I don't think security flags is

>> > necessary to build things out.

>>

>> this is the default setup, even non-poky users will get consistent

>> experience.

>

> I have to agree with Chen here. I think requiring security_flags.inc from

> defaultsetup.conf is the wrong thing to do. We use security_flags.inc in

> our setup, and I know how much trouble it has brought. To me, using it

> should be a distro decision, not something that is enforced by the use

> of bitbake.


The current approach taken by security_flags.inc is basically to
enable every possible option related to security. Some of these
options cause trouble and but some are trouble free... and
unfortunately up to now we've lumped them all in together.

If we enable security related flags by default it would be better to
do so step by step - starting with the smallest and least risky change
and (for now) leaving the rest for distros who want/need them.

ie I agree that enabling the current security_flags.inc by default
isn't the right approach.


>> > Also, I got a question when I just looked at this file.

>> > Do you think we should adjust CFLAGS and LDFALGS in security_flags.inc

>> > instead of the current TARGET_CC_ARCH and TARGET_LDFLAGS?

>>

>> in many cases packages do not honor CFLAGS/LDFLAGS say during configure

>>

>> > We are naming

>> > variables to SECURITY_CFLAGS and SECURITY_LDFLAGS, it seems that they

>> > belong to CFLAGS and LDFLAGS naturally. But I'm not sure about it.

>> >

>> yes they do, but this makes it easy to override the setting for

>> packages where these options are needed to be overridden or modified.

>

> Actually, with the changes introduced in Pyro, SECURITY_CFLAGS became a

> mess. Before Pyro, you either set SECURITY_CFLAGS to

> "${SECURITY_NO_PIE_CFLAGS}" (to disable the use of -fpie), or you set it

> to the empty string (to disable all security options). With Pyro and later,

> you instead have to set SECURITY_CFLAGS to "${SECURITY_NO_PIE_CFLAGS}

> ${SECURITY_NOPIE_CFLAGS}" to make sure -fpie is disabled, or set it to

> "${SECURITY_NOPIE_CFLAGS}" to disable everything. Alternatively you can

> set SECURITY_PIE_CFLAGS to "${SECURITY_NOPIE_CFLAGS}" to only disable

> -fpie.

>

> I have considered to suggest changing the definition of

> SECURITY_NOPIE_CFLAGS to:

>

> SECURITY_NOPIE_CFLAGS ?= "${@'-no-pie -fno-PIE' if '${GCCPIE}' else ''}"

>

> and then change SECURITY_NO_PIE_CFLAGS to:

>

> SECURITY_NO_PIE_CFLAGS ?= "-fstack-protector-strong ${SECURITY_NOPIE_CFLAGS} ${lcl_maybe_fortify} ${SECURITY_STRINGFORMAT}"

>

> That would better have matched the situation before Pyro, in that one yet

> again would set SECURITY_CFLAGS to "${SECURITY_NO_PIE_CFLAGS}" to disable

> -fpie. Unfortunately one would still have to set SECURITY_CFLAGS to

> "${SECURITY_NOPIE_CFLAGS}" to disable everything.

>

>> > Best Regards,

>> > Chen Qi

>> >

>> >

>> > On 07/24/2018 03:09 AM, Khem Raj wrote:

>> > > This has been an opt-in for so long, some distributions e.g.

>> > > poky-lsb uses it by default however, since most of linux

>> > > distros have started to default to these settings for security

>> > > enhancements, time has come for OE to make it default too

>> > >

>> > > Signed-off-by: Khem Raj <raj.khem@gmail.com>

>> > > ---

>> > >   meta/conf/distro/defaultsetup.conf | 1 +

>> > >   1 file changed, 1 insertion(+)

>> > >

>> > > diff --git a/meta/conf/distro/defaultsetup.conf

>> b/meta/conf/distro/defaultsetup.conf

>> > > index ca2f9178d2..352e279596 100644

>> > > --- a/meta/conf/distro/defaultsetup.conf

>> > > +++ b/meta/conf/distro/defaultsetup.conf

>> > > @@ -1,6 +1,7 @@

>> > >   include conf/distro/include/default-providers.inc

>> > >   include conf/distro/include/default-versions.inc

>> > >   include conf/distro/include/default-distrovars.inc

>> > > +require conf/distro/include/security_flags.inc

>> > >   include conf/distro/include/world-broken.inc

>> > >

>> > >   TCMODE ?= "default"

>

> //Peter

>

> --

> _______________________________________________

> Openembedded-core mailing list

> Openembedded-core@lists.openembedded.org

> http://lists.openembedded.org/mailman/listinfo/openembedded-core

-- 
_______________________________________________
Openembedded-core mailing list
Openembedded-core@lists.openembedded.org
http://lists.openembedded.org/mailman/listinfo/openembedded-core
Khem Raj July 27, 2018, 9:26 p.m. | #7
On Fri, Jul 27, 2018 at 1:49 PM Peter Kjellerstedt
<peter.kjellerstedt@axis.com> wrote:
>

> > -----Original Message-----

> > From: openembedded-core-bounces@lists.openembedded.org <openembedded-

> > core-bounces@lists.openembedded.org> On Behalf Of Khem Raj

> > Sent: den 24 juli 2018 16:12

> > To: ChenQi <Qi.Chen@windriver.com>

> > Cc: Patches and discussions about the oe-core layer <openembedded-

> > core@lists.openembedded.org>

> > Subject: Re: [OE-core] [PATCH] defaultsetup.conf: Enable security

> > flags+pie by default

> >

> > On Tue, Jul 24, 2018 at 12:30 AM ChenQi <Qi.Chen@windriver.com> wrote:

> > >

> > > Hi Khem,

> > >

> > > The comments in security-flags.inc also needs to be modified to

> > remove

> > > 'poky-lsb' info.

> > >

> > > I'd suggest we still put it into distro conf file (poky.conf) instead

> > of

> > > defaultsetup.conf, because defaultsetup.conf is included by

> > > bitbake.conf. I think things in defaultsetup.conf should be necessary

> > > default values to build things out. I don't think security flags is

> > > necessary to build things out.

> >

> > this is the default setup, even non-poky users will get consistent

> > experience.

>

> I have to agree with Chen here. I think requiring security_flags.inc from

> defaultsetup.conf is the wrong thing to do. We use security_flags.inc in

> our setup, and I know how much trouble it has brought. To me, using it

> should be a distro decision, not something that is enforced by the use

> of bitbake.


Thats fine, I can move this to poky distro settings, using it by
default would have
been in sync for all since reference distro is using it would be
easier for others when
submitting patches, as a phase 2 I was also thinking of defaulting to
hardeing in the toolchain itself
and remove this file completely that would have made it much better,
then folks who dont want hardeing could just disable
it in toolchain. but I am fine to leave it a distro decision for now.

>

> > > Also, I got a question when I just looked at this file.

> > > Do you think we should adjust CFLAGS and LDFALGS in security_flags.inc

> > > instead of the current TARGET_CC_ARCH and TARGET_LDFLAGS?

> >

> > in many cases packages do not honor CFLAGS/LDFLAGS say during configure

> >

> > > We are naming

> > > variables to SECURITY_CFLAGS and SECURITY_LDFLAGS, it seems that they

> > > belong to CFLAGS and LDFLAGS naturally. But I'm not sure about it.

> > >

> > yes they do, but this makes it easy to override the setting for

> > packages where these options are needed to be overridden or modified.

>

> Actually, with the changes introduced in Pyro, SECURITY_CFLAGS became a

> mess. Before Pyro, you either set SECURITY_CFLAGS to

> "${SECURITY_NO_PIE_CFLAGS}" (to disable the use of -fpie), or you set it

> to the empty string (to disable all security options). With Pyro and later,

> you instead have to set SECURITY_CFLAGS to "${SECURITY_NO_PIE_CFLAGS}

> ${SECURITY_NOPIE_CFLAGS}" to make sure -fpie is disabled, or set it to

> "${SECURITY_NOPIE_CFLAGS}" to disable everything. Alternatively you can

> set SECURITY_PIE_CFLAGS to "${SECURITY_NOPIE_CFLAGS}" to only disable

> -fpie.

>

> I have considered to suggest changing the definition of

> SECURITY_NOPIE_CFLAGS to:

>

> SECURITY_NOPIE_CFLAGS ?= "${@'-no-pie -fno-PIE' if '${GCCPIE}' else ''}"

>

> and then change SECURITY_NO_PIE_CFLAGS to:

>

> SECURITY_NO_PIE_CFLAGS ?= "-fstack-protector-strong ${SECURITY_NOPIE_CFLAGS} ${lcl_maybe_fortify} ${SECURITY_STRINGFORMAT}"

>

> That would better have matched the situation before Pyro, in that one yet

> again would set SECURITY_CFLAGS to "${SECURITY_NO_PIE_CFLAGS}" to disable

> -fpie. Unfortunately one would still have to set SECURITY_CFLAGS to

> "${SECURITY_NOPIE_CFLAGS}" to disable everything.

>

> > > Best Regards,

> > > Chen Qi

> > >

> > >

> > > On 07/24/2018 03:09 AM, Khem Raj wrote:

> > > > This has been an opt-in for so long, some distributions e.g.

> > > > poky-lsb uses it by default however, since most of linux

> > > > distros have started to default to these settings for security

> > > > enhancements, time has come for OE to make it default too

> > > >

> > > > Signed-off-by: Khem Raj <raj.khem@gmail.com>

> > > > ---

> > > >   meta/conf/distro/defaultsetup.conf | 1 +

> > > >   1 file changed, 1 insertion(+)

> > > >

> > > > diff --git a/meta/conf/distro/defaultsetup.conf

> > b/meta/conf/distro/defaultsetup.conf

> > > > index ca2f9178d2..352e279596 100644

> > > > --- a/meta/conf/distro/defaultsetup.conf

> > > > +++ b/meta/conf/distro/defaultsetup.conf

> > > > @@ -1,6 +1,7 @@

> > > >   include conf/distro/include/default-providers.inc

> > > >   include conf/distro/include/default-versions.inc

> > > >   include conf/distro/include/default-distrovars.inc

> > > > +require conf/distro/include/security_flags.inc

> > > >   include conf/distro/include/world-broken.inc

> > > >

> > > >   TCMODE ?= "default"

>

> //Peter

>

-- 
_______________________________________________
Openembedded-core mailing list
Openembedded-core@lists.openembedded.org
http://lists.openembedded.org/mailman/listinfo/openembedded-core
Peter Kjellerstedt July 31, 2018, 9:17 p.m. | #8
> -----Original Message-----

> From: Khem Raj <raj.khem@gmail.com>

> Sent: den 27 juli 2018 23:27

> To: Peter Kjellerstedt <peter.kjellerstedt@axis.com>

> Cc: ChenQi <Qi.Chen@windriver.com>; Patches and discussions about the

> oe-core layer <openembedded-core@lists.openembedded.org>

> Subject: Re: [OE-core] [PATCH] defaultsetup.conf: Enable security

> flags+pie by default

> 

> On Fri, Jul 27, 2018 at 1:49 PM Peter Kjellerstedt

> <peter.kjellerstedt@axis.com> wrote:

> >

> > > -----Original Message-----

> > > From: openembedded-core-bounces@lists.openembedded.org

> <openembedded-

> > > core-bounces@lists.openembedded.org> On Behalf Of Khem Raj

> > > Sent: den 24 juli 2018 16:12

> > > To: ChenQi <Qi.Chen@windriver.com>

> > > Cc: Patches and discussions about the oe-core layer <openembedded-

> > > core@lists.openembedded.org>

> > > Subject: Re: [OE-core] [PATCH] defaultsetup.conf: Enable security

> > > flags+pie by default

> > >

> > > On Tue, Jul 24, 2018 at 12:30 AM ChenQi <Qi.Chen@windriver.com>

> wrote:

> > > >

> > > > Hi Khem,

> > > >

> > > > The comments in security-flags.inc also needs to be modified to

> > > remove

> > > > 'poky-lsb' info.

> > > >

> > > > I'd suggest we still put it into distro conf file (poky.conf)

> instead

> > > of

> > > > defaultsetup.conf, because defaultsetup.conf is included by

> > > > bitbake.conf. I think things in defaultsetup.conf should be

> necessary

> > > > default values to build things out. I don't think security flags

> is

> > > > necessary to build things out.

> > >

> > > this is the default setup, even non-poky users will get consistent

> > > experience.

> >

> > I have to agree with Chen here. I think requiring security_flags.inc

> from

> > defaultsetup.conf is the wrong thing to do. We use security_flags.inc

> in

> > our setup, and I know how much trouble it has brought. To me, using

> it

> > should be a distro decision, not something that is enforced by the

> use

> > of bitbake.

> 

> Thats fine, I can move this to poky distro settings, using it by

> default would have

> been in sync for all since reference distro is using it would be

> easier for others when

> submitting patches, as a phase 2 I was also thinking of defaulting to

> hardeing in the toolchain itself

> and remove this file completely that would have made it much better,

> then folks who dont want hardeing could just disable

> it in toolchain. but I am fine to leave it a distro decision for now.


I do not think that relying on the toolchain to handle this is the 
right thing to do, given that some of us use external toolchains in 
addition to the toolchain from OE-Core... With the current setup we 
get roughly the same coverage regardless of which toolchain we use.

//Peter

-- 
_______________________________________________
Openembedded-core mailing list
Openembedded-core@lists.openembedded.org
http://lists.openembedded.org/mailman/listinfo/openembedded-core
Khem Raj Aug. 2, 2018, 9:26 a.m. | #9
On Tue, Jul 31, 2018 at 2:17 PM Peter Kjellerstedt
<peter.kjellerstedt@axis.com> wrote:
>

> > -----Original Message-----

> > From: Khem Raj <raj.khem@gmail.com>

> > Sent: den 27 juli 2018 23:27

> > To: Peter Kjellerstedt <peter.kjellerstedt@axis.com>

> > Cc: ChenQi <Qi.Chen@windriver.com>; Patches and discussions about the

> > oe-core layer <openembedded-core@lists.openembedded.org>

> > Subject: Re: [OE-core] [PATCH] defaultsetup.conf: Enable security

> > flags+pie by default

> >

> > On Fri, Jul 27, 2018 at 1:49 PM Peter Kjellerstedt

> > <peter.kjellerstedt@axis.com> wrote:

> > >

> > > > -----Original Message-----

> > > > From: openembedded-core-bounces@lists.openembedded.org

> > <openembedded-

> > > > core-bounces@lists.openembedded.org> On Behalf Of Khem Raj

> > > > Sent: den 24 juli 2018 16:12

> > > > To: ChenQi <Qi.Chen@windriver.com>

> > > > Cc: Patches and discussions about the oe-core layer <openembedded-

> > > > core@lists.openembedded.org>

> > > > Subject: Re: [OE-core] [PATCH] defaultsetup.conf: Enable security

> > > > flags+pie by default

> > > >

> > > > On Tue, Jul 24, 2018 at 12:30 AM ChenQi <Qi.Chen@windriver.com>

> > wrote:

> > > > >

> > > > > Hi Khem,

> > > > >

> > > > > The comments in security-flags.inc also needs to be modified to

> > > > remove

> > > > > 'poky-lsb' info.

> > > > >

> > > > > I'd suggest we still put it into distro conf file (poky.conf)

> > instead

> > > > of

> > > > > defaultsetup.conf, because defaultsetup.conf is included by

> > > > > bitbake.conf. I think things in defaultsetup.conf should be

> > necessary

> > > > > default values to build things out. I don't think security flags

> > is

> > > > > necessary to build things out.

> > > >

> > > > this is the default setup, even non-poky users will get consistent

> > > > experience.

> > >

> > > I have to agree with Chen here. I think requiring security_flags.inc

> > from

> > > defaultsetup.conf is the wrong thing to do. We use security_flags.inc

> > in

> > > our setup, and I know how much trouble it has brought. To me, using

> > it

> > > should be a distro decision, not something that is enforced by the

> > use

> > > of bitbake.

> >

> > Thats fine, I can move this to poky distro settings, using it by

> > default would have

> > been in sync for all since reference distro is using it would be

> > easier for others when

> > submitting patches, as a phase 2 I was also thinking of defaulting to

> > hardeing in the toolchain itself

> > and remove this file completely that would have made it much better,

> > then folks who dont want hardeing could just disable

> > it in toolchain. but I am fine to leave it a distro decision for now.

>

> I do not think that relying on the toolchain to handle this is the

> right thing to do, given that some of us use external toolchains in

> addition to the toolchain from OE-Core... With the current setup we

> get roughly the same coverage regardless of which toolchain we use.


conversely,
external toolchains can then include unsecure-flags.inc or some such file
IMO we should provide best experience out of box for internal toolchain users
since thats all what we can do effectively. If we were to switch
defaults to use hardened flags
then it will be much better to have toolchains default to it and
thereby we can remove
many patches which we carry to inject these flags artificially in many
recipes confusing the
component build systems especially when dealing with PIE and PIC and
shared objects
-- 
_______________________________________________
Openembedded-core mailing list
Openembedded-core@lists.openembedded.org
http://lists.openembedded.org/mailman/listinfo/openembedded-core

Patch

diff --git a/meta/conf/distro/defaultsetup.conf b/meta/conf/distro/defaultsetup.conf
index ca2f9178d2..352e279596 100644
--- a/meta/conf/distro/defaultsetup.conf
+++ b/meta/conf/distro/defaultsetup.conf
@@ -1,6 +1,7 @@ 
 include conf/distro/include/default-providers.inc
 include conf/distro/include/default-versions.inc
 include conf/distro/include/default-distrovars.inc
+require conf/distro/include/security_flags.inc
 include conf/distro/include/world-broken.inc
 
 TCMODE ?= "default"