| Message ID | 20180723190928.27368-1-raj.khem@gmail.com |
|---|---|
| State | New |
| Headers | show |
| Series | defaultsetup.conf: Enable security flags+pie by default | expand |
On 07/24/2018 03:09 AM, Khem Raj wrote: > This has been an opt-in for so long, some distributions e.g. > poky-lsb uses it by default however, since most of linux > distros have started to default to these settings for security > enhancements, time has come for OE to make it default too Should be removed from poky-lsb in that case otherwise gives duplicate inclusion warnings. > > Signed-off-by: Khem Raj <raj.khem@gmail.com> > --- > meta/conf/distro/defaultsetup.conf | 1 + > 1 file changed, 1 insertion(+) > > diff --git a/meta/conf/distro/defaultsetup.conf b/meta/conf/distro/defaultsetup.conf > index ca2f9178d2..352e279596 100644 > --- a/meta/conf/distro/defaultsetup.conf > +++ b/meta/conf/distro/defaultsetup.conf > @@ -1,6 +1,7 @@ > include conf/distro/include/default-providers.inc > include conf/distro/include/default-versions.inc > include conf/distro/include/default-distrovars.inc > +require conf/distro/include/security_flags.inc > include conf/distro/include/world-broken.inc > > TCMODE ?= "default" > -- _______________________________________________ Openembedded-core mailing list Openembedded-core@lists.openembedded.org http://lists.openembedded.org/mailman/listinfo/openembedded-core
Hi Khem, The comments in security-flags.inc also needs to be modified to remove 'poky-lsb' info. I'd suggest we still put it into distro conf file (poky.conf) instead of defaultsetup.conf, because defaultsetup.conf is included by bitbake.conf. I think things in defaultsetup.conf should be necessary default values to build things out. I don't think security flags is necessary to build things out. Also, I got a question when I just looked at this file. Do you think we should adjust CFLAGS and LDFALGS in security_flags.inc instead of the current TARGET_CC_ARCH and TARGET_LDFLAGS? We are naming variables to SECURITY_CFLAGS and SECURITY_LDFLAGS, it seems that they belong to CFLAGS and LDFLAGS naturally. But I'm not sure about it. Best Regards, Chen Qi On 07/24/2018 03:09 AM, Khem Raj wrote: > This has been an opt-in for so long, some distributions e.g. > poky-lsb uses it by default however, since most of linux > distros have started to default to these settings for security > enhancements, time has come for OE to make it default too > > Signed-off-by: Khem Raj <raj.khem@gmail.com> > --- > meta/conf/distro/defaultsetup.conf | 1 + > 1 file changed, 1 insertion(+) > > diff --git a/meta/conf/distro/defaultsetup.conf b/meta/conf/distro/defaultsetup.conf > index ca2f9178d2..352e279596 100644 > --- a/meta/conf/distro/defaultsetup.conf > +++ b/meta/conf/distro/defaultsetup.conf > @@ -1,6 +1,7 @@ > include conf/distro/include/default-providers.inc > include conf/distro/include/default-versions.inc > include conf/distro/include/default-distrovars.inc > +require conf/distro/include/security_flags.inc > include conf/distro/include/world-broken.inc > > TCMODE ?= "default" -- _______________________________________________ Openembedded-core mailing list Openembedded-core@lists.openembedded.org http://lists.openembedded.org/mailman/listinfo/openembedded-core
On Tue, Jul 24, 2018 at 12:30 AM ChenQi <Qi.Chen@windriver.com> wrote: > > Hi Khem, > > The comments in security-flags.inc also needs to be modified to remove > 'poky-lsb' info. > > I'd suggest we still put it into distro conf file (poky.conf) instead of > defaultsetup.conf, because defaultsetup.conf is included by > bitbake.conf. I think things in defaultsetup.conf should be necessary > default values to build things out. I don't think security flags is > necessary to build things out. this is the default setup, even non-poky users will get consistent experience. > > Also, I got a question when I just looked at this file. > Do you think we should adjust CFLAGS and LDFALGS in security_flags.inc > instead of the current TARGET_CC_ARCH and TARGET_LDFLAGS? in many cases packages do not honor CFLAGS/LDFLAGS say during configure We are naming > variables to SECURITY_CFLAGS and SECURITY_LDFLAGS, it seems that they > belong to CFLAGS and LDFLAGS naturally. But I'm not sure about it. > yes they do, but this makes it easy to override the setting for packages where these options are needed to be overridden or modified. > Best Regards, > Chen Qi > > > On 07/24/2018 03:09 AM, Khem Raj wrote: > > This has been an opt-in for so long, some distributions e.g. > > poky-lsb uses it by default however, since most of linux > > distros have started to default to these settings for security > > enhancements, time has come for OE to make it default too > > > > Signed-off-by: Khem Raj <raj.khem@gmail.com> > > --- > > meta/conf/distro/defaultsetup.conf | 1 + > > 1 file changed, 1 insertion(+) > > > > diff --git a/meta/conf/distro/defaultsetup.conf b/meta/conf/distro/defaultsetup.conf > > index ca2f9178d2..352e279596 100644 > > --- a/meta/conf/distro/defaultsetup.conf > > +++ b/meta/conf/distro/defaultsetup.conf > > @@ -1,6 +1,7 @@ > > include conf/distro/include/default-providers.inc > > include conf/distro/include/default-versions.inc > > include conf/distro/include/default-distrovars.inc > > +require conf/distro/include/security_flags.inc > > include conf/distro/include/world-broken.inc > > > > TCMODE ?= "default" > > -- _______________________________________________ Openembedded-core mailing list Openembedded-core@lists.openembedded.org http://lists.openembedded.org/mailman/listinfo/openembedded-core
On Mon, Jul 23, 2018 at 11:42 PM Anuj Mittal <anuj.mittal@intel.com> wrote: > > On 07/24/2018 03:09 AM, Khem Raj wrote: > > This has been an opt-in for so long, some distributions e.g. > > poky-lsb uses it by default however, since most of linux > > distros have started to default to these settings for security > > enhancements, time has come for OE to make it default too > > Should be removed from poky-lsb in that case otherwise gives duplicate > inclusion warnings. > yes. after this patch lands we can do that. > > > > Signed-off-by: Khem Raj <raj.khem@gmail.com> > > --- > > meta/conf/distro/defaultsetup.conf | 1 + > > 1 file changed, 1 insertion(+) > > > > diff --git a/meta/conf/distro/defaultsetup.conf b/meta/conf/distro/defaultsetup.conf > > index ca2f9178d2..352e279596 100644 > > --- a/meta/conf/distro/defaultsetup.conf > > +++ b/meta/conf/distro/defaultsetup.conf > > @@ -1,6 +1,7 @@ > > include conf/distro/include/default-providers.inc > > include conf/distro/include/default-versions.inc > > include conf/distro/include/default-distrovars.inc > > +require conf/distro/include/security_flags.inc > > include conf/distro/include/world-broken.inc > > > > TCMODE ?= "default" > > > -- _______________________________________________ Openembedded-core mailing list Openembedded-core@lists.openembedded.org http://lists.openembedded.org/mailman/listinfo/openembedded-core
> -----Original Message----- > From: openembedded-core-bounces@lists.openembedded.org <openembedded- > core-bounces@lists.openembedded.org> On Behalf Of Khem Raj > Sent: den 24 juli 2018 16:12 > To: ChenQi <Qi.Chen@windriver.com> > Cc: Patches and discussions about the oe-core layer <openembedded- > core@lists.openembedded.org> > Subject: Re: [OE-core] [PATCH] defaultsetup.conf: Enable security > flags+pie by default > > On Tue, Jul 24, 2018 at 12:30 AM ChenQi <Qi.Chen@windriver.com> wrote: > > > > Hi Khem, > > > > The comments in security-flags.inc also needs to be modified to > remove > > 'poky-lsb' info. > > > > I'd suggest we still put it into distro conf file (poky.conf) instead > of > > defaultsetup.conf, because defaultsetup.conf is included by > > bitbake.conf. I think things in defaultsetup.conf should be necessary > > default values to build things out. I don't think security flags is > > necessary to build things out. > > this is the default setup, even non-poky users will get consistent > experience. I have to agree with Chen here. I think requiring security_flags.inc from defaultsetup.conf is the wrong thing to do. We use security_flags.inc in our setup, and I know how much trouble it has brought. To me, using it should be a distro decision, not something that is enforced by the use of bitbake. > > Also, I got a question when I just looked at this file. > > Do you think we should adjust CFLAGS and LDFALGS in security_flags.inc > > instead of the current TARGET_CC_ARCH and TARGET_LDFLAGS? > > in many cases packages do not honor CFLAGS/LDFLAGS say during configure > > > We are naming > > variables to SECURITY_CFLAGS and SECURITY_LDFLAGS, it seems that they > > belong to CFLAGS and LDFLAGS naturally. But I'm not sure about it. > > > yes they do, but this makes it easy to override the setting for > packages where these options are needed to be overridden or modified. Actually, with the changes introduced in Pyro, SECURITY_CFLAGS became a mess. Before Pyro, you either set SECURITY_CFLAGS to "${SECURITY_NO_PIE_CFLAGS}" (to disable the use of -fpie), or you set it to the empty string (to disable all security options). With Pyro and later, you instead have to set SECURITY_CFLAGS to "${SECURITY_NO_PIE_CFLAGS} ${SECURITY_NOPIE_CFLAGS}" to make sure -fpie is disabled, or set it to "${SECURITY_NOPIE_CFLAGS}" to disable everything. Alternatively you can set SECURITY_PIE_CFLAGS to "${SECURITY_NOPIE_CFLAGS}" to only disable -fpie. I have considered to suggest changing the definition of SECURITY_NOPIE_CFLAGS to: SECURITY_NOPIE_CFLAGS ?= "${@'-no-pie -fno-PIE' if '${GCCPIE}' else ''}" and then change SECURITY_NO_PIE_CFLAGS to: SECURITY_NO_PIE_CFLAGS ?= "-fstack-protector-strong ${SECURITY_NOPIE_CFLAGS} ${lcl_maybe_fortify} ${SECURITY_STRINGFORMAT}" That would better have matched the situation before Pyro, in that one yet again would set SECURITY_CFLAGS to "${SECURITY_NO_PIE_CFLAGS}" to disable -fpie. Unfortunately one would still have to set SECURITY_CFLAGS to "${SECURITY_NOPIE_CFLAGS}" to disable everything. > > Best Regards, > > Chen Qi > > > > > > On 07/24/2018 03:09 AM, Khem Raj wrote: > > > This has been an opt-in for so long, some distributions e.g. > > > poky-lsb uses it by default however, since most of linux > > > distros have started to default to these settings for security > > > enhancements, time has come for OE to make it default too > > > > > > Signed-off-by: Khem Raj <raj.khem@gmail.com> > > > --- > > > meta/conf/distro/defaultsetup.conf | 1 + > > > 1 file changed, 1 insertion(+) > > > > > > diff --git a/meta/conf/distro/defaultsetup.conf > b/meta/conf/distro/defaultsetup.conf > > > index ca2f9178d2..352e279596 100644 > > > --- a/meta/conf/distro/defaultsetup.conf > > > +++ b/meta/conf/distro/defaultsetup.conf > > > @@ -1,6 +1,7 @@ > > > include conf/distro/include/default-providers.inc > > > include conf/distro/include/default-versions.inc > > > include conf/distro/include/default-distrovars.inc > > > +require conf/distro/include/security_flags.inc > > > include conf/distro/include/world-broken.inc > > > > > > TCMODE ?= "default" //Peter -- _______________________________________________ Openembedded-core mailing list Openembedded-core@lists.openembedded.org http://lists.openembedded.org/mailman/listinfo/openembedded-core
On Fri, Jul 27, 2018 at 1:49 PM, Peter Kjellerstedt <peter.kjellerstedt@axis.com> wrote: >> -----Original Message----- >> From: openembedded-core-bounces@lists.openembedded.org <openembedded- >> core-bounces@lists.openembedded.org> On Behalf Of Khem Raj >> Sent: den 24 juli 2018 16:12 >> To: ChenQi <Qi.Chen@windriver.com> >> Cc: Patches and discussions about the oe-core layer <openembedded- >> core@lists.openembedded.org> >> Subject: Re: [OE-core] [PATCH] defaultsetup.conf: Enable security >> flags+pie by default >> >> On Tue, Jul 24, 2018 at 12:30 AM ChenQi <Qi.Chen@windriver.com> wrote: >> > >> > Hi Khem, >> > >> > The comments in security-flags.inc also needs to be modified to >> remove >> > 'poky-lsb' info. >> > >> > I'd suggest we still put it into distro conf file (poky.conf) instead >> of >> > defaultsetup.conf, because defaultsetup.conf is included by >> > bitbake.conf. I think things in defaultsetup.conf should be necessary >> > default values to build things out. I don't think security flags is >> > necessary to build things out. >> >> this is the default setup, even non-poky users will get consistent >> experience. > > I have to agree with Chen here. I think requiring security_flags.inc from > defaultsetup.conf is the wrong thing to do. We use security_flags.inc in > our setup, and I know how much trouble it has brought. To me, using it > should be a distro decision, not something that is enforced by the use > of bitbake. The current approach taken by security_flags.inc is basically to enable every possible option related to security. Some of these options cause trouble and but some are trouble free... and unfortunately up to now we've lumped them all in together. If we enable security related flags by default it would be better to do so step by step - starting with the smallest and least risky change and (for now) leaving the rest for distros who want/need them. ie I agree that enabling the current security_flags.inc by default isn't the right approach. >> > Also, I got a question when I just looked at this file. >> > Do you think we should adjust CFLAGS and LDFALGS in security_flags.inc >> > instead of the current TARGET_CC_ARCH and TARGET_LDFLAGS? >> >> in many cases packages do not honor CFLAGS/LDFLAGS say during configure >> >> > We are naming >> > variables to SECURITY_CFLAGS and SECURITY_LDFLAGS, it seems that they >> > belong to CFLAGS and LDFLAGS naturally. But I'm not sure about it. >> > >> yes they do, but this makes it easy to override the setting for >> packages where these options are needed to be overridden or modified. > > Actually, with the changes introduced in Pyro, SECURITY_CFLAGS became a > mess. Before Pyro, you either set SECURITY_CFLAGS to > "${SECURITY_NO_PIE_CFLAGS}" (to disable the use of -fpie), or you set it > to the empty string (to disable all security options). With Pyro and later, > you instead have to set SECURITY_CFLAGS to "${SECURITY_NO_PIE_CFLAGS} > ${SECURITY_NOPIE_CFLAGS}" to make sure -fpie is disabled, or set it to > "${SECURITY_NOPIE_CFLAGS}" to disable everything. Alternatively you can > set SECURITY_PIE_CFLAGS to "${SECURITY_NOPIE_CFLAGS}" to only disable > -fpie. > > I have considered to suggest changing the definition of > SECURITY_NOPIE_CFLAGS to: > > SECURITY_NOPIE_CFLAGS ?= "${@'-no-pie -fno-PIE' if '${GCCPIE}' else ''}" > > and then change SECURITY_NO_PIE_CFLAGS to: > > SECURITY_NO_PIE_CFLAGS ?= "-fstack-protector-strong ${SECURITY_NOPIE_CFLAGS} ${lcl_maybe_fortify} ${SECURITY_STRINGFORMAT}" > > That would better have matched the situation before Pyro, in that one yet > again would set SECURITY_CFLAGS to "${SECURITY_NO_PIE_CFLAGS}" to disable > -fpie. Unfortunately one would still have to set SECURITY_CFLAGS to > "${SECURITY_NOPIE_CFLAGS}" to disable everything. > >> > Best Regards, >> > Chen Qi >> > >> > >> > On 07/24/2018 03:09 AM, Khem Raj wrote: >> > > This has been an opt-in for so long, some distributions e.g. >> > > poky-lsb uses it by default however, since most of linux >> > > distros have started to default to these settings for security >> > > enhancements, time has come for OE to make it default too >> > > >> > > Signed-off-by: Khem Raj <raj.khem@gmail.com> >> > > --- >> > > meta/conf/distro/defaultsetup.conf | 1 + >> > > 1 file changed, 1 insertion(+) >> > > >> > > diff --git a/meta/conf/distro/defaultsetup.conf >> b/meta/conf/distro/defaultsetup.conf >> > > index ca2f9178d2..352e279596 100644 >> > > --- a/meta/conf/distro/defaultsetup.conf >> > > +++ b/meta/conf/distro/defaultsetup.conf >> > > @@ -1,6 +1,7 @@ >> > > include conf/distro/include/default-providers.inc >> > > include conf/distro/include/default-versions.inc >> > > include conf/distro/include/default-distrovars.inc >> > > +require conf/distro/include/security_flags.inc >> > > include conf/distro/include/world-broken.inc >> > > >> > > TCMODE ?= "default" > > //Peter > > -- > _______________________________________________ > Openembedded-core mailing list > Openembedded-core@lists.openembedded.org > http://lists.openembedded.org/mailman/listinfo/openembedded-core -- _______________________________________________ Openembedded-core mailing list Openembedded-core@lists.openembedded.org http://lists.openembedded.org/mailman/listinfo/openembedded-core
On Fri, Jul 27, 2018 at 1:49 PM Peter Kjellerstedt <peter.kjellerstedt@axis.com> wrote: > > > -----Original Message----- > > From: openembedded-core-bounces@lists.openembedded.org <openembedded- > > core-bounces@lists.openembedded.org> On Behalf Of Khem Raj > > Sent: den 24 juli 2018 16:12 > > To: ChenQi <Qi.Chen@windriver.com> > > Cc: Patches and discussions about the oe-core layer <openembedded- > > core@lists.openembedded.org> > > Subject: Re: [OE-core] [PATCH] defaultsetup.conf: Enable security > > flags+pie by default > > > > On Tue, Jul 24, 2018 at 12:30 AM ChenQi <Qi.Chen@windriver.com> wrote: > > > > > > Hi Khem, > > > > > > The comments in security-flags.inc also needs to be modified to > > remove > > > 'poky-lsb' info. > > > > > > I'd suggest we still put it into distro conf file (poky.conf) instead > > of > > > defaultsetup.conf, because defaultsetup.conf is included by > > > bitbake.conf. I think things in defaultsetup.conf should be necessary > > > default values to build things out. I don't think security flags is > > > necessary to build things out. > > > > this is the default setup, even non-poky users will get consistent > > experience. > > I have to agree with Chen here. I think requiring security_flags.inc from > defaultsetup.conf is the wrong thing to do. We use security_flags.inc in > our setup, and I know how much trouble it has brought. To me, using it > should be a distro decision, not something that is enforced by the use > of bitbake. Thats fine, I can move this to poky distro settings, using it by default would have been in sync for all since reference distro is using it would be easier for others when submitting patches, as a phase 2 I was also thinking of defaulting to hardeing in the toolchain itself and remove this file completely that would have made it much better, then folks who dont want hardeing could just disable it in toolchain. but I am fine to leave it a distro decision for now. > > > > Also, I got a question when I just looked at this file. > > > Do you think we should adjust CFLAGS and LDFALGS in security_flags.inc > > > instead of the current TARGET_CC_ARCH and TARGET_LDFLAGS? > > > > in many cases packages do not honor CFLAGS/LDFLAGS say during configure > > > > > We are naming > > > variables to SECURITY_CFLAGS and SECURITY_LDFLAGS, it seems that they > > > belong to CFLAGS and LDFLAGS naturally. But I'm not sure about it. > > > > > yes they do, but this makes it easy to override the setting for > > packages where these options are needed to be overridden or modified. > > Actually, with the changes introduced in Pyro, SECURITY_CFLAGS became a > mess. Before Pyro, you either set SECURITY_CFLAGS to > "${SECURITY_NO_PIE_CFLAGS}" (to disable the use of -fpie), or you set it > to the empty string (to disable all security options). With Pyro and later, > you instead have to set SECURITY_CFLAGS to "${SECURITY_NO_PIE_CFLAGS} > ${SECURITY_NOPIE_CFLAGS}" to make sure -fpie is disabled, or set it to > "${SECURITY_NOPIE_CFLAGS}" to disable everything. Alternatively you can > set SECURITY_PIE_CFLAGS to "${SECURITY_NOPIE_CFLAGS}" to only disable > -fpie. > > I have considered to suggest changing the definition of > SECURITY_NOPIE_CFLAGS to: > > SECURITY_NOPIE_CFLAGS ?= "${@'-no-pie -fno-PIE' if '${GCCPIE}' else ''}" > > and then change SECURITY_NO_PIE_CFLAGS to: > > SECURITY_NO_PIE_CFLAGS ?= "-fstack-protector-strong ${SECURITY_NOPIE_CFLAGS} ${lcl_maybe_fortify} ${SECURITY_STRINGFORMAT}" > > That would better have matched the situation before Pyro, in that one yet > again would set SECURITY_CFLAGS to "${SECURITY_NO_PIE_CFLAGS}" to disable > -fpie. Unfortunately one would still have to set SECURITY_CFLAGS to > "${SECURITY_NOPIE_CFLAGS}" to disable everything. > > > > Best Regards, > > > Chen Qi > > > > > > > > > On 07/24/2018 03:09 AM, Khem Raj wrote: > > > > This has been an opt-in for so long, some distributions e.g. > > > > poky-lsb uses it by default however, since most of linux > > > > distros have started to default to these settings for security > > > > enhancements, time has come for OE to make it default too > > > > > > > > Signed-off-by: Khem Raj <raj.khem@gmail.com> > > > > --- > > > > meta/conf/distro/defaultsetup.conf | 1 + > > > > 1 file changed, 1 insertion(+) > > > > > > > > diff --git a/meta/conf/distro/defaultsetup.conf > > b/meta/conf/distro/defaultsetup.conf > > > > index ca2f9178d2..352e279596 100644 > > > > --- a/meta/conf/distro/defaultsetup.conf > > > > +++ b/meta/conf/distro/defaultsetup.conf > > > > @@ -1,6 +1,7 @@ > > > > include conf/distro/include/default-providers.inc > > > > include conf/distro/include/default-versions.inc > > > > include conf/distro/include/default-distrovars.inc > > > > +require conf/distro/include/security_flags.inc > > > > include conf/distro/include/world-broken.inc > > > > > > > > TCMODE ?= "default" > > //Peter > -- _______________________________________________ Openembedded-core mailing list Openembedded-core@lists.openembedded.org http://lists.openembedded.org/mailman/listinfo/openembedded-core
> -----Original Message----- > From: Khem Raj <raj.khem@gmail.com> > Sent: den 27 juli 2018 23:27 > To: Peter Kjellerstedt <peter.kjellerstedt@axis.com> > Cc: ChenQi <Qi.Chen@windriver.com>; Patches and discussions about the > oe-core layer <openembedded-core@lists.openembedded.org> > Subject: Re: [OE-core] [PATCH] defaultsetup.conf: Enable security > flags+pie by default > > On Fri, Jul 27, 2018 at 1:49 PM Peter Kjellerstedt > <peter.kjellerstedt@axis.com> wrote: > > > > > -----Original Message----- > > > From: openembedded-core-bounces@lists.openembedded.org > <openembedded- > > > core-bounces@lists.openembedded.org> On Behalf Of Khem Raj > > > Sent: den 24 juli 2018 16:12 > > > To: ChenQi <Qi.Chen@windriver.com> > > > Cc: Patches and discussions about the oe-core layer <openembedded- > > > core@lists.openembedded.org> > > > Subject: Re: [OE-core] [PATCH] defaultsetup.conf: Enable security > > > flags+pie by default > > > > > > On Tue, Jul 24, 2018 at 12:30 AM ChenQi <Qi.Chen@windriver.com> > wrote: > > > > > > > > Hi Khem, > > > > > > > > The comments in security-flags.inc also needs to be modified to > > > remove > > > > 'poky-lsb' info. > > > > > > > > I'd suggest we still put it into distro conf file (poky.conf) > instead > > > of > > > > defaultsetup.conf, because defaultsetup.conf is included by > > > > bitbake.conf. I think things in defaultsetup.conf should be > necessary > > > > default values to build things out. I don't think security flags > is > > > > necessary to build things out. > > > > > > this is the default setup, even non-poky users will get consistent > > > experience. > > > > I have to agree with Chen here. I think requiring security_flags.inc > from > > defaultsetup.conf is the wrong thing to do. We use security_flags.inc > in > > our setup, and I know how much trouble it has brought. To me, using > it > > should be a distro decision, not something that is enforced by the > use > > of bitbake. > > Thats fine, I can move this to poky distro settings, using it by > default would have > been in sync for all since reference distro is using it would be > easier for others when > submitting patches, as a phase 2 I was also thinking of defaulting to > hardeing in the toolchain itself > and remove this file completely that would have made it much better, > then folks who dont want hardeing could just disable > it in toolchain. but I am fine to leave it a distro decision for now. I do not think that relying on the toolchain to handle this is the right thing to do, given that some of us use external toolchains in addition to the toolchain from OE-Core... With the current setup we get roughly the same coverage regardless of which toolchain we use. //Peter -- _______________________________________________ Openembedded-core mailing list Openembedded-core@lists.openembedded.org http://lists.openembedded.org/mailman/listinfo/openembedded-core
On Tue, Jul 31, 2018 at 2:17 PM Peter Kjellerstedt <peter.kjellerstedt@axis.com> wrote: > > > -----Original Message----- > > From: Khem Raj <raj.khem@gmail.com> > > Sent: den 27 juli 2018 23:27 > > To: Peter Kjellerstedt <peter.kjellerstedt@axis.com> > > Cc: ChenQi <Qi.Chen@windriver.com>; Patches and discussions about the > > oe-core layer <openembedded-core@lists.openembedded.org> > > Subject: Re: [OE-core] [PATCH] defaultsetup.conf: Enable security > > flags+pie by default > > > > On Fri, Jul 27, 2018 at 1:49 PM Peter Kjellerstedt > > <peter.kjellerstedt@axis.com> wrote: > > > > > > > -----Original Message----- > > > > From: openembedded-core-bounces@lists.openembedded.org > > <openembedded- > > > > core-bounces@lists.openembedded.org> On Behalf Of Khem Raj > > > > Sent: den 24 juli 2018 16:12 > > > > To: ChenQi <Qi.Chen@windriver.com> > > > > Cc: Patches and discussions about the oe-core layer <openembedded- > > > > core@lists.openembedded.org> > > > > Subject: Re: [OE-core] [PATCH] defaultsetup.conf: Enable security > > > > flags+pie by default > > > > > > > > On Tue, Jul 24, 2018 at 12:30 AM ChenQi <Qi.Chen@windriver.com> > > wrote: > > > > > > > > > > Hi Khem, > > > > > > > > > > The comments in security-flags.inc also needs to be modified to > > > > remove > > > > > 'poky-lsb' info. > > > > > > > > > > I'd suggest we still put it into distro conf file (poky.conf) > > instead > > > > of > > > > > defaultsetup.conf, because defaultsetup.conf is included by > > > > > bitbake.conf. I think things in defaultsetup.conf should be > > necessary > > > > > default values to build things out. I don't think security flags > > is > > > > > necessary to build things out. > > > > > > > > this is the default setup, even non-poky users will get consistent > > > > experience. > > > > > > I have to agree with Chen here. I think requiring security_flags.inc > > from > > > defaultsetup.conf is the wrong thing to do. We use security_flags.inc > > in > > > our setup, and I know how much trouble it has brought. To me, using > > it > > > should be a distro decision, not something that is enforced by the > > use > > > of bitbake. > > > > Thats fine, I can move this to poky distro settings, using it by > > default would have > > been in sync for all since reference distro is using it would be > > easier for others when > > submitting patches, as a phase 2 I was also thinking of defaulting to > > hardeing in the toolchain itself > > and remove this file completely that would have made it much better, > > then folks who dont want hardeing could just disable > > it in toolchain. but I am fine to leave it a distro decision for now. > > I do not think that relying on the toolchain to handle this is the > right thing to do, given that some of us use external toolchains in > addition to the toolchain from OE-Core... With the current setup we > get roughly the same coverage regardless of which toolchain we use. conversely, external toolchains can then include unsecure-flags.inc or some such file IMO we should provide best experience out of box for internal toolchain users since thats all what we can do effectively. If we were to switch defaults to use hardened flags then it will be much better to have toolchains default to it and thereby we can remove many patches which we carry to inject these flags artificially in many recipes confusing the component build systems especially when dealing with PIE and PIC and shared objects -- _______________________________________________ Openembedded-core mailing list Openembedded-core@lists.openembedded.org http://lists.openembedded.org/mailman/listinfo/openembedded-core
diff --git a/meta/conf/distro/defaultsetup.conf b/meta/conf/distro/defaultsetup.conf index ca2f9178d2..352e279596 100644 --- a/meta/conf/distro/defaultsetup.conf +++ b/meta/conf/distro/defaultsetup.conf @@ -1,6 +1,7 @@ include conf/distro/include/default-providers.inc include conf/distro/include/default-versions.inc include conf/distro/include/default-distrovars.inc +require conf/distro/include/security_flags.inc include conf/distro/include/world-broken.inc TCMODE ?= "default"
This has been an opt-in for so long, some distributions e.g. poky-lsb uses it by default however, since most of linux distros have started to default to these settings for security enhancements, time has come for OE to make it default too Signed-off-by: Khem Raj <raj.khem@gmail.com> --- meta/conf/distro/defaultsetup.conf | 1 + 1 file changed, 1 insertion(+) -- 2.18.0 -- _______________________________________________ Openembedded-core mailing list Openembedded-core@lists.openembedded.org http://lists.openembedded.org/mailman/listinfo/openembedded-core