[OE-core] [PATCH 5/5] security_flags: ensure changes to SHARED_OBJECTS cause recompile

Joshua G Lock joshua.g.lock at linux.intel.com
Fri Aug 19 18:26:56 UTC 2016


On Fri, 2016-08-19 at 10:11 -0700, Khem Raj wrote:
> > 
> > On Aug 19, 2016, at 9:02 AM, Richard Purdie <richard.purdie at linuxfoundation.org> wrote:
> > 
> > On Fri, 2016-08-19 at 16:34 +0100, Joshua Lock wrote:
> > > 
> > > Add the SHARED_OBJECTS variable to SECURITY_LDFLAGS vardeps so that
> > > changing SHARED_OBJECTS causes do_compile to re-run.
> > > 
> > > Signed-off-by: Joshua Lock <joshua.g.lock at intel.com>
> > > ---
> > > meta/conf/distro/include/security_flags.inc | 1 +
> > > 1 file changed, 1 insertion(+)
> > > 
> > > diff --git a/meta/conf/distro/include/security_flags.inc
> > > b/meta/conf/distro/include/security_flags.inc
> > > index 295c733..901c841 100644
> > > --- a/meta/conf/distro/include/security_flags.inc
> > > +++ b/meta/conf/distro/include/security_flags.inc
> > > @@ -24,6 +24,7 @@ SECURITY_CFLAGS ?= "-fstack-protector-strong -
> > > -param ssp-buffer-size=4 -pie -fpi
> > > SECURITY_NO_PIE_CFLAGS ?= "-fstack-protector-strong --param ssp
> > > -buffer-size=4 ${lcl_maybe_fortify} ${SECURITY_STRINGFORMAT}"
> > > 
> > > SECURITY_LDFLAGS ?= "-Wl,-z,relro,-z,now${pie_ld}"
> > > +SECURITY_LDFLAGS[vardeps] += "SHARED_OBJECTS"
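Review bot: the added SECURITY_LDFLAGS[vardeps] line names SHARED_OBJECTS, but the value on the line above it references only ${pie_ld}, so the dependency is declared one level away from where the variable is presumably read. If SHARED_OBJECTS is consumed inside pie_ld, attach the vardeps there so that every variable expanding ${pie_ld} picks up the signature change, not only SECURITY_LDFLAGS. The hunk also carries no comment saying what SHARED_OBJECTS holds or what its default is; a one-line comment above the new line would help, because a missed dependency here leaves objects linked with hardening flags that no longer match the configuration.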
> > 
> > Surely you want:
> > 
> > pie_ld[vardeps] += "SHARED_OBJECTS"
> > 
> > ?
> > 
> > Also, you mention SHARED_OBJECTS defaults to "0", where is that? I am a
> > little worried the variable name is also a bit generic? Setting this in
> > the following way:
> > 
> > SECURITY_SHARED_OBJECTS = "-fpie"
> > SECURITY_SHARED_OBJECTS_pn-XXX = ""
> > 
> > may be more in keeping with the way the rest of the file is written and
> > avoids games with base_conditional and vardeps?
> > 
> > I am also worried about trying to maintain a large list like this, the
> > idea was to reduce the number of exceptions, not build lists which will
> > ever increase :(. I can't see this scaling.
> 
> I agree with you here. I am mulling over a proposal for architecture change in 2.3
> where we harden the toolchain by default and then don't have to keep the security
> band-aid. Opinion?

It is my intention to make a proposal in 2.3 that we provide more
hardening by default. I'm in favour.

Regards,

Joshua


