[OE-core] [PATCH] defaultsetup.conf: Enable security flags+pie by default

Andre McCurdy armccurdy at gmail.com
Fri Jul 27 21:05:10 UTC 2018 

On Fri, Jul 27, 2018 at 1:49 PM, Peter Kjellerstedt
<peter.kjellerstedt at axis.com> wrote:
>> -----Original Message-----
>> From: openembedded-core-bounces at lists.openembedded.org <openembedded-
>> core-bounces at lists.openembedded.org> On Behalf Of Khem Raj
>> Sent: den 24 juli 2018 16:12
>> To: ChenQi <Qi.Chen at windriver.com>
>> Cc: Patches and discussions about the oe-core layer <openembedded-
>> core at lists.openembedded.org>
>> Subject: Re: [OE-core] [PATCH] defaultsetup.conf: Enable security
>> flags+pie by default
>>
>> On Tue, Jul 24, 2018 at 12:30 AM ChenQi <Qi.Chen at windriver.com> wrote:
>> >
>> > Hi Khem,
>> >
>> > The comments in security-flags.inc also needs to be modified to
>> remove
>> > 'poky-lsb' info.
>> >
>> > I'd suggest we still put it into distro conf file (poky.conf) instead
>> of
>> > defaultsetup.conf, because defaultsetup.conf is included by
>> > bitbake.conf. I think things in defaultsetup.conf should be necessary
>> > default values to build things out. I don't think security flags is
>> > necessary to build things out.
>>
>> this is the default setup, even non-poky users will get consistent
>> experience.
>
> I have to agree with Chen here. I think requiring security_flags.inc from
> defaultsetup.conf is the wrong thing to do. We use security_flags.inc in
> our setup, and I know how much trouble it has brought. To me, using it
> should be a distro decision, not something that is enforced by the use
> of bitbake.

The current approach taken by security_flags.inc is basically to
enable every possible option related to security. Some of these
options cause trouble and but some are trouble free... and
unfortunately up to now we've lumped them all in together.

If we enable security related flags by default it would be better to
do so step by step - starting with the smallest and least risky change
and (for now) leaving the rest for distros who want/need them.

ie I agree that enabling the current security_flags.inc by default
isn't the right approach.


>> > Also, I got a question when I just looked at this file.
>> > Do you think we should adjust CFLAGS and LDFALGS in security_flags.inc
>> > instead of the current TARGET_CC_ARCH and TARGET_LDFLAGS?
>>
>> in many cases packages do not honor CFLAGS/LDFLAGS say during configure
>>
>> > We are naming
>> > variables to SECURITY_CFLAGS and SECURITY_LDFLAGS, it seems that they
>> > belong to CFLAGS and LDFLAGS naturally. But I'm not sure about it.
>> >
>> yes they do, but this makes it easy to override the setting for
>> packages where these options are needed to be overridden or modified.
>
> Actually, with the changes introduced in Pyro, SECURITY_CFLAGS became a
> mess. Before Pyro, you either set SECURITY_CFLAGS to
> "${SECURITY_NO_PIE_CFLAGS}" (to disable the use of -fpie), or you set it
> to the empty string (to disable all security options). With Pyro and later,
> you instead have to set SECURITY_CFLAGS to "${SECURITY_NO_PIE_CFLAGS}
> ${SECURITY_NOPIE_CFLAGS}" to make sure -fpie is disabled, or set it to
> "${SECURITY_NOPIE_CFLAGS}" to disable everything. Alternatively you can
> set SECURITY_PIE_CFLAGS to "${SECURITY_NOPIE_CFLAGS}" to only disable
> -fpie.
>
> I have considered to suggest changing the definition of
> SECURITY_NOPIE_CFLAGS to:
>
> SECURITY_NOPIE_CFLAGS ?= "${@'-no-pie -fno-PIE' if '${GCCPIE}' else ''}"
>
> and then change SECURITY_NO_PIE_CFLAGS to:
>
> SECURITY_NO_PIE_CFLAGS ?= "-fstack-protector-strong ${SECURITY_NOPIE_CFLAGS} ${lcl_maybe_fortify} ${SECURITY_STRINGFORMAT}"
>
> That would better have matched the situation before Pyro, in that one yet
> again would set SECURITY_CFLAGS to "${SECURITY_NO_PIE_CFLAGS}" to disable
> -fpie. Unfortunately one would still have to set SECURITY_CFLAGS to
> "${SECURITY_NOPIE_CFLAGS}" to disable everything.
>
>> > Best Regards,
>> > Chen Qi
>> >
>> >
>> > On 07/24/2018 03:09 AM, Khem Raj wrote:
>> > > This has been an opt-in for so long, some distributions e.g.
>> > > poky-lsb uses it by default however, since most of linux
>> > > distros have started to default to these settings for security
>> > > enhancements, time has come for OE to make it default too
>> > >
>> > > Signed-off-by: Khem Raj <raj.khem at gmail.com>
>> > > ---
>> > >   meta/conf/distro/defaultsetup.conf | 1 +
>> > >   1 file changed, 1 insertion(+)
>> > >
>> > > diff --git a/meta/conf/distro/defaultsetup.conf
>> b/meta/conf/distro/defaultsetup.conf
>> > > index ca2f9178d2..352e279596 100644
>> > > --- a/meta/conf/distro/defaultsetup.conf
>> > > +++ b/meta/conf/distro/defaultsetup.conf
>> > > @@ -1,6 +1,7 @@
>> > >   include conf/distro/include/default-providers.inc
>> > >   include conf/distro/include/default-versions.inc
>> > >   include conf/distro/include/default-distrovars.inc
>> > > +require conf/distro/include/security_flags.inc
>> > >   include conf/distro/include/world-broken.inc
>> > >
>> > >   TCMODE ?= "default"
>
> //Peter
>
> --
> _______________________________________________
> Openembedded-core mailing list
> Openembedded-core at lists.openembedded.org
> http://lists.openembedded.org/mailman/listinfo/openembedded-core

More information about the Openembedded-core mailing list