[OE-core] [PATCH] security_flags.inc: Remove `-fstack-protector-strong' from LDFLAGS

Hongxu Jia hongxu.jia at windriver.com
Tue Sep 4 01:35:27 UTC 2018


On 2018-09-04 00:30, Khem Raj wrote:
> On Mon, Sep 3, 2018 at 6:31 AM Hongxu Jia <hongxu.jia at windriver.com> wrote:
>> The `-fstack-protector-***' should be passed to gcc rather than the linker.
>> Since `4ca946c security_flags: use -fstack-protector-strong', it has been
>> added to LDFLAGS; although no extra build failure is introduced,
>> it is still unnecessary (-Wl,** is for the linker).
>>
> There are cases where CFLAGS is not combined into LDFLAGS by package
> component builds, which creates the disjoint. If we remove this here then
> that will start to show up. Remember we do not configure toolchains to
> provide the hardening flags by default as yet, so we have to be explicit.
> Do you see issues with current settings?

Yes, I know a recipe (libsign in meta-secure-core) checks LDFLAGS with
`-Wl,***' and it failed with `-fstack-protector-strong', and our Wind River
Linux had to maintain a list of
`SECURITY_LDFLAGS_remove_pn-*** = "-fstack-protector-strong"'
for non-oe-core layers.

I know some recipes may not combine CFLAGS into their build, but
we should investigate some way, like `-Wl,--hash-style=gnu', to check
LDFLAGS for CFLAGS, and emit a warning to figure it out.

//Hongxu

>> Reported-by: Lans Zhang <https://github.com/jiazhang0>
>>
>> Signed-off-by: Hongxu Jia <hongxu.jia at windriver.com>
>> ---
>>   meta/conf/distro/include/security_flags.inc | 4 ++--
>>   1 file changed, 2 insertions(+), 2 deletions(-)
>>
>> diff --git a/meta/conf/distro/include/security_flags.inc b/meta/conf/distro/include/security_flags.inc
>> index 620978a..362b1db 100644
>> --- a/meta/conf/distro/include/security_flags.inc
>> +++ b/meta/conf/distro/include/security_flags.inc
>> @@ -26,8 +26,8 @@ SECURITY_STACK_PROTECTOR ?= "-fstack-protector-strong"
>>   SECURITY_CFLAGS ?= "${SECURITY_STACK_PROTECTOR} ${SECURITY_PIE_CFLAGS} ${lcl_maybe_fortify} ${SECURITY_STRINGFORMAT}"
>>   SECURITY_NO_PIE_CFLAGS ?= "${SECURITY_STACK_PROTECTOR} ${lcl_maybe_fortify} ${SECURITY_STRINGFORMAT}"
>>
>> -SECURITY_LDFLAGS ?= "${SECURITY_STACK_PROTECTOR} -Wl,-z,relro,-z,now"
>> -SECURITY_X_LDFLAGS ?= "${SECURITY_STACK_PROTECTOR} -Wl,-z,relro"
>> +SECURITY_LDFLAGS ?= "-Wl,-z,relro,-z,now"
>> +SECURITY_X_LDFLAGS ?= "-Wl,-z,relro"
>>
>>   # powerpc does not get on with pie for reasons not looked into as yet
>>   GCCPIE_powerpc = ""
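Review bot: the justification for the two `-SECURITY_LDFLAGS` / `-SECURITY_X_LDFLAGS` removals ("no extra build failure", "unnecessary") does not address the concern raised in the thread, namely components whose link line is built without CFLAGS; the commit message should state that stack protection is still requested through SECURITY_CFLAGS and SECURITY_NO_PIE_CFLAGS (visible in the unchanged context above) and should name the libsign LDFLAGS check that motivated the change, so the trade-off is recorded in the log and not only in the mailing-list reply.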
>> --
>> 2.7.4
>>
