| Brad Bishop | d7bf8c1 | 2018-02-25 22:55:05 -0500 | [diff] [blame^] | 1 | # Setup extra CFLAGS and LDFLAGS which have 'security' benefits. These |
| Patrick Williams | c124f4f | 2015-09-15 14:41:29 -0500 | [diff] [blame] | 2 | # don't work universally, there are recipes which can't use one, the other |
| 3 | # or both so a blacklist is maintained here. The idea would be over |
| 4 | # time to reduce this list to nothing. |
| 5 | # From a Yocto Project perspective, this file is included and tested |
| 6 | # in the DISTRO="poky-lsb" configuration. |
| 7 | |
| Brad Bishop | d7bf8c1 | 2018-02-25 22:55:05 -0500 | [diff] [blame^] | 8 | GCCPIE ?= "--enable-default-pie" |
| 9 | |
| Patrick Williams | c124f4f | 2015-09-15 14:41:29 -0500 | [diff] [blame] | 10 | # _FORTIFY_SOURCE requires -O1 or higher, so disable in debug builds as they use |
| 11 | # -O0 which then results in a compiler warning. |
| 12 | lcl_maybe_fortify = "${@base_conditional('DEBUG_BUILD','1','','-D_FORTIFY_SOURCE=2',d)}" |
| 13 | |
| Patrick Williams | c0f7c04 | 2017-02-23 20:41:17 -0600 | [diff] [blame] | 14 | # Error on use of format strings that represent possible security problems |
| 15 | SECURITY_STRINGFORMAT ?= "-Wformat -Wformat-security -Werror=format-security" |
| 16 | |
| Brad Bishop | d7bf8c1 | 2018-02-25 22:55:05 -0500 | [diff] [blame^] | 17 | # Inject pie flags into compiler flags if not configured with gcc itself |
| 18 | # especially useful with external toolchains |
| 19 | SECURITY_PIE_CFLAGS ?= "${@'' if '${GCCPIE}' else '-pie -fPIE'}" |
| 20 | |
| 21 | SECURITY_NOPIE_CFLAGS ?= "-no-pie -fno-PIE" |
| 22 | |
| 23 | SECURITY_CFLAGS ?= "-fstack-protector-strong ${SECURITY_PIE_CFLAGS} ${lcl_maybe_fortify} ${SECURITY_STRINGFORMAT}" |
| Patrick Williams | c0f7c04 | 2017-02-23 20:41:17 -0600 | [diff] [blame] | 24 | SECURITY_NO_PIE_CFLAGS ?= "-fstack-protector-strong ${lcl_maybe_fortify} ${SECURITY_STRINGFORMAT}" |
| Patrick Williams | c124f4f | 2015-09-15 14:41:29 -0500 | [diff] [blame] | 25 | |
| Patrick Williams | d8c66bc | 2016-06-20 12:57:21 -0500 | [diff] [blame] | 26 | SECURITY_LDFLAGS ?= "-fstack-protector-strong -Wl,-z,relro,-z,now" |
| 27 | SECURITY_X_LDFLAGS ?= "-fstack-protector-strong -Wl,-z,relro" |
| Patrick Williams | c124f4f | 2015-09-15 14:41:29 -0500 | [diff] [blame] | 28 | |
| 29 | # powerpc does not get on with pie for reasons not looked into as yet |
| Brad Bishop | d7bf8c1 | 2018-02-25 22:55:05 -0500 | [diff] [blame^] | 30 | SECURITY_CFLAGS_powerpc = "-fstack-protector-strong ${lcl_maybe_fortify} ${SECURITY_NOPIE_CFLAGS}" |
| 31 | SECURITY_CFLAGS_pn-libgcc_powerpc = "" |
| 32 | GCCPIE_powerpc = "" |
| Patrick Williams | c124f4f | 2015-09-15 14:41:29 -0500 | [diff] [blame] | 33 | |
| 34 | # arm specific security flag issues |
| Patrick Williams | c124f4f | 2015-09-15 14:41:29 -0500 | [diff] [blame] | 35 | SECURITY_CFLAGS_pn-glibc = "" |
| 36 | SECURITY_CFLAGS_pn-glibc-initial = "" |
| Patrick Williams | d8c66bc | 2016-06-20 12:57:21 -0500 | [diff] [blame] | 37 | SECURITY_CFLAGS_pn-gcc-runtime = "" |
| Patrick Williams | c124f4f | 2015-09-15 14:41:29 -0500 | [diff] [blame] | 38 | SECURITY_CFLAGS_pn-grub = "" |
| 39 | SECURITY_CFLAGS_pn-grub-efi = "" |
| 40 | SECURITY_CFLAGS_pn-grub-efi-native = "" |
| 41 | SECURITY_CFLAGS_pn-grub-efi-x86-native = "" |
| 42 | SECURITY_CFLAGS_pn-grub-efi-i586-native = "" |
| 43 | SECURITY_CFLAGS_pn-grub-efi-x86-64-native = "" |
| Brad Bishop | d7bf8c1 | 2018-02-25 22:55:05 -0500 | [diff] [blame^] | 44 | |
| 45 | SECURITY_CFLAGS_pn-mkelfimage_x86 = "" |
| 46 | |
| 47 | SECURITY_CFLAGS_pn-valgrind = "${SECURITY_NOPIE_CFLAGS}" |
| 48 | SECURITY_LDFLAGS_pn-valgrind = "" |
| 49 | SECURITY_CFLAGS_pn-sysklogd = "${SECURITY_NOPIE_CFLAGS}" |
| 50 | SECURITY_LDFLAGS_pn-sysklogd = "" |
| Patrick Williams | c124f4f | 2015-09-15 14:41:29 -0500 | [diff] [blame] | 51 | |
| Patrick Williams | c0f7c04 | 2017-02-23 20:41:17 -0600 | [diff] [blame] | 52 | # Recipes which fail to compile when elevating -Wformat-security to an error |
| 53 | SECURITY_STRINGFORMAT_pn-busybox = "" |
| Patrick Williams | c0f7c04 | 2017-02-23 20:41:17 -0600 | [diff] [blame] | 54 | SECURITY_STRINGFORMAT_pn-gcc = "" |
| Patrick Williams | c124f4f | 2015-09-15 14:41:29 -0500 | [diff] [blame] | 55 | |
| Brad Bishop | d7bf8c1 | 2018-02-25 22:55:05 -0500 | [diff] [blame^] | 56 | TARGET_CC_ARCH_append_class-target = " ${SECURITY_CFLAGS}" |
| Patrick Williams | d8c66bc | 2016-06-20 12:57:21 -0500 | [diff] [blame] | 57 | TARGET_LDFLAGS_append_class-target = " ${SECURITY_LDFLAGS}" |
| Patrick Williams | c124f4f | 2015-09-15 14:41:29 -0500 | [diff] [blame] | 58 | |
| Patrick Williams | d8c66bc | 2016-06-20 12:57:21 -0500 | [diff] [blame] | 59 | SECURITY_LDFLAGS_remove_pn-gcc-runtime = "-fstack-protector-strong" |
| Patrick Williams | d8c66bc | 2016-06-20 12:57:21 -0500 | [diff] [blame] | 60 | SECURITY_LDFLAGS_remove_pn-glibc = "-fstack-protector-strong" |
| 61 | SECURITY_LDFLAGS_remove_pn-glibc-initial = "-fstack-protector-strong" |
| Patrick Williams | c124f4f | 2015-09-15 14:41:29 -0500 | [diff] [blame] | 62 | SECURITY_LDFLAGS_pn-xf86-video-fbdev = "${SECURITY_X_LDFLAGS}" |
| 63 | SECURITY_LDFLAGS_pn-xf86-video-intel = "${SECURITY_X_LDFLAGS}" |
| 64 | SECURITY_LDFLAGS_pn-xf86-video-omapfb = "${SECURITY_X_LDFLAGS}" |
| 65 | SECURITY_LDFLAGS_pn-xf86-video-omap = "${SECURITY_X_LDFLAGS}" |
| 66 | SECURITY_LDFLAGS_pn-xf86-video-vesa = "${SECURITY_X_LDFLAGS}" |
| 67 | SECURITY_LDFLAGS_pn-xf86-video-vmware = "${SECURITY_X_LDFLAGS}" |
| 68 | SECURITY_LDFLAGS_pn-xserver-xorg = "${SECURITY_X_LDFLAGS}" |
| Patrick Williams | d8c66bc | 2016-06-20 12:57:21 -0500 | [diff] [blame] | 69 | |
| Brad Bishop | d7bf8c1 | 2018-02-25 22:55:05 -0500 | [diff] [blame^] | 70 | TARGET_CC_ARCH_append_pn-binutils = " ${SELECTED_OPTIMIZATION}" |
| 71 | TARGET_CC_ARCH_append_pn-gcc = " ${SELECTED_OPTIMIZATION}" |
| 72 | TARGET_CC_ARCH_append_pn-gdb = " ${SELECTED_OPTIMIZATION}" |
| 73 | TARGET_CC_ARCH_append_pn-perf = " ${SELECTED_OPTIMIZATION}" |