Re: [OE-core][PATCH] security_flags.inc: fix flags missing from SDK toolchain

2020-03-25 Thread Richard Purdie
On Wed, 2020-03-25 at 01:33 +, Tom Hochstein wrote:
> > -Original Message-
> > From: Richard Purdie 
> > Sent: Tuesday, March 24, 2020 5:58 PM
> > To: Antoine Manache ; Tom Hochstein <
> > tom.hochst...@nxp.com>
> > Cc: openembedded-core@lists.openembedded.org
> > Subject: Re: [OE-core][PATCH] security_flags.inc: fix flags missing
> > from SDK toolchain
> > 
> > I've therefore taken Tom's version with some tweaks to the commit
> > message.
> 
> Thanks. Can we get this on zeus? Do I need to cherry-pick and submit
> the patch?

Yes, please post it and then the stable maintainers can review it.

Cheers,

Richard

-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.

View/Reply Online (#136690): 
https://lists.openembedded.org/g/openembedded-core/message/136690
Mute This Topic: https://lists.openembedded.org/mt/72521987/21656
Group Owner: openembedded-core+ow...@lists.openembedded.org
Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub  
[arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-


Re: [OE-core][PATCH] security_flags.inc: fix flags missing from SDK toolchain

2020-03-24 Thread Tom Hochstein


> -Original Message-
> From: Richard Purdie 
> Sent: Tuesday, March 24, 2020 5:58 PM
> To: Antoine Manache ; Tom Hochstein 
> 
> Cc: openembedded-core@lists.openembedded.org
> Subject: Re: [OE-core][PATCH] security_flags.inc: fix flags missing from SDK 
> toolchain
> 
> I've therefore taken Tom's version with some tweaks to the commit
> message.

Thanks. Can we get this on zeus? Do I need to cherry-pick and submit the patch?

Tom



Re: [OE-core][PATCH] security_flags.inc: fix flags missing from SDK toolchain

2020-03-24 Thread Richard Purdie
On Tue, 2020-03-24 at 20:06 +0100, Antoine Manache wrote:
> Absolutely.
> I would add an example of an issue I've seen in a software project.
> Someone developing a new application and using the image-based SDK
> that I provided got the right functional behaviour on target.
> Once this application was integrated into the core image of our Yocto
> project (new recipe), the same tests on target failed (application
> crash).
> The root cause was: the two binaries produced were different because
> the effective GCC options at compile time were different between both
> methods (security flags not enabled when compiling with the SDK).
> Antoine

Thanks. Antoine's emails/patches are coming through as html and hence
are mangled and I can't apply them which is probably where things got
lost previously.

I've therefore taken Tom's version with some tweaks to the commit
message.

Cheers,

Richard



Re: [OE-core][PATCH] security_flags.inc: fix flags missing from SDK toolchain

2020-03-24 Thread Antoine Manache
Absolutely.
I would add an example of an issue I've seen in a software project.
Someone developing a new application and using the image-based SDK that I
provided got the right functional behaviour on target.
Once this application was integrated into the core image of our Yocto
project (new recipe), the same tests on target failed (application crash).
The root cause was: the two binaries produced were different because the
effective GCC options at compile time were different between both methods
(security flags not enabled when compiling with the SDK).
Antoine

On Tue, 24 Mar 2020 at 19:34, Tom Hochstein wrote:

>
>
> > -Original Message-
> > From: Richard Purdie 
> > Sent: Tuesday, March 24, 2020 1:03 PM
> > To: Antoine Manache ; Tom Hochstein <
> tom.hochst...@nxp.com>
> > Cc: openembedded-core@lists.openembedded.org
> > Subject: Re: [OE-core][PATCH] security_flags.inc: fix flags missing from
> SDK toolchain
> >
> > On Tue, 2020-03-24 at 18:25 +0100, Antoine Manache wrote:
> > > I've already sent this patch a few months ago but it has not been
> > > taken into account yet.
> >
> > Can someone explain more about the issue here please?
> >
> > Shouldn't these flags be added to the SDK toolchain environment files
> > rather than coded into the compiler? Why aren't they being coded in? or
> > is gcc being misconfigured?
>
> The recipe meta-environment inherits cross-canadian and toolchain-scripts.
> The latter generates the SDK toolchain environment file using
> TARGET_CC_ARCH and TARGET_LDFLAGS like this:
>
> echo 'export CC="${TARGET_PREFIX}gcc ${TARGET_CC_ARCH} --sysroot=$SDKTARGETSYSROOT"' >> $script
> echo 'export LDFLAGS="${TARGET_LDFLAGS}"' >> $script
>
>
> https://github.com/openembedded/openembedded-core/blob/master/meta/classes/toolchain-scripts.bbclass#L82
>
> With class-cross-canadian as the applicable override, updating the
> security flags for class-target does nothing for the SDK toolchain, hence
> the proposed fix:
>
> TARGET_CC_ARCH_append_class-target = " ${SECURITY_CFLAGS}"
> +TARGET_CC_ARCH_append_class-cross-canadian = " ${SECURITY_CFLAGS}"
>  TARGET_LDFLAGS_append_class-target = " ${SECURITY_LDFLAGS}"
> +TARGET_LDFLAGS_append_class-cross-canadian = " ${SECURITY_LDFLAGS}"
>
> Tom
>


Re: [OE-core][PATCH] security_flags.inc: fix flags missing from SDK toolchain

2020-03-24 Thread Tom Hochstein


> -Original Message-
> From: Richard Purdie 
> Sent: Tuesday, March 24, 2020 1:03 PM
> To: Antoine Manache ; Tom Hochstein 
> 
> Cc: openembedded-core@lists.openembedded.org
> Subject: Re: [OE-core][PATCH] security_flags.inc: fix flags missing from SDK 
> toolchain
> 
> On Tue, 2020-03-24 at 18:25 +0100, Antoine Manache wrote:
> > I've already sent this patch a few months ago but it has not been
> > taken into account yet.
> 
> Can someone explain more about the issue here please?
> 
> Shouldn't these flags be added to the SDK toolchain environment files
> rather than coded into the compiler? Why aren't they being coded in? or
> is gcc being misconfigured?

The recipe meta-environment inherits cross-canadian and toolchain-scripts. The 
latter generates the SDK toolchain environment file using TARGET_CC_ARCH and 
TARGET_LDFLAGS like this:

echo 'export CC="${TARGET_PREFIX}gcc ${TARGET_CC_ARCH} --sysroot=$SDKTARGETSYSROOT"' >> $script
echo 'export LDFLAGS="${TARGET_LDFLAGS}"' >> $script

https://github.com/openembedded/openembedded-core/blob/master/meta/classes/toolchain-scripts.bbclass#L82

With class-cross-canadian as the applicable override, updating the security 
flags for class-target does nothing for the SDK toolchain, hence the proposed 
fix:

TARGET_CC_ARCH_append_class-target = " ${SECURITY_CFLAGS}"
+TARGET_CC_ARCH_append_class-cross-canadian = " ${SECURITY_CFLAGS}"
 TARGET_LDFLAGS_append_class-target = " ${SECURITY_LDFLAGS}"
+TARGET_LDFLAGS_append_class-cross-canadian = " ${SECURITY_LDFLAGS}"

Tom
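
The check that follows from the explanation above, as an added example that is not part of the original thread or of OE-core: it reads the `export CC` and `export LDFLAGS` lines of an SDK environment script and reports which hardening flags are absent. The expected flag lists, the function names and the two sample environment files are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: audit an SDK environment-setup script for hardening flags.
# ASSUMPTION: these lists stand in for the distro's SECURITY_CFLAGS and
# SECURITY_LDFLAGS; replace them with the values your build really uses.
EXPECTED_CC="-fstack-protector-strong -D_FORTIFY_SOURCE=2 -Werror=format-security"
EXPECTED_LD="-Wl,-z,relro,-z,now"

# Print the value of the last `export VAR="..."` line ($2) in script $1.
exported_value() {
    sed -n "s/^export $2=\"\(.*\)\"\$/\1/p" "$1" | tail -n 1
}

# Print each flag of $2 that does not occur as a whole word in $1.
missing_flags() {
    out=""
    for flag in $2; do
        case " $1 " in
            *" $flag "*) ;;
            *) out="$out $flag" ;;
        esac
    done
    printf '%s\n' "${out# }"
}

# Return 0 when CC and LDFLAGS carry every expected flag, else list the gaps.
audit_sdk_env() {
    cc_gap=$(missing_flags "$(exported_value "$1" CC)" "$EXPECTED_CC")
    ld_gap=$(missing_flags "$(exported_value "$1" LDFLAGS)" "$EXPECTED_LD")
    [ -z "$cc_gap" ] || echo "CC missing: $cc_gap"
    [ -z "$ld_gap" ] || echo "LDFLAGS missing: $ld_gap"
    [ -z "$cc_gap" ] && [ -z "$ld_gap" ]
}

# Constructed samples (not from a real SDK): before.sh lacks the flags.
write_samples() {
    cat > "$1/before.sh" <<'EOF'
export CC="arm-oe-linux-gnueabi-gcc -march=armv7-a --sysroot=$SDKTARGETSYSROOT"
export LDFLAGS="-Wl,-O1 -Wl,--as-needed"
EOF
    cat > "$1/after.sh" <<'EOF'
export CC="arm-oe-linux-gnueabi-gcc -march=armv7-a -fstack-protector-strong -D_FORTIFY_SOURCE=2 -Werror=format-security --sysroot=$SDKTARGETSYSROOT"
export LDFLAGS="-Wl,-O1 -Wl,--as-needed -Wl,-z,relro,-z,now"
EOF
}

demo=$(mktemp -d) && write_samples "$demo"
audit_sdk_env "$demo/before.sh" || echo "before.sh: security flags absent"
audit_sdk_env "$demo/after.sh" && echo "after.sh: security flags present"
rm -rf "$demo"
```

Matching is on whole words, so `-fstack-protector` in CC does not satisfy an expected `-fstack-protector-strong`.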


Re: [OE-core][PATCH] security_flags.inc: fix flags missing from SDK toolchain

2020-03-24 Thread Richard Purdie
On Tue, 2020-03-24 at 18:25 +0100, Antoine Manache wrote:
> I've already sent this patch a few months ago but it has not been
> taken into account yet.

Can someone explain more about the issue here please?

Shouldn't these flags be added to the SDK toolchain environment files
rather than coded into the compiler? Why aren't they being coded in? or
is gcc being misconfigured?

Cheers,

Richard



Re: [OE-core][PATCH] security_flags.inc: fix flags missing from SDK toolchain

2020-03-24 Thread Antoine Manache
I've already sent this patch a few months ago but it has not been taken into account yet.
AM

From: Antoine Manache
Date: Wed, 20 Nov 2019 at 16:44
Subject: [OE-core] [PATCH v2] sdk: environment script doesn't set security
options in CC and LDFLAGS variables
To: 

When building an SDK from a DISTRO with security flags enabled, options added to
CC and LDFLAGS are not replicated in the SDK environment script.
This could lead to some situations where an application compiled with
the SDK and having some security weaknesses correctly runs on target but
crashes once integrated to the core image built with the full Yocto
stack.

Signed-off-by: Antoine Manache 
---
 meta/conf/distro/include/security_flags.inc | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/meta/conf/distro/include/security_flags.inc
b/meta/conf/distro/include/security_flags.inc
index 620978a8ed..329482bfa3 100644
--- a/meta/conf/distro/include/security_flags.inc
+++ b/meta/conf/distro/include/security_flags.inc
@@ -56,7 +56,9 @@ SECURITY_STRINGFORMAT_pn-busybox = ""
 SECURITY_STRINGFORMAT_pn-gcc = ""

 TARGET_CC_ARCH_append_class-target = " ${SECURITY_CFLAGS}"
+TARGET_CC_ARCH_append_class-cross-canadian = " ${SECURITY_CFLAGS}"
 TARGET_LDFLAGS_append_class-target = " ${SECURITY_LDFLAGS}"
+TARGET_LDFLAGS_append_class-cross-canadian = " ${SECURITY_LDFLAGS}"

 SECURITY_STACK_PROTECTOR_pn-gcc-runtime = ""
 SECURITY_STACK_PROTECTOR_pn-glibc = ""
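
Review bot: The `diff --git` header above this hunk is split across two lines, and later in the thread the message is reported to have arrived as HTML and could not be applied; resend it as plain text with git send-email so the hunk applies cleanly. The subject prefix `sdk:` also does not name the one file touched, `security_flags.inc`, which is the prefix the other submission of this change uses. In the commit message, state that the environment script's CC and LDFLAGS are generated from TARGET_CC_ARCH and TARGET_LDFLAGS, since that is what makes the two `class-cross-canadian` lines necessary.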

--
2.11.0

On Tue, 24 Mar 2020 at 18:03, Tom Hochstein wrote:

> The security flags were missing from the SDK toolchain
> because they were added specifically to class-target.
> Add them to class-cross-canadian as well.
>
> Signed-off-by: Tom Hochstein 
> ---
>  meta/conf/distro/include/security_flags.inc | 2 ++
>  1 file changed, 2 insertions(+)
>
> diff --git a/meta/conf/distro/include/security_flags.inc
> b/meta/conf/distro/include/security_flags.inc
> index aaf04e9e59..568d03693c 100644
> --- a/meta/conf/distro/include/security_flags.inc
> +++ b/meta/conf/distro/include/security_flags.inc
> @@ -57,6 +57,8 @@ SECURITY_STRINGFORMAT_pn-gcc = ""
>
>  TARGET_CC_ARCH_append_class-target = " ${SECURITY_CFLAGS}"
>  TARGET_LDFLAGS_append_class-target = " ${SECURITY_LDFLAGS}"
> +TARGET_CC_ARCH_append_class-cross-canadian = " ${SECURITY_CFLAGS}"
> +TARGET_LDFLAGS_append_class-cross-canadian = " ${SECURITY_LDFLAGS}"
>
>  SECURITY_STACK_PROTECTOR_pn-gcc-runtime = ""
>  SECURITY_STACK_PROTECTOR_pn-glibc = ""
> --
> 2.17.1
>
> 
>


[OE-core][PATCH] security_flags.inc: fix flags missing from SDK toolchain

2020-03-24 Thread Tom Hochstein
The security flags were missing from the SDK toolchain
because they were added specifically to class-target.
Add them to class-cross-canadian as well.

Signed-off-by: Tom Hochstein 
---
 meta/conf/distro/include/security_flags.inc | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/meta/conf/distro/include/security_flags.inc 
b/meta/conf/distro/include/security_flags.inc
index aaf04e9e59..568d03693c 100644
--- a/meta/conf/distro/include/security_flags.inc
+++ b/meta/conf/distro/include/security_flags.inc
@@ -57,6 +57,8 @@ SECURITY_STRINGFORMAT_pn-gcc = ""
 
 TARGET_CC_ARCH_append_class-target = " ${SECURITY_CFLAGS}"
 TARGET_LDFLAGS_append_class-target = " ${SECURITY_LDFLAGS}"
+TARGET_CC_ARCH_append_class-cross-canadian = " ${SECURITY_CFLAGS}"
+TARGET_LDFLAGS_append_class-cross-canadian = " ${SECURITY_LDFLAGS}"
 
 SECURITY_STACK_PROTECTOR_pn-gcc-runtime = ""
 SECURITY_STACK_PROTECTOR_pn-glibc = ""
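
Review bot: The two added `class-cross-canadian` appends have no comment, and the commit message does not say why a cross-canadian override belongs among the target hardening flags. A one-line comment above them would do, noting that toolchain-scripts writes TARGET_CC_ARCH and TARGET_LDFLAGS into the SDK environment script's CC and LDFLAGS and that meta-environment is built under this override. The override is keyed on the class rather than on meta-environment, so the commit message should also state whether setting these variables in every recipe that inherits cross-canadian is intended.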
-- 
2.17.1
