Hi Paul,

meta/conf/distro/include/security_flags.inc is much better than a blanket change of compiler flags. Thanks for the tip. Are there any other tips/web pages on Security or Linux hardening using Yocto?

Cheers,
Martin.

On Mon, Nov 9, 2015 at 11:06 PM, Paul Eggleton <paul.eggle...@linux.intel.com> wrote:

> On Monday 09 November 2015 22:32:59 Martin Townsend wrote:
> > My issue is particular to my distro, I tried changing to poky and all was
> > well. The reason for our own distro was to migrate from Arago which we
> > were using. So I copied Arago into a separate distro and then started
> > morphing it into something more akin to Poky over time. Alas I left the
> > following line in the distro conf, one which I should have removed :(
> >
> > # Enable basic stack and buffer overflow protections
> > TARGET_CPPFLAGS += "-fstack-protector -D_FORTIFY_SOURCE=1"
> >
> > After commenting this out binutils for the target builds fine. I'm
> > guessing that for libiberty CPPFLAGS propagates into configure or makefile
> > in the binutils recipe which then fails one of its config checks and
> > because of this fails to set HAVE_LIMITS and a few others no doubt.
> >
> > Many apologies for leading you on a wild goose chase, I don't know if there
> > is anything you can do so others don't fall foul of this. Is setting
> > TARGET_CPPFLAGS or TARGET_CFLAGS for that matter useful in configuration
> > files?? If so, maybe making sure they are reverted for building binutils??
>
> I'm assuming you could do something like:
>
> TARGET_CPPFLAGS += "${MY_EXTRAFLAGS}"
> MY_EXTRAFLAGS = "-fstack-protector -D_FORTIFY_SOURCE=1"
> MY_EXTRAFLAGS_pn-binutils = ""
>
> FYI we do have meta/conf/distro/include/security_flags.inc to apply these two
> flags, but interestingly there's no mention of binutils in there.
>
> > Thanks for all the help and maybe it's time we moved over to Poky :)
>
> Well, there's nothing forcing you to use poky - it's a reference distribution;
> the assumption is usually that you'll want to change something at the
> distribution level at which point you've effectively created your own
> distro.
>
> Cheers,
> Paul
>
> --
>
> Paul Eggleton
> Intel Open Source Technology Centre
>
--
_______________________________________________
yocto mailing list
yocto@yoctoproject.org
https://lists.yoctoproject.org/listinfo/yocto
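
After a per-recipe override like the one quoted in this thread, it helps to confirm which target binaries actually carry evidence of -fstack-protector and -D_FORTIFY_SOURCE. The following is an added example, not part of the original thread or of the Yocto Project's own code; the function names and the sample `readelf -W --dyn-syms` output are constructed for illustration.

```python
import re
import subprocess

STACK_SYMS = {"__stack_chk_fail", "__stack_chk_guard"}  # referenced when -fstack-protector is active
FORTIFY_RE = re.compile(r"^__\w+_chk$")  # e.g. __memcpy_chk, emitted under _FORTIFY_SOURCE

def parse_dyn_syms(readelf_output):
    """Extract symbol names from `readelf -W --dyn-syms` text output."""
    names = set()
    for line in readelf_output.splitlines():
        fields = line.split()
        # Symbol rows: Num: Value Size Type Bind Vis Ndx Name[@VERSION]
        if len(fields) >= 8 and fields[0].rstrip(":").isdigit():
            names.add(fields[7].split("@")[0])
    return names

def hardening_report(symbols):
    """Summarise hardening evidence. Absence is not proof the flags were
    dropped: a small binary may contain nothing to protect or fortify."""
    return {
        "stack_protector": bool(symbols & STACK_SYMS),
        "fortified_calls": sorted(s for s in symbols if FORTIFY_RE.match(s)),
    }

def check_binary(path, readelf="readelf"):
    """Run readelf on one file from the image rootfs and report on it."""
    out = subprocess.run([readelf, "-W", "--dyn-syms", path],
                         check=True, capture_output=True, text=True).stdout
    return hardening_report(parse_dyn_syms(out))

# Constructed sample output (not taken from a real build).
SAMPLE_HARDENED = """\
Symbol table '.dynsym' contains 5 entries:
   Num:    Value  Size Type    Bind   Vis      Ndx Name
     0: 00000000     0 NOTYPE  LOCAL  DEFAULT  UND
     1: 00000000     0 FUNC    GLOBAL DEFAULT  UND __stack_chk_fail@GLIBC_2.4 (2)
     2: 00000000     0 FUNC    GLOBAL DEFAULT  UND __memcpy_chk@GLIBC_2.4 (2)
     3: 00000000     0 FUNC    GLOBAL DEFAULT  UND __sprintf_chk@GLIBC_2.4 (2)
     4: 00000000     0 FUNC    GLOBAL DEFAULT  UND puts@GLIBC_2.4 (3)
"""
SAMPLE_PLAIN = """\
   Num:    Value  Size Type    Bind   Vis      Ndx Name
     1: 00000000     0 FUNC    GLOBAL DEFAULT  UND memcpy@GLIBC_2.4 (2)
     2: 00000000     0 FUNC    GLOBAL DEFAULT  UND puts@GLIBC_2.4 (3)
"""

if __name__ == "__main__":
    for label, sample in (("hardened", SAMPLE_HARDENED), ("plain", SAMPLE_PLAIN)):
        print(label, hardening_report(parse_dyn_syms(sample)))
```

Running check_binary over the ELF files in an image's rootfs shows at a glance which recipes ended up without either protection after an override is introduced.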