author Ed Tanous <edtanous@google.com> 2021-01-26 00:15:36 +0300
committer Brad Bishop <bradleyb@fuzziesquirrel.com> 2021-01-28 00:55:07 +0300
commit d47f9a099a4ef992351237b0f2f562b5dc843397 (patch)
tree f3feb818bdfb57ddfe1bc6a595e31b3d540b4f49 /meta-phosphor/conf
parent f4a1ba5e78e225e598066c0a61474b943be5385a (diff)
Add security flags to all phosphor builds
Yocto has a built-in class for applying compiler security flags to builds. Some security-conscious projects within OpenBMC set these flags manually. We should do this project wide, given that it has a negligible performance impact, and brings us in line with modern security requirements.

There are some whitepapers on the specifics of what these flags do, which is a much better documentation than I am able to write here, but the key takeaways are that this:
1. Enables position independent code.
2. Enables FORTIFY_SOURCE level 2.
3. Enables -wformat and -wformat-security
4. Enables strong stack protection.

None of these flags should have any change in functional behavior.

Section 4.3 of this doc goes through this file in more detail:
https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/improving-embedded-linux-security-yocto3.pdf

croserver/eCMD doesn't currently compile with these flags, so it's explicitly excluded for the moment. Patchset has been merged against eCMD master to fix this, but we're so far behind, the bump doesn't build.

obmc-libobmc-intf has an error that I can't quite understand yet about unused results, which shouldn't have been affected by this, yet it seems to be related to enabling the security hardening, so it is also excluded from the security flags for the moment.

libpldm includes an IBM OEM command that relies on undefined behavior with open(); the proposed fix is here, but libpldm is excluded until that is merged and bumped.
https://gerrit.openbmc-project.xyz/c/openbmc/pldm/+/3998412

Even with those three exceptions, getting a majority of the security flags enabled on a majority of the repos should be an overall win.

Signed-off-by: Ed Tanous <edtanous@google.com>
Change-Id: I0483b1dbe1123a7beff8c5788363685487fb9c09
Diffstat (limited to 'meta-phosphor/conf')
-rw-r--r-- meta-phosphor/conf/distro/include/phosphor-defaults.inc 13
1 files changed, 13 insertions, 0 deletions
diff --git a/meta-phosphor/conf/distro/include/phosphor-defaults.inc b/meta-phosphor/conf/distro/include/phosphor-defaults.inc
index b90f28062..d5e07e34e 100644
--- a/meta-phosphor/conf/distro/include/phosphor-defaults.inc
+++ b/meta-phosphor/conf/distro/include/phosphor-defaults.inc
@@ -226,6 +226,19 @@ OBMC_DBUS_IFACE_ROOT ?= "xyz.openbmc_project"
# phosphor-ipmi-fru-whitelist-native recipe.
VIRTUAL-RUNTIME_phosphor-ipmi-providers ?= "phosphor-ipmi-fru"
+# Set security headers on builds
+require conf/distro/include/security_flags.inc
+
+# Disable security on croserver.
+# Remove if https://github.com/open-power/eCMD/pull/433 is ever merged
+SECURITY_STRINGFORMAT_pn-croserver = ""
+# obmc-libobmc-intf doesn't compile with security flags enabled
+SECURITY_CFLAGS_pn-obmc-libobmc-intf = ""
+
+# remove when https://gerrit.openbmc-project.xyz/c/openbmc/pldm/+/39984
+# is merged and rev bumped
+SECURITY_CFLAGS_pn-pldm = ""
+
# Set the root password to '0penBmc'
inherit extrausers
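Review bot: The `SECURITY_CFLAGS_pn-obmc-libobmc-intf = ""` override has no removal condition or tracking link, unlike the croserver and pldm entries, so nothing prompts anyone to turn hardening back on for that recipe; please reference an issue or review in its comment. Both `SECURITY_CFLAGS_pn-... = ""` lines also clear the whole variable for their recipes instead of dropping only the flag that breaks the build, which leaves obmc-libobmc-intf and pldm without any of the compile-time hardening this change introduces; if the failure can be tied to a single flag, a narrower override would keep the rest. Two comment nits: "Disable security on croserver" overstates what `SECURITY_STRINGFORMAT_pn-croserver = ""` does, since only the format-string flags are cleared there, and "Set security headers on builds" should read "security flags".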