diff options
| author | Brad Bishop <bradleyb@fuzziesquirrel.com> | 2018-12-17 04:11:34 +0300 |
|---|---|---|
| committer | Brad Bishop <bradleyb@fuzziesquirrel.com> | 2019-01-09 02:21:44 +0300 |
| commit | 1a4b7ee28bf7413af6513fb45ad0d0736048f866 (patch) | |
| tree | 79f6d8ea698cab8f2eaf4f54b793d2ca7a1451ce /poky/meta/conf/distro/include/security_flags.inc | |
| parent | 5b9ede0403237c7dace972affa65cf64a1aadd0e (diff) | |
| download | openbmc-1a4b7ee28bf7413af6513fb45ad0d0736048f866.tar.xz | |
reset upstream subtrees to yocto 2.6
Reset the following subtrees on thud HEAD:
poky: 87e3a9739d
meta-openembedded: 6094ae18c8
meta-security: 31dc4e7532
meta-raspberrypi: a48743dc36
meta-xilinx: c42016e2e6
Also re-apply backports that didn't make it into thud:
poky:
17726d0 systemd-systemctl-native: handle Install wildcards
meta-openembedded:
4321a5d libtinyxml2: update to 7.0.1
042f0a3 libcereal: Add native and nativesdk classes
e23284f libcereal: Allow empty package
030e8d4 rsyslog: curl-less build with fmhttp PACKAGECONFIG
179a1b9 gtest: update to 1.8.1
Squashed OpenBMC subtree compatibility updates:
meta-aspeed:
Brad Bishop (1):
aspeed: add yocto 2.6 compatibility
meta-ibm:
Brad Bishop (1):
ibm: prepare for yocto 2.6
meta-ingrasys:
Brad Bishop (1):
ingrasys: set layer compatibility to yocto 2.6
meta-openpower:
Brad Bishop (1):
openpower: set layer compatibility to yocto 2.6
meta-phosphor:
Brad Bishop (3):
phosphor: set layer compatibility to thud
phosphor: libgpg-error: drop patches
phosphor: react to fitimage artifact rename
Ed Tanous (4):
Dropbear: upgrade options for latest upgrade
yocto2.6: update openssl options
busybox: remove upstream watchdog patch
systemd: Rebase CONFIG_CGROUP_BPF patch
Change-Id: I7b1fe71cca880d0372a82d94b5fd785323e3a9e7
Signed-off-by: Brad Bishop <bradleyb@fuzziesquirrel.com>
Diffstat (limited to 'poky/meta/conf/distro/include/security_flags.inc')
| -rw-r--r-- | poky/meta/conf/distro/include/security_flags.inc | 26 |
1 files changed, 13 insertions, 13 deletions
diff --git a/poky/meta/conf/distro/include/security_flags.inc b/poky/meta/conf/distro/include/security_flags.inc index aaeca6991..620978a8e 100644 --- a/poky/meta/conf/distro/include/security_flags.inc +++ b/poky/meta/conf/distro/include/security_flags.inc @@ -3,14 +3,14 @@ # or both so a blacklist is maintained here. The idea would be over # time to reduce this list to nothing. # From a Yocto Project perspective, this file is included and tested -# in the DISTRO="poky-lsb" configuration. +# in the DISTRO="poky" configuration. GCCPIE ?= "--enable-default-pie" # If static PIE is known to work well, GLIBCPIE="--enable-static-pie" can be set # _FORTIFY_SOURCE requires -O1 or higher, so disable in debug builds as they use # -O0 which then results in a compiler warning. -lcl_maybe_fortify = "${@oe.utils.conditional('DEBUG_BUILD','1','','-D_FORTIFY_SOURCE=2',d)}" +lcl_maybe_fortify ?= "${@oe.utils.conditional('DEBUG_BUILD','1','','-D_FORTIFY_SOURCE=2',d)}" # Error on use of format strings that represent possible security problems SECURITY_STRINGFORMAT ?= "-Wformat -Wformat-security -Werror=format-security" @@ -21,19 +21,20 @@ SECURITY_PIE_CFLAGS ?= "${@'' if '${GCCPIE}' else '-pie -fPIE'}" SECURITY_NOPIE_CFLAGS ?= "-no-pie -fno-PIE" -SECURITY_CFLAGS ?= "-fstack-protector-strong ${SECURITY_PIE_CFLAGS} ${lcl_maybe_fortify} ${SECURITY_STRINGFORMAT}" -SECURITY_NO_PIE_CFLAGS ?= "-fstack-protector-strong ${lcl_maybe_fortify} ${SECURITY_STRINGFORMAT}" +SECURITY_STACK_PROTECTOR ?= "-fstack-protector-strong" -SECURITY_LDFLAGS ?= "-fstack-protector-strong -Wl,-z,relro,-z,now" -SECURITY_X_LDFLAGS ?= "-fstack-protector-strong -Wl,-z,relro" +SECURITY_CFLAGS ?= "${SECURITY_STACK_PROTECTOR} ${SECURITY_PIE_CFLAGS} ${lcl_maybe_fortify} ${SECURITY_STRINGFORMAT}" +SECURITY_NO_PIE_CFLAGS ?= "${SECURITY_STACK_PROTECTOR} ${lcl_maybe_fortify} ${SECURITY_STRINGFORMAT}" + +SECURITY_LDFLAGS ?= "${SECURITY_STACK_PROTECTOR} -Wl,-z,relro,-z,now" +SECURITY_X_LDFLAGS ?= "${SECURITY_STACK_PROTECTOR} -Wl,-z,relro" # powerpc does not get on with pie for reasons not looked into as yet -SECURITY_CFLAGS_powerpc = "-fstack-protector-strong ${lcl_maybe_fortify} ${SECURITY_NOPIE_CFLAGS}" -SECURITY_CFLAGS_pn-libgcc_powerpc = "" GCCPIE_powerpc = "" GLIBCPIE_powerpc = "" +SECURITY_CFLAGS_remove_powerpc = "${SECURITY_PIE_CFLAGS}" +SECURITY_CFLAGS_pn-libgcc_powerpc = "" -# arm specific security flag issues SECURITY_CFLAGS_pn-glibc = "" SECURITY_CFLAGS_pn-glibc-initial = "" SECURITY_CFLAGS_pn-gcc-runtime = "" @@ -43,7 +44,6 @@ SECURITY_CFLAGS_pn-grub-efi-native = "" SECURITY_CFLAGS_pn-grub-efi-x86-native = "" SECURITY_CFLAGS_pn-grub-efi-i586-native = "" SECURITY_CFLAGS_pn-grub-efi-x86-64-native = "" - SECURITY_CFLAGS_pn-mkelfimage_x86 = "" SECURITY_CFLAGS_pn-valgrind = "${SECURITY_NOPIE_CFLAGS}" @@ -58,9 +58,9 @@ SECURITY_STRINGFORMAT_pn-gcc = "" TARGET_CC_ARCH_append_class-target = " ${SECURITY_CFLAGS}" TARGET_LDFLAGS_append_class-target = " ${SECURITY_LDFLAGS}" -SECURITY_LDFLAGS_remove_pn-gcc-runtime = "-fstack-protector-strong" -SECURITY_LDFLAGS_remove_pn-glibc = "-fstack-protector-strong" -SECURITY_LDFLAGS_remove_pn-glibc-initial = "-fstack-protector-strong" +SECURITY_STACK_PROTECTOR_pn-gcc-runtime = "" +SECURITY_STACK_PROTECTOR_pn-glibc = "" +SECURITY_STACK_PROTECTOR_pn-glibc-initial = "" # All xorg module drivers need to be linked this way as well and are # handled in recipes-graphics/xorg-driver/xorg-driver-common.inc SECURITY_LDFLAGS_pn-xserver-xorg = "${SECURITY_X_LDFLAGS}" |