From d47f9a099a4ef992351237b0f2f562b5dc843397 Mon Sep 17 00:00:00 2001 From: Ed Tanous Date: Mon, 25 Jan 2021 13:15:36 -0800 Subject: Add security flags to all phosphor builds Yocto has a built-in class for applying compiler security flags to builds. Some security conscious projects within OpenBMC set these flags manually. We should do this project wide, given that it has a negligible performance impact, and brings us in line with modern security requirements. There are some whitepapers on the specifics of what these flags do, which is much better documentation than I am able to write here, but the key takeaways are that this: 1. Enables position independent code. 2. Enables FORTIFY_SOURCE level 2. 3. Enables -Wformat and -Wformat-security 4. Enables strong stack protection. None of these flags should have any change in functional behavior. Section 4.3 of this doc goes through this file in more detail: https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2018/improving-embedded-linux-security-yocto3.pdf croserver/eCMD doesn't currently compile with these flags, so it's explicitly excluded for the moment. Patchset has been merged against eCMD master to fix this, but we're so far behind, the bump doesn't build. obmc-libobmc-intf has an error that I can't quite understand yet about unused results, which shouldn't have been affected by this, yet it seems to be related to enabling the security hardening, so it is also excluded from the security flags for the moment. libpldm includes an IBM OEM command that relies on undefined behavior with open(); the proposed fix is here, but libpldm is excluded until that is merged and bumped. https://gerrit.openbmc-project.xyz/c/openbmc/pldm/+/3998412 Even with those three exceptions, getting a majority of the security flags enabled on a majority of the repos should be an overall win. 
Signed-off-by: Ed Tanous
Change-Id: I0483b1dbe1123a7beff8c5788363685487fb9c09
---
 meta-phosphor/conf/distro/include/phosphor-defaults.inc | 13 +++++++++++++
 1 file changed, 13 insertions(+)
(limited to 'meta-phosphor/conf/distro/include')
diff --git a/meta-phosphor/conf/distro/include/phosphor-defaults.inc b/meta-phosphor/conf/distro/include/phosphor-defaults.inc
index b90f28062..d5e07e34e 100644
--- a/meta-phosphor/conf/distro/include/phosphor-defaults.inc
+++ b/meta-phosphor/conf/distro/include/phosphor-defaults.inc
@@ -226,6 +226,19 @@ OBMC_DBUS_IFACE_ROOT ?= "xyz.openbmc_project"
 # phosphor-ipmi-fru-whitelist-native recipe.
 VIRTUAL-RUNTIME_phosphor-ipmi-providers ?= "phosphor-ipmi-fru"
+# Set security headers on builds
+require conf/distro/include/security_flags.inc
+
+# Disable security on croserver.
+# Remove if https://github.com/open-power/eCMD/pull/433 is ever merged
+SECURITY_STRINGFORMAT_pn-croserver = ""
+# obmc-libobmc-intf doesn't compile with security flags enabled
+SECURITY_CFLAGS_pn-obmc-libobmc-intf = ""
+
+# remove when https://gerrit.openbmc-project.xyz/c/openbmc/pldm/+/39984
+# is merged and rev bumped
+SECURITY_CFLAGS_pn-pldm = ""
+
 # Set the root password to '0penBmc'
 inherit extrausers
--
cgit v1.2.3
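Review bot: The two `SECURITY_CFLAGS_pn-... = ""` overrides for obmc-libobmc-intf and pldm empty the whole variable, so those recipes lose stack protection, PIE and FORTIFY_SOURCE together rather than only the flag that breaks their build. The croserver line above them shows the narrower form, clearing just `SECURITY_STRINGFORMAT`. If the pldm failure is the open() issue the commit message describes, it is probably a FORTIFY_SOURCE diagnostic, and something like `SECURITY_CFLAGS_remove_pn-pldm = "-D_FORTIFY_SOURCE=2"` would keep the rest of the hardening on that recipe; this should be confirmed against the actual build error. The comment `# Disable security on croserver.` also overstates what its line does, and `# Disable only the format-string warning flags on croserver.` would match the override. Likewise `# Set security headers on builds` would read better as `# Apply compiler/linker security flags to all builds`.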