[yocto-security] [PATCH] SDK environment script doesn't set security options in CC and LDFLAGS variables
Mikko.Rapeli at bmw.de
Wed Nov 20 05:13:44 PST 2019
On Wed, Nov 20, 2019 at 11:02:42AM +0100, Antoine MANACHE wrote:
> When building an SDK from a DISTRO with security flags enabled, options
> added to CC and LDFLAGS are not replicated in the SDK environment script.
> This could lead to some situations where an application compiled with
> the SDK and having some security weaknesses correctly runs on target but
> crashes once integrated to the core image built with the full Yocto
> stack.
>
> Signed-off-by: Antoine Manache <a.manache at gmail.com>
> ---
> meta/conf/distro/include/security_flags.inc | 2 ++
> 1 file changed, 2 insertions(+)
>
> diff --git a/meta/conf/distro/include/security_flags.inc
> b/meta/conf/distro/include/security_flags.inc
> index 620978a8ed..329482bfa3 100644
> --- a/meta/conf/distro/include/security_flags.inc
> +++ b/meta/conf/distro/include/security_flags.inc
> @@ -56,7 +56,9 @@ SECURITY_STRINGFORMAT_pn-busybox = ""
> SECURITY_STRINGFORMAT_pn-gcc = ""
>
> TARGET_CC_ARCH_append_class-target = " ${SECURITY_CFLAGS}"
> +TARGET_CC_ARCH_append_class-cross-canadian = " ${SECURITY_CFLAGS}"
> TARGET_LDFLAGS_append_class-target = " ${SECURITY_LDFLAGS}"
> +TARGET_LDFLAGS_append_class-cross-canadian = " ${SECURITY_LDFLAGS}"
Thanks for this! I've also been wondering about this.
IMO this should be backported to stable branches.
-Mikko
> SECURITY_STACK_PROTECTOR_pn-gcc-runtime = ""
> SECURITY_STACK_PROTECTOR_pn-glibc = ""
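Review bot: The two added _append_class-cross-canadian lines carry no comment, and neither the hunk nor the commit message says why the cross-canadian class override is the one that reaches the SDK environment script. A one-line comment above them stating that they export the security flags to the SDK would keep a later cleanup from dropping them as redundant with the class-target appends next to them. The commit message should also say how the result was checked, for example that CC and LDFLAGS in the generated environment script now contain the expanded SECURITY_CFLAGS and SECURITY_LDFLAGS, and whether the per-recipe exemptions visible in the context (SECURITY_STRINGFORMAT_pn-gcc = "", SECURITY_STACK_PROTECTOR_pn-glibc = "") are unaffected by the new override.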
> --
> 2.11.0