[yocto-security] [PATCH] SDK environment script doesn't set security options in CC and LDFLAGS variables
Antoine Manache
a.manache at gmail.com
Wed Nov 20 06:23:48 PST 2019
@Alex: patch forwarded to the openembedded-core mailing list.
Regards.
Antoine
On Wed, 20 Nov 2019 at 14:13, <Mikko.Rapeli at bmw.de> wrote:
> On Wed, Nov 20, 2019 at 11:02:42AM +0100, Antoine MANACHE wrote:
> > When building a SDK from a DISTRO with security flags enabled, options
> > added to CC and LDFLAGS are not replicated in the SDK environment script.
> > This could lead to some situations where an application compiled with
> > the SDK and having some security weaknesses correctly runs on target but
> > crashes once integrated to the core image built with the full Yocto
> > stack.
> >
> > Signed-off-by: Antoine Manache <a.manache at gmail.com>
> > ---
> > meta/conf/distro/include/security_flags.inc | 2 ++
> > 1 file changed, 2 insertions(+)
> >
> > diff --git a/meta/conf/distro/include/security_flags.inc
> > b/meta/conf/distro/include/security_flags.inc
> > index 620978a8ed..329482bfa3 100644
> > --- a/meta/conf/distro/include/security_flags.inc
> > +++ b/meta/conf/distro/include/security_flags.inc
> > @@ -56,7 +56,9 @@ SECURITY_STRINGFORMAT_pn-busybox = ""
> > SECURITY_STRINGFORMAT_pn-gcc = ""
> >
> > TARGET_CC_ARCH_append_class-target = " ${SECURITY_CFLAGS}"
> > +TARGET_CC_ARCH_append_class-cross-canadian = " ${SECURITY_CFLAGS}"
> > TARGET_LDFLAGS_append_class-target = " ${SECURITY_LDFLAGS}"
> > +TARGET_LDFLAGS_append_class-cross-canadian = " ${SECURITY_LDFLAGS}"
>
> Thanks for this! I've also been wondering about this.
>
> IMO this should be backported to stable branches.
>
> -Mikko
>
> > SECURITY_STACK_PROTECTOR_pn-gcc-runtime = ""
> > SECURITY_STACK_PROTECTOR_pn-glibc = ""
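
Review bot: the two added class-cross-canadian appends apply SECURITY_CFLAGS and SECURITY_LDFLAGS to every cross-canadian recipe with no opt-out, while the context lines around them show that target builds need per-recipe exemptions (SECURITY_STRINGFORMAT_pn-gcc = "", SECURITY_STACK_PROTECTOR_pn-gcc-runtime = "", SECURITY_STACK_PROTECTOR_pn-glibc = ""). Those _pn- overrides match on recipe name, and cross-canadian recipes typically carry different names than their target counterparts, so please confirm that the SDK toolchain recipes still build with the flags applied, or add matching exemptions if any are needed. The commit message should also say how the result was checked, for example that CC and LDFLAGS in the generated SDK environment script now contain the security options, and name the branches affected, since a backport to stable is being requested.
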
> > --
> > 2.11.0