* [PATCH] security_flags.inc: Remove `-fstack-protector-strong' from LDFLAGS
From: Hongxu Jia @ 2018-09-03 13:31 UTC
To: openembedded-core

The `-fstack-protector-***' should be passed to gcc rather than linker,
since `4ca946c security_flags: use -fstack-protector-strong', it was
added to LDFLAGS, although there is no extra build failure introduced,
but it is still unnecessary.(-Wl,** is for linker)

Reported-by: Lans Zhang <https://github.com/jiazhang0>

Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
--- meta/conf/distro/include/security_flags.inc | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/meta/conf/distro/include/security_flags.inc b/meta/conf/distro/include/security_flags.inc index 620978a..362b1db 100644 --- a/meta/conf/distro/include/security_flags.inc +++ b/meta/conf/distro/include/security_flags.inc @@ -26,8 +26,8 @@ SECURITY_STACK_PROTECTOR ?= "-fstack-protector-strong" SECURITY_CFLAGS ?= "${SECURITY_STACK_PROTECTOR} ${SECURITY_PIE_CFLAGS} ${lcl_maybe_fortify} ${SECURITY_STRINGFORMAT}" SECURITY_NO_PIE_CFLAGS ?= "${SECURITY_STACK_PROTECTOR} ${lcl_maybe_fortify} ${SECURITY_STRINGFORMAT}" -SECURITY_LDFLAGS ?= "${SECURITY_STACK_PROTECTOR} -Wl,-z,relro,-z,now" -SECURITY_X_LDFLAGS ?= "${SECURITY_STACK_PROTECTOR} -Wl,-z,relro" +SECURITY_LDFLAGS ?= "-Wl,-z,relro,-z,now" +SECURITY_X_LDFLAGS ?= "-Wl,-z,relro" # powerpc does not get on with pie for reasons not looked into as yet GCCPIE_powerpc = "" -- 2.7.4
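Review bot: Dropping ${SECURITY_STACK_PROTECTOR} from both SECURITY_LDFLAGS and SECURITY_X_LDFLAGS leaves SECURITY_CFLAGS and SECURITY_NO_PIE_CFLAGS as the only carriers of -fstack-protector-strong, so a build that compiles sources with LDFLAGS alone would lose the protection without any error, and the commit message only calls the flag "unnecessary" without naming a failing case. Please state in the commit message the concrete breakage that motivates the removal, and consider pairing the change with a QA warning for builds that do not pick up CFLAGS, so the loss is visible rather than silent.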
* ✗ patchtest: failure for security_flags.inc: Remove `-fstack-protector-strong' from LDFLAGS
From: Patchwork @ 2018-09-03 14:02 UTC
To: Hongxu Jia; +Cc: openembedded-core

== Series Details ==

Series: security_flags.inc: Remove `-fstack-protector-strong' from LDFLAGS
Revision: 1
URL   : https://patchwork.openembedded.org/series/13868/
State : failure

== Summary ==

Thank you for submitting this patch series to OpenEmbedded Core. This is
an automated response. Several tests have been executed on the proposed
series by patchtest resulting in the following failures:

* Issue             Series does not apply on top of target branch [test_series_merge_on_head]
  Suggested fix    Rebase your series on top of targeted branch
  Targeted branch  master (currently at 853e0499be)

If you believe any of these test results are incorrect, please reply to the
mailing list (openembedded-core@lists.openembedded.org) raising your concerns.
Otherwise we would appreciate you correcting the issues and submitting a new
version of the patchset if applicable. Please ensure you add/increment the
version number when sending the new version (i.e. [PATCH] -> [PATCH v2] ->
[PATCH v3] -> ...).

---
Guidelines:     https://www.openembedded.org/wiki/Commit_Patch_Message_Guidelines
Test framework: http://git.yoctoproject.org/cgit/cgit.cgi/patchtest
Test suite:     http://git.yoctoproject.org/cgit/cgit.cgi/patchtest-oe
* Re: ✗ patchtest: failure for security_flags.inc: Remove `-fstack-protector-strong' from LDFLAGS
From: Hongxu Jia @ 2018-09-03 14:12 UTC
To: openembedded-core

On 2018-09-03 22:02, Patchwork wrote:
> == Series Details ==
>
> Series: security_flags.inc: Remove `-fstack-protector-strong' from LDFLAGS
> Revision: 1
> URL   : https://patchwork.openembedded.org/series/13868/
> State : failure
>
> == Summary ==
>
> Thank you for submitting this patch series to OpenEmbedded Core. This is
> an automated response. Several tests have been executed on the proposed
> series by patchtest resulting in the following failures:
>
> * Issue             Series does not apply on top of target branch [test_series_merge_on_head]

The patch is based on `0ed4a62 security_flags.inc: add
var-SECURITY_STACK_PROTECTOR to improve variable OVERRIDES'
which is on master-next

//Hongxu

>   Suggested fix    Rebase your series on top of targeted branch
>   Targeted branch  master (currently at 853e0499be)
>
> If you believe any of these test results are incorrect, please reply to the
> mailing list (openembedded-core@lists.openembedded.org) raising your concerns.
> Otherwise we would appreciate you correcting the issues and submitting a new
> version of the patchset if applicable. Please ensure you add/increment the
> version number when sending the new version (i.e. [PATCH] -> [PATCH v2] ->
> [PATCH v3] -> ...).
>
> ---
> Guidelines:     https://www.openembedded.org/wiki/Commit_Patch_Message_Guidelines
> Test framework: http://git.yoctoproject.org/cgit/cgit.cgi/patchtest
> Test suite:     http://git.yoctoproject.org/cgit/cgit.cgi/patchtest-oe
* Re: [PATCH] security_flags.inc: Remove `-fstack-protector-strong' from LDFLAGS
From: Khem Raj @ 2018-09-03 16:30 UTC
To: Hongxu Jia; +Cc: Patches and discussions about the oe-core layer

On Mon, Sep 3, 2018 at 6:31 AM Hongxu Jia <hongxu.jia@windriver.com> wrote:
>
> The `-fstack-protector-***' should be passed to gcc rather than linker,
> since `4ca946c security_flags: use -fstack-protector-strong', it was
> added to LDFLAGS, although there is no extra build failure introduced,
> but it is still unnecessary.(-Wl,** is for linker)
>

There are cases where CFLAGS is not combined into LDFLAGS by package
component builds, which creates the disjoint. If we remove this here then
that will start to show up. Remember, we do not configure toolchains to
provide the hardening flags by default as yet, so we have to be explicit.
Do you see issues with current settings?

> Reported-by: Lans Zhang <https://github.com/jiazhang0>
>
> Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
> --- > meta/conf/distro/include/security_flags.inc | 4 ++-- > 1 file changed, 2 insertions(+), 2 deletions(-) > > diff --git a/meta/conf/distro/include/security_flags.inc b/meta/conf/distro/include/security_flags.inc > index 620978a..362b1db 100644 > --- a/meta/conf/distro/include/security_flags.inc > +++ b/meta/conf/distro/include/security_flags.inc
> @@ -26,8 +26,8 @@ SECURITY_STACK_PROTECTOR ?= "-fstack-protector-strong" > SECURITY_CFLAGS ?= "${SECURITY_STACK_PROTECTOR} ${SECURITY_PIE_CFLAGS} ${lcl_maybe_fortify} ${SECURITY_STRINGFORMAT}" > SECURITY_NO_PIE_CFLAGS ?= "${SECURITY_STACK_PROTECTOR} ${lcl_maybe_fortify} ${SECURITY_STRINGFORMAT}" > > -SECURITY_LDFLAGS ?= "${SECURITY_STACK_PROTECTOR} -Wl,-z,relro,-z,now" > -SECURITY_X_LDFLAGS ?= "${SECURITY_STACK_PROTECTOR} -Wl,-z,relro" > +SECURITY_LDFLAGS ?= "-Wl,-z,relro,-z,now" > +SECURITY_X_LDFLAGS ?= "-Wl,-z,relro" > > # powerpc does not get on with pie for reasons not looked into as yet > GCCPIE_powerpc = "" > -- > 2.7.4 > ^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [PATCH] security_flags.inc: Remove `-fstack-protector-strong' from LDFLAGS
From: Hongxu Jia @ 2018-09-04 1:35 UTC
To: Khem Raj; +Cc: Patches and discussions about the oe-core layer

On 2018-09-04 00:30, Khem Raj wrote:
> On Mon, Sep 3, 2018 at 6:31 AM Hongxu Jia <hongxu.jia@windriver.com> wrote:
>> The `-fstack-protector-***' should be passed to gcc rather than linker,
>> since `4ca946c security_flags: use -fstack-protector-strong', it was
>> added to LDFLAGS, although there is no extra build failure introduced,
>> but it is still unnecessary.(-Wl,** is for linker)
>>
> There are cases where CFLAGS is not combined into LDFLAGS by package
> component builds
> which creates the disjoint, If we remove this here then that will
> start to show up. remember we do
> not configure toolchains to provide the hardening flags by default as
> yet, so we have to be explicit.
> Do you see issues with current settings ?

Yes, I know a recipe (libsign in meta-secure-core) checks LDFLAGS with
`-Wl,***' and it failed with `-fstack-protector-strong', and our
Wind River Linux had to maintain a list of
`SECURITY_LDFLAGS_remove_pn-*** = "-fstack-protector-strong"'
for non oe-core layers.

I know some recipes may not combine CFLAGS to their build, but
we should investigate some way like `-Wl,--hash-style=gnu' to check
LDFLAGS for CFLAGS, and mention a warning to figure it out.

//Hongxu

>> Reported-by: Lans Zhang <https://github.com/jiazhang0>
>>
>> Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
>> --- >> meta/conf/distro/include/security_flags.inc | 4 ++-- >> 1 file changed, 2 insertions(+), 2 deletions(-) >> >> diff --git a/meta/conf/distro/include/security_flags.inc b/meta/conf/distro/include/security_flags.inc >> index 620978a..362b1db 100644 >> --- a/meta/conf/distro/include/security_flags.inc >> +++ b/meta/conf/distro/include/security_flags.inc
>> @@ -26,8 +26,8 @@ SECURITY_STACK_PROTECTOR ?= "-fstack-protector-strong" >> SECURITY_CFLAGS ?= "${SECURITY_STACK_PROTECTOR} ${SECURITY_PIE_CFLAGS} ${lcl_maybe_fortify} ${SECURITY_STRINGFORMAT}" >> SECURITY_NO_PIE_CFLAGS ?= "${SECURITY_STACK_PROTECTOR} ${lcl_maybe_fortify} ${SECURITY_STRINGFORMAT}" >> >> -SECURITY_LDFLAGS ?= "${SECURITY_STACK_PROTECTOR} -Wl,-z,relro,-z,now" >> -SECURITY_X_LDFLAGS ?= "${SECURITY_STACK_PROTECTOR} -Wl,-z,relro" >> +SECURITY_LDFLAGS ?= "-Wl,-z,relro,-z,now" >> +SECURITY_X_LDFLAGS ?= "-Wl,-z,relro" >> >> # powerpc does not get on with pie for reasons not looked into as yet >> GCCPIE_powerpc = "" >> -- >> 2.7.4 >> ^ permalink raw reply [flat|nested] 5+ messages in thread
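The disjoint Khem Raj describes and the warning Hongxu Jia proposes in the two replies above can be made visible by auditing the compiler-driver commands of a build. This is an added example, not code from OpenEmbedded or from either author: the command lines are constructed, and the names `audit` and `audit_log` are hypothetical.

```python
import shlex

# Constructed driver command lines, not taken from a real build log.
SAMPLE_LOG = [
    "gcc -O2 -fstack-protector-strong -c foo.c -o foo.o",             # CFLAGS honoured
    "gcc -Wl,-z,relro,-z,now foo.o -o foo",                           # link-only step
    "gcc -Wl,-z,relro,-z,now bar.c -o bar",                           # LDFLAGS only, patched value
    "gcc -fstack-protector-strong -Wl,-z,relro,-z,now baz.c -o baz",  # LDFLAGS only, old value
    "gcc -fstack-protector-strong -fno-stack-protector -c qux.c",     # later flag wins
]

SOURCES = (".c", ".cc", ".cpp", ".cxx")
NO_LINK = {"-c", "-S", "-E"}


def audit(command):
    """Return the hardening findings for one gcc-style driver invocation."""
    args = shlex.split(command)[1:]
    compiles = any(a.endswith(SOURCES) for a in args)
    links = NO_LINK.isdisjoint(args)

    ssp = False
    linker_args = []
    for a in args:
        if a.startswith("-fstack-protector"):
            ssp = True
        elif a == "-fno-stack-protector":
            ssp = False                      # the last occurrence decides
        elif a.startswith("-Wl,"):
            linker_args += a.split(",")[1:]  # options handed through to ld

    # Collect the keyword that follows each "-z" on the linker command line.
    z_opts = {linker_args[i + 1] for i, a in enumerate(linker_args[:-1]) if a == "-z"}

    findings = []
    if compiles and not ssp:
        findings.append("compiled without stack protector")
    if links and "relro" not in z_opts:
        findings.append("linked without -z relro")
    return findings


def audit_log(lines):
    """Map each command that has findings to its list of findings."""
    return {line: f for line in lines if (f := audit(line))}
```

The `bar` and `baz` lines differ only in the LDFLAGS value from before and after the patch: with the old value the single-step build is still instrumented, with the new value it is reported.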