* [PATCH] security_flags.inc: Remove `-fstack-protector-strong' from LDFLAGS
@ 2018-09-03 13:31 Hongxu Jia
  2018-09-03 14:02 ` ✗ patchtest: failure for " Patchwork
  2018-09-03 16:30 ` [PATCH] " Khem Raj
  0 siblings, 2 replies; 5+ messages in thread
From: Hongxu Jia @ 2018-09-03 13:31 UTC
  To: openembedded-core

The `-fstack-protector-***' should be passed to gcc rather than the linker.
Since `4ca946c security_flags: use -fstack-protector-strong', it was
added to LDFLAGS; although there is no extra build failure introduced,
it is still unnecessary. (-Wl,** is for the linker.)

Reported-by: Lans Zhang <https://github.com/jiazhang0>

Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
---
 meta/conf/distro/include/security_flags.inc | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/meta/conf/distro/include/security_flags.inc b/meta/conf/distro/include/security_flags.inc
index 620978a..362b1db 100644
--- a/meta/conf/distro/include/security_flags.inc
+++ b/meta/conf/distro/include/security_flags.inc
@@ -26,8 +26,8 @@ SECURITY_STACK_PROTECTOR ?= "-fstack-protector-strong"
 SECURITY_CFLAGS ?= "${SECURITY_STACK_PROTECTOR} ${SECURITY_PIE_CFLAGS} ${lcl_maybe_fortify} ${SECURITY_STRINGFORMAT}"
 SECURITY_NO_PIE_CFLAGS ?= "${SECURITY_STACK_PROTECTOR} ${lcl_maybe_fortify} ${SECURITY_STRINGFORMAT}"
 
-SECURITY_LDFLAGS ?= "${SECURITY_STACK_PROTECTOR} -Wl,-z,relro,-z,now"
-SECURITY_X_LDFLAGS ?= "${SECURITY_STACK_PROTECTOR} -Wl,-z,relro"
+SECURITY_LDFLAGS ?= "-Wl,-z,relro,-z,now"
+SECURITY_X_LDFLAGS ?= "-Wl,-z,relro"
 
 # powerpc does not get on with pie for reasons not looked into as yet
 GCCPIE_powerpc = ""
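
Review bot: The two removed lines take ${SECURITY_STACK_PROTECTOR} out of SECURITY_LDFLAGS and SECURITY_X_LDFLAGS, which leaves it only in SECURITY_CFLAGS and SECURITY_NO_PIE_CFLAGS; a recipe that runs a combined compile-and-link step with LDFLAGS but without CFLAGS would then be built without the stack protector and with no build error to show it. The commit message calls the flag unnecessary but names no failing build, so please state the concrete breakage that motivates the removal and how recipes that drop CFLAGS are expected to be caught. A one-line comment above SECURITY_LDFLAGS saying that only linker options belong there would also keep the flag from being added back later.
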
-- 
2.7.4




* ✗ patchtest: failure for security_flags.inc: Remove `-fstack-protector-strong' from LDFLAGS
  2018-09-03 13:31 [PATCH] security_flags.inc: Remove `-fstack-protector-strong' from LDFLAGS Hongxu Jia
@ 2018-09-03 14:02 ` Patchwork
  2018-09-03 14:12   ` Hongxu Jia
  2018-09-03 16:30 ` [PATCH] " Khem Raj
  1 sibling, 1 reply; 5+ messages in thread
From: Patchwork @ 2018-09-03 14:02 UTC
  To: Hongxu Jia; +Cc: openembedded-core

== Series Details ==

Series: security_flags.inc: Remove `-fstack-protector-strong' from LDFLAGS
Revision: 1
URL   : https://patchwork.openembedded.org/series/13868/
State : failure

== Summary ==


Thank you for submitting this patch series to OpenEmbedded Core. This is
an automated response. Several tests have been executed on the proposed
series by patchtest resulting in the following failures:



* Issue             Series does not apply on top of target branch [test_series_merge_on_head] 
  Suggested fix    Rebase your series on top of targeted branch
  Targeted branch  master (currently at 853e0499be)



If you believe any of these test results are incorrect, please reply to the
mailing list (openembedded-core@lists.openembedded.org) raising your concerns.
Otherwise we would appreciate you correcting the issues and submitting a new
version of the patchset if applicable. Please ensure you add/increment the
version number when sending the new version (i.e. [PATCH] -> [PATCH v2] ->
[PATCH v3] -> ...).

---
Guidelines:     https://www.openembedded.org/wiki/Commit_Patch_Message_Guidelines
Test framework: http://git.yoctoproject.org/cgit/cgit.cgi/patchtest
Test suite:     http://git.yoctoproject.org/cgit/cgit.cgi/patchtest-oe




* Re: ✗ patchtest: failure for security_flags.inc: Remove `-fstack-protector-strong' from LDFLAGS
  2018-09-03 14:02 ` ✗ patchtest: failure for " Patchwork
@ 2018-09-03 14:12   ` Hongxu Jia
  0 siblings, 0 replies; 5+ messages in thread
From: Hongxu Jia @ 2018-09-03 14:12 UTC
  To: openembedded-core

On 2018-09-03 22:02, Patchwork wrote:
> == Series Details ==
>
> Series: security_flags.inc: Remove `-fstack-protector-strong' from LDFLAGS
> Revision: 1
> URL   : https://patchwork.openembedded.org/series/13868/
> State : failure
>
> == Summary ==
>
>
> Thank you for submitting this patch series to OpenEmbedded Core. This is
> an automated response. Several tests have been executed on the proposed
> series by patchtest resulting in the following failures:
>
>
>
> * Issue             Series does not apply on top of target branch [test_series_merge_on_head]

The patch is based on `0ed4a62 security_flags.inc: add 
var-SECURITY_STACK_PROTECTOR to improve variable OVERRIDES'
which is on master-next

//Hongxu

>    Suggested fix    Rebase your series on top of targeted branch
>    Targeted branch  master (currently at 853e0499be)
>
>
>
> If you believe any of these test results are incorrect, please reply to the
> mailing list (openembedded-core@lists.openembedded.org) raising your concerns.
> Otherwise we would appreciate you correcting the issues and submitting a new
> version of the patchset if applicable. Please ensure you add/increment the
> version number when sending the new version (i.e. [PATCH] -> [PATCH v2] ->
> [PATCH v3] -> ...).
>
> ---
> Guidelines:     https://www.openembedded.org/wiki/Commit_Patch_Message_Guidelines
> Test framework: http://git.yoctoproject.org/cgit/cgit.cgi/patchtest
> Test suite:     http://git.yoctoproject.org/cgit/cgit.cgi/patchtest-oe
>




* Re: [PATCH] security_flags.inc: Remove `-fstack-protector-strong' from LDFLAGS
  2018-09-03 13:31 [PATCH] security_flags.inc: Remove `-fstack-protector-strong' from LDFLAGS Hongxu Jia
  2018-09-03 14:02 ` ✗ patchtest: failure for " Patchwork
@ 2018-09-03 16:30 ` Khem Raj
  2018-09-04  1:35   ` Hongxu Jia
  1 sibling, 1 reply; 5+ messages in thread
From: Khem Raj @ 2018-09-03 16:30 UTC
  To: Hongxu Jia; +Cc: Patches and discussions about the oe-core layer

On Mon, Sep 3, 2018 at 6:31 AM Hongxu Jia <hongxu.jia@windriver.com> wrote:
>
> The `-fstack-protector-***' should be passed to gcc rather than linker,
> since `4ca946c security_flags: use -fstack-protector-strong', it was
> added to LDFLAGS, although there is no extra build failure introduced,
> but it is still unnecessary.(-Wl,** is for linker)
>

There are cases where CFLAGS is not combined into LDFLAGS by package
component builds, which creates the disjoint. If we remove this here then
that will start to show up. Remember, we do not configure toolchains to
provide the hardening flags by default as yet, so we have to be explicit.
Do you see issues with current settings?

> Reported-by: Lans Zhang <https://github.com/jiazhang0>
>
> Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
> ---
>  meta/conf/distro/include/security_flags.inc | 4 ++--
>  1 file changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/meta/conf/distro/include/security_flags.inc b/meta/conf/distro/include/security_flags.inc
> index 620978a..362b1db 100644
> --- a/meta/conf/distro/include/security_flags.inc
> +++ b/meta/conf/distro/include/security_flags.inc
> @@ -26,8 +26,8 @@ SECURITY_STACK_PROTECTOR ?= "-fstack-protector-strong"
>  SECURITY_CFLAGS ?= "${SECURITY_STACK_PROTECTOR} ${SECURITY_PIE_CFLAGS} ${lcl_maybe_fortify} ${SECURITY_STRINGFORMAT}"
>  SECURITY_NO_PIE_CFLAGS ?= "${SECURITY_STACK_PROTECTOR} ${lcl_maybe_fortify} ${SECURITY_STRINGFORMAT}"
>
> -SECURITY_LDFLAGS ?= "${SECURITY_STACK_PROTECTOR} -Wl,-z,relro,-z,now"
> -SECURITY_X_LDFLAGS ?= "${SECURITY_STACK_PROTECTOR} -Wl,-z,relro"
> +SECURITY_LDFLAGS ?= "-Wl,-z,relro,-z,now"
> +SECURITY_X_LDFLAGS ?= "-Wl,-z,relro"
>
>  # powerpc does not get on with pie for reasons not looked into as yet
>  GCCPIE_powerpc = ""
> --
> 2.7.4
>



* Re: [PATCH] security_flags.inc: Remove `-fstack-protector-strong' from LDFLAGS
  2018-09-03 16:30 ` [PATCH] " Khem Raj
@ 2018-09-04  1:35   ` Hongxu Jia
  0 siblings, 0 replies; 5+ messages in thread
From: Hongxu Jia @ 2018-09-04  1:35 UTC
  To: Khem Raj; +Cc: Patches and discussions about the oe-core layer

On 2018-09-04 00:30, Khem Raj wrote:
> On Mon, Sep 3, 2018 at 6:31 AM Hongxu Jia <hongxu.jia@windriver.com> wrote:
>> The `-fstack-protector-***' should be passed to gcc rather than linker,
>> since `4ca946c security_flags: use -fstack-protector-strong', it was
>> added to LDFLAGS, although there is no extra build failure introduced,
>> but it is still unnecessary.(-Wl,** is for linker)
>>
> There are cases where CFLAGS is not combined into LDFLAGS by package
> component builds
> which creates the disjoint, If we remove this here then that will
> start to show up. remember we do
> not configure toolchains to provide the hardening flags by default as
> yet, so we have to be explicit.
> Do you see issues with current settings ?

Yes, I know a recipe (libsign in meta-secure-core) checks LDFLAGS with
`-Wl,***' and it failed with `-fstack-protector-strong', and our Wind River
Linux had to maintain a list of
`SECURITY_LDFLAGS_remove_pn-*** = "-fstack-protector-strong"'
for non oe-core layers.

I know some recipes may not combine CFLAGS to their build, but
we should investigate some way like `-Wl,--hash-style=gnu'
to check LDFLAGS for CFLAGS, and mention a warning to figure it out.

//Hongxu

>> Reported-by: Lans Zhang <https://github.com/jiazhang0>
>>
>> Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
>> ---
>>   meta/conf/distro/include/security_flags.inc | 4 ++--
>>   1 file changed, 2 insertions(+), 2 deletions(-)
>>
>> diff --git a/meta/conf/distro/include/security_flags.inc b/meta/conf/distro/include/security_flags.inc
>> index 620978a..362b1db 100644
>> --- a/meta/conf/distro/include/security_flags.inc
>> +++ b/meta/conf/distro/include/security_flags.inc
>> @@ -26,8 +26,8 @@ SECURITY_STACK_PROTECTOR ?= "-fstack-protector-strong"
>>   SECURITY_CFLAGS ?= "${SECURITY_STACK_PROTECTOR} ${SECURITY_PIE_CFLAGS} ${lcl_maybe_fortify} ${SECURITY_STRINGFORMAT}"
>>   SECURITY_NO_PIE_CFLAGS ?= "${SECURITY_STACK_PROTECTOR} ${lcl_maybe_fortify} ${SECURITY_STRINGFORMAT}"
>>
>> -SECURITY_LDFLAGS ?= "${SECURITY_STACK_PROTECTOR} -Wl,-z,relro,-z,now"
>> -SECURITY_X_LDFLAGS ?= "${SECURITY_STACK_PROTECTOR} -Wl,-z,relro"
>> +SECURITY_LDFLAGS ?= "-Wl,-z,relro,-z,now"
>> +SECURITY_X_LDFLAGS ?= "-Wl,-z,relro"
>>
>>   # powerpc does not get on with pie for reasons not looked into as yet
>>   GCCPIE_powerpc = ""
>> --
>> 2.7.4
>>



^ permalink raw reply	[flat|nested] 5+ messages in thread
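
The failure described in the last message, where a build treats LDFLAGS as linker pass-through options only, shown as an added example that is not part of the thread and is not libsign's code. `split_ldflags` and `driver_tokens_by_var` are hypothetical helpers; the flag values are the expanded before and after lines of the patch.

```python
import shlex

def split_ldflags(ldflags):
    """Split a gcc-driver style LDFLAGS string into (ld_args, driver_tokens).

    ld_args: arguments that reach ld unchanged (-Wl,/-Xlinker payloads, -L, -l).
    driver_tokens: everything else, which the compiler driver has to interpret.
    """
    ld_args, driver_tokens = [], []
    tokens = iter(shlex.split(ldflags))
    for tok in tokens:
        if tok.startswith("-Wl,"):
            # -Wl,a,b,c hands a, b and c to the linker as separate arguments
            ld_args.extend(a for a in tok[4:].split(",") if a)
        elif tok == "-Xlinker":
            # -Xlinker forwards exactly the next token
            nxt = next(tokens, None)
            if nxt is not None:
                ld_args.append(nxt)
        elif tok in ("-L", "-l"):
            # value given as a separate word: join it to the option
            ld_args.append(tok + next(tokens, ""))
        elif tok.startswith(("-L", "-l")):
            ld_args.append(tok)
        else:
            driver_tokens.append(tok)
    return ld_args, driver_tokens

STACK_PROTECTOR = "-fstack-protector-strong"  # SECURITY_STACK_PROTECTOR in the hunk

# The two variables as they expand before and after the patch.
BEFORE = {
    "SECURITY_LDFLAGS": f"{STACK_PROTECTOR} -Wl,-z,relro,-z,now",
    "SECURITY_X_LDFLAGS": f"{STACK_PROTECTOR} -Wl,-z,relro",
}
AFTER = {
    "SECURITY_LDFLAGS": "-Wl,-z,relro,-z,now",
    "SECURITY_X_LDFLAGS": "-Wl,-z,relro",
}

def driver_tokens_by_var(values):
    """Map each variable name to the tokens a linker-only consumer would choke on."""
    return {name: split_ldflags(value)[1] for name, value in values.items()}

if __name__ == "__main__":
    for label, values in (("before", BEFORE), ("after", AFTER)):
        for name, value in values.items():
            ld_args, driver = split_ldflags(value)
            print(f"{label:6} {name:18} ld={ld_args} driver={driver}")
```

The RELRO and BIND_NOW arguments reach the linker identically in both versions; only the stack-protector token differs, and it is the one a linker-only consumer cannot use.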
