* [PATCH V2] defaultsetup.conf: Enable security flags+pie by default
From: Khem Raj @ 2018-07-27  7:41 UTC
  To: openembedded-core

This has been an opt-in for so long; some distributions, e.g.
poky-lsb, use it by default. However, since most Linux
distros have started to default to these settings for security
enhancements, the time has come for OE to make it the default too.

Remove documentation from advanced local.conf sample.

Signed-off-by: Khem Raj <raj.khem@gmail.com>
---
v2:
- Remove references to explicitly enabling security flags

 meta/conf/distro/defaultsetup.conf   |  1 +
 meta/conf/local.conf.sample.extended | 11 -----------
 2 files changed, 1 insertion(+), 11 deletions(-)

diff --git a/meta/conf/distro/defaultsetup.conf b/meta/conf/distro/defaultsetup.conf
index ca2f9178d2..352e279596 100644
--- a/meta/conf/distro/defaultsetup.conf
+++ b/meta/conf/distro/defaultsetup.conf
@@ -1,6 +1,7 @@
 include conf/distro/include/default-providers.inc
 include conf/distro/include/default-versions.inc
 include conf/distro/include/default-distrovars.inc
+require conf/distro/include/security_flags.inc
 include conf/distro/include/world-broken.inc
 
 TCMODE ?= "default"
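Review bot: The added `require conf/distro/include/security_flags.inc` line sits in a run of `include` lines and turns the hardening flags on for every distro that takes defaultsetup.conf, with no opt-out visible in this hunk. Using `require` is reasonable if a missing file should fail the parse instead of silently producing an unhardened build, but that intent deserves a sentence in the commit message. The message also says poky-lsb already uses these flags by default, so a distro config that pulls in the same file itself will now parse it twice; please confirm that is harmless or drop those lines in the same series, and state how a distro that cannot take PIE yet is expected to back the flags out.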
diff --git a/meta/conf/local.conf.sample.extended b/meta/conf/local.conf.sample.extended
index e698acb84b..7f107831ee 100644
--- a/meta/conf/local.conf.sample.extended
+++ b/meta/conf/local.conf.sample.extended
@@ -270,17 +270,6 @@
 #COPYLEFT_RECIPE_TYPES = 'target'
 #
 
-#
-# GCC/LD FLAGS to enable more secure code generation
-#
-# By including the security_flags include file you enable flags
-# to the compiler and linker that cause them to generate more secure
-# code, this is enabled by default in the poky-lsb distro.
-# This does affect compile speed slightly.
-#
-# Use the following line to enable the security compiler and linker flags to your build
-#require conf/distro/include/security_flags.inc
-
 # Image level user/group configuration.
 # Inherit extrausers to make the setting of EXTRA_USERS_PARAMS effective.
 #INHERIT += "extrausers"
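Review bot: The eleven removed comment lines carried the user-facing note that these flags exist and that they cost build time ("This does affect compile speed slightly."), and deleting them outright leaves a default-on behaviour undocumented in local.conf.sample.extended. Suggest replacing the block with a short comment saying that security_flags.inc is now included by defaultsetup.conf, that the compile-speed cost applies to every build, and where to look to relax the flags for a build that breaks with them.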
-- 
2.18.0




* Re: [PATCH V2] defaultsetup.conf: Enable security flags+pie by default
From: Andrea Adami @ 2018-09-07 13:28 UTC
  To: Khem Raj; +Cc: Patches and discussions about the oe-core layer

What is holding back this patch?

Cheers
Andrea
On Fri, Jul 27, 2018 at 9:41 AM Khem Raj <raj.khem@gmail.com> wrote:
>
> This has been an opt-in for so long; some distributions, e.g.
> poky-lsb, use it by default. However, since most Linux
> distros have started to default to these settings for security
> enhancements, the time has come for OE to make it the default too.
>
> Remove documentation from advanced local.conf sample.
>
> Signed-off-by: Khem Raj <raj.khem@gmail.com>
> ---
> v2:
> - Remove references to explicitly enabling security flags
>
>  meta/conf/distro/defaultsetup.conf   |  1 +
>  meta/conf/local.conf.sample.extended | 11 -----------
>  2 files changed, 1 insertion(+), 11 deletions(-)
>
> diff --git a/meta/conf/distro/defaultsetup.conf b/meta/conf/distro/defaultsetup.conf
> index ca2f9178d2..352e279596 100644
> --- a/meta/conf/distro/defaultsetup.conf
> +++ b/meta/conf/distro/defaultsetup.conf
> @@ -1,6 +1,7 @@
>  include conf/distro/include/default-providers.inc
>  include conf/distro/include/default-versions.inc
>  include conf/distro/include/default-distrovars.inc
> +require conf/distro/include/security_flags.inc
>  include conf/distro/include/world-broken.inc
>
>  TCMODE ?= "default"
> diff --git a/meta/conf/local.conf.sample.extended b/meta/conf/local.conf.sample.extended
> index e698acb84b..7f107831ee 100644
> --- a/meta/conf/local.conf.sample.extended
> +++ b/meta/conf/local.conf.sample.extended
> @@ -270,17 +270,6 @@
>  #COPYLEFT_RECIPE_TYPES = 'target'
>  #
>
> -#
> -# GCC/LD FLAGS to enable more secure code generation
> -#
> -# By including the security_flags include file you enable flags
> -# to the compiler and linker that cause them to generate more secure
> -# code, this is enabled by default in the poky-lsb distro.
> -# This does affect compile speed slightly.
> -#
> -# Use the following line to enable the security compiler and linker flags to your build
> -#require conf/distro/include/security_flags.inc
> -
>  # Image level user/group configuration.
>  # Inherit extrausers to make the setting of EXTRA_USERS_PARAMS effective.
>  #INHERIT += "extrausers"
> --
> 2.18.0
>

* Re: [PATCH V2] defaultsetup.conf: Enable security flags+pie by default
From: Richard Purdie @ 2018-09-11 11:03 UTC
  To: Andrea Adami, Khem Raj; +Cc: Patches and discussions about the oe-core layer

On Fri, 2018-09-07 at 15:28 +0200, Andrea Adami wrote:
> What is holding back this patch?

I think there were concerns about changing the OE defaults like this so
Khem and I agreed to merge it into poky as a default there for now.
There are probably a few defaults in poky we should have in
defaultsetup but those changes tend to be disruptive and
controversial...

Cheers,

Richard

