[PATCH] poky-lsb: security_flags.inc

[PATCH] poky-lsb: security_flags.inc

[Hongzhi.Song]

To fix the following error, we append '-O' to the defination of _FORTIFY_SOURCE

recipe-sysroot/usr/include/features.h:381:4: error: #warning _FORTIFY_SOURCE requires compiling with optimization (-O) [-Werror=cpp]
 #  warning _FORTIFY_SOURCE requires compiling with optimization (-O)
     ^~~~~~~

Signed-off-by: Hongzhi.Song <hongzhi.song@windriver.com>
---
 meta/conf/distro/include/security_flags.inc | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/meta/conf/distro/include/security_flags.inc b/meta/conf/distro/include/security_flags.inc
index 6245e89ada..1c32fd3165 100644
--- a/meta/conf/distro/include/security_flags.inc
+++ b/meta/conf/distro/include/security_flags.inc
@@ -10,7 +10,7 @@ GCCPIE ?= "--enable-default-pie"
 
 # _FORTIFY_SOURCE requires -O1 or higher, so disable in debug builds as they use
 # -O0 which then results in a compiler warning.
-lcl_maybe_fortify = "${@oe.utils.conditional('DEBUG_BUILD','1','','-D_FORTIFY_SOURCE=2',d)}"
+lcl_maybe_fortify = "${@oe.utils.conditional('DEBUG_BUILD','1','','-D_FORTIFY_SOURCE=2 -O',d)}"
 
 # Error on use of format strings that represent possible security problems
 SECURITY_STRINGFORMAT ?= "-Wformat -Wformat-security -Werror=format-security"
-- 
2.11.0

Re: [PATCH] poky-lsb: security_flags.inc

[Peter Kjellerstedt]

> -----Original Message-----
> From: openembedded-core-bounces@lists.openembedded.org <openembedded-
> core-bounces@lists.openembedded.org> On Behalf Of Hongzhi.Song
> Sent: den 31 juli 2018 13:07
> To: openembedded-core@lists.openembedded.org; raj.khem@gmail.com
> Subject: [OE-core] [oe-core][PATCH] poky-lsb: security_flags.inc

This is not only limited to poky-lsb. security_flags.inc is used 
by many directly.

> To fix the following error, we append '-O' to the defination of
> _FORTIFY_SOURCE
> 
> recipe-sysroot/usr/include/features.h:381:4: error: #warning
> _FORTIFY_SOURCE requires compiling with optimization (-O) [-Werror=cpp]
>  #  warning _FORTIFY_SOURCE requires compiling with optimization (-O)
>      ^~~~~~~
> 
> Signed-off-by: Hongzhi.Song <hongzhi.song@windriver.com>
> ---
>  meta/conf/distro/include/security_flags.inc | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/meta/conf/distro/include/security_flags.inc
> b/meta/conf/distro/include/security_flags.inc
> index 6245e89ada..1c32fd3165 100644
> --- a/meta/conf/distro/include/security_flags.inc
> +++ b/meta/conf/distro/include/security_flags.inc
> @@ -10,7 +10,7 @@ GCCPIE ?= "--enable-default-pie"
> 
>  # _FORTIFY_SOURCE requires -O1 or higher, so disable in debug builds as they use
>  # -O0 which then results in a compiler warning.
> -lcl_maybe_fortify = "${@oe.utils.conditional('DEBUG_BUILD','1','','-D_FORTIFY_SOURCE=2',d)}"
> +lcl_maybe_fortify = "${@oe.utils.conditional('DEBUG_BUILD','1','','-D_FORTIFY_SOURCE=2 -O',d)}"

This is not the correct way to solve this problem. It should be fixed on 
a per recipe basis. There is probably a reason why the code is being built 
with -O0, so then changing it here without an investigation of which is 
correct, to build with fortification and enabling optimization or to build 
without fortification and without enabling optimization.

Changing it as per above could also have an impact on some packages by 
actually lowering the optimization level.

>  # Error on use of format strings that represent possible security problems
>  SECURITY_STRINGFORMAT ?= "-Wformat -Wformat-security -Werror=format-security"
> --
> 2.11.0

//Peter