* [OE-core][PATCH] security_flags.inc: fix flags missing from SDK toolchain
@ 2020-03-24 17:02 Tom Hochstein
  2020-03-24 17:25 ` Antoine Manache
  0 siblings, 1 reply; 8+ messages in thread
From: Tom Hochstein @ 2020-03-24 17:02 UTC (permalink / raw)
  To: openembedded-core; +Cc: Tom Hochstein

The security flags were missing from the SDK toolchain
because they were added specifically to class-target.
Add them to class-cross-canadian as well.

Signed-off-by: Tom Hochstein <tom.hochstein@nxp.com>
---
 meta/conf/distro/include/security_flags.inc | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/meta/conf/distro/include/security_flags.inc b/meta/conf/distro/include/security_flags.inc
index aaf04e9e59..568d03693c 100644
--- a/meta/conf/distro/include/security_flags.inc
+++ b/meta/conf/distro/include/security_flags.inc
@@ -57,6 +57,8 @@ SECURITY_STRINGFORMAT_pn-gcc = ""
 
 TARGET_CC_ARCH_append_class-target = " ${SECURITY_CFLAGS}"
 TARGET_LDFLAGS_append_class-target = " ${SECURITY_LDFLAGS}"
+TARGET_CC_ARCH_append_class-cross-canadian = " ${SECURITY_CFLAGS}"
+TARGET_LDFLAGS_append_class-cross-canadian = " ${SECURITY_LDFLAGS}"
 
 SECURITY_STACK_PROTECTOR_pn-gcc-runtime = ""
 SECURITY_STACK_PROTECTOR_pn-glibc = ""
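Review bot: The two added `_class-cross-canadian` appends take effect in every recipe that inherits cross-canadian, and the commit message does not say which consumer they are aimed at. Please name it in the message (per the discussion in this thread, the SDK environment script that toolchain-scripts writes from TARGET_CC_ARCH and TARGET_LDFLAGS) and state whether other cross-canadian recipes are expected to pick up `${SECURITY_CFLAGS}` and `${SECURITY_LDFLAGS}` as well.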
-- 
2.17.1



* Re: [OE-core][PATCH] security_flags.inc: fix flags missing from SDK toolchain
  2020-03-24 17:02 [OE-core][PATCH] security_flags.inc: fix flags missing from SDK toolchain Tom Hochstein
@ 2020-03-24 17:25 ` Antoine Manache
  2020-03-24 18:03   ` Richard Purdie
  0 siblings, 1 reply; 8+ messages in thread
From: Antoine Manache @ 2020-03-24 17:25 UTC (permalink / raw)
  To: Tom Hochstein; +Cc: openembedded-core


I've already sent this patch a few months ago, but it has not been taken into account yet.
AM

From: Antoine Manache <a.manache@gmail.com>
Date: Wed, 20 Nov 2019 at 16:44
Subject: [OE-core] [PATCH v2] sdk: environment script doesn't set security
options in CC and LDFLAGS variables
To: <openembedded-core@lists.openembedded.org>

When building an SDK from a DISTRO with security flags enabled, options
added to CC and LDFLAGS are not replicated in the SDK environment script.
This could lead to some situations where an application compiled with
the SDK and having some security weaknesses correctly runs on target but
crashes once integrated to the core image built with the full Yocto
stack.

Signed-off-by: Antoine Manache <a.manache@gmail.com>
---
 meta/conf/distro/include/security_flags.inc | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/meta/conf/distro/include/security_flags.inc
b/meta/conf/distro/include/security_flags.inc
index 620978a8ed..329482bfa3 100644
--- a/meta/conf/distro/include/security_flags.inc
+++ b/meta/conf/distro/include/security_flags.inc
@@ -56,7 +56,9 @@ SECURITY_STRINGFORMAT_pn-busybox = ""
 SECURITY_STRINGFORMAT_pn-gcc = ""

 TARGET_CC_ARCH_append_class-target = " ${SECURITY_CFLAGS}"
+TARGET_CC_ARCH_append_class-cross-canadian = " ${SECURITY_CFLAGS}"
 TARGET_LDFLAGS_append_class-target = " ${SECURITY_LDFLAGS}"
+TARGET_LDFLAGS_append_class-cross-canadian = " ${SECURITY_LDFLAGS}"

 SECURITY_STACK_PROTECTOR_pn-gcc-runtime = ""
 SECURITY_STACK_PROTECTOR_pn-glibc = ""
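Review bot: The `diff --git` header above this hunk is wrapped onto two lines and the blank context lines inside the hunk appear to have lost their leading space, so the patch will not apply as posted. Please resend it as plain text so the whitespace survives; the two `+` lines themselves are the same additions as in the patch at the top of the thread, only interleaved with the class-target lines.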

--
2.11.0

On Tue, 24 Mar 2020 at 18:03, Tom Hochstein <tom.hochstein@nxp.com> wrote:

> The security flags were missing from the SDK toolchain
> because they were added specifically to class-target.
> Add them to class-cross-canadian as well.
>
> Signed-off-by: Tom Hochstein <tom.hochstein@nxp.com>
> ---
>  meta/conf/distro/include/security_flags.inc | 2 ++
>  1 file changed, 2 insertions(+)
>
> diff --git a/meta/conf/distro/include/security_flags.inc
> b/meta/conf/distro/include/security_flags.inc
> index aaf04e9e59..568d03693c 100644
> --- a/meta/conf/distro/include/security_flags.inc
> +++ b/meta/conf/distro/include/security_flags.inc
> @@ -57,6 +57,8 @@ SECURITY_STRINGFORMAT_pn-gcc = ""
>
>  TARGET_CC_ARCH_append_class-target = " ${SECURITY_CFLAGS}"
>  TARGET_LDFLAGS_append_class-target = " ${SECURITY_LDFLAGS}"
> +TARGET_CC_ARCH_append_class-cross-canadian = " ${SECURITY_CFLAGS}"
> +TARGET_LDFLAGS_append_class-cross-canadian = " ${SECURITY_LDFLAGS}"
>
>  SECURITY_STACK_PROTECTOR_pn-gcc-runtime = ""
>  SECURITY_STACK_PROTECTOR_pn-glibc = ""
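Review bot: The context lines around the additions blank individual options per recipe (`SECURITY_STRINGFORMAT_pn-gcc`, `SECURITY_STACK_PROTECTOR_pn-glibc`), while the new class-cross-canadian appends pass the full `${SECURITY_CFLAGS}` and `${SECURITY_LDFLAGS}` with no comparable opt-out for code built with the SDK. A sentence in the commit message or the SDK documentation on how an SDK user drops a flag their project cannot build with would close that gap.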
> --
> 2.17.1
>
> 
>



* Re: [OE-core][PATCH] security_flags.inc: fix flags missing from SDK toolchain
  2020-03-24 17:25 ` Antoine Manache
@ 2020-03-24 18:03   ` Richard Purdie
  2020-03-24 18:34     ` Tom Hochstein
  0 siblings, 1 reply; 8+ messages in thread
From: Richard Purdie @ 2020-03-24 18:03 UTC (permalink / raw)
  To: Antoine Manache, Tom Hochstein; +Cc: openembedded-core

On Tue, 2020-03-24 at 18:25 +0100, Antoine Manache wrote:
> I've already sent this patch few months ago but not taken into
> account yet.

Can someone explain more about the issue here please?

Shouldn't these flags be added to the SDK toolchain environment files
rather than coded into the compiler? Why aren't they being coded in? or
is gcc being misconfigured?

Cheers,

Richard



* Re: [OE-core][PATCH] security_flags.inc: fix flags missing from SDK toolchain
  2020-03-24 18:03   ` Richard Purdie
@ 2020-03-24 18:34     ` Tom Hochstein
  2020-03-24 19:06       ` Antoine Manache
  0 siblings, 1 reply; 8+ messages in thread
From: Tom Hochstein @ 2020-03-24 18:34 UTC (permalink / raw)
  To: Richard Purdie, Antoine Manache; +Cc: openembedded-core



> -----Original Message-----
> From: Richard Purdie <richard.purdie@linuxfoundation.org>
> Sent: Tuesday, March 24, 2020 1:03 PM
> To: Antoine Manache <a.manache@gmail.com>; Tom Hochstein <tom.hochstein@nxp.com>
> Cc: openembedded-core@lists.openembedded.org
> Subject: Re: [OE-core][PATCH] security_flags.inc: fix flags missing from SDK toolchain
> 
> On Tue, 2020-03-24 at 18:25 +0100, Antoine Manache wrote:
> > I've already sent this patch few months ago but not taken into
> > account yet.
> 
> Can someone explain more about the issue here please?
> 
> Shouldn't these flags be added to the SDK toolchain environment files
> rather than coded into the compiler? Why aren't they being coded in? or
> is gcc being misconfigured?

The recipe meta-environment inherits cross-canadian and toolchain-scripts. The latter generates the SDK toolchain environment file using TARGET_CC_ARCH and TARGET_LDFLAGS like this:

	echo 'export CC="${TARGET_PREFIX}gcc ${TARGET_CC_ARCH} --sysroot=$SDKTARGETSYSROOT"' >> $script
	echo 'export LDFLAGS="${TARGET_LDFLAGS}"' >> $script

https://github.com/openembedded/openembedded-core/blob/master/meta/classes/toolchain-scripts.bbclass#L82

With class-cross-canadian as the applicable override, updating the security flags for class-target does nothing for the SDK toolchain, hence the proposed fix:

TARGET_CC_ARCH_append_class-target = " ${SECURITY_CFLAGS}"
+TARGET_CC_ARCH_append_class-cross-canadian = " ${SECURITY_CFLAGS}"
 TARGET_LDFLAGS_append_class-target = " ${SECURITY_LDFLAGS}"
+TARGET_LDFLAGS_append_class-cross-canadian = " ${SECURITY_LDFLAGS}"

Tom
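
A check for the gap described in the message above, as an added example that is not part of the thread or of OE-core: it reads the `export CC=` and `export LDFLAGS=` lines of an SDK environment script and lists the expected hardening flags that are absent. The function names, the expected flag values and both sample scripts are constructed assumptions; substitute your distro's SECURITY_CFLAGS and SECURITY_LDFLAGS values.

```shell
# Added example: check that an SDK environment script exports hardening flags.
# EXPECTED_* are assumed values; replace them with your distro's settings.
EXPECTED_CFLAGS="-fstack-protector-strong -D_FORTIFY_SOURCE=2"
EXPECTED_LDFLAGS="-Wl,-z,relro,-z,now"

# Print the value of the last `export VAR="..."` line in a script.
env_value() {   # $1 = script, $2 = variable name
    sed -n "s/^export $2=\"\(.*\)\"[[:space:]]*\$/\1/p" "$1" | tail -n 1
}

# Print, one per line, every expected flag missing from the exported variable.
missing_flags() {   # $1 = script, $2 = variable, $3 = expected flags
    value=$(env_value "$1" "$2")
    for flag in $3; do
        case " $value " in
            *" $flag "*) ;;
            *) printf '%s\n' "$flag" ;;
        esac
    done
}

# Return 0 when CC and LDFLAGS carry every expected flag, 1 otherwise.
audit_sdk_env() {   # $1 = script
    rc=0
    for var in CC LDFLAGS; do
        [ "$var" = CC ] && want=$EXPECTED_CFLAGS || want=$EXPECTED_LDFLAGS
        miss=$(missing_flags "$1" "$var" "$want" | tr '\n' ' ')
        [ -z "$miss" ] || { echo "$1: $var lacks $miss"; rc=1; }
    done
    return $rc
}

# Constructed samples: the script as generated without and with the appends.
write_samples() {   # $1 = output directory
    cat > "$1/before.sh" <<'EOF'
export CC="arm-poky-linux-gnueabi-gcc -mfloat-abi=hard --sysroot=$SDKTARGETSYSROOT"
export LDFLAGS="-Wl,-O1 -Wl,--hash-style=gnu -Wl,--as-needed"
EOF
    cat > "$1/after.sh" <<'EOF'
export CC="arm-poky-linux-gnueabi-gcc -mfloat-abi=hard -fstack-protector-strong -D_FORTIFY_SOURCE=2 --sysroot=$SDKTARGETSYSROOT"
export LDFLAGS="-Wl,-O1 -Wl,--hash-style=gnu -Wl,--as-needed -Wl,-z,relro,-z,now"
EOF
}

tmp=$(mktemp -d)
write_samples "$tmp"
audit_sdk_env "$tmp/before.sh" || echo "before.sh: hardening flags missing"
audit_sdk_env "$tmp/after.sh" && echo "after.sh: ok"
rm -rf "$tmp"
```

Running `audit_sdk_env` against the environment-setup script of each SDK release catches the mismatch before an application built with the SDK behaves differently from the same code built as a recipe.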


* Re: [OE-core][PATCH] security_flags.inc: fix flags missing from SDK toolchain
  2020-03-24 18:34     ` Tom Hochstein
@ 2020-03-24 19:06       ` Antoine Manache
  2020-03-24 22:57         ` Richard Purdie
  0 siblings, 1 reply; 8+ messages in thread
From: Antoine Manache @ 2020-03-24 19:06 UTC (permalink / raw)
  To: Tom Hochstein, Richard Purdie; +Cc: openembedded-core


Absolutely.
I would add an example of an issue I've seen in a software project.
Someone developing a new application and using the image-based SDK that I
provided got the right functional behaviour on target.
Once this application was integrated into the core image of our Yocto
project (new recipe), the same tests on target failed (application crash).
The root cause was: the two binaries produced were different because the
effective GCC options at compile time were different between both methods
(security flags not enabled when compiling with the SDK).
Antoine

On Tue, 24 Mar 2020 at 19:34, Tom Hochstein <tom.hochstein@nxp.com> wrote:

>
>
> > -----Original Message-----
> > From: Richard Purdie <richard.purdie@linuxfoundation.org>
> > Sent: Tuesday, March 24, 2020 1:03 PM
> > To: Antoine Manache <a.manache@gmail.com>; Tom Hochstein <
> tom.hochstein@nxp.com>
> > Cc: openembedded-core@lists.openembedded.org
> > Subject: Re: [OE-core][PATCH] security_flags.inc: fix flags missing from
> SDK toolchain
> >
> > On Tue, 2020-03-24 at 18:25 +0100, Antoine Manache wrote:
> > > I've already sent this patch few months ago but not taken into
> > > account yet.
> >
> > Can someone explain more about the issue here please?
> >
> > Shouldn't these flags be added to the SDK toolchain environment files
> > rather than coded into the compiler? Why aren't they being coded in? or
> > is gcc being misconfigured?
>
> The recipe meta-environment inherits cross-canadian and toolchain-scripts.
> The latter generates the SDK toolchain environment file using
> TARGET_CC_ARCH and TARGET_LDFLAGS like this:
>
>         echo 'export CC="${TARGET_PREFIX}gcc ${TARGET_CC_ARCH}
> --sysroot=$SDKTARGETSYSROOT"' >> $script
>         echo 'export LDFLAGS="${TARGET_LDFLAGS}"' >> $script
>
>
> https://github.com/openembedded/openembedded-core/blob/master/meta/classes/toolchain-scripts.bbclass#L82
>
> With class-cross-canadian as the applicable override, updating the
> security flags for class-target does nothing for the SDK toolchain, hence
> the proposed fix:
>
> TARGET_CC_ARCH_append_class-target = " ${SECURITY_CFLAGS}"
> +TARGET_CC_ARCH_append_class-cross-canadian = " ${SECURITY_CFLAGS}"
>  TARGET_LDFLAGS_append_class-target = " ${SECURITY_LDFLAGS}"
> +TARGET_LDFLAGS_append_class-cross-canadian = " ${SECURITY_LDFLAGS}"
>
> Tom
>



* Re: [OE-core][PATCH] security_flags.inc: fix flags missing from SDK toolchain
  2020-03-24 19:06       ` Antoine Manache
@ 2020-03-24 22:57         ` Richard Purdie
  2020-03-25  1:33           ` Tom Hochstein
  0 siblings, 1 reply; 8+ messages in thread
From: Richard Purdie @ 2020-03-24 22:57 UTC (permalink / raw)
  To: Antoine Manache, Tom Hochstein; +Cc: openembedded-core

On Tue, 2020-03-24 at 20:06 +0100, Antoine Manache wrote:
> Absolutely.
> I would add an example of issue I've seen in a software project.
> Someone developing a new application and using the image-based SDK
> that I provided got the right functional behaviour on target.
> Once this application was integrated into the core image of our Yocto
> project (new recipe), the same tests on target failed (application
> crash).
> The root cause was : the two binaries produced were different because
> the effective GCC options at compile time were different between both
> methods (security flags not enabled when compiling with the SDK).
> Antoine

Thanks. Antoine's emails/patches are coming through as html and hence
are mangled and I can't apply them which is probably where things got
lost previously.

I've therefore taken Tom's version with some tweaks to the commit
message.

Cheers,

Richard



* Re: [OE-core][PATCH] security_flags.inc: fix flags missing from SDK toolchain
  2020-03-24 22:57         ` Richard Purdie
@ 2020-03-25  1:33           ` Tom Hochstein
  2020-03-25 10:10             ` Richard Purdie
  0 siblings, 1 reply; 8+ messages in thread
From: Tom Hochstein @ 2020-03-25  1:33 UTC (permalink / raw)
  To: Richard Purdie, Antoine Manache; +Cc: openembedded-core



> -----Original Message-----
> From: Richard Purdie <richard.purdie@linuxfoundation.org>
> Sent: Tuesday, March 24, 2020 5:58 PM
> To: Antoine Manache <a.manache@gmail.com>; Tom Hochstein <tom.hochstein@nxp.com>
> Cc: openembedded-core@lists.openembedded.org
> Subject: Re: [OE-core][PATCH] security_flags.inc: fix flags missing from SDK toolchain
> 
> I've therefore taken Tom's version with some tweaks to the commit
> message.

Thanks. Can we get this on zeus? Do I need to cherry-pick and submit the patch?

Tom



* Re: [OE-core][PATCH] security_flags.inc: fix flags missing from SDK toolchain
  2020-03-25  1:33           ` Tom Hochstein
@ 2020-03-25 10:10             ` Richard Purdie
  0 siblings, 0 replies; 8+ messages in thread
From: Richard Purdie @ 2020-03-25 10:10 UTC (permalink / raw)
  To: Tom Hochstein, Antoine Manache; +Cc: openembedded-core

On Wed, 2020-03-25 at 01:33 +0000, Tom Hochstein wrote:
> > -----Original Message-----
> > From: Richard Purdie <richard.purdie@linuxfoundation.org>
> > Sent: Tuesday, March 24, 2020 5:58 PM
> > To: Antoine Manache <a.manache@gmail.com>; Tom Hochstein <
> > tom.hochstein@nxp.com>
> > Cc: openembedded-core@lists.openembedded.org
> > Subject: Re: [OE-core][PATCH] security_flags.inc: fix flags missing
> > from SDK toolchain
> > 
> > I've therefore taken Tom's version with some tweaks to the commit
> > message.
> 
> Thanks. Can we get this on zeus? Do I need to cherry-pick and submit
> the patch?

Yes, please post it and then the stable maintainers can review it.

Cheers,

Richard


