binutils failing in FIDO branch

binutils failing in FIDO branch

[Martin Townsend]

[-- Attachment #1: Type: text/plain, Size: 822 bytes --]

Hi,

binutils is failing to compile.  I'm using tip of fido branch.  Error
message is:

|
/home/martint/yocto/build/am43-devboard-aquila/bia-tmp-glibc/work/cortexa9hf-vfp-neon-oe-linux-gnueabi/binutils/2.24-r0/binutils-2.24/libiberty/fibheap.c:
In function 'fibheap_replace_key_data':
|
/home/martint/yocto/build/am43-devboard-aquila/bia-tmp-glibc/work/cortexa9hf-vfp-neon-oe-linux-gnueabi/binutils/2.24-r0/binutils-2.24/libiberty/fibheap.c:38:24:
error: 'LONG_MIN' undeclared (first use in this function)
|  #define FIBHEAPKEY_MIN LONG_MIN

I've tracked it down to the fact that libiberty is the only component that
doesn't define HAVE_LIMITS in config.h, so I assume this part of the
configure is failing for some reason.

Anyone else seen this, or have an idea on how to fix this?

Cheers,
Martin.

[-- Attachment #2: Type: text/html, Size: 990 bytes --]

Re: binutils failing in FIDO branch

[Khem Raj]

On Mon, Nov 9, 2015 at 4:36 AM, Martin Townsend <mtownsend1973@gmail.com> wrote:
> Hi,
>
> binutils is failing to compile.  I'm using tip of fido branch.  Error
> message is:
>
> |
> /home/martint/yocto/build/am43-devboard-aquila/bia-tmp-glibc/work/cortexa9hf-vfp-neon-oe-linux-gnueabi/binutils/2.24-r0/binutils-2.24/libiberty/fibheap.c:
> In function 'fibheap_replace_key_data':
> |
> /home/martint/yocto/build/am43-devboard-aquila/bia-tmp-glibc/work/cortexa9hf-vfp-neon-oe-linux-gnueabi/binutils/2.24-r0/binutils-2.24/libiberty/fibheap.c:38:24:
> error: 'LONG_MIN' undeclared (first use in this function)
> |  #define FIBHEAPKEY_MIN LONG_MIN
>
> I've tracked it down to the fact that libiberty is the only component that
> doesn't define HAVE_LIMITS in config.h, so I assume this part of the
> configure is failing for some reason.
>
> Anyone else seen this, or have an idea on how to fix this?

whats your host distro ?

>
> Cheers,
> Martin.
>
>
>
>
>
> --
> _______________________________________________
> yocto mailing list
> yocto@yoctoproject.org
> https://lists.yoctoproject.org/listinfo/yocto
>

Re: binutils failing in FIDO branch

[Martin Townsend]

[-- Attachment #1: Type: text/plain, Size: 1392 bytes --]

Hi,

I'm running Ubuntu 14.04 LTS.

Could this be the problem?

Cheers,
Martin.


On Mon, Nov 9, 2015 at 5:56 PM, Khem Raj <raj.khem@gmail.com> wrote:

> On Mon, Nov 9, 2015 at 4:36 AM, Martin Townsend <mtownsend1973@gmail.com>
> wrote:
> > Hi,
> >
> > binutils is failing to compile.  I'm using tip of fido branch.  Error
> > message is:
> >
> > |
> >
> /home/martint/yocto/build/am43-devboard-aquila/bia-tmp-glibc/work/cortexa9hf-vfp-neon-oe-linux-gnueabi/binutils/2.24-r0/binutils-2.24/libiberty/fibheap.c:
> > In function 'fibheap_replace_key_data':
> > |
> >
> /home/martint/yocto/build/am43-devboard-aquila/bia-tmp-glibc/work/cortexa9hf-vfp-neon-oe-linux-gnueabi/binutils/2.24-r0/binutils-2.24/libiberty/fibheap.c:38:24:
> > error: 'LONG_MIN' undeclared (first use in this function)
> > |  #define FIBHEAPKEY_MIN LONG_MIN
> >
> > I've tracked it down to the fact that libiberty is the only component
> that
> > doesn't define HAVE_LIMITS in config.h, so I assume this part of the
> > configure is failing for some reason.
> >
> > Anyone else seen this, or have an idea on how to fix this?
>
> whats your host distro ?
>
> >
> > Cheers,
> > Martin.
> >
> >
> >
> >
> >
> > --
> > _______________________________________________
> > yocto mailing list
> > yocto@yoctoproject.org
> > https://lists.yoctoproject.org/listinfo/yocto
> >
>

[-- Attachment #2: Type: text/html, Size: 2249 bytes --]

Re: binutils failing in FIDO branch

[Khem Raj]

[-- Attachment #1.1: Type: text/plain, Size: 1708 bytes --]

No it should be well supported. So now I wonder why no one else sees it


> On Nov 9, 2015, at 11:22 AM, Martin Townsend <mtownsend1973@gmail.com> wrote:
> 
> Hi,
> 
> I'm running Ubuntu 14.04 LTS.
> 
> Could this be the problem?
> 
> Cheers,
> Martin.
> 
> 
> On Mon, Nov 9, 2015 at 5:56 PM, Khem Raj <raj.khem@gmail.com <mailto:raj.khem@gmail.com>> wrote:
> On Mon, Nov 9, 2015 at 4:36 AM, Martin Townsend <mtownsend1973@gmail.com <mailto:mtownsend1973@gmail.com>> wrote:
> > Hi,
> >
> > binutils is failing to compile.  I'm using tip of fido branch.  Error
> > message is:
> >
> > |
> > /home/martint/yocto/build/am43-devboard-aquila/bia-tmp-glibc/work/cortexa9hf-vfp-neon-oe-linux-gnueabi/binutils/2.24-r0/binutils-2.24/libiberty/fibheap.c:
> > In function 'fibheap_replace_key_data':
> > |
> > /home/martint/yocto/build/am43-devboard-aquila/bia-tmp-glibc/work/cortexa9hf-vfp-neon-oe-linux-gnueabi/binutils/2.24-r0/binutils-2.24/libiberty/fibheap.c:38:24:
> > error: 'LONG_MIN' undeclared (first use in this function)
> > |  #define FIBHEAPKEY_MIN LONG_MIN
> >
> > I've tracked it down to the fact that libiberty is the only component that
> > doesn't define HAVE_LIMITS in config.h, so I assume this part of the
> > configure is failing for some reason.
> >
> > Anyone else seen this, or have an idea on how to fix this?
> 
> whats your host distro ?
> 
> >
> > Cheers,
> > Martin.
> >
> >
> >
> >
> >
> > --
> > _______________________________________________
> > yocto mailing list
> > yocto@yoctoproject.org <mailto:yocto@yoctoproject.org>
> > https://lists.yoctoproject.org/listinfo/yocto <https://lists.yoctoproject.org/listinfo/yocto>
> >
> 


[-- Attachment #1.2: Type: text/html, Size: 3435 bytes --]

[-- Attachment #2: Message signed with OpenPGP using GPGMail --]
[-- Type: application/pgp-signature, Size: 211 bytes --]

Re: binutils failing in FIDO branch

[Paul Eggleton]

What I think Martin hasn't mentioned here (but did on IRC) is this is binutils 
for the target machine, not host/cross. I would assume it's somehow related to 
the target being built for. Martin, can you provide any details on that which 
might help others to reproduce the issue?

Cheers,
Paul

On Monday 09 November 2015 12:15:40 Khem Raj wrote:
> No it should be well supported. So now I wonder why no one else sees it
> 
> > On Nov 9, 2015, at 11:22 AM, Martin Townsend <mtownsend1973@gmail.com>
> > wrote:
> > 
> > Hi,
> > 
> > I'm running Ubuntu 14.04 LTS.
> > 
> > Could this be the problem?
> > 
> > Cheers,
> > Martin.
> > 
> > 
> > On Mon, Nov 9, 2015 at 5:56 PM, Khem Raj <raj.khem@gmail.com
> > <mailto:raj.khem@gmail.com>> wrote:> 
> > On Mon, Nov 9, 2015 at 4:36 AM, Martin Townsend <mtownsend1973@gmail.com 
<mailto:mtownsend1973@gmail.com>> wrote:
> > > Hi,
> > > 
> > > binutils is failing to compile.  I'm using tip of fido branch.  Error
> > > message is:
> > > 
> > > 
> > > /home/martint/yocto/build/am43-devboard-aquila/bia-tmp-glibc/work/cortex
> > > a9hf-vfp-neon-oe-linux-gnueabi/binutils/2.24-r0/binutils-2.24/libiberty/
> > > fibheap.c: In function 'fibheap_replace_key_data':
> > > 
> > > /home/martint/yocto/build/am43-devboard-aquila/bia-tmp-glibc/work/cortex
> > > a9hf-vfp-neon-oe-linux-gnueabi/binutils/2.24-r0/binutils-2.24/libiberty/
> > > fibheap.c:38:24: error: 'LONG_MIN' undeclared (first use in this
> > > function)
> > > 
> > > |  #define FIBHEAPKEY_MIN LONG_MIN
> > > 
> > > I've tracked it down to the fact that libiberty is the only component
> > > that
> > > doesn't define HAVE_LIMITS in config.h, so I assume this part of the
> > > configure is failing for some reason.
> > > 
> > > Anyone else seen this, or have an idea on how to fix this?
> > 
> > whats your host distro ?
> > 
> > > Cheers,
> > > Martin.
> > > 
> > > 
> > > 
> > > 
> > > 
> > > --
> > > _______________________________________________
> > > yocto mailing list
> > > yocto@yoctoproject.org <mailto:yocto@yoctoproject.org>
> > > https://lists.yoctoproject.org/listinfo/yocto
> > > <https://lists.yoctoproject.org/listinfo/yocto>

-- 

Paul Eggleton
Intel Open Source Technology Centre

Re: binutils failing in FIDO branch

[Martin Townsend]

[-- Attachment #1: Type: text/plain, Size: 3681 bytes --]

Hi,

My issue is particular to my distro, I tried changing to poky and all was
well.  The reason for our own distro was to migrate from Arago which we
were using.  So I copied Arago into a separate distro and then started
morphing it into something more akin to Poky over time.  Alas I left the
following line in the distro conf, one which should have removed :(

# Enable basic stack and buffer overflow protections
TARGET_CPPFLAGS += "-fstack-protector -D_FORTIFY_SOURCE=1"

After commenting this out binutils for the target builds fine.  I'm
guesssing that for libiberty CPPFLAGS propogates into configure or makefile
in the binutils recipe which then fails one of it's config checks and
because of this fails to set HAVE_LIMITS and a few others no doubt.

Many apologies for leading you on a wild goose chase, I don't know if there
is anything you can do so others don't fall foul of this.  Is setting
TARGET_CPPFLAGS or TARGET_CFLAGS for that matter useful in configuration
files??  If so, maybe making sure they are reverted for building binutils??

Thanks for all the help and maybe it's time we moved over to Poky :)

Cheers,
Martin.




On Mon, Nov 9, 2015 at 10:07 PM, Paul Eggleton <
paul.eggleton@linux.intel.com> wrote:

> What I think Martin hasn't mentioned here (but did on IRC) is this is
> binutils
> for the target machine, not host/cross. I would assume it's somehow
> related to
> the target being built for. Martin, can you provide any details on that
> which
> might help others to reproduce the issue?
>
> Cheers,
> Paul
>
> On Monday 09 November 2015 12:15:40 Khem Raj wrote:
> > No it should be well supported. So now I wonder why no one else sees it
> >
> > > On Nov 9, 2015, at 11:22 AM, Martin Townsend <mtownsend1973@gmail.com>
> > > wrote:
> > >
> > > Hi,
> > >
> > > I'm running Ubuntu 14.04 LTS.
> > >
> > > Could this be the problem?
> > >
> > > Cheers,
> > > Martin.
> > >
> > >
> > > On Mon, Nov 9, 2015 at 5:56 PM, Khem Raj <raj.khem@gmail.com
> > > <mailto:raj.khem@gmail.com>> wrote:>
> > > On Mon, Nov 9, 2015 at 4:36 AM, Martin Townsend <
> mtownsend1973@gmail.com
> <mailto:mtownsend1973@gmail.com>> wrote:
> > > > Hi,
> > > >
> > > > binutils is failing to compile.  I'm using tip of fido branch.  Error
> > > > message is:
> > > >
> > > >
> > > >
> /home/martint/yocto/build/am43-devboard-aquila/bia-tmp-glibc/work/cortex
> > > >
> a9hf-vfp-neon-oe-linux-gnueabi/binutils/2.24-r0/binutils-2.24/libiberty/
> > > > fibheap.c: In function 'fibheap_replace_key_data':
> > > >
> > > >
> /home/martint/yocto/build/am43-devboard-aquila/bia-tmp-glibc/work/cortex
> > > >
> a9hf-vfp-neon-oe-linux-gnueabi/binutils/2.24-r0/binutils-2.24/libiberty/
> > > > fibheap.c:38:24: error: 'LONG_MIN' undeclared (first use in this
> > > > function)
> > > >
> > > > |  #define FIBHEAPKEY_MIN LONG_MIN
> > > >
> > > > I've tracked it down to the fact that libiberty is the only component
> > > > that
> > > > doesn't define HAVE_LIMITS in config.h, so I assume this part of the
> > > > configure is failing for some reason.
> > > >
> > > > Anyone else seen this, or have an idea on how to fix this?
> > >
> > > whats your host distro ?
> > >
> > > > Cheers,
> > > > Martin.
> > > >
> > > >
> > > >
> > > >
> > > >
> > > > --
> > > > _______________________________________________
> > > > yocto mailing list
> > > > yocto@yoctoproject.org <mailto:yocto@yoctoproject.org>
> > > > https://lists.yoctoproject.org/listinfo/yocto
> > > > <https://lists.yoctoproject.org/listinfo/yocto>
>
> --
>
> Paul Eggleton
> Intel Open Source Technology Centre
>

[-- Attachment #2: Type: text/html, Size: 5450 bytes --]

Re: binutils failing in FIDO branch

[Paul Eggleton]

On Monday 09 November 2015 22:32:59 Martin Townsend wrote:
> My issue is particular to my distro, I tried changing to poky and all was
> well.  The reason for our own distro was to migrate from Arago which we
> were using.  So I copied Arago into a separate distro and then started
> morphing it into something more akin to Poky over time.  Alas I left the
> following line in the distro conf, one which should have removed :(
> 
> # Enable basic stack and buffer overflow protections
> TARGET_CPPFLAGS += "-fstack-protector -D_FORTIFY_SOURCE=1"
> 
> After commenting this out binutils for the target builds fine.  I'm
> guesssing that for libiberty CPPFLAGS propogates into configure or makefile
> in the binutils recipe which then fails one of it's config checks and
> because of this fails to set HAVE_LIMITS and a few others no doubt.
> 
> Many apologies for leading you on a wild goose chase, I don't know if there
> is anything you can do so others don't fall foul of this.  Is setting
> TARGET_CPPFLAGS or TARGET_CFLAGS for that matter useful in configuration
> files??  If so, maybe making sure they are reverted for building binutils??

I'm assuming you could do something like:

TARGET_CPPFLAGS += "${MY_EXTRAFLAGS}"
MY_EXTRAFLAGS = "-fstack-protector -D_FORTIFY_SOURCE=1"
MY_EXTRAFLAGS_pn-binutils = ""

FYI we do have meta/conf/distro/include/security_flags.inc to apply these two 
flags, but interestingly there's no mention of binutils in there.

> Thanks for all the help and maybe it's time we moved over to Poky :)

Well, there's nothing forcing you to use poky - it's a reference distribution; 
the assumption is usually that you'll want to change something at the 
distribution level at which point you've effectively created your own distro.

Cheers,
Paul

-- 

Paul Eggleton
Intel Open Source Technology Centre

Re: binutils failing in FIDO branch

[Martin Townsend]

[-- Attachment #1: Type: text/plain, Size: 2295 bytes --]

Hi Paul,

meta/conf/distro/include/security_flags.inc is much better than a blanket
change of compiler flags.  Thanks for the tip.  Are there any other
tips/web pages on Security or Linux hardening using Yocto?

Cheers,
Martin.


On Mon, Nov 9, 2015 at 11:06 PM, Paul Eggleton <
paul.eggleton@linux.intel.com> wrote:

> On Monday 09 November 2015 22:32:59 Martin Townsend wrote:
> > My issue is particular to my distro, I tried changing to poky and all was
> > well.  The reason for our own distro was to migrate from Arago which we
> > were using.  So I copied Arago into a separate distro and then started
> > morphing it into something more akin to Poky over time.  Alas I left the
> > following line in the distro conf, one which should have removed :(
> >
> > # Enable basic stack and buffer overflow protections
> > TARGET_CPPFLAGS += "-fstack-protector -D_FORTIFY_SOURCE=1"
> >
> > After commenting this out binutils for the target builds fine.  I'm
> > guesssing that for libiberty CPPFLAGS propogates into configure or
> makefile
> > in the binutils recipe which then fails one of it's config checks and
> > because of this fails to set HAVE_LIMITS and a few others no doubt.
> >
> > Many apologies for leading you on a wild goose chase, I don't know if
> there
> > is anything you can do so others don't fall foul of this.  Is setting
> > TARGET_CPPFLAGS or TARGET_CFLAGS for that matter useful in configuration
> > files??  If so, maybe making sure they are reverted for building
> binutils??
>
> I'm assuming you could do something like:
>
> TARGET_CPPFLAGS += "${MY_EXTRAFLAGS}"
> MY_EXTRAFLAGS = "-fstack-protector -D_FORTIFY_SOURCE=1"
> MY_EXTRAFLAGS_pn-binutils = ""
>
> FYI we do have meta/conf/distro/include/security_flags.inc to apply these
> two
> flags, but interestingly there's no mention of binutils in there.
>
> > Thanks for all the help and maybe it's time we moved over to Poky :)
>
> Well, there's nothing forcing you to use poky - it's a reference
> distribution;
> the assumption is usually that you'll want to change something at the
> distribution level at which point you've effectively created your own
> distro.
>
> Cheers,
> Paul
>
> --
>
> Paul Eggleton
> Intel Open Source Technology Centre
>

[-- Attachment #2: Type: text/html, Size: 2952 bytes --]

Re: binutils failing in FIDO branch

[Paul Eggleton]

About all I know that we do have (in the manual at least) is contained in this 
section:

http://www.yoctoproject.org/docs/current/dev-manual/dev-manual.html#making-images-more-secure

It's not a lot but it's something. (If anyone has any ideas on how to extend 
this area we'd appreciate the input.)

Cheers,
Paul

On Tuesday 10 November 2015 11:17:31 Martin Townsend wrote:
> Hi Paul,
> 
> meta/conf/distro/include/security_flags.inc is much better than a blanket
> change of compiler flags.  Thanks for the tip.  Are there any other
> tips/web pages on Security or Linux hardening using Yocto?
> 
> Cheers,
> Martin.
> 
> 
> On Mon, Nov 9, 2015 at 11:06 PM, Paul Eggleton <
> 
> paul.eggleton@linux.intel.com> wrote:
> > On Monday 09 November 2015 22:32:59 Martin Townsend wrote:
> > > My issue is particular to my distro, I tried changing to poky and all
> > > was
> > > well.  The reason for our own distro was to migrate from Arago which we
> > > were using.  So I copied Arago into a separate distro and then started
> > > morphing it into something more akin to Poky over time.  Alas I left the
> > > following line in the distro conf, one which should have removed :(
> > > 
> > > # Enable basic stack and buffer overflow protections
> > > TARGET_CPPFLAGS += "-fstack-protector -D_FORTIFY_SOURCE=1"
> > > 
> > > After commenting this out binutils for the target builds fine.  I'm
> > > guesssing that for libiberty CPPFLAGS propogates into configure or
> > 
> > makefile
> > 
> > > in the binutils recipe which then fails one of it's config checks and
> > > because of this fails to set HAVE_LIMITS and a few others no doubt.
> > > 
> > > Many apologies for leading you on a wild goose chase, I don't know if
> > 
> > there
> > 
> > > is anything you can do so others don't fall foul of this.  Is setting
> > > TARGET_CPPFLAGS or TARGET_CFLAGS for that matter useful in configuration
> > > files??  If so, maybe making sure they are reverted for building
> > 
> > binutils??
> > 
> > I'm assuming you could do something like:
> > 
> > TARGET_CPPFLAGS += "${MY_EXTRAFLAGS}"
> > MY_EXTRAFLAGS = "-fstack-protector -D_FORTIFY_SOURCE=1"
> > MY_EXTRAFLAGS_pn-binutils = ""
> > 
> > FYI we do have meta/conf/distro/include/security_flags.inc to apply these
> > two
> > flags, but interestingly there's no mention of binutils in there.
> > 
> > > Thanks for all the help and maybe it's time we moved over to Poky :)
> > 
> > Well, there's nothing forcing you to use poky - it's a reference
> > distribution;
> > the assumption is usually that you'll want to change something at the
> > distribution level at which point you've effectively created your own
> > distro.
> > 
> > Cheers,
> > Paul
> > 
> > --
> > 
> > Paul Eggleton
> > Intel Open Source Technology Centre

-- 

Paul Eggleton
Intel Open Source Technology Centre

Re: binutils failing in FIDO branch

[Martin Townsend]

[-- Attachment #1: Type: text/plain, Size: 3312 bytes --]

And I also found this link
https://www.yoctoproject.org/blogs/andrei-dinu/2013/meta-security-layer-now-available
which looks promising. :)

On Tue, Nov 10, 2015 at 11:40 AM, Paul Eggleton <
paul.eggleton@linux.intel.com> wrote:

> About all I know that we do have (in the manual at least) is contained in
> this
> section:
>
>
> http://www.yoctoproject.org/docs/current/dev-manual/dev-manual.html#making-images-more-secure
>
> It's not a lot but it's something. (If anyone has any ideas on how to
> extend
> this area we'd appreciate the input.)
>
> Cheers,
> Paul
>
> On Tuesday 10 November 2015 11:17:31 Martin Townsend wrote:
> > Hi Paul,
> >
> > meta/conf/distro/include/security_flags.inc is much better than a blanket
> > change of compiler flags.  Thanks for the tip.  Are there any other
> > tips/web pages on Security or Linux hardening using Yocto?
> >
> > Cheers,
> > Martin.
> >
> >
> > On Mon, Nov 9, 2015 at 11:06 PM, Paul Eggleton <
> >
> > paul.eggleton@linux.intel.com> wrote:
> > > On Monday 09 November 2015 22:32:59 Martin Townsend wrote:
> > > > My issue is particular to my distro, I tried changing to poky and all
> > > > was
> > > > well.  The reason for our own distro was to migrate from Arago which
> we
> > > > were using.  So I copied Arago into a separate distro and then
> started
> > > > morphing it into something more akin to Poky over time.  Alas I left
> the
> > > > following line in the distro conf, one which should have removed :(
> > > >
> > > > # Enable basic stack and buffer overflow protections
> > > > TARGET_CPPFLAGS += "-fstack-protector -D_FORTIFY_SOURCE=1"
> > > >
> > > > After commenting this out binutils for the target builds fine.  I'm
> > > > guesssing that for libiberty CPPFLAGS propogates into configure or
> > >
> > > makefile
> > >
> > > > in the binutils recipe which then fails one of it's config checks and
> > > > because of this fails to set HAVE_LIMITS and a few others no doubt.
> > > >
> > > > Many apologies for leading you on a wild goose chase, I don't know if
> > >
> > > there
> > >
> > > > is anything you can do so others don't fall foul of this.  Is setting
> > > > TARGET_CPPFLAGS or TARGET_CFLAGS for that matter useful in
> configuration
> > > > files??  If so, maybe making sure they are reverted for building
> > >
> > > binutils??
> > >
> > > I'm assuming you could do something like:
> > >
> > > TARGET_CPPFLAGS += "${MY_EXTRAFLAGS}"
> > > MY_EXTRAFLAGS = "-fstack-protector -D_FORTIFY_SOURCE=1"
> > > MY_EXTRAFLAGS_pn-binutils = ""
> > >
> > > FYI we do have meta/conf/distro/include/security_flags.inc to apply
> these
> > > two
> > > flags, but interestingly there's no mention of binutils in there.
> > >
> > > > Thanks for all the help and maybe it's time we moved over to Poky :)
> > >
> > > Well, there's nothing forcing you to use poky - it's a reference
> > > distribution;
> > > the assumption is usually that you'll want to change something at the
> > > distribution level at which point you've effectively created your own
> > > distro.
> > >
> > > Cheers,
> > > Paul
> > >
> > > --
> > >
> > > Paul Eggleton
> > > Intel Open Source Technology Centre
>
> --
>
> Paul Eggleton
> Intel Open Source Technology Centre
>

[-- Attachment #2: Type: text/html, Size: 4649 bytes --]

Re: binutils failing in FIDO branch

[Paul Eggleton]

Right, there's a link to that layer in the manual section as well.

Cheers,
Paul

On Tuesday 10 November 2015 13:20:39 Martin Townsend wrote:
> And I also found this link
> https://www.yoctoproject.org/blogs/andrei-dinu/2013/meta-security-layer-now-> available which looks promising. :)
> 
> On Tue, Nov 10, 2015 at 11:40 AM, Paul Eggleton <
> 
> paul.eggleton@linux.intel.com> wrote:
> > About all I know that we do have (in the manual at least) is contained in
> > this
> > section:
> > 
> > 
> > http://www.yoctoproject.org/docs/current/dev-manual/dev-manual.html#making
> > -images-more-secure
> > 
> > It's not a lot but it's something. (If anyone has any ideas on how to
> > extend
> > this area we'd appreciate the input.)
> > 
> > Cheers,
> > Paul
> > 
> > On Tuesday 10 November 2015 11:17:31 Martin Townsend wrote:
> > > Hi Paul,
> > > 
> > > meta/conf/distro/include/security_flags.inc is much better than a
> > > blanket
> > > change of compiler flags.  Thanks for the tip.  Are there any other
> > > tips/web pages on Security or Linux hardening using Yocto?
> > > 
> > > Cheers,
> > > Martin.
> > > 
> > > 
> > > On Mon, Nov 9, 2015 at 11:06 PM, Paul Eggleton <
> > > 
> > > paul.eggleton@linux.intel.com> wrote:
> > > > On Monday 09 November 2015 22:32:59 Martin Townsend wrote:
> > > > > My issue is particular to my distro, I tried changing to poky and
> > > > > all
> > > > > was
> > > > > well.  The reason for our own distro was to migrate from Arago which
> > 
> > we
> > 
> > > > > were using.  So I copied Arago into a separate distro and then
> > 
> > started
> > 
> > > > > morphing it into something more akin to Poky over time.  Alas I left
> > 
> > the
> > 
> > > > > following line in the distro conf, one which should have removed :(
> > > > > 
> > > > > # Enable basic stack and buffer overflow protections
> > > > > TARGET_CPPFLAGS += "-fstack-protector -D_FORTIFY_SOURCE=1"
> > > > > 
> > > > > After commenting this out binutils for the target builds fine.  I'm
> > > > > guesssing that for libiberty CPPFLAGS propogates into configure or
> > > > 
> > > > makefile
> > > > 
> > > > > in the binutils recipe which then fails one of it's config checks
> > > > > and
> > > > > because of this fails to set HAVE_LIMITS and a few others no doubt.
> > > > > 
> > > > > Many apologies for leading you on a wild goose chase, I don't know
> > > > > if
> > > > 
> > > > there
> > > > 
> > > > > is anything you can do so others don't fall foul of this.  Is
> > > > > setting
> > > > > TARGET_CPPFLAGS or TARGET_CFLAGS for that matter useful in
> > 
> > configuration
> > 
> > > > > files??  If so, maybe making sure they are reverted for building
> > > > 
> > > > binutils??
> > > > 
> > > > I'm assuming you could do something like:
> > > > 
> > > > TARGET_CPPFLAGS += "${MY_EXTRAFLAGS}"
> > > > MY_EXTRAFLAGS = "-fstack-protector -D_FORTIFY_SOURCE=1"
> > > > MY_EXTRAFLAGS_pn-binutils = ""
> > > > 
> > > > FYI we do have meta/conf/distro/include/security_flags.inc to apply
> > 
> > these
> > 
> > > > two
> > > > flags, but interestingly there's no mention of binutils in there.
> > > > 
> > > > > Thanks for all the help and maybe it's time we moved over to Poky :)
> > > > 
> > > > Well, there's nothing forcing you to use poky - it's a reference
> > > > distribution;
> > > > the assumption is usually that you'll want to change something at the
> > > > distribution level at which point you've effectively created your own
> > > > distro.
> > > > 
> > > > Cheers,
> > > > Paul
> > > > 
> > > > --
> > > > 
> > > > Paul Eggleton
> > > > Intel Open Source Technology Centre
> > 
> > --
> > 
> > Paul Eggleton
> > Intel Open Source Technology Centre

-- 

Paul Eggleton
Intel Open Source Technology Centre