Re: [PATCH] security_flags.inc: Remove `-fstack-protector-strong' from LDFLAGS

From: Hongxu Jia <hongxu.jia@windriver.com>
To: Khem Raj <raj.khem@gmail.com>
Cc: Patches and discussions about the oe-core layer
	<openembedded-core@lists.openembedded.org>
Subject: Re: [PATCH] security_flags.inc: Remove `-fstack-protector-strong' from LDFLAGS
Date: Tue, 4 Sep 2018 09:35:27 +0800	[thread overview]
Message-ID: <63520b28-0bbe-5304-7722-8b44d571e969@windriver.com> (raw)
In-Reply-To: <CAMKF1sqgV3LvMF7c17QzE4WP=+wA67S1hpNTC6W9WThGSx5Qzg@mail.gmail.com>

On 2018年09月04日 00:30, Khem Raj wrote:
> On Mon, Sep 3, 2018 at 6:31 AM Hongxu Jia <hongxu.jia@windriver.com> wrote:
>> The `-fstack-protector-***' should be passed to gcc rather than linker,
>> since `4ca946c security_flags: use -fstack-protector-strong', it was
>> added to LDFLAGS, although there is no extra build failure introduced,
>> but it is still unnecessary.(-Wl,** is for linker)
>>
> There are cases where CFLAGS is not combined into LDFLAGS by package
> component builds
> which creates the disjoint, If we remove this here then that will
> start to show up. remember we do
> not configure toolchains to provide the hardening flags by default as
> yet, so we have to be explicit.
> Do you see issues with current settings ?

Yes, I know a recipe (libsign in meta-secure-core) check LDFLAGS with 
`-Wl,***'
and it failed with `-fstack-protector-strong', and our Wind River Linux
had to maintain a list of `SECURITY_LDFLAGS_remove_pn-*** = 
"-fstack-protector-strong"'
for non oe-core layers.

I know some recipes may not combine CFLAGS to their build, but
we should investigate some way like `-Wl,--hash-style=gnu'
to check LDFALGS for CFLAGS, and mention a warning to figure it out.

//Hongxu

>> Reported-by: Lans Zhang <https://github.com/jiazhang0>
>>
>> Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
>> ---
>>   meta/conf/distro/include/security_flags.inc | 4 ++--
>>   1 file changed, 2 insertions(+), 2 deletions(-)
>>
>> diff --git a/meta/conf/distro/include/security_flags.inc b/meta/conf/distro/include/security_flags.inc
>> index 620978a..362b1db 100644
>> --- a/meta/conf/distro/include/security_flags.inc
>> +++ b/meta/conf/distro/include/security_flags.inc
>> @@ -26,8 +26,8 @@ SECURITY_STACK_PROTECTOR ?= "-fstack-protector-strong"
>>   SECURITY_CFLAGS ?= "${SECURITY_STACK_PROTECTOR} ${SECURITY_PIE_CFLAGS} ${lcl_maybe_fortify} ${SECURITY_STRINGFORMAT}"
>>   SECURITY_NO_PIE_CFLAGS ?= "${SECURITY_STACK_PROTECTOR} ${lcl_maybe_fortify} ${SECURITY_STRINGFORMAT}"
>>
>> -SECURITY_LDFLAGS ?= "${SECURITY_STACK_PROTECTOR} -Wl,-z,relro,-z,now"
>> -SECURITY_X_LDFLAGS ?= "${SECURITY_STACK_PROTECTOR} -Wl,-z,relro"
>> +SECURITY_LDFLAGS ?= "-Wl,-z,relro,-z,now"
>> +SECURITY_X_LDFLAGS ?= "-Wl,-z,relro"
>>
>>   # powerpc does not get on with pie for reasons not looked into as yet
>>   GCCPIE_powerpc = ""
>> --
>> 2.7.4
>>