The `-fstack-protector-***' option should be passed to gcc rather than to the linker. Since `4ca946c security_flags: use -fstack-protector-strong' it has been added to LDFLAGS; although no extra build failure is introduced, it is still unnecessary (-Wl,** is for the linker). Reported-by: Lans Zhang <https://github.com/jiazhang0> Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com> --- meta/conf/distro/include/security_flags.inc | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/meta/conf/distro/include/security_flags.inc b/meta/conf/distro/include/security_flags.inc index 620978a..362b1db 100644 --- a/meta/conf/distro/include/security_flags.inc +++ b/meta/conf/distro/include/security_flags.inc @@ -26,8 +26,8 @@ SECURITY_STACK_PROTECTOR ?= "-fstack-protector-strong" SECURITY_CFLAGS ?= "${SECURITY_STACK_PROTECTOR} ${SECURITY_PIE_CFLAGS} ${lcl_maybe_fortify} ${SECURITY_STRINGFORMAT}" SECURITY_NO_PIE_CFLAGS ?= "${SECURITY_STACK_PROTECTOR} ${lcl_maybe_fortify} ${SECURITY_STRINGFORMAT}" -SECURITY_LDFLAGS ?= "${SECURITY_STACK_PROTECTOR} -Wl,-z,relro,-z,now" -SECURITY_X_LDFLAGS ?= "${SECURITY_STACK_PROTECTOR} -Wl,-z,relro" +SECURITY_LDFLAGS ?= "-Wl,-z,relro,-z,now" +SECURITY_X_LDFLAGS ?= "-Wl,-z,relro" # powerpc does not get on with pie for reasons not looked into as yet GCCPIE_powerpc = "" -- 2.7.4
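Review bot: the commit message justifies dropping `${SECURITY_STACK_PROTECTOR}` from `SECURITY_LDFLAGS` and `SECURITY_X_LDFLAGS` only with "unnecessary", but the replies show the concrete trigger (a recipe that validates LDFLAGS and rejects an option that is not `-Wl,`) and a real cost (recipes that do not fold CFLAGS into their link command were relying on this copy of the flag, and the hunk adds nothing that would flag them); state the motivating failure in the message and say how such recipes are expected to be caught after the change, for example the LDFLAGS warning proposed later in the thread. Secondary, and pre-existing rather than introduced here: after the change the two variables differ only in that `SECURITY_X_LDFLAGS` keeps `-Wl,-z,relro` without `-z,now`, so a one-line comment in the file explaining why the X variant stays with partial RELRO would save the next reader from "fixing" it.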
== Series Details == Series: security_flags.inc: Remove `-fstack-protector-strong' from LDFLAGS Revision: 1 URL : https://patchwork.openembedded.org/series/13868/ State : failure == Summary == Thank you for submitting this patch series to OpenEmbedded Core. This is an automated response. Several tests have been executed on the proposed series by patchtest resulting in the following failures: * Issue Series does not apply on top of target branch [test_series_merge_on_head] Suggested fix Rebase your series on top of targeted branch Targeted branch master (currently at 853e0499be) If you believe any of these test results are incorrect, please reply to the mailing list (openembedded-core@lists.openembedded.org) raising your concerns. Otherwise we would appreciate you correcting the issues and submitting a new version of the patchset if applicable. Please ensure you add/increment the version number when sending the new version (i.e. [PATCH] -> [PATCH v2] -> [PATCH v3] -> ...). --- Guidelines: https://www.openembedded.org/wiki/Commit_Patch_Message_Guidelines Test framework: http://git.yoctoproject.org/cgit/cgit.cgi/patchtest Test suite: http://git.yoctoproject.org/cgit/cgit.cgi/patchtest-oe
On 2018-09-03 22:02, Patchwork wrote: > == Series Details == > > Series: security_flags.inc: Remove `-fstack-protector-strong' from LDFLAGS > Revision: 1 > URL : https://patchwork.openembedded.org/series/13868/ > State : failure > > == Summary == > > > Thank you for submitting this patch series to OpenEmbedded Core. This is > an automated response. Several tests have been executed on the proposed > series by patchtest resulting in the following failures: > > > > * Issue Series does not apply on top of target branch [test_series_merge_on_head] The patch is based on `0ed4a62 security_flags.inc: add var-SECURITY_STACK_PROTECTOR to improve variable OVERRIDES', which is on master-next. //Hongxu > Suggested fix Rebase your series on top of targeted branch > Targeted branch master (currently at 853e0499be) > > > > If you believe any of these test results are incorrect, please reply to the > mailing list (openembedded-core@lists.openembedded.org) raising your concerns. > Otherwise we would appreciate you correcting the issues and submitting a new > version of the patchset if applicable. Please ensure you add/increment the > version number when sending the new version (i.e. [PATCH] -> [PATCH v2] -> > [PATCH v3] -> ...). > > --- > Guidelines: https://www.openembedded.org/wiki/Commit_Patch_Message_Guidelines > Test framework: http://git.yoctoproject.org/cgit/cgit.cgi/patchtest > Test suite: http://git.yoctoproject.org/cgit/cgit.cgi/patchtest-oe >
On Mon, Sep 3, 2018 at 6:31 AM Hongxu Jia <hongxu.jia@windriver.com> wrote: > > The `-fstack-protector-***' should be passed to gcc rather than linker, > since `4ca946c security_flags: use -fstack-protector-strong', it was > added to LDFLAGS, although there is no extra build failure introduced, > but it is still unnecessary.(-Wl,** is for linker) > There are cases where CFLAGS is not combined into LDFLAGS by package component builds, which creates the disjoint. If we remove this here then that will start to show up. Remember we do not configure toolchains to provide the hardening flags by default as yet, so we have to be explicit. Do you see issues with the current settings? > Reported-by: Lans Zhang <https://github.com/jiazhang0> > > Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com> > --- > meta/conf/distro/include/security_flags.inc | 4 ++-- > 1 file changed, 2 insertions(+), 2 deletions(-) > > diff --git a/meta/conf/distro/include/security_flags.inc b/meta/conf/distro/include/security_flags.inc > index 620978a..362b1db 100644 > --- a/meta/conf/distro/include/security_flags.inc > +++ b/meta/conf/distro/include/security_flags.inc > @@ -26,8 +26,8 @@ SECURITY_STACK_PROTECTOR ?= "-fstack-protector-strong" > SECURITY_CFLAGS ?= "${SECURITY_STACK_PROTECTOR} ${SECURITY_PIE_CFLAGS} ${lcl_maybe_fortify} ${SECURITY_STRINGFORMAT}" > SECURITY_NO_PIE_CFLAGS ?= "${SECURITY_STACK_PROTECTOR} ${lcl_maybe_fortify} ${SECURITY_STRINGFORMAT}" > > -SECURITY_LDFLAGS ?= "${SECURITY_STACK_PROTECTOR} -Wl,-z,relro,-z,now" > -SECURITY_X_LDFLAGS ?= "${SECURITY_STACK_PROTECTOR} -Wl,-z,relro" > +SECURITY_LDFLAGS ?= "-Wl,-z,relro,-z,now" > +SECURITY_X_LDFLAGS ?= "-Wl,-z,relro" > > # powerpc does not get on with pie for reasons not looked into as yet > GCCPIE_powerpc = "" > -- > 2.7.4 >
On 2018-09-04 00:30, Khem Raj wrote: > On Mon, Sep 3, 2018 at 6:31 AM Hongxu Jia <hongxu.jia@windriver.com> wrote: >> The `-fstack-protector-***' should be passed to gcc rather than linker, >> since `4ca946c security_flags: use -fstack-protector-strong', it was >> added to LDFLAGS, although there is no extra build failure introduced, >> but it is still unnecessary.(-Wl,** is for linker) >> > There are cases where CFLAGS is not combined into LDFLAGS by package > component builds > which creates the disjoint, If we remove this here then that will > start to show up. remember we do > not configure toolchains to provide the hardening flags by default as > yet, so we have to be explicit. > Do you see issues with current settings ? Yes, I know a recipe (libsign in meta-secure-core) that checks LDFLAGS for `-Wl,***' and it failed with `-fstack-protector-strong', and our Wind River Linux had to maintain a list of `SECURITY_LDFLAGS_remove_pn-*** = "-fstack-protector-strong"' for non oe-core layers. I know some recipes may not combine CFLAGS into their build, but we should investigate some way, like `-Wl,--hash-style=gnu', to check LDFLAGS for CFLAGS and print a warning to figure it out. //Hongxu >> Reported-by: Lans Zhang <https://github.com/jiazhang0> >> >> Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com> >> --- >> meta/conf/distro/include/security_flags.inc | 4 ++-- >> 1 file changed, 2 insertions(+), 2 deletions(-) >> >> diff --git a/meta/conf/distro/include/security_flags.inc b/meta/conf/distro/include/security_flags.inc >> index 620978a..362b1db 100644 >> --- a/meta/conf/distro/include/security_flags.inc >> +++ b/meta/conf/distro/include/security_flags.inc 
>> @@ -26,8 +26,8 @@ SECURITY_STACK_PROTECTOR ?= "-fstack-protector-strong" >> SECURITY_CFLAGS ?= "${SECURITY_STACK_PROTECTOR} ${SECURITY_PIE_CFLAGS} ${lcl_maybe_fortify} ${SECURITY_STRINGFORMAT}" >> SECURITY_NO_PIE_CFLAGS ?= "${SECURITY_STACK_PROTECTOR} ${lcl_maybe_fortify} ${SECURITY_STRINGFORMAT}" >> >> -SECURITY_LDFLAGS ?= "${SECURITY_STACK_PROTECTOR} -Wl,-z,relro,-z,now" >> -SECURITY_X_LDFLAGS ?= "${SECURITY_STACK_PROTECTOR} -Wl,-z,relro" >> +SECURITY_LDFLAGS ?= "-Wl,-z,relro,-z,now" >> +SECURITY_X_LDFLAGS ?= "-Wl,-z,relro" >> >> # powerpc does not get on with pie for reasons not looked into as yet >> GCCPIE_powerpc = "" >> -- >> 2.7.4 >>
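To settle a question like this one from the build output rather than from which variable a flag sat in, here is an added example (mine, not OE-Core's and not code from anyone in this thread): a POSIX sh script that asks GNU binutils whether a linked ELF carries the hardenings security_flags.inc is meant to provide. It assumes `nm` and `readelf` are on PATH; the function names are its own. The canary check is the one relevant to this patch: `__stack_chk_fail` is only referenced by objects that were compiled with `-fstack-protector*`, so it shows directly whether a recipe that does not fold CFLAGS into its link step ended up without canaries, whatever LDFLAGS contained.

```shell
#!/bin/sh
# Added example, not code from OE-Core or from this thread: inspect a linked ELF
# and report which of the security_flags.inc hardenings actually took effect.
# Assumes GNU binutils (nm, readelf) on PATH; function names are this script's own.

# 0 if the binary references __stack_chk_fail. Only objects *compiled* with
# -fstack-protector* produce that reference; the option on the link line alone
# never does, which is why it is harmless but also useless in LDFLAGS.
has_stack_protector() {
    # dynamic symbol table first (normal executables and shared objects)
    nm -D "$1" 2>/dev/null | grep -q ' U __stack_chk_fail' && return 0
    # static binaries carry the function itself in the regular symbol table
    nm "$1" 2>/dev/null | grep -q ' __stack_chk_fail$'
}

# 0 if a PT_GNU_RELRO segment exists (-Wl,-z,relro): the relocated data,
# including part of the GOT, is made read-only after the loader finishes.
has_relro() {
    readelf -lW "$1" 2>/dev/null | grep -q 'GNU_RELRO'
}

# 0 if the loader is told to resolve every symbol at startup (-Wl,-z,now):
# a DT_BIND_NOW entry, or the BIND_NOW / NOW bit in DT_FLAGS / DT_FLAGS_1.
has_bind_now() {
    readelf -dW "$1" 2>/dev/null \
        | grep -Eq '\(BIND_NOW\)|\(FLAGS\).*BIND_NOW|\(FLAGS_1\).*NOW'
}

# One-line verdict, e.g. "ssp=yes relro=full bindnow=yes".
# relro=full needs both -z,relro and -z,now (the whole GOT becomes read-only);
# relro=partial is what -Wl,-z,relro on its own gives.
harden_summary() {
    f=$1
    ssp=no; relro=none; bindnow=no
    has_stack_protector "$f" && ssp=yes
    if has_relro "$f"; then
        relro=partial
        has_bind_now "$f" && { relro=full; bindnow=yes; }
    elif has_bind_now "$f"; then
        bindnow=yes
    fi
    printf 'ssp=%s relro=%s bindnow=%s\n' "$ssp" "$relro" "$bindnow"
}

# Usage: sh hardencheck.sh /path/to/binary ...
if [ $# -gt 0 ]; then
    for tool in nm readelf; do
        command -v "$tool" >/dev/null 2>&1 \
            || { echo "$0: $tool not found (install binutils)" >&2; exit 2; }
    done
    for bin in "$@"; do
        printf '%s: ' "$bin"
        harden_summary "$bin"
    done
fi
```

Point it at the binaries of a recipe you suspect of not passing CFLAGS to its link step. `ssp=no` on a program that has real stack buffers means the compile step never saw `-fstack-protector-strong`, regardless of what LDFLAGS carried; `relro=partial` is exactly the result of the `-Wl,-z,relro` that SECURITY_X_LDFLAGS keeps, while SECURITY_LDFLAGS with `-z,now` gives `relro=full`. A binary with no canary-eligible function also reports `ssp=no`, so judge on code that actually has local arrays.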