From: "Antoine Manache"
Date: Tue, 24 Mar 2020 18:25:46 +0100
Subject: Re: [OE-core][PATCH] security_flags.inc: fix flags missing from SDK toolchain
To: Tom Hochstein
Cc: openembedded-core@lists.openembedded.org
References: <20200324170259.3206-1-tom.hochstein@nxp.com>
In-Reply-To: <20200324170259.3206-1-tom.hochstein@nxp.com>

I've already sent this patch a few months ago, but it has not been taken into account yet.

AM

From: Antoine Manache
Date: Wed, 20 Nov 2019 at 16:44
Subject: [OE-core] [PATCH v2] sdk: environment script doesn't set security options in CC and LDFLAGS variables
To:

When building an SDK from a DISTRO with security flags enabled, options added to
CC and LDFLAGS are not replicated in the SDK environment script.
This could lead to some situations where an application compiled with
the SDK and having some security weaknesses correctly runs on target but
crashes once integrated into the core image built with the full Yocto
stack.

Signed-off-by: Antoine Manache
--- meta/conf/distro/include/security_flags.inc | 2 ++ 1 file changed, 2 insertions(+) diff --git a/meta/conf/distro/include/security_flags.inc b/meta/conf/distro/include/security_flags.inc index 620978a8ed..329482bfa3 100644 --- a/meta/conf/distro/include/security_flags.inc +++ b/meta/conf/distro/include/security_flags.inc
@@ -56,7 +56,9 @@ SECURITY_STRINGFORMAT_pn-busybox =3D "" SECURITY_STRINGFORMAT_pn-gcc =3D "" TARGET_CC_ARCH_append_class-target =3D " ${SECURITY_CFLAGS}" +TARGET_CC_ARCH_append_class-cross-canadian =3D " ${SECURITY_CFLAGS}" TARGET_LDFLAGS_append_class-target =3D " ${SECURITY_LDFLAGS}" +TARGET_LDFLAGS_append_class-cross-canadian =3D " ${SECURITY_LDFLAGS}" SECURITY_STACK_PROTECTOR_pn-gcc-runtime =3D "" SECURITY_STACK_PROTECTOR_pn-glibc =3D "" -- 2.11.0

On Tue, 24 Mar 2020 at 18:03, Tom Hochstein wrote:

> The security flags were missing from the SDK toolchain
> because they were added specifically to class-target.
> Add them to class-cross-canadian as well.
>
> Signed-off-by: Tom Hochstein
> --- > meta/conf/distro/include/security_flags.inc | 2 ++ > 1 file changed, 2 insertions(+) > > diff --git a/meta/conf/distro/include/security_flags.inc > b/meta/conf/distro/include/security_flags.inc > index aaf04e9e59..568d03693c 100644 > --- a/meta/conf/distro/include/security_flags.inc > +++ b/meta/conf/distro/include/security_flags.inc > @@ -57,6 +57,8 @@ SECURITY_STRINGFORMAT_pn-gcc =3D "" > > TARGET_CC_ARCH_append_class-target =3D " ${SECURITY_CFLAGS}" > TARGET_LDFLAGS_append_class-target =3D " ${SECURITY_LDFLAGS}" > +TARGET_CC_ARCH_append_class-cross-canadian =3D " ${SECURITY_CFLAGS}" > +TARGET_LDFLAGS_append_class-cross-canadian =3D " ${SECURITY_LDFLAGS}" > > SECURITY_STACK_PROTECTOR_pn-gcc-runtime =3D "" > SECURITY_STACK_PROTECTOR_pn-glibc =3D "" > -- > 2.17.1
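
Review bot: in the v2 hunk at @@ -56,7 +56,9 @@ the two class-cross-canadian appends are interleaved with the class-target ones and carry no comment, so someone reading security_flags.inc cannot tell that they exist to carry the flags into the SDK environment script. Grouping the two new lines after the class-target pair, under a one-line comment that names the SDK toolchain as the reason, would document the intent next to the assignment.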
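
Review bot: the added TARGET_CC_ARCH_append_class-cross-canadian and TARGET_LDFLAGS_append_class-cross-canadian lines in the quoted hunk at @@ -57,6 +57,8 @@ apply ${SECURITY_CFLAGS} and ${SECURITY_LDFLAGS} to the whole cross-canadian class, while the exemptions visible in the surrounding context (SECURITY_STRINGFORMAT_pn-gcc, SECURITY_STACK_PROTECTOR_pn-gcc-runtime, SECURITY_STACK_PROTECTOR_pn-glibc) are keyed on individual recipe names. The commit message should state whether any cross-canadian recipe needs a matching exemption and how the result was verified, for example by checking CC and LDFLAGS in a regenerated SDK environment script.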
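
An added check, not part of the original thread or of OE-core: it reads an SDK environment script without sourcing it and reports which hardening flags are absent from CC and LDFLAGS, the symptom both commit messages describe. The required-flag lists, the toolchain name and the two sample scripts are assumptions constructed for illustration; substitute what SECURITY_CFLAGS and SECURITY_LDFLAGS expand to in your distro.

```shell
# Assumed flag sets; replace with what SECURITY_CFLAGS / SECURITY_LDFLAGS
# expand to in your distro configuration.
REQUIRED_CC_FLAGS="-fstack-protector-strong -D_FORTIFY_SOURCE=2"
REQUIRED_LD_FLAGS="-Wl,-z,relro,-z,now"

# Print the value of `export VAR="..."` from a script without sourcing it.
env_value() {
    sed -n "s/^export $2=\"\(.*\)\"\$/\1/p" "$1" | tail -n 1
}

# Print each required flag ($2...) that is absent from the value in $1.
missing_flags() {
    value=" $1 "; shift
    for flag in "$@"; do
        case "$value" in
            *" $flag "*) ;;
            *) printf '%s\n' "$flag" ;;
        esac
    done
}

# Return 0 only if CC and LDFLAGS carry every required flag.
check_sdk_env() {
    cc_missing=$(missing_flags "$(env_value "$1" CC)" $REQUIRED_CC_FLAGS)
    ld_missing=$(missing_flags "$(env_value "$1" LDFLAGS)" $REQUIRED_LD_FLAGS)
    [ -z "$cc_missing" ] || echo "CC is missing:" $cc_missing
    [ -z "$ld_missing" ] || echo "LDFLAGS is missing:" $ld_missing
    [ -z "$cc_missing$ld_missing" ]
}

# Constructed samples: an environment script without and with the flags.
make_samples() {
    dir=$(mktemp -d)
    cat > "$dir/env-before" <<'EOF'
export CC="arm-poky-linux-gnueabi-gcc -march=armv7-a --sysroot=$SDKTARGETSYSROOT"
export LDFLAGS="-Wl,-O1 -Wl,--hash-style=gnu -Wl,--as-needed"
EOF
    cat > "$dir/env-after" <<'EOF'
export CC="arm-poky-linux-gnueabi-gcc -march=armv7-a -fstack-protector-strong -D_FORTIFY_SOURCE=2 --sysroot=$SDKTARGETSYSROOT"
export LDFLAGS="-Wl,-O1 -Wl,--hash-style=gnu -Wl,--as-needed -fstack-protector-strong -Wl,-z,relro,-z,now"
EOF
    echo "$dir"
}

samples=$(make_samples)
for f in env-before env-after; do
    if check_sdk_env "$samples/$f"; then echo "$f: ok"; else echo "$f: flags missing"; fi
done
rm -rf "$samples"
```

Run against a real SDK, pass the path of the installed environment script to `check_sdk_env`; a non-zero exit status makes it usable as a gate in an SDK release job.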