* [Buildroot] [PATCH 1/1] Config.in: enable PIC/PIE, RELRO and SSP by default
@ 2019-10-25 19:54 Fabrice Fontaine
  2019-10-25 20:04 ` Thomas Petazzoni
  2019-10-26 13:07 ` Thomas Petazzoni
  0 siblings, 2 replies; 5+ messages in thread
From: Fabrice Fontaine @ 2019-10-25 19:54 UTC
  To: buildroot

Enhance security by enabling PIC/PIE, RELRO and SSP by default.

This could help make IoT more secure and fight against the assumption
that buildroot does not support binary hardening (see
https://cyber-itl.org/2019/08/26/iot-data-writeup.html)

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
---
 Config.in | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/Config.in b/Config.in
index a6e280b885..0a74079ef6 100644
--- a/Config.in
+++ b/Config.in
@@ -717,6 +717,7 @@ comment "Security Hardening Options"
 
 config BR2_PIC_PIE
 	bool "Build code with PIC/PIE"
+	default y
 	depends on BR2_SHARED_LIBS
 	help
 	  Generate Position-Independent Code (PIC) and link
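Review bot: the new `default y` on BR2_PIC_PIE sits directly above `depends on BR2_SHARED_LIBS`, so it only takes effect in shared-library configurations, and the commit message's "by default" does not say so. Please state that limit in the commit message, and mention that a configuration which does not set BR2_PIC_PIE explicitly will start building with PIC/PIE once this default applies.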
@@ -724,7 +725,7 @@ config BR2_PIC_PIE
 
 choice
 	bool "Stack Smashing Protection"
-	default BR2_SSP_ALL if BR2_ENABLE_SSP # legacy
+	default BR2_SSP_ALL
 	depends on BR2_TOOLCHAIN_HAS_SSP
 	help
 	  Enable stack smashing protection support using GCC's
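Review bot: the unconditional `default BR2_SSP_ALL` picks one specific entry of this choice with no rationale in the commit message, and it removes the `if BR2_ENABLE_SSP # legacy` condition in the same line without mentioning it. Please explain why BR2_SSP_ALL was chosen over the other entries for every toolchain covered by `depends on BR2_TOOLCHAIN_HAS_SSP`, and note in the commit message that the legacy condition becomes redundant and is dropped on purpose.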
@@ -785,6 +786,7 @@ comment "Stack Smashing Protection needs a toolchain w/ SSP"
 
 choice
 	bool "RELRO Protection"
+	default BR2_RELRO_FULL
 	depends on BR2_SHARED_LIBS
 	help
 	  Enable a link-time protection know as RELRO (RELocation Read
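Review bot: `default BR2_RELRO_FULL` is added without the commit message saying why this entry of the choice is the right default, and since the choice is under `depends on BR2_SHARED_LIBS` the new default does not reach configurations without shared libraries, which should be stated. Separately, the context line `Enable a link-time protection know as RELRO` has a typo ("know" for "known") that could be fixed in a follow-up patch.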
-- 
2.23.0
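
What the three defaults proposed in this patch look like in a built binary, as an added example that is not part of the original post or of Buildroot: a checker that classifies PIE, RELRO level and SSP from readelf output. The names classify and scan and both sample excerpts are constructed for this example.

```python
import re
import subprocess

def classify(text):
    """Classify hardening from `readelf -W -h -l -d --dyn-syms FILE` output."""
    def has(pattern):
        return re.search(pattern, text, re.M) is not None
    # PIE: ET_DYN plus an interpreter segment or the DF_1_PIE flag (heuristic;
    # an ordinary shared library is ET_DYN too, but normally has neither).
    pie = has(r"^\s*Type:\s+DYN\b") and (
        has(r"^\s*INTERP\s") or has(r"\(FLAGS_1\).*\bPIE\b"))
    # RELRO: PT_GNU_RELRO alone is partial; it is full only with eager binding
    # (DT_BIND_NOW, DF_BIND_NOW in DT_FLAGS, or DF_1_NOW in DT_FLAGS_1).
    relro = "none"
    if has(r"^\s*GNU_RELRO\s"):
        now = has(r"\(BIND_NOW\)|\(FLAGS\).*\bBIND_NOW\b|\(FLAGS_1\).*\bNOW\b")
        relro = "full" if now else "partial"
    # SSP: an instrumented function references __stack_chk_fail. Absence is not
    # proof of a missing flag: a small binary may contain no protected function.
    ssp = has(r"\b__stack_chk_fail\b")
    return {"pie": pie, "relro": relro, "ssp": ssp}

def scan(path, readelf="readelf"):
    """Run readelf (assumed on PATH; pass the cross toolchain's readelf otherwise)."""
    out = subprocess.run([readelf, "-W", "-h", "-l", "-d", "--dyn-syms", path],
                         capture_output=True, text=True, check=True).stdout
    return classify(out)

# Constructed excerpts in readelf's output layout, not taken from a real build.
HARDENED = """\
  Type:                              DYN (Shared object file)
  INTERP         0x000154 0x00000154 0x00000154 0x00013 0x00013 R   0x1
  GNU_RELRO      0x000ee8 0x00010ee8 0x00010ee8 0x00118 0x00118 R   0x1
 0x0000001e (FLAGS)                      BIND_NOW
 0x6ffffffb (FLAGS_1)                    Flags: NOW PIE
     5: 00000000     0 FUNC    GLOBAL DEFAULT  UND __stack_chk_fail
"""
PARTIAL = """\
  Type:                              EXEC (Executable file)
  INTERP         0x000154 0x00010154 0x00010154 0x00013 0x00013 R   0x1
  GNU_RELRO      0x000f10 0x00020f10 0x00020f10 0x000f0 0x000f0 R   0x1
 0x00000001 (NEEDED)                     Shared library: [libc.so.6]
     3: 00000000     0 FUNC    GLOBAL DEFAULT  UND puts
"""

if __name__ == "__main__":
    print(classify(HARDENED), classify(PARTIAL))
```

Running scan over every ELF file under a target root filesystem gives a per-binary view of which packages actually picked up the options.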


* [Buildroot] [PATCH 1/1] Config.in: enable PIC/PIE, RELRO and SSP by default
  2019-10-25 19:54 [Buildroot] [PATCH 1/1] Config.in: enable PIC/PIE, RELRO and SSP by default Fabrice Fontaine
@ 2019-10-25 20:04 ` Thomas Petazzoni
  2019-10-26  6:49   ` Peter Korsgaard
  2019-10-26 13:07 ` Thomas Petazzoni
  1 sibling, 1 reply; 5+ messages in thread
From: Thomas Petazzoni @ 2019-10-25 20:04 UTC
  To: buildroot

On Fri, 25 Oct 2019 21:54:56 +0200
Fabrice Fontaine <fontaine.fabrice@gmail.com> wrote:

> Enhance security by enabling PIC/PIE, RELRO and SSP by default.
> 
> This could help make IoT more secure and fight against the assumption
> that buildroot does not support binary hardening (see
> https://cyber-itl.org/2019/08/26/iot-data-writeup.html)
> 
> Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>

I'm not sure we're ready to do that. A first step would be to add some
randomization in the autobuilders to test those features (by improving
./utils/genrandconfig). This will allow us to test that enabling those
features doesn't break too many packages. Then we can discuss
enabling it by default, even though I find that it kind of breaks the
logic that Buildroot does something minimal/basic by default.

Thomas
-- 
Thomas Petazzoni, CTO, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com


* [Buildroot] [PATCH 1/1] Config.in: enable PIC/PIE, RELRO and SSP by default
  2019-10-25 20:04 ` Thomas Petazzoni
@ 2019-10-26  6:49   ` Peter Korsgaard
  2019-10-26  8:44     ` Fabrice Fontaine
  0 siblings, 1 reply; 5+ messages in thread
From: Peter Korsgaard @ 2019-10-26  6:49 UTC
  To: buildroot

>>>>> "Thomas" == Thomas Petazzoni <thomas.petazzoni@bootlin.com> writes:

 > On Fri, 25 Oct 2019 21:54:56 +0200
 > Fabrice Fontaine <fontaine.fabrice@gmail.com> wrote:

 >> Enhance security by enabling PIC/PIE, RELRO and SSP by default.
 >> 
 >> This could help make IoT more secure and fight against the assumption
 >> that buildroot does not support binary hardening (see
 >> https://cyber-itl.org/2019/08/26/iot-data-writeup.html)
 >> 
 >> Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>

 > I'm not sure we're ready to do that. A first step would be to add some
 > randomization in the autobuilders to test those features (by improving
 > ./utils/genrandconfig). This will allow us to test that enabling those
 > features doesn't break too many packages. Then we can discuss
 > enabling it by default, even though I find that it kind of breaks the
 > logic that Buildroot does something minimal/basic by default.

I agree that it makes sense to do some more testing first, but as a data
point, I do enable SSP_REGULAR / RELRO_PARTIAL / FORTIFY_SOURCE_1
without issues on the project I'm currently working on.

And yes, Buildroot normally does the most minimal thing out of the box,
but defaults also matter when we talk about these "complicated" security
related things.

We have done similar things in the past, e.g. the change of password
encoding algorithm:

commit 9cf2280846b60ba081ed21339b407e2c761b599d
Author: Matt Weber <matthew.weber@rockwellcollins.com>
Date:   Wed Dec 5 20:06:28 2018 -0600

    system cfg: set mkpasswd default to SHA256

    This patch changes the default mkpasswd method to SHA256 from MD5.
    The change both improves the quality of the hash used and prepares
    for eventually removing MD5 as an option.

    Reviewed-by: "Yann E. MORIN" <yann.morin.1998@free.fr>
    Signed-off-by: Matthew Weber <matthew.weber@rockwellcollins.com>
    Signed-off-by: Peter Korsgaard <peter@korsgaard.com>

But let's not rush things.

-- 
Bye, Peter Korsgaard


* [Buildroot] [PATCH 1/1] Config.in: enable PIC/PIE, RELRO and SSP by default
  2019-10-26  6:49   ` Peter Korsgaard
@ 2019-10-26  8:44     ` Fabrice Fontaine
  0 siblings, 0 replies; 5+ messages in thread
From: Fabrice Fontaine @ 2019-10-26  8:44 UTC
  To: buildroot

Dear all,

On Sat, 26 Oct 2019 at 09:41, Peter Korsgaard <peter@korsgaard.com> wrote:
>
> >>>>> "Thomas" == Thomas Petazzoni <thomas.petazzoni@bootlin.com> writes:
>
>  > On Fri, 25 Oct 2019 21:54:56 +0200
>  > Fabrice Fontaine <fontaine.fabrice@gmail.com> wrote:
>
>  >> Enhance security by enabling PIC/PIE, RELRO and SSP by default.
>  >>
>  >> This could help make IoT more secure and fight against the assumption
>  >> that buildroot does not support binary hardening (see
>  >> https://cyber-itl.org/2019/08/26/iot-data-writeup.html)
>  >>
>  >> Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
>
>  > I'm not sure we're ready to do that. A first step would be to add some
>  > randomization in the autobuilders to test those features (by improving
>  > ./utils/genrandconfig). This will allow us to test that enabling those
>  > features doesn't break too many packages. Then we can discuss
>  > enabling it by default, even though I find that it kind of breaks the
>  > logic that Buildroot does something minimal/basic by default.
>
> I agree that it makes sense to do some more testing first, but as a data
> point, I do enable SSP_REGULAR / RELRO_PARTIAL / FORTIFY_SOURCE_1
> without issues on the project I'm currently working on.
>
> And yes, Buildroot normally does the most minimal thing out of the box,
> but defaults also matter when we talk about these "complicated" security
> related things.
>
> We have done similar things in the past, e.g. the change of password
> encoding algorithm:
>
> commit 9cf2280846b60ba081ed21339b407e2c761b599d
> Author: Matt Weber <matthew.weber@rockwellcollins.com>
> Date:   Wed Dec 5 20:06:28 2018 -0600
>
>     system cfg: set mkpasswd default to SHA256
>
>     This patch changes the default mkpasswd method to SHA256 from MD5.
>     The change both improves the quality of the hash used and prepares
>     for eventually removing MD5 as an option.
>
>     Reviewed-by: "Yann E. MORIN" <yann.morin.1998@free.fr>
>     Signed-off-by: Matthew Weber <matthew.weber@rockwellcollins.com>
>     Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
>
> But let's not rush things.
OK, I'll take care of sending patches to update utils/genrandconfig
and fix the autobuilder failures. Hopefully, we could then enable
these options by default.
>
> --
> Bye, Peter Korsgaard
Best Regards,

Fabrice


* [Buildroot] [PATCH 1/1] Config.in: enable PIC/PIE, RELRO and SSP by default
  2019-10-25 19:54 [Buildroot] [PATCH 1/1] Config.in: enable PIC/PIE, RELRO and SSP by default Fabrice Fontaine
  2019-10-25 20:04 ` Thomas Petazzoni
@ 2019-10-26 13:07 ` Thomas Petazzoni
  1 sibling, 0 replies; 5+ messages in thread
From: Thomas Petazzoni @ 2019-10-26 13:07 UTC
  To: buildroot

Hello Fabrice,

On Fri, 25 Oct 2019 21:54:56 +0200
Fabrice Fontaine <fontaine.fabrice@gmail.com> wrote:

> Enhance security by enabling PIC/PIE, RELRO and SSP by default.
> 
> This could help make IoT more secure and fight against the assumption
> that buildroot does not support binary hardening (see
> https://cyber-itl.org/2019/08/26/iot-data-writeup.html)

We briefly discussed this article at the Buildroot meeting (you should
have been there!), and one thing that came up is that the authors of
this article say that the binaries were built by Buildroot, but
considering the products that are all WiFi routers, most likely they
were in fact built by OpenWRT, not Buildroot.

Some people confuse OpenWRT with Buildroot, because OpenWRT was forked
a long time ago from Buildroot, and it is still sometimes called "OpenWRT
Buildroot". However, OpenWRT is a completely separate project from
Buildroot, and therefore whatever we (Buildroot community) will change
in terms of default values for hardening features, will not change what
OpenWRT will do, and therefore will not have any effect on what most
WiFi routers are using.

Could you perhaps contact the author of the article, and ask them how
they concluded that Buildroot had been used, and whether it wasn't in
fact OpenWRT?

Thanks!

Thomas
-- 
Thomas Petazzoni, CTO, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com
