Sunday, October 16, 2022

Yocto security feature to harden the build

You can use poky/meta/conf/distro/include/security_flags.inc to harden the build.

How to use it

According to poky/documentation/dev-manual/common-tasks.rst, you should add

require conf/distro/include/security_flags.inc

to your

    • local.conf, or

    • distribution config file

to enable it.

On Hardknott, this file is included and tested in the DISTRO="poky" configuration. That means

poky/meta-poky/conf/distro/poky.conf

adds

require conf/distro/include/security_flags.inc

Therefore, if you have meta-poky in your bblayers.conf, you are already using it.

What it does

Quoting from security_flags.inc:

Setup extra CFLAGS and LDFLAGS which have 'security' benefits.

What are the security features?

security_flags.inc defines SECURITY_CFLAGS and SECURITY_LDFLAGS, for example:

SECURITY_CFLAGS ?= "${SECURITY_STACK_PROTECTOR} ${SECURITY_PIE_CFLAGS} ${lcl_maybe_fortify} ${SECURITY_STRINGFORMAT}"

SECURITY_LDFLAGS ?= "-Wl,-z,relro,-z,now"

See security_flags.inc for details.

For example, it can add the following for the compiler:

    • stack protection (-fstack-protector-strong)

    • position independence (-pie -fPIE)

    • fortification depending on optimization level (-D_FORTIFY_SOURCE=2)

    • format string security (-Wformat -Wformat-security -Werror=format-security)

and

Relocation Read-Only support for the linker:

    • partial RELRO (-Wl,-z,relro)

    • full RELRO (-Wl,-z,now)

How these flags get propagated to recipes or the toolchain

The flags are propagated through TARGET_CC_ARCH and TARGET_LDFLAGS (look them up in poky/documentation/ref-manual/variables.rst).

In security_flags.inc, you will see the following:

TARGET_CC_ARCH_append_class-target = " ${SECURITY_CFLAGS}"

TARGET_LDFLAGS_append_class-target = " ${SECURITY_LDFLAGS}"

TARGET_CC_ARCH_append_class-cross-canadian = " ${SECURITY_CFLAGS}"

TARGET_LDFLAGS_append_class-cross-canadian = " ${SECURITY_LDFLAGS}"

Exceptions

See how security_flags.inc disables or modifies the flags for certain recipes. For example,

SECURITY_CFLAGS_pn-glibc = ""

SECURITY_LDFLAGS_pn-xserver-xorg = "${SECURITY_X_LDFLAGS}"

How to check binaries for some of these flags

You can use https://github.com/slimm609/checksec.sh 

If you are running this on the target, it will look for several dependencies including readelf(1).

Either add them to the build, or tweak checksec.sh and simply copy readelf and any dependencies from the target binaries of the SDK.

e.g.

$ checksec --file=/usr/bin/lsusb
RELRO           STACK CANARY      NX            PIE             RPATH      RUNPATH      Symbols         FORTIFY Fortified       Fortifiable     FILE
Full RELRO      Canary found      NX enabled    PIE enabled     No RPATH   No RUNPATH   No Symbols        Yes   6               13              /usr/bin/lsusb

$ checksec --file=/usr/sbin/syslogd
RELRO           STACK CANARY      NX            PIE             RPATH      RUNPATH      Symbols         FORTIFY Fortified       Fortifiable     FILE
Partial RELRO   No canary found   NX enabled    No PIE          No RPATH   No RUNPATH   No Symbols        No    0               15              /usr/sbin/syslogd
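
An added example (not from the original post or from the checksec project): a dependency-free check meant to run on the build host against files from the image rootfs. It reads the ELF markers that the linker flags above leave behind and covers only RELRO, PIE and NX. The names elf_hardening and sample_elf64 are invented here, and the sample input is constructed.

```python
import struct

PT_DYNAMIC, PT_GNU_STACK, PT_GNU_RELRO = 2, 0x6474E551, 0x6474E552
DT_NULL, DT_BIND_NOW, DT_FLAGS, DT_FLAGS_1 = 0, 24, 30, 0x6FFFFFFB
ET_EXEC, ET_DYN, PF_X, DF_BIND_NOW, DF_1_NOW = 2, 3, 0x1, 0x8, 0x1

def elf_hardening(data):
    """Report RELRO, PIE and NX for an ELF image (bytes) from its program headers."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    is64, e = data[4] == 2, "<" if data[5] == 1 else ">"
    e_type, = struct.unpack_from(e + "H", data, 16)
    phoff, = struct.unpack_from(e + ("Q" if is64 else "I"), data, 32 if is64 else 28)
    phentsize, phnum = struct.unpack_from(e + "HH", data, 54 if is64 else 42)
    relro = bind_now = nx = False
    for i in range(phnum):
        off = phoff + i * phentsize
        if is64:  # Elf64_Phdr: type, flags, offset, vaddr, paddr, filesz
            p_type, p_flags, p_off, _, _, p_filesz = struct.unpack_from(e + "IIQQQQ", data, off)
        else:     # Elf32_Phdr: type, offset, vaddr, paddr, filesz, memsz, flags
            p_type, p_off, _, _, p_filesz, _, p_flags = struct.unpack_from(e + "7I", data, off)
        if p_type == PT_GNU_RELRO:      # segment emitted by -Wl,-z,relro
            relro = True
        elif p_type == PT_GNU_STACK:    # NX unless the stack segment is executable
            nx = not p_flags & PF_X
        elif p_type == PT_DYNAMIC:      # -Wl,-z,now sets a BIND_NOW flag in .dynamic
            fmt = e + ("QQ" if is64 else "II")
            seg = data[p_off:p_off + p_filesz]
            seg = seg[:len(seg) - len(seg) % struct.calcsize(fmt)]
            for tag, val in struct.iter_unpack(fmt, seg):
                if tag == DT_NULL:
                    break
                bind_now |= (tag == DT_BIND_NOW or (tag == DT_FLAGS and bool(val & DF_BIND_NOW))
                             or (tag == DT_FLAGS_1 and bool(val & DF_1_NOW)))
    # ET_DYN also covers shared libraries, so "pie" here means position independent.
    return {"relro": "full" if relro and bind_now else "partial" if relro else "none",
            "pie": e_type == ET_DYN, "nx": nx}

def sample_elf64(e_type, segments, dyn=()):
    """Constructed input: headers of a little-endian ELF64 plus a .dynamic table."""
    phnum = len(segments) + 1
    dynoff = 64 + 56 * phnum
    table = b"".join(struct.pack("<QQ", t, v) for t, v in (*dyn, (DT_NULL, 0)))
    ehdr = b"\x7fELF\x02\x01\x01" + bytes(9) + struct.pack(
        "<HHIQQQIHHHHHH", e_type, 62, 1, 0, 64, 0, 0, 64, 56, phnum, 0, 0, 0)
    phdrs = [(PT_DYNAMIC, 6, dynoff, len(table))] + [(t, f, 0, 0) for t, f in segments]
    return ehdr + b"".join(struct.pack("<IIQQQQQQ", t, f, o, 0, 0, n, n, 8)
                           for t, f, o, n in phdrs) + table
```

To audit real files, call elf_hardening(open(path, "rb").read()) for each ELF file under the rootfs and compare the result with what the recipe is expected to produce.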

Saturday, September 24, 2022

Some useful Linux command line tools for handling processes and threads

Listing some command line tools I have found useful for monitoring and experimenting, for later reference.

CPU and memory utilization

Use top(1) to see the CPU and memory utilization of the threads in a process

top -H -p <pid>


cpusets

Use https://github.com/SUSE/cpuset to easily try out cpusets (refer to https://github.com/SUSE/cpuset/blob/master/INSTALL for building and installing from source)

e.g. 

Cores 1, 2, and 3 in the user group

cset shield -c 1-3

Move the specified process and all its threads to the user group

cset shield --shield --pid=<pid> --threads


CPU affinity

taskset(1)

e.g.

Set CPU affinity of all threads of the specified process to cores 0 and 1

taskset -a -pc 0,1 <pid>


Scheduling policies, priorities

See sched(7) for scheduling details.

The Linux scheduler makes decisions based on the scheduling policy and priority of threads.

Use chrt(1) to manipulate policy/priority of a process.

e.g.

Set all threads of the specified process to have policy SCHED_RR and priority 30

chrt -a -p -r 30 <pid>


e.g.

Show minimum and maximum valid priorities

$ chrt -m
SCHED_OTHER min/max priority : 0/0
SCHED_FIFO min/max priority : 1/99
SCHED_RR min/max priority : 1/99
SCHED_BATCH min/max priority : 0/0
SCHED_IDLE min/max priority : 0/0
SCHED_DEADLINE min/max priority : 0/0


Change a thread's policy to SCHED_FIFO and its priority to the maximum

$ chrt -p -f 99 4296


Verify it's set properly

$ chrt -p 4296

pid 4296's current scheduling policy: SCHED_FIFO

pid 4296's current scheduling priority: 99


Naming pthreads

Not related to the command line, but very useful for debugging and monitoring purposes. For example,

top -H -p <pid>

will show us the thread name.

You can use

pthread_setname_np(3) or

prctl(2) with option PR_SET_NAME: this will set the name of the calling thread