Can use poky/meta/conf/distro/include/security_flags.inc to harden the build.
How to use it
According to poky/documentation/dev-manual/common-tasks.rst, you should add
require conf/distro/include/security_flags.inc
to your
• local.conf, or
• distribution config file
to enable it.
On Hardknott, this file is included and tested in the DISTRO="poky" configuration. That means
poky/meta-poky/conf/distro/poky.conf
adds
require conf/distro/include/security_flags.inc
Therefore, if you have meta-poky in your bblayers.conf, you are already using it.
What it does
Quoting from security_flags.inc:
Setup extra CFLAGS and LDFLAGS which have 'security' benefits.
What are the security features?
You will see these SECURITY_CFLAGS and SECURITY_LDFLAGS in security_flags.inc, like
SECURITY_CFLAGS ?= "${SECURITY_STACK_PROTECTOR} ${SECURITY_PIE_CFLAGS} ${lcl_maybe_fortify} ${SECURITY_STRINGFORMAT}"
SECURITY_LDFLAGS ?= "-Wl,-z,relro,-z,now"
See security_flags.inc for details.
For example, it can add following for the compiler:
• stack protection (-fstack-protector-strong)
• position independence (-pie -fPIE)
• fortification depending on optimization level (-D_FORTIFY_SOURCE=2)
• format string security (-Wformat -Wformat-security -Werror=format-security)
and
Relocation Read-Only support for the linker:
• partial RELRO (-Wl,-z,relro)
• full RELRO (-Wl,-z,now)
How these flags get propagated to recipes or the toolchain
Using TARGET_CC_ARCH and TARGET_LDFLAGS (look them up in poky/documentation/ref-manual/variables.rst).
In security_flags.inc, you will see the following:
TARGET_CC_ARCH_append_class-target = " ${SECURITY_CFLAGS}"
TARGET_LDFLAGS_append_class-target = " ${SECURITY_LDFLAGS}"
TARGET_CC_ARCH_append_class-cross-canadian = " ${SECURITY_CFLAGS}"
TARGET_LDFLAGS_append_class-cross-canadian = " ${SECURITY_LDFLAGS}"
Exceptions
See how security_flags.inc disables or modifies the flags for certain recipes. For example,
SECURITY_CFLAGS_pn-glibc = ""
SECURITY_LDFLAGS_pn-xserver-xorg = "${SECURITY_X_LDFLAGS}"
How to check binaries for some of these flags
You can use https://github.com/slimm609/checksec.sh
If you are running this on the target, it will look for several dependencies including readelf(1).
Either you will have to add them to the build, or tweak checksec.sh and simply copy readelf and any dependency from the target binaries of the SDK.
e.g.
$checksec --file=/usr/bin/lsusb
RELRO STACK CANARY NX PIE RPATH RUNPATH Symbols FORTIFY Fortified Fortifiable FILE
Full RELRO Canary found NX enabled PIE enabled No RPATH No RUNPATH No Symbols Yes 6 13 /usr/bin/lsusb
$checksec --file=/usr/sbin/syslogd
RELRO STACK CANARY NX PIE RPATH RUNPATH Symbols FORTIFY Fortified Fortifiable FILE
Partial RELRO No canary found NX enabled No PIE No RPATH No RUNPATH No Symbols No 0 15 /usr/sbin/syslogd