Sunday, October 16, 2022

Yocto security feature to harden the build

Can use poky/meta/conf/distro/include/security_flags.inc to harden the build.

How to use it

According to poky/documentation/dev-manual/common-tasks.rst, you should add

require conf/distro/include/security_flags.inc

to your

    • local.conf, or

    • distribution config file

to enable it.

On Hardknott, this file is included and tested in the DISTRO="poky" configuration. That means

poky/meta-poky/conf/distro/poky.conf

adds

require conf/distro/include/security_flags.inc

Therefore, if you have meta-poky in your bblayers.conf, you are already using it.

What it does

Quoting from security_flags.inc:

Setup extra CFLAGS and LDFLAGS which have 'security' benefits.

What are the security features?

You will see these SECURITY_CFLAGS and SECURITY_LDFLAGS in security_flags.inc, like

SECURITY_CFLAGS ?= "${SECURITY_STACK_PROTECTOR} ${SECURITY_PIE_CFLAGS} ${lcl_maybe_fortify} ${SECURITY_STRINGFORMAT}"

SECURITY_LDFLAGS ?= "-Wl,-z,relro,-z,now"

See security_flags.inc for details.

For example, it can add following for the compiler:

    • stack protection (-fstack-protector-strong)

    • position independence (-pie -fPIE)

    • fortification depending on optimization level (-D_FORTIFY_SOURCE=2)

    • format string security (-Wformat -Wformat-security -Werror=format-security)

and

Relocation Read-Only support for the linker:

    • partial RELRO (-Wl,-z,relro)

    • full RELRO (-Wl,-z,now)

How these flags get propagated to recipes or the toolchain

Using TARGET_CC_ARCH and TARGET_LDFLAGS (look them up in poky/documentation/ref-manual/variables.rst).

In security_flags.inc, you will see the following:

TARGET_CC_ARCH_append_class-target = " ${SECURITY_CFLAGS}"

TARGET_LDFLAGS_append_class-target = " ${SECURITY_LDFLAGS}"

TARGET_CC_ARCH_append_class-cross-canadian = " ${SECURITY_CFLAGS}"

TARGET_LDFLAGS_append_class-cross-canadian = " ${SECURITY_LDFLAGS}"

Exceptions

See how security_flags.inc disables or modifies the flags for certain recipes. For example,

SECURITY_CFLAGS_pn-glibc = ""

SECURITY_LDFLAGS_pn-xserver-xorg = "${SECURITY_X_LDFLAGS}"

How to check binaries for some of these flags

You can use https://github.com/slimm609/checksec.sh 

If you are running this on the target, it will look for several dependencies including readelf(1).

Either you will have to add them to the build, or tweak checksec.sh and simply copy readelf and any dependency from the target binaries of the SDK.

e.g.

$checksec --file=/usr/bin/lsusb
RELRO           STACK CANARY      NX            PIE             RPATH      RUNPATH      Symbols         FORTIFY Fortified       Fortifiable     FILE
Full RELRO      Canary found      NX enabled    PIE enabled     No RPATH   No RUNPATH   No Symbols        Yes   6               13              /usr/bin/lsusb

$checksec --file=/usr/sbin/syslogd
RELRO           STACK CANARY      NX            PIE             RPATH      RUNPATH      Symbols         FORTIFY Fortified       Fortifiable     FILE
Partial RELRO   No canary found   NX enabled    No PIE          No RPATH   No RUNPATH   No Symbols        No    0               15              /usr/sbin/syslogd

No comments: