summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorScott Rifenbark <scott.m.rifenbark@intel.com>2014-05-28 15:23:04 +0300
committerRichard Purdie <richard.purdie@linuxfoundation.org>2014-05-30 16:32:16 +0100
commit28d5925bdf60da538ecf0cb4a95df5282bb1cf18 (patch)
tree12576de761fa5e6dd793d7628ac4d47e8a0c83c4
parent8e9bfa5210bc187961917910e8b56a56ea6a26ca (diff)
downloadpoky-28d5925bdf60da538ecf0cb4a95df5282bb1cf18.tar.gz
dev-manual: Updated the "Making Images More Secure" section.
Fixes [YOCTO #5482] I did some significant re-writing and re-organization of this section. It now includes a bit about securing an image in general, provides general considerations, considerations specific to the OpenEmbedded build system, pointers to some tools in meta-security layer, and some other items. (From yocto-docs rev: a900286992e781f451b3c180726965f5c7172bb9) Signed-off-by: Scott Rifenbark <scott.m.rifenbark@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
-rw-r--r--documentation/dev-manual/dev-manual-common-tasks.xml180
1 files changed, 157 insertions, 23 deletions
diff --git a/documentation/dev-manual/dev-manual-common-tasks.xml b/documentation/dev-manual/dev-manual-common-tasks.xml
index aad8fb7787..d9fb9e2f4a 100644
--- a/documentation/dev-manual/dev-manual-common-tasks.xml
+++ b/documentation/dev-manual/dev-manual-common-tasks.xml
@@ -3841,32 +3841,166 @@
3841 <title>Making Images More Secure</title> 3841 <title>Making Images More Secure</title>
3842 3842
3843 <para> 3843 <para>
3844 The Yocto Project has security flags that you can enable that 3844 If securing your image is of concern, there are steps, tools,
3845 help make your build output more secure. 3845 and variables that you can consider to help you reach the
3846 The security flags are in the 3846 security goals you need for your particular device.
3847 <filename>meta/conf/distro/include/security_flags.inc</filename> 3847 Not all situations are identical when it comes to making an
3848 file in your 3848 image secure.
3849 <link linkend='source-directory'>Source Directory</link> 3849 Consequently, this section provides some guidance and suggestions
3850 (e.g. <filename>poky</filename>). 3850 for consideration when you want to make your image more secure.
3851 The section does not offer a complete solution.
3851 </para> 3852 </para>
3852 3853
3853 <para> 3854 <section id='general-considerations'>
3854 These GCC/LD flags enable more secure code generation. 3855 <title>General Considerations</title>
3855 By including the <filename>security_flags.inc</filename> 3856
3856 file, you enable flags to the compiler and linker that cause 3857 <para>
3857 them to generate more secure code. 3858 General considerations exist that help you create more
3858 <note> 3859 secure images.
3859 These flags are enabled by default in the 3860 You should consider the following suggestions to help
3860 <filename>poky-lsb</filename> distribution. 3861 make your device more secure:
3861 </note> 3862 <itemizedlist>
3862 Use the following line in your 3863 <listitem><para>
3863 <filename>local.conf</filename> file 3864 Scan additional code you are adding to the system
3864 to enable the security compiler and 3865 (e.g. application code) by using static analysis
3865 linker flags to your build: 3866 tools.
3866 <literallayout class='monospaced'> 3867 Look for buffer overflows and other potential
3868 security problems.
3869 </para></listitem>
3870 <listitem><para>
3871 Pay particular attention to to the security for
3872 any web-based administration interface.
3873 </para>
3874 <para>Web interfaces typically need to perform
3875 administrative functions and tend to need to run with
3876 elevated privileges.
3877 Thus, the consequences resulting from the interface's
3878 security becoming compromised can be serious.
3879 Look for common web vulnerabilities such as
3880 cross-site-scripting (XSS), unvalidated inputs,
3881 and so forth.</para>
3882 <para>As with system passwords, the default credentials
3883 for accessing a web-based interface should not be the
3884 same across all devices.
3885 This is particularly true if the interface is enabled
3886 by default as it can be assumed that many end-users
3887 will not change the credentials.
3888 </para></listitem>
3889 <listitem><para>
3890 Ensure you can update the software on the device to
3891 mitigate vulnerabilities discovered in the future.
3892 This consideration especially applies when your
3893 device is network-enabled.
3894 </para></listitem>
3895 <listitem><para>
3896 Ensure you remove or disable debugging functionality
3897 before producing the final image.
3898 </para></listitem>
3899 <listitem><para>
3900 Ensure you have no network services listening that
3901 are not needed.
3902 </para></listitem>
3903 <listitem><para>
3904 Remove any software from the image that is not needed.
3905 </para></listitem>
3906 <listitem><para>
3907 Enable hardware support for secure boot functionality
3908 when your device supports this functionality.
3909 </para></listitem>
3910 </itemizedlist>
3911 </para>
3912 </section>
3913
3914 <section id='security-flags'>
3915 <title>Security Flags</title>
3916
3917 <para>
3918 The Yocto Project has security flags that you can enable that
3919 help make your build output more secure.
3920 The security flags are in the
3921 <filename>meta/conf/distro/include/security_flags.inc</filename>
3922 file in your
3923 <link linkend='source-directory'>Source Directory</link>
3924 (e.g. <filename>poky</filename>).
3925 <note>
3926 Depending on the recipe, certain security flags are enabled
3927 and disabled by default.
3928 </note>
3929 </para>
3930
3931 <para>
3932 The GCC/LD flags in <filename>security_flags.inc</filename>
3933 enable more secure code generation.
3934 By including the <filename>security_flags.inc</filename>
3935 file, you enable flags to the compiler and linker that cause
3936 them to generate more secure code.
3937 <note>
3938 The GCC/LD flags are enabled by default in the
3939 <filename>poky-lsb</filename> distribution.
3940 </note>
3941 Use the following line in your
3942 <filename>local.conf</filename> file
3943 to enable the security compiler and
3944 linker flags to your build:
3945 <literallayout class='monospaced'>
3867 require conf/distro/include/security_flags.inc 3946 require conf/distro/include/security_flags.inc
3868 </literallayout> 3947 </literallayout>
3869 </para> 3948 </para>
3949 </section>
3950
3951 <section id='considerations-specific-to-the-openembedded-build-system'>
3952 <title>Considerations Specific to the OpenEmbedded Build System</title>
3953
3954 <para>
3955 You can take some steps that are specific to the
3956 OpenEmbedded build system to make your images more secure:
3957 <itemizedlist>
3958 <listitem><para>
3959 Ensure "debug-tweaks" is not listed with
3960 <ulink url='&YOCTO_DOCS_REF_URL;#var-IMAGE_FEATURES'><filename>IMAGE_FEATURES</filename></ulink>.
3961 The default is to enable "debug-tweaks" by adding it
3962 to
3963 <ulink url='&YOCTO_DOCS_REF_URL;#var-EXTRA_IMAGE_FEATURES'><filename>EXTRA_IMAGE_FEATURES</filename></ulink>
3964 in <filename>local.conf</filename>.
3965 However, you should comment out the variable or be
3966 sure that it does not have "debug-tweaks" before
3967 producing your final image.
3968 Among other things, leaving this in place sets the
3969 root password as blank.
3970 </para></listitem>
3971 <listitem><para>
3972 It is possible to set a root password or to add
3973 some additional user account for later administrative
3974 or service access using the
3975 <ulink url='&YOCTO_DOCS_REF_URL;#ref-classes-extrausers'><filename>extrausers</filename></ulink>
3976 class or the
3977 <ulink url='&YOCTO_DOCS_REF_URL;#var-ROOTFS_POSTPROCESS_COMMAND'><filename>ROOTFS_POSTPROCESS_COMMAND</filename></ulink>
3978 variable.
3979 If you do this, be cautious about setting
3980 the same password for every device.
3981 If you want the device to remain secure
3982 from unauthorized access, and the password set on
3983 all devices becomes compromised, then every device
3984 becomes compromised.
3985 If you need this access but want to ensure security,
3986 consider setting a different, random password for each
3987 device.
3988 </para></listitem>
3989 </itemizedlist>
3990 </para>
3991 </section>
3992
3993 <section id='tools-for-hardening-your-image'>
3994 <title>Tools for Hardening Your Image</title>
3995
3996 <para>
3997 The Yocto Project provides tools for making your image
3998 more secure.
3999 You can find these tools in the
4000 <filename>meta-security</filename> layer of the
4001 <ulink url='&YOCTO_GIT_URL;/cgit/cgit.cgi'>Yocto Project Source Repositories</ulink>.
4002 </para>
4003 </section>
3870 </section> 4004 </section>
3871 4005
3872 <section id='creating-your-own-distribution'> 4006 <section id='creating-your-own-distribution'>