security_flags.inc: Use -O with -D_FORTIFY_SOURCE

compiler can only use fortify options when some level of optimization is on, otherwise it ends up sending some warnings. warning: _FORTIFY_SOURCE requires compiling with optimization (-O) [-W#warnings] this is usually OK, since -O<level> would be added via CFLAGS to compiler cmdline in normal compile stages, however during configure there are problems when CC,CPP,CXX are probed alone in configure tests which results in above warning, which confuses the configure results and autotools 2.70+ detects it as error e.g. configure:17292: error: C preprocessor "riscv32-yoe-linux-clang -target riscv32-yoe-linux -mlittle-endian -mno-relax -Qunused-arguments -fstack-protector-strong -D_FORTIFY_SOURCE=2 -Wformat -Wformat-security -Werror=format-security --sysroot=/mnt/b/yoe/master/build/tmp/work/riscv32-yoe-linux/ndpi/3.4-r0/recipe-sysroot -E" fails sanity check See `config.log' for more details therefore adding a -O ( which actually is -O1 ) to lcl_maybe_fortify means we can properly test these configure tests and real -O<level> will still override -O added here, so overrall behavior improves (From OE-Core rev: b6113dd68caa46d56cf3c8293119f2b9d8b137fd) Signed-off-by: Khem Raj <raj.khem@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Khem Raj <raj.khem@gmail.com> 2021-02-05 22:31:38 -0800
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2021-02-08 14:47:16 +0000
commit: 525493e3efc9480a671dd0cd848923725961fc12 (patch)
tree: 4aad073ae5bb9633703cf58da243c5fc44ad9dc5
parent: 88cb39cc3cf55ff39c8913e93f497c3c07e9e862 (diff)
download: poky-525493e3efc9480a671dd0cd848923725961fc12.tar.gz
1 files changed, 1 insertions, 1 deletions
diff --git a/meta/conf/distro/include/security_flags.inc b/meta/conf/distro/include/security_flags.inc
index 4e64eb99f9..05253b2df9 100644
--- a/meta/conf/distro/include/security_flags.inc
+++ b/meta/conf/distro/include/security_flags.inc
@@ -10,7 +10,7 @@ GCCPIE ?= "--enable-default-pie"
 # _FORTIFY_SOURCE requires -O1 or higher, so disable in debug builds as they use
 # -O0 which then results in a compiler warning.
-lcl_maybe_fortify ?= "${@oe.utils.conditional('DEBUG_BUILD','1','','-D_FORTIFY_SOURCE=2',d)}"
+lcl_maybe_fortify ?= "${@oe.utils.conditional('DEBUG_BUILD','1','','-O -D_FORTIFY_SOURCE=2',d)}"
 # Error on use of format strings that represent possible security problems
 SECURITY_STRINGFORMAT ?= "-Wformat -Wformat-security -Werror=format-security"
author	Khem Raj <raj.khem@gmail.com>	2021-02-05 22:31:38 -0800
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2021-02-08 14:47:16 +0000
commit	525493e3efc9480a671dd0cd848923725961fc12 (patch)
tree	4aad073ae5bb9633703cf58da243c5fc44ad9dc5
parent	88cb39cc3cf55ff39c8913e93f497c3c07e9e862 (diff)
download	poky-525493e3efc9480a671dd0cd848923725961fc12.tar.gz

diff --git a/meta/conf/distro/include/security_flags.inc b/meta/conf/distro/include/security_flags.inc index 4e64eb99f9..05253b2df9 100644 --- a/meta/conf/distro/include/security_flags.inc +++ b/meta/conf/distro/include/security_flags.inc
@@ -10,7 +10,7 @@ GCCPIE ?= "--enable-default-pie"
10		10
11	# _FORTIFY_SOURCE requires -O1 or higher, so disable in debug builds as they use	11	# _FORTIFY_SOURCE requires -O1 or higher, so disable in debug builds as they use
12	# -O0 which then results in a compiler warning.	12	# -O0 which then results in a compiler warning.
13	lcl_maybe_fortify ?= "${@oe.utils.conditional('DEBUG_BUILD','1','','-D_FORTIFY_SOURCE=2',d)}"	13	lcl_maybe_fortify ?= "${@oe.utils.conditional('DEBUG_BUILD','1','','-O -D_FORTIFY_SOURCE=2',d)}"
14		14
15	# Error on use of format strings that represent possible security problems	15	# Error on use of format strings that represent possible security problems
16	SECURITY_STRINGFORMAT ?= "-Wformat -Wformat-security -Werror=format-security"	16	SECURITY_STRINGFORMAT ?= "-Wformat -Wformat-security -Werror=format-security"