dev-manual: Updated the "Making Images More Secure" section.

Fixes [YOCTO #5482] I did some significant re-writing and re-organization of this section. It now includes a bit about securing an image in general, provides general considerations, considerations specific to the OpenEmbedded build system, pointers to some tools in meta-security layer, and some other items. (From yocto-docs rev: a900286992e781f451b3c180726965f5c7172bb9) Signed-off-by: Scott Rifenbark <scott.m.rifenbark@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Scott Rifenbark <scott.m.rifenbark@intel.com> 2014-05-28 15:23:04 +0300
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2014-05-30 16:32:16 +0100
commit: 28d5925bdf60da538ecf0cb4a95df5282bb1cf18 (patch)
tree: 12576de761fa5e6dd793d7628ac4d47e8a0c83c4 /documentation/dev-manual
parent: 8e9bfa5210bc187961917910e8b56a56ea6a26ca (diff)
download: poky-28d5925bdf60da538ecf0cb4a95df5282bb1cf18.tar.gz
1 files changed, 157 insertions, 23 deletions
diff --git a/documentation/dev-manual/dev-manual-common-tasks.xml b/documentation/dev-manual/dev-manual-common-tasks.xml
index aad8fb7787..d9fb9e2f4a 100644
--- a/documentation/dev-manual/dev-manual-common-tasks.xml
+++ b/documentation/dev-manual/dev-manual-common-tasks.xml
@@ -3841,32 +3841,166 @@
        <title>Making Images More Secure</title>
        <para>
-            The Yocto Project has security flags that you can enable that
+            If securing your image is of concern, there are steps, tools,
-            help make your build output more secure.
+            and variables that you can consider to help you reach the
-            The security flags are in the
+            security goals you need for your particular device.
-            <filename>meta/conf/distro/include/security_flags.inc</filename>
+            Not all situations are identical when it comes to making an
-            file in your
+            image secure.
-            <link linkend='source-directory'>Source Directory</link>
+            Consequently, this section provides some guidance and suggestions
-            (e.g. <filename>poky</filename>).
+            for consideration when you want to make your image more secure.
+            The section does not offer a complete solution.
        </para>
-        <para>
+        <section id='general-considerations'>
-            These GCC/LD flags enable more secure code generation.
+            <title>General Considerations</title>
-            By including the <filename>security_flags.inc</filename>
-            file, you enable flags to the compiler and linker that cause
+            <para>
-            them to generate more secure code.
+                General considerations exist that help you create more
-            <note>
+                secure images.
-                These flags are enabled by default in the
+                You should consider the following suggestions to help
-                <filename>poky-lsb</filename> distribution.
+                make your device more secure:
-            </note>
+                <itemizedlist>
-            Use the following line in your
+                    <listitem><para>
-            <filename>local.conf</filename> file
+                        Scan additional code you are adding to the system
-            to enable the security compiler and
+                        (e.g. application code) by using static analysis
-            linker flags to your build:
+                        tools.
-            <literallayout class='monospaced'>
+                        Look for buffer overflows and other potential
+                        security problems.
+                    </para></listitem>
+                    <listitem><para>
+                        Pay particular attention to to the security for
+                        any web-based administration interface.
+                        </para>
+                        <para>Web interfaces typically need to perform
+                        administrative functions and tend to need to run with
+                        elevated privileges.
+                        Thus, the consequences resulting from the interface's
+                        security becoming compromised can be serious.
+                        Look for common web vulnerabilities such as
+                        cross-site-scripting (XSS), unvalidated inputs,
+                        and so forth.</para>
+                        <para>As with system passwords, the default credentials
+                        for accessing a web-based interface should not be the
+                        same across all devices.
+                        This is particularly true if the interface is enabled
+                        by default as it can be assumed that many end-users
+                        will not change the credentials.
+                    </para></listitem>
+                    <listitem><para>
+                        Ensure you can update the software on the device to
+                        mitigate vulnerabilities discovered in the future.
+                        This consideration especially applies when your
+                        device is network-enabled.
+                    </para></listitem>
+                    <listitem><para>
+                        Ensure you remove or disable debugging functionality
+                        before producing the final image.
+                    </para></listitem>
+                    <listitem><para>
+                        Ensure you have no network services listening that
+                        are not needed.
+                    </para></listitem>
+                    <listitem><para>
+                        Remove any software from the image that is not needed.
+                    </para></listitem>
+                    <listitem><para>
+                        Enable hardware support for secure boot functionality
+                        when your device supports this functionality.
+                    </para></listitem>
+                </itemizedlist>
+            </para>
+        </section>
+        <section id='security-flags'>
+            <title>Security Flags</title>
+            <para>
+                The Yocto Project has security flags that you can enable that
+                help make your build output more secure.
+                The security flags are in the
+                <filename>meta/conf/distro/include/security_flags.inc</filename>
+                file in your
+                <link linkend='source-directory'>Source Directory</link>
+                (e.g. <filename>poky</filename>).
+                <note>
+                    Depending on the recipe, certain security flags are enabled
+                    and disabled by default.
+                </note>
+            </para>
+            <para>
+                The GCC/LD flags in <filename>security_flags.inc</filename>
+                enable more secure code generation.
+                By including the <filename>security_flags.inc</filename>
+                file, you enable flags to the compiler and linker that cause
+                them to generate more secure code.
+                <note>
+                    The GCC/LD flags are enabled by default in the
+                    <filename>poky-lsb</filename> distribution.
+                </note>
+                Use the following line in your
+                <filename>local.conf</filename> file
+                to enable the security compiler and
+                linker flags to your build:
+                <literallayout class='monospaced'>
     require conf/distro/include/security_flags.inc
-            </literallayout>
+                </literallayout>
-        </para>
+            </para>
+        </section>
+        <section id='considerations-specific-to-the-openembedded-build-system'>
+            <title>Considerations Specific to the OpenEmbedded Build System</title>
+            <para>
+                You can take some steps that are specific to the
+                OpenEmbedded build system to make your images more secure:
+                <itemizedlist>
+                    <listitem><para>
+                        Ensure "debug-tweaks" is not listed with
+                        <ulink url='&YOCTO_DOCS_REF_URL;#var-IMAGE_FEATURES'><filename>IMAGE_FEATURES</filename></ulink>.
+                        The default is to enable "debug-tweaks" by adding it
+                        to
+                        <ulink url='&YOCTO_DOCS_REF_URL;#var-EXTRA_IMAGE_FEATURES'><filename>EXTRA_IMAGE_FEATURES</filename></ulink>
+                        in <filename>local.conf</filename>.
+                        However, you should comment out the variable or be
+                        sure that it does not have "debug-tweaks" before
+                        producing your final image.
+                        Among other things, leaving this in place sets the
+                        root password as blank.
+                    </para></listitem>
+                    <listitem><para>
+                        It is possible to set a root password or to add
+                        some additional user account for later administrative
+                        or service access using the
+                        <ulink url='&YOCTO_DOCS_REF_URL;#ref-classes-extrausers'><filename>extrausers</filename></ulink>
+                        class or the
+                        <ulink url='&YOCTO_DOCS_REF_URL;#var-ROOTFS_POSTPROCESS_COMMAND'><filename>ROOTFS_POSTPROCESS_COMMAND</filename></ulink>
+                        variable.
+                        If you do this, be cautious about setting
+                        the same password for every device.
+                        If you want the device to remain secure
+                        from unauthorized access, and the password set on
+                        all devices becomes compromised, then every device
+                        becomes compromised.
+                        If you need this access but want to ensure security,
+                        consider setting a different, random password for each
+                        device.
+                    </para></listitem>
+                </itemizedlist>
+            </para>
+        </section>
+        <section id='tools-for-hardening-your-image'>
+            <title>Tools for Hardening Your Image</title>
+            <para>
+                The Yocto Project provides tools for making your image
+                more secure.
+                You can find these tools in the
+                <filename>meta-security</filename> layer of the
+                <ulink url='&YOCTO_GIT_URL;/cgit/cgit.cgi'>Yocto Project Source Repositories</ulink>.
+            </para>
+        </section>
    </section>
    <section id='creating-your-own-distribution'>
author	Scott Rifenbark <scott.m.rifenbark@intel.com>	2014-05-28 15:23:04 +0300
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2014-05-30 16:32:16 +0100
commit	28d5925bdf60da538ecf0cb4a95df5282bb1cf18 (patch)
tree	12576de761fa5e6dd793d7628ac4d47e8a0c83c4 /documentation/dev-manual
parent	8e9bfa5210bc187961917910e8b56a56ea6a26ca (diff)
download	poky-28d5925bdf60da538ecf0cb4a95df5282bb1cf18.tar.gz

diff --git a/documentation/dev-manual/dev-manual-common-tasks.xml b/documentation/dev-manual/dev-manual-common-tasks.xml index aad8fb7787..d9fb9e2f4a 100644 --- a/documentation/dev-manual/dev-manual-common-tasks.xml +++ b/documentation/dev-manual/dev-manual-common-tasks.xml
@@ -3841,32 +3841,166 @@
3841	<title>Making Images More Secure</title>	3841	<title>Making Images More Secure</title>
3842		3842
3843	<para>	3843	<para>
3844	The Yocto Project has security flags that you can enable that	3844	If securing your image is of concern, there are steps, tools,
3845	help make your build output more secure.	3845	and variables that you can consider to help you reach the
3846	The security flags are in the	3846	security goals you need for your particular device.
3847	<filename>meta/conf/distro/include/security_flags.inc</filename>	3847	Not all situations are identical when it comes to making an
3848	file in your	3848	image secure.
3849	<link linkend='source-directory'>Source Directory</link>	3849	Consequently, this section provides some guidance and suggestions
3850	(e.g. <filename>poky</filename>).	3850	for consideration when you want to make your image more secure.
		3851	The section does not offer a complete solution.
3851	</para>	3852	</para>
3852		3853
3853	<para>	3854	<section id='general-considerations'>
3854	These GCC/LD flags enable more secure code generation.	3855	<title>General Considerations</title>
3855	By including the <filename>security_flags.inc</filename>	3856
3856	file, you enable flags to the compiler and linker that cause	3857	<para>
3857	them to generate more secure code.	3858	General considerations exist that help you create more
3858	<note>	3859	secure images.
3859	These flags are enabled by default in the	3860	You should consider the following suggestions to help
3860	<filename>poky-lsb</filename> distribution.	3861	make your device more secure:
3861	</note>	3862	<itemizedlist>
3862	Use the following line in your	3863	<listitem><para>
3863	<filename>local.conf</filename> file	3864	Scan additional code you are adding to the system
3864	to enable the security compiler and	3865	(e.g. application code) by using static analysis
3865	linker flags to your build:	3866	tools.
3866	<literallayout class='monospaced'>	3867	Look for buffer overflows and other potential
		3868	security problems.
		3869	</para></listitem>
		3870	<listitem><para>
		3871	Pay particular attention to to the security for
		3872	any web-based administration interface.
		3873	</para>
		3874	<para>Web interfaces typically need to perform
		3875	administrative functions and tend to need to run with
		3876	elevated privileges.
		3877	Thus, the consequences resulting from the interface's
		3878	security becoming compromised can be serious.
		3879	Look for common web vulnerabilities such as
		3880	cross-site-scripting (XSS), unvalidated inputs,
		3881	and so forth.</para>
		3882	<para>As with system passwords, the default credentials
		3883	for accessing a web-based interface should not be the
		3884	same across all devices.
		3885	This is particularly true if the interface is enabled
		3886	by default as it can be assumed that many end-users
		3887	will not change the credentials.
		3888	</para></listitem>
		3889	<listitem><para>
		3890	Ensure you can update the software on the device to
		3891	mitigate vulnerabilities discovered in the future.
		3892	This consideration especially applies when your
		3893	device is network-enabled.
		3894	</para></listitem>
		3895	<listitem><para>
		3896	Ensure you remove or disable debugging functionality
		3897	before producing the final image.
		3898	</para></listitem>
		3899	<listitem><para>
		3900	Ensure you have no network services listening that
		3901	are not needed.
		3902	</para></listitem>
		3903	<listitem><para>
		3904	Remove any software from the image that is not needed.
		3905	</para></listitem>
		3906	<listitem><para>
		3907	Enable hardware support for secure boot functionality
		3908	when your device supports this functionality.
		3909	</para></listitem>
		3910	</itemizedlist>
		3911	</para>
		3912	</section>
		3913
		3914	<section id='security-flags'>
		3915	<title>Security Flags</title>
		3916
		3917	<para>
		3918	The Yocto Project has security flags that you can enable that
		3919	help make your build output more secure.
		3920	The security flags are in the
		3921	<filename>meta/conf/distro/include/security_flags.inc</filename>
		3922	file in your
		3923	<link linkend='source-directory'>Source Directory</link>
		3924	(e.g. <filename>poky</filename>).
		3925	<note>
		3926	Depending on the recipe, certain security flags are enabled
		3927	and disabled by default.
		3928	</note>
		3929	</para>
		3930
		3931	<para>
		3932	The GCC/LD flags in <filename>security_flags.inc</filename>
		3933	enable more secure code generation.
		3934	By including the <filename>security_flags.inc</filename>
		3935	file, you enable flags to the compiler and linker that cause
		3936	them to generate more secure code.
		3937	<note>
		3938	The GCC/LD flags are enabled by default in the
		3939	<filename>poky-lsb</filename> distribution.
		3940	</note>
		3941	Use the following line in your
		3942	<filename>local.conf</filename> file
		3943	to enable the security compiler and
		3944	linker flags to your build:
		3945	<literallayout class='monospaced'>
3867	require conf/distro/include/security_flags.inc	3946	require conf/distro/include/security_flags.inc
3868	</literallayout>	3947	</literallayout>
3869	</para>	3948	</para>
		3949	</section>
		3950
		3951	<section id='considerations-specific-to-the-openembedded-build-system'>
		3952	<title>Considerations Specific to the OpenEmbedded Build System</title>
		3953
		3954	<para>
		3955	You can take some steps that are specific to the
		3956	OpenEmbedded build system to make your images more secure:
		3957	<itemizedlist>
		3958	<listitem><para>
		3959	Ensure "debug-tweaks" is not listed with
		3960	<ulink url='&YOCTO_DOCS_REF_URL;#var-IMAGE_FEATURES'><filename>IMAGE_FEATURES</filename></ulink>.
		3961	The default is to enable "debug-tweaks" by adding it
		3962	to
		3963	<ulink url='&YOCTO_DOCS_REF_URL;#var-EXTRA_IMAGE_FEATURES'><filename>EXTRA_IMAGE_FEATURES</filename></ulink>
		3964	in <filename>local.conf</filename>.
		3965	However, you should comment out the variable or be
		3966	sure that it does not have "debug-tweaks" before
		3967	producing your final image.
		3968	Among other things, leaving this in place sets the
		3969	root password as blank.
		3970	</para></listitem>
		3971	<listitem><para>
		3972	It is possible to set a root password or to add
		3973	some additional user account for later administrative
		3974	or service access using the
		3975	<ulink url='&YOCTO_DOCS_REF_URL;#ref-classes-extrausers'><filename>extrausers</filename></ulink>
		3976	class or the
		3977	<ulink url='&YOCTO_DOCS_REF_URL;#var-ROOTFS_POSTPROCESS_COMMAND'><filename>ROOTFS_POSTPROCESS_COMMAND</filename></ulink>
		3978	variable.
		3979	If you do this, be cautious about setting
		3980	the same password for every device.
		3981	If you want the device to remain secure
		3982	from unauthorized access, and the password set on
		3983	all devices becomes compromised, then every device
		3984	becomes compromised.
		3985	If you need this access but want to ensure security,
		3986	consider setting a different, random password for each
		3987	device.
		3988	</para></listitem>
		3989	</itemizedlist>
		3990	</para>
		3991	</section>
		3992
		3993	<section id='tools-for-hardening-your-image'>
		3994	<title>Tools for Hardening Your Image</title>
		3995
		3996	<para>
		3997	The Yocto Project provides tools for making your image
		3998	more secure.
		3999	You can find these tools in the
		4000	<filename>meta-security</filename> layer of the
		4001	<ulink url='&YOCTO_GIT_URL;/cgit/cgit.cgi'>Yocto Project Source Repositories</ulink>.
		4002	</para>
		4003	</section>
3870	</section>	4004	</section>
3871		4005
3872	<section id='creating-your-own-distribution'>	4006	<section id='creating-your-own-distribution'>