diff options
| author | Scott Rifenbark <scott.m.rifenbark@intel.com> | 2014-05-30 17:09:05 +0300 |
|---|---|---|
| committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2014-05-30 16:32:19 +0100 |
| commit | 5d14f3c03a628f72fca05bb8e0434a91cdf50e94 (patch) | |
| tree | b43f95febc941610aeae24652b80b7afeb59568a /documentation/dev-manual | |
| parent | 8beca348c17158ece30341cc1c24cadf7dbf657c (diff) | |
| download | poky-5d14f3c03a628f72fca05bb8e0434a91cdf50e94.tar.gz | |
dev-manual: Updates to the "Making Images More Secure" section.
Fixes [YOCTO #5482]
Applied extensive review edist from Paul Eggleton throughout
this section.
(From yocto-docs rev: aa0bcd9199c83b43bad2390ff2292a8c2abe7455)
Signed-off-by: Scott Rifenbark <scott.m.rifenbark@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'documentation/dev-manual')
| -rw-r--r-- | documentation/dev-manual/dev-manual-common-tasks.xml | 120 |
1 files changed, 92 insertions, 28 deletions
diff --git a/documentation/dev-manual/dev-manual-common-tasks.xml b/documentation/dev-manual/dev-manual-common-tasks.xml index 89437f7764..dffba96e7d 100644 --- a/documentation/dev-manual/dev-manual-common-tasks.xml +++ b/documentation/dev-manual/dev-manual-common-tasks.xml | |||
| @@ -3841,14 +3841,46 @@ | |||
| 3841 | <title>Making Images More Secure</title> | 3841 | <title>Making Images More Secure</title> |
| 3842 | 3842 | ||
| 3843 | <para> | 3843 | <para> |
| 3844 | If securing your image is of concern, there are steps, tools, | 3844 | Security for a device is always a concern. |
| 3845 | Consider the issues and problems discussed in just this | ||
| 3846 | sampling of work found across the Internet: | ||
| 3847 | <itemizedlist> | ||
| 3848 | <listitem><para><emphasis> | ||
| 3849 | "<ulink url='https://www.schneier.com/blog/archives/2014/01/security_risks_9.html'>Security Risks of Embedded Systems</ulink>"</emphasis> | ||
| 3850 | by Bruce Schneier | ||
| 3851 | </para></listitem> | ||
| 3852 | <listitem><para><emphasis> | ||
| 3853 | "<ulink url='http://internetcensus2012.bitbucket.org/paper.html'>Internet Census 2012</ulink>"</emphasis> | ||
| 3854 | by Carna Botnet</para></listitem> | ||
| 3855 | <listitem><para><emphasis> | ||
| 3856 | "<ulink url='http://elinux.org/images/6/6f/Security-issues.pdf'>Security Issues for Embedded Devices</ulink>"</emphasis> | ||
| 3857 | by Jake Edge | ||
| 3858 | </para></listitem> | ||
| 3859 | <listitem><para><emphasis> | ||
| 3860 | "<ulink url='https://www.nccgroup.com/media/18475/exploiting_security_gateways_via_their_web_interfaces.pdf'>They ought to know better: Exploiting Security | ||
| 3861 | Gateways via their Web Interfaces</ulink>"</emphasis> | ||
| 3862 | by Ben Williams | ||
| 3863 | </para></listitem> | ||
| 3864 | </itemizedlist> | ||
| 3865 | </para> | ||
| 3866 | |||
| 3867 | <para> | ||
| 3868 | When securing your image is of concern, there are steps, tools, | ||
| 3845 | and variables that you can consider to help you reach the | 3869 | and variables that you can consider to help you reach the |
| 3846 | security goals you need for your particular device. | 3870 | security goals you need for your particular device. |
| 3847 | Not all situations are identical when it comes to making an | 3871 | Not all situations are identical when it comes to making an |
| 3848 | image secure. | 3872 | image secure. |
| 3849 | Consequently, this section provides some guidance and suggestions | 3873 | Consequently, this section provides some guidance and suggestions |
| 3850 | for consideration when you want to make your image more secure. | 3874 | for consideration when you want to make your image more secure. |
| 3851 | The section does not offer a complete solution. | 3875 | </para> |
| 3876 | |||
| 3877 | <para> | ||
| 3878 | Because the security requirements and risks are | ||
| 3879 | different for every type of device, this section cannot | ||
| 3880 | provide a complete reference on securing your custom OS. | ||
| 3881 | It is strongly recommended that you also consult other sources | ||
| 3882 | of information on embedded Linux system hardening and on | ||
| 3883 | security. | ||
| 3852 | </para> | 3884 | </para> |
| 3853 | 3885 | ||
| 3854 | <section id='general-considerations'> | 3886 | <section id='general-considerations'> |
| @@ -3895,7 +3927,10 @@ | |||
| 3895 | <listitem><para> | 3927 | <listitem><para> |
| 3896 | Ensure you remove or disable debugging functionality | 3928 | Ensure you remove or disable debugging functionality |
| 3897 | before producing the final image. | 3929 | before producing the final image. |
| 3898 | </para></listitem> | 3930 | For information on how to do this, see the |
| 3931 | "<link linkend='considerations-specific-to-the-openembedded-build-system'>Considerations Specific to the OpenEmbedded Build System</link> | ||
| 3932 | section. | ||
| 3933 | </para></listitem> | ||
| 3899 | <listitem><para> | 3934 | <listitem><para> |
| 3900 | Ensure you have no network services listening that | 3935 | Ensure you have no network services listening that |
| 3901 | are not needed. | 3936 | are not needed. |
| @@ -3929,6 +3964,7 @@ | |||
| 3929 | </para> | 3964 | </para> |
| 3930 | 3965 | ||
| 3931 | <para> | 3966 | <para> |
| 3967 | <!-- | ||
| 3932 | The GCC/LD flags in <filename>security_flags.inc</filename> | 3968 | The GCC/LD flags in <filename>security_flags.inc</filename> |
| 3933 | enable more secure code generation. | 3969 | enable more secure code generation. |
| 3934 | By including the <filename>security_flags.inc</filename> | 3970 | By including the <filename>security_flags.inc</filename> |
| @@ -3938,10 +3974,11 @@ | |||
| 3938 | The GCC/LD flags are enabled by default in the | 3974 | The GCC/LD flags are enabled by default in the |
| 3939 | <filename>poky-lsb</filename> distribution. | 3975 | <filename>poky-lsb</filename> distribution. |
| 3940 | </note> | 3976 | </note> |
| 3977 | --> | ||
| 3941 | Use the following line in your | 3978 | Use the following line in your |
| 3942 | <filename>local.conf</filename> file | 3979 | <filename>local.conf</filename> file or in your custom |
| 3943 | to enable the security compiler and | 3980 | distribution configuration file to enable the security |
| 3944 | linker flags to your build: | 3981 | compiler and linker flags to your build: |
| 3945 | <literallayout class='monospaced'> | 3982 | <literallayout class='monospaced'> |
| 3946 | require conf/distro/include/security_flags.inc | 3983 | require conf/distro/include/security_flags.inc |
| 3947 | </literallayout> | 3984 | </literallayout> |
| @@ -3966,38 +4003,65 @@ | |||
| 3966 | sure that it does not have "debug-tweaks" before | 4003 | sure that it does not have "debug-tweaks" before |
| 3967 | producing your final image. | 4004 | producing your final image. |
| 3968 | Among other things, leaving this in place sets the | 4005 | Among other things, leaving this in place sets the |
| 3969 | root password as blank. | 4006 | root password as blank, which makes logging in for |
| 4007 | debugging or inspection easy during | ||
| 4008 | development but also means anyone can easily log in | ||
| 4009 | during production. | ||
| 3970 | </para></listitem> | 4010 | </para></listitem> |
| 3971 | <listitem><para> | 4011 | <listitem><para> |
| 3972 | It is possible to set a root password for the image. | 4012 | It is possible to set a root password for the image. |
| 3973 | For information on how to do that, see the | 4013 | When you set up root passwords for multiple images, |
| 3974 | <ulink url='https://wiki.yoctoproject.org/wiki/FAQ:How_do_I_set_or_change_the_root_password'>How do I set or change the root password</ulink> | 4014 | you should not duplicate them. |
| 3975 | Wiki page. | 4015 | See the note on passwords at the end of this list. |
| 4016 | </para> | ||
| 4017 | <para> | ||
| 4018 | To set up a root password, | ||
| 4019 | use the <filename>extrausers</filename> | ||
| 4020 | class, which is the preferred method. | ||
| 4021 | For an example on how to set up the root password, | ||
| 4022 | see the | ||
| 4023 | "<ulink url='&YOCTO_DOCS_REF_URL;#ref-classes-extrausers'><filename>extrausers.bbclass</filename></ulink>" | ||
| 4024 | section. | ||
| 4025 | <note> | ||
| 4026 | You can also see the the example in the | ||
| 4027 | <ulink url='https://wiki.yoctoproject.org/wiki/FAQ:How_do_I_set_or_change_the_root_password'>How do I set or change the root password Wiki</ulink> | ||
| 4028 | page as an alternative method. | ||
| 4029 | </note> | ||
| 3976 | </para></listitem> | 4030 | </para></listitem> |
| 3977 | <listitem><para> | 4031 | <listitem><para> |
| 3978 | It is possible to add an additional user account | 4032 | It is possible to add an additional user account |
| 3979 | for later administrative or service access using the | 4033 | for later administrative or service access. |
| 3980 | <ulink url='&YOCTO_DOCS_REF_URL;#ref-classes-extrausers'><filename>extrausers</filename></ulink> | 4034 | As with root passwords, be sure to not duplicate |
| 3981 | class or the | 4035 | passwords for generic users (e.g. tester, qa, and |
| 3982 | <ulink url='&YOCTO_DOCS_REF_URL;#var-ROOTFS_POSTPROCESS_COMMAND'><filename>ROOTFS_POSTPROCESS_COMMAND</filename></ulink> | 4036 | so forth) across multiple devices. |
| 3983 | variable. | 4037 | See the note on passwords following this list. |
| 3984 | For an example on how to add users, see the | ||
| 3985 | "<ulink url='&YOCTO_DOCS_REF_URL;#ref-classes-extrausers'><filename>extrausers.bbclass</filename></ulink>" | ||
| 3986 | section. | ||
| 3987 | </para> | 4038 | </para> |
| 3988 | <para>If you do add extra user accounts, | 4039 | <para> |
| 3989 | be cautious about setting | 4040 | As with the root password, you also use the |
| 3990 | the same password for every device. | 4041 | <ulink url='&YOCTO_DOCS_REF_URL;#ref-classes-extrausers'><filename>extrausers</filename></ulink> |
| 3991 | If you want the device to remain secure | 4042 | class. |
| 3992 | from unauthorized access, and the password set on | 4043 | </para></listitem> |
| 3993 | all devices becomes compromised, then every device | 4044 | <listitem><para> |
| 3994 | becomes compromised. | 4045 | Consider enabling a Mandatory Access Control (MAC) |
| 3995 | If you need this access but want to ensure security, | 4046 | framework (such as SMACK or SELinux) and tuning it |
| 3996 | consider setting a different, random password for each | 4047 | appropriately for your device's usage. |
| 3997 | device. | ||
| 3998 | </para></listitem> | 4048 | </para></listitem> |
| 3999 | </itemizedlist> | 4049 | </itemizedlist> |
| 4000 | </para> | 4050 | </para> |
| 4051 | |||
| 4052 | <para> | ||
| 4053 | <note><title>A Note about Passwords</title> | ||
| 4054 | When adding extra user accounts or deciding on root | ||
| 4055 | passwords for multiple devices, be cautious about setting | ||
| 4056 | the same passwords for multiple users or devices. | ||
| 4057 | If you want the device to remain secure from unauthorized | ||
| 4058 | access, and the password set on all devices becomes | ||
| 4059 | compromised, then every device becomes compromised. | ||
| 4060 | If you need this access but want to ensure security, | ||
| 4061 | consider setting a different, random passwords for each | ||
| 4062 | user or device. | ||
| 4063 | </note> | ||
| 4064 | </para> | ||
| 4001 | </section> | 4065 | </section> |
| 4002 | 4066 | ||
| 4003 | <section id='tools-for-hardening-your-image'> | 4067 | <section id='tools-for-hardening-your-image'> |