diff options
author | Scott Rifenbark <scott.m.rifenbark@intel.com> | 2014-05-28 15:23:04 +0300 |
---|---|---|
committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2014-05-30 16:32:16 +0100 |
commit | 28d5925bdf60da538ecf0cb4a95df5282bb1cf18 (patch) | |
tree | 12576de761fa5e6dd793d7628ac4d47e8a0c83c4 /documentation/dev-manual | |
parent | 8e9bfa5210bc187961917910e8b56a56ea6a26ca (diff) | |
download | poky-28d5925bdf60da538ecf0cb4a95df5282bb1cf18.tar.gz |
dev-manual: Updated the "Making Images More Secure" section.
Fixes [YOCTO #5482]
I did some significant re-writing and re-organization of this
section. It now includes a bit about securing an image in general,
provides general considerations, considerations specific to the
OpenEmbedded build system, pointers to some tools in meta-security
layer, and some other items.
(From yocto-docs rev: a900286992e781f451b3c180726965f5c7172bb9)
Signed-off-by: Scott Rifenbark <scott.m.rifenbark@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'documentation/dev-manual')
-rw-r--r-- | documentation/dev-manual/dev-manual-common-tasks.xml | 180 |
1 files changed, 157 insertions, 23 deletions
diff --git a/documentation/dev-manual/dev-manual-common-tasks.xml b/documentation/dev-manual/dev-manual-common-tasks.xml index aad8fb7787..d9fb9e2f4a 100644 --- a/documentation/dev-manual/dev-manual-common-tasks.xml +++ b/documentation/dev-manual/dev-manual-common-tasks.xml | |||
@@ -3841,32 +3841,166 @@ | |||
3841 | <title>Making Images More Secure</title> | 3841 | <title>Making Images More Secure</title> |
3842 | 3842 | ||
3843 | <para> | 3843 | <para> |
3844 | The Yocto Project has security flags that you can enable that | 3844 | If securing your image is of concern, there are steps, tools, |
3845 | help make your build output more secure. | 3845 | and variables that you can consider to help you reach the |
3846 | The security flags are in the | 3846 | security goals you need for your particular device. |
3847 | <filename>meta/conf/distro/include/security_flags.inc</filename> | 3847 | Not all situations are identical when it comes to making an |
3848 | file in your | 3848 | image secure. |
3849 | <link linkend='source-directory'>Source Directory</link> | 3849 | Consequently, this section provides some guidance and suggestions |
3850 | (e.g. <filename>poky</filename>). | 3850 | for consideration when you want to make your image more secure. |
3851 | The section does not offer a complete solution. | ||
3851 | </para> | 3852 | </para> |
3852 | 3853 | ||
3853 | <para> | 3854 | <section id='general-considerations'> |
3854 | These GCC/LD flags enable more secure code generation. | 3855 | <title>General Considerations</title> |
3855 | By including the <filename>security_flags.inc</filename> | 3856 | |
3856 | file, you enable flags to the compiler and linker that cause | 3857 | <para> |
3857 | them to generate more secure code. | 3858 | General considerations exist that help you create more |
3858 | <note> | 3859 | secure images. |
3859 | These flags are enabled by default in the | 3860 | You should consider the following suggestions to help |
3860 | <filename>poky-lsb</filename> distribution. | 3861 | make your device more secure: |
3861 | </note> | 3862 | <itemizedlist> |
3862 | Use the following line in your | 3863 | <listitem><para> |
3863 | <filename>local.conf</filename> file | 3864 | Scan additional code you are adding to the system |
3864 | to enable the security compiler and | 3865 | (e.g. application code) by using static analysis |
3865 | linker flags to your build: | 3866 | tools. |
3866 | <literallayout class='monospaced'> | 3867 | Look for buffer overflows and other potential |
3868 | security problems. | ||
3869 | </para></listitem> | ||
3870 | <listitem><para> | ||
3871 | Pay particular attention to to the security for | ||
3872 | any web-based administration interface. | ||
3873 | </para> | ||
3874 | <para>Web interfaces typically need to perform | ||
3875 | administrative functions and tend to need to run with | ||
3876 | elevated privileges. | ||
3877 | Thus, the consequences resulting from the interface's | ||
3878 | security becoming compromised can be serious. | ||
3879 | Look for common web vulnerabilities such as | ||
3880 | cross-site-scripting (XSS), unvalidated inputs, | ||
3881 | and so forth.</para> | ||
3882 | <para>As with system passwords, the default credentials | ||
3883 | for accessing a web-based interface should not be the | ||
3884 | same across all devices. | ||
3885 | This is particularly true if the interface is enabled | ||
3886 | by default as it can be assumed that many end-users | ||
3887 | will not change the credentials. | ||
3888 | </para></listitem> | ||
3889 | <listitem><para> | ||
3890 | Ensure you can update the software on the device to | ||
3891 | mitigate vulnerabilities discovered in the future. | ||
3892 | This consideration especially applies when your | ||
3893 | device is network-enabled. | ||
3894 | </para></listitem> | ||
3895 | <listitem><para> | ||
3896 | Ensure you remove or disable debugging functionality | ||
3897 | before producing the final image. | ||
3898 | </para></listitem> | ||
3899 | <listitem><para> | ||
3900 | Ensure you have no network services listening that | ||
3901 | are not needed. | ||
3902 | </para></listitem> | ||
3903 | <listitem><para> | ||
3904 | Remove any software from the image that is not needed. | ||
3905 | </para></listitem> | ||
3906 | <listitem><para> | ||
3907 | Enable hardware support for secure boot functionality | ||
3908 | when your device supports this functionality. | ||
3909 | </para></listitem> | ||
3910 | </itemizedlist> | ||
3911 | </para> | ||
3912 | </section> | ||
3913 | |||
3914 | <section id='security-flags'> | ||
3915 | <title>Security Flags</title> | ||
3916 | |||
3917 | <para> | ||
3918 | The Yocto Project has security flags that you can enable that | ||
3919 | help make your build output more secure. | ||
3920 | The security flags are in the | ||
3921 | <filename>meta/conf/distro/include/security_flags.inc</filename> | ||
3922 | file in your | ||
3923 | <link linkend='source-directory'>Source Directory</link> | ||
3924 | (e.g. <filename>poky</filename>). | ||
3925 | <note> | ||
3926 | Depending on the recipe, certain security flags are enabled | ||
3927 | and disabled by default. | ||
3928 | </note> | ||
3929 | </para> | ||
3930 | |||
3931 | <para> | ||
3932 | The GCC/LD flags in <filename>security_flags.inc</filename> | ||
3933 | enable more secure code generation. | ||
3934 | By including the <filename>security_flags.inc</filename> | ||
3935 | file, you enable flags to the compiler and linker that cause | ||
3936 | them to generate more secure code. | ||
3937 | <note> | ||
3938 | The GCC/LD flags are enabled by default in the | ||
3939 | <filename>poky-lsb</filename> distribution. | ||
3940 | </note> | ||
3941 | Use the following line in your | ||
3942 | <filename>local.conf</filename> file | ||
3943 | to enable the security compiler and | ||
3944 | linker flags to your build: | ||
3945 | <literallayout class='monospaced'> | ||
3867 | require conf/distro/include/security_flags.inc | 3946 | require conf/distro/include/security_flags.inc |
3868 | </literallayout> | 3947 | </literallayout> |
3869 | </para> | 3948 | </para> |
3949 | </section> | ||
3950 | |||
3951 | <section id='considerations-specific-to-the-openembedded-build-system'> | ||
3952 | <title>Considerations Specific to the OpenEmbedded Build System</title> | ||
3953 | |||
3954 | <para> | ||
3955 | You can take some steps that are specific to the | ||
3956 | OpenEmbedded build system to make your images more secure: | ||
3957 | <itemizedlist> | ||
3958 | <listitem><para> | ||
3959 | Ensure "debug-tweaks" is not listed with | ||
3960 | <ulink url='&YOCTO_DOCS_REF_URL;#var-IMAGE_FEATURES'><filename>IMAGE_FEATURES</filename></ulink>. | ||
3961 | The default is to enable "debug-tweaks" by adding it | ||
3962 | to | ||
3963 | <ulink url='&YOCTO_DOCS_REF_URL;#var-EXTRA_IMAGE_FEATURES'><filename>EXTRA_IMAGE_FEATURES</filename></ulink> | ||
3964 | in <filename>local.conf</filename>. | ||
3965 | However, you should comment out the variable or be | ||
3966 | sure that it does not have "debug-tweaks" before | ||
3967 | producing your final image. | ||
3968 | Among other things, leaving this in place sets the | ||
3969 | root password as blank. | ||
3970 | </para></listitem> | ||
3971 | <listitem><para> | ||
3972 | It is possible to set a root password or to add | ||
3973 | some additional user account for later administrative | ||
3974 | or service access using the | ||
3975 | <ulink url='&YOCTO_DOCS_REF_URL;#ref-classes-extrausers'><filename>extrausers</filename></ulink> | ||
3976 | class or the | ||
3977 | <ulink url='&YOCTO_DOCS_REF_URL;#var-ROOTFS_POSTPROCESS_COMMAND'><filename>ROOTFS_POSTPROCESS_COMMAND</filename></ulink> | ||
3978 | variable. | ||
3979 | If you do this, be cautious about setting | ||
3980 | the same password for every device. | ||
3981 | If you want the device to remain secure | ||
3982 | from unauthorized access, and the password set on | ||
3983 | all devices becomes compromised, then every device | ||
3984 | becomes compromised. | ||
3985 | If you need this access but want to ensure security, | ||
3986 | consider setting a different, random password for each | ||
3987 | device. | ||
3988 | </para></listitem> | ||
3989 | </itemizedlist> | ||
3990 | </para> | ||
3991 | </section> | ||
3992 | |||
3993 | <section id='tools-for-hardening-your-image'> | ||
3994 | <title>Tools for Hardening Your Image</title> | ||
3995 | |||
3996 | <para> | ||
3997 | The Yocto Project provides tools for making your image | ||
3998 | more secure. | ||
3999 | You can find these tools in the | ||
4000 | <filename>meta-security</filename> layer of the | ||
4001 | <ulink url='&YOCTO_GIT_URL;/cgit/cgit.cgi'>Yocto Project Source Repositories</ulink>. | ||
4002 | </para> | ||
4003 | </section> | ||
3870 | </section> | 4004 | </section> |
3871 | 4005 | ||
3872 | <section id='creating-your-own-distribution'> | 4006 | <section id='creating-your-own-distribution'> |