diff options
author | Khem Raj <raj.khem@gmail.com> | 2021-02-09 23:40:44 -0800 |
---|---|---|
committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2021-02-12 23:32:16 +0000 |
commit | fa7db243672ec7d8e1a1f45341ceadb0bc212794 (patch) | |
tree | c0182c4e014ac28539b71f00fa78de7d204b02e2 /meta/conf/distro/include/security_flags.inc | |
parent | 3c0919821bea44ce6c5337871a1e796b6c7489aa (diff) | |
download | poky-fa7db243672ec7d8e1a1f45341ceadb0bc212794.tar.gz |
security_flags.inc: Add same O<level> as in SELECTED_OPTIMIZATION
Adding -O can be troublesome in some packages where it may override the
O<n> specified by CFLAGS, this can be due to configure processing of
CFLAGS and munging them into new values in Makefiles, which is
contructed from CC and CFLAGS passed by bitbake environment. Problem
arises if the sequence is altered, which seems to be the case in some
packages e.g. ncurses, where the value from CC variable is added last
and thus overrides -O<n> coming from CFLAGS,
Therefore grok the value from SELECTED_OPTIMIZATION and append the
appropriate -O<level> flag to lcl_maybe_fortify so the level does not
change inaderdantly.
Since we do not use -O0 anymore there is no point of checking for
DEBUG_BUILD since it uses -Og now which works fine with
-D_FORTIFY_SOURCE=2, so check for optlevel O0 instead
(From OE-Core rev: 9571a18f7d15b3bffafc2e277ab90a21d6763697)
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Cc: Anuj Mittal <anuj.mittal@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta/conf/distro/include/security_flags.inc')
-rw-r--r-- | meta/conf/distro/include/security_flags.inc | 4 |
1 files changed, 3 insertions, 1 deletions
diff --git a/meta/conf/distro/include/security_flags.inc b/meta/conf/distro/include/security_flags.inc index 05253b2df9..f996ca9be2 100644 --- a/meta/conf/distro/include/security_flags.inc +++ b/meta/conf/distro/include/security_flags.inc | |||
@@ -10,7 +10,9 @@ GCCPIE ?= "--enable-default-pie" | |||
10 | 10 | ||
11 | # _FORTIFY_SOURCE requires -O1 or higher, so disable in debug builds as they use | 11 | # _FORTIFY_SOURCE requires -O1 or higher, so disable in debug builds as they use |
12 | # -O0 which then results in a compiler warning. | 12 | # -O0 which then results in a compiler warning. |
13 | lcl_maybe_fortify ?= "${@oe.utils.conditional('DEBUG_BUILD','1','','-O -D_FORTIFY_SOURCE=2',d)}" | 13 | OPTLEVEL = "${@bb.utils.filter('SELECTED_OPTIMIZATION', '-O0 -O1 -O2 -O3 -Ofast -Og -Os -Oz -O', d)}" |
14 | |||
15 | lcl_maybe_fortify ?= "${@oe.utils.conditional('OPTLEVEL','-O0','','${OPTLEVEL} -D_FORTIFY_SOURCE=2',d)}" | ||
14 | 16 | ||
15 | # Error on use of format strings that represent possible security problems | 17 | # Error on use of format strings that represent possible security problems |
16 | SECURITY_STRINGFORMAT ?= "-Wformat -Wformat-security -Werror=format-security" | 18 | SECURITY_STRINGFORMAT ?= "-Wformat -Wformat-security -Werror=format-security" |