diff options
Diffstat (limited to 'documentation/dev-manual/securing-images.rst')
-rw-r--r-- | documentation/dev-manual/securing-images.rst | 156 |
1 files changed, 156 insertions, 0 deletions
diff --git a/documentation/dev-manual/securing-images.rst b/documentation/dev-manual/securing-images.rst new file mode 100644 index 0000000000..e5791d3d6d --- /dev/null +++ b/documentation/dev-manual/securing-images.rst | |||
@@ -0,0 +1,156 @@ | |||
1 | .. SPDX-License-Identifier: CC-BY-SA-2.0-UK | ||
2 | |||
3 | Making Images More Secure | ||
4 | ************************* | ||
5 | |||
6 | Security is of increasing concern for embedded devices. Consider the | ||
7 | issues and problems discussed in just this sampling of work found across | ||
8 | the Internet: | ||
9 | |||
10 | - *"*\ `Security Risks of Embedded | ||
11 | Systems <https://www.schneier.com/blog/archives/2014/01/security_risks_9.html>`__\ *"* | ||
12 | by Bruce Schneier | ||
13 | |||
14 | - *"*\ `Internet Census | ||
15 | 2012 <http://census2012.sourceforge.net/paper.html>`__\ *"* by Carna | ||
16 | Botnet | ||
17 | |||
18 | - *"*\ `Security Issues for Embedded | ||
19 | Devices <https://elinux.org/images/6/6f/Security-issues.pdf>`__\ *"* | ||
20 | by Jake Edge | ||
21 | |||
22 | When securing your image is of concern, there are steps, tools, and | ||
23 | variables that you can consider to help you reach the security goals you | ||
24 | need for your particular device. Not all situations are identical when | ||
25 | it comes to making an image secure. Consequently, this section provides | ||
26 | some guidance and suggestions for consideration when you want to make | ||
27 | your image more secure. | ||
28 | |||
29 | .. note:: | ||
30 | |||
31 | Because the security requirements and risks are different for every | ||
32 | type of device, this section cannot provide a complete reference on | ||
33 | securing your custom OS. It is strongly recommended that you also | ||
34 | consult other sources of information on embedded Linux system | ||
35 | hardening and on security. | ||
36 | |||
37 | General Considerations | ||
38 | ====================== | ||
39 | |||
40 | There are general considerations that help you create more secure images. | ||
41 | You should consider the following suggestions to make your device | ||
42 | more secure: | ||
43 | |||
44 | - Scan additional code you are adding to the system (e.g. application | ||
45 | code) by using static analysis tools. Look for buffer overflows and | ||
46 | other potential security problems. | ||
47 | |||
48 | - Pay particular attention to the security for any web-based | ||
49 | administration interface. | ||
50 | |||
51 | Web interfaces typically need to perform administrative functions and | ||
52 | tend to need to run with elevated privileges. Thus, the consequences | ||
53 | resulting from the interface's security becoming compromised can be | ||
54 | serious. Look for common web vulnerabilities such as | ||
55 | cross-site-scripting (XSS), unvalidated inputs, and so forth. | ||
56 | |||
57 | As with system passwords, the default credentials for accessing a | ||
58 | web-based interface should not be the same across all devices. This | ||
59 | is particularly true if the interface is enabled by default as it can | ||
60 | be assumed that many end-users will not change the credentials. | ||
61 | |||
62 | - Ensure you can update the software on the device to mitigate | ||
63 | vulnerabilities discovered in the future. This consideration | ||
64 | especially applies when your device is network-enabled. | ||
65 | |||
66 | - Regularly scan and apply fixes for CVE security issues affecting | ||
67 | all software components in the product, see ":ref:`dev-manual/vulnerabilities:checking for vulnerabilities`". | ||
68 | |||
69 | - Regularly update your version of Poky and OE-Core from their upstream | ||
70 | developers, e.g. to apply updates and security fixes from stable | ||
71 | and :term:`LTS` branches. | ||
72 | |||
73 | - Ensure you remove or disable debugging functionality before producing | ||
74 | the final image. For information on how to do this, see the | ||
75 | ":ref:`dev-manual/securing-images:considerations specific to the openembedded build system`" | ||
76 | section. | ||
77 | |||
78 | - Ensure you have no network services listening that are not needed. | ||
79 | |||
80 | - Remove any software from the image that is not needed. | ||
81 | |||
82 | - Enable hardware support for secure boot functionality when your | ||
83 | device supports this functionality. | ||
84 | |||
85 | Security Flags | ||
86 | ============== | ||
87 | |||
88 | The Yocto Project has security flags that you can enable that help make | ||
89 | your build output more secure. The security flags are in the | ||
90 | ``meta/conf/distro/include/security_flags.inc`` file in your | ||
91 | :term:`Source Directory` (e.g. ``poky``). | ||
92 | |||
93 | .. note:: | ||
94 | |||
95 | Depending on the recipe, certain security flags are enabled and | ||
96 | disabled by default. | ||
97 | |||
98 | Use the following line in your ``local.conf`` file or in your custom | ||
99 | distribution configuration file to enable the security compiler and | ||
100 | linker flags for your build:: | ||
101 | |||
102 | require conf/distro/include/security_flags.inc | ||
103 | |||
104 | Considerations Specific to the OpenEmbedded Build System | ||
105 | ======================================================== | ||
106 | |||
107 | You can take some steps that are specific to the OpenEmbedded build | ||
108 | system to make your images more secure: | ||
109 | |||
110 | - Ensure "debug-tweaks" is not one of your selected | ||
111 | :term:`IMAGE_FEATURES`. | ||
112 | When creating a new project, the default is to provide you with an | ||
113 | initial ``local.conf`` file that enables this feature using the | ||
114 | :term:`EXTRA_IMAGE_FEATURES` | ||
115 | variable with the line:: | ||
116 | |||
117 | EXTRA_IMAGE_FEATURES = "debug-tweaks" | ||
118 | |||
119 | To disable that feature, simply comment out that line in your | ||
120 | ``local.conf`` file, or make sure :term:`IMAGE_FEATURES` does not contain | ||
121 | "debug-tweaks" before producing your final image. Among other things, | ||
122 | leaving this in place sets the root password as blank, which makes | ||
123 | logging in for debugging or inspection easy during development but | ||
124 | also means anyone can easily log in during production. | ||
125 | |||
126 | - It is possible to set a root password for the image and also to set | ||
127 | passwords for any extra users you might add (e.g. administrative or | ||
128 | service type users). When you set up passwords for multiple images or | ||
129 | users, you should not duplicate passwords. | ||
130 | |||
131 | To set up passwords, use the :ref:`ref-classes-extrausers` class, which | ||
132 | is the preferred method. For an example on how to set up both root and | ||
133 | user passwords, see the ":ref:`ref-classes-extrausers`" section. | ||
134 | |||
135 | .. note:: | ||
136 | |||
137 | When adding extra user accounts or setting a root password, be | ||
138 | cautious about setting the same password on every device. If you | ||
139 | do this, and the password you have set is exposed, then every | ||
140 | device is now potentially compromised. If you need this access but | ||
141 | want to ensure security, consider setting a different, random | ||
142 | password for each device. Typically, you do this as a separate | ||
143 | step after you deploy the image onto the device. | ||
144 | |||
145 | - Consider enabling a Mandatory Access Control (MAC) framework such as | ||
146 | SMACK or SELinux and tuning it appropriately for your device's usage. | ||
147 | You can find more information in the | ||
148 | :yocto_git:`meta-selinux </meta-selinux/>` layer. | ||
149 | |||
150 | Tools for Hardening Your Image | ||
151 | ============================== | ||
152 | |||
153 | The Yocto Project provides tools for making your image more secure. You | ||
154 | can find these tools in the ``meta-security`` layer of the | ||
155 | :yocto_git:`Yocto Project Source Repositories <>`. | ||
156 | |||