1 files changed, 215 insertions, 20 deletions
diff --git a/documentation/dev-manual/dev-manual-common-tasks.xml b/documentation/dev-manual/dev-manual-common-tasks.xml
index bead56c978..27e1b52fc7 100644
--- a/documentation/dev-manual/dev-manual-common-tasks.xml
+++ b/documentation/dev-manual/dev-manual-common-tasks.xml
@@ -3577,32 +3577,227 @@
        <title>Making Images More Secure</title>
        <para>
-            The Yocto Project has security flags that you can enable that
+            Security is of increasing concern for embedded devices.
-            help make your build output more secure.
+            Consider the issues and problems discussed in just this
-            The security flags are in the
+            sampling of work found across the Internet:
-            <filename>meta/conf/distro/include/security_flags.inc</filename>
+            <itemizedlist>
-            file in your
+                <listitem><para><emphasis>
-            <link linkend='source-directory'>Source Directory</link>
+                    "<ulink url='https://www.schneier.com/blog/archives/2014/01/security_risks_9.html'>Security Risks of Embedded Systems</ulink>"</emphasis>
-            (e.g. <filename>poky</filename>).
+                    by Bruce Schneier
+                    </para></listitem>
+                <listitem><para><emphasis>
+                    "<ulink url='http://internetcensus2012.bitbucket.org/paper.html'>Internet Census 2012</ulink>"</emphasis>
+                    by Carna Botnet</para></listitem>
+                <listitem><para><emphasis>
+                    "<ulink url='http://elinux.org/images/6/6f/Security-issues.pdf'>Security Issues for Embedded Devices</ulink>"</emphasis>
+                    by Jake Edge
+                    </para></listitem>
+                <listitem><para><emphasis>
+                    "<ulink url='https://www.nccgroup.com/media/18475/exploiting_security_gateways_via_their_web_interfaces.pdf'>They ought to know better: Exploiting Security
+Gateways via their Web Interfaces</ulink>"</emphasis>
+                    by Ben Williams
+                    </para></listitem>
+            </itemizedlist>
        </para>
        <para>
-            These GCC/LD flags enable more secure code generation.
+            When securing your image is of concern, there are steps, tools,
-            By including the <filename>security_flags.inc</filename>
+            and variables that you can consider to help you reach the
-            file, you enable flags to the compiler and linker that cause
+            security goals you need for your particular device.
-            them to generate more secure code.
+            Not all situations are identical when it comes to making an
+            image secure.
+            Consequently, this section provides some guidance and suggestions
+            for consideration when you want to make your image more secure.
            <note>
-                These flags are enabled by default in the
+                Because the security requirements and risks are
-                <filename>poky-lsb</filename> distribution.
+                different for every type of device, this section cannot
+                provide a complete reference on securing your custom OS.
+                It is strongly recommended that you also consult other sources
+                of information on embedded Linux system hardening and on
+                security.
            </note>
-            Use the following line in your
-            <filename>local.conf</filename> file
-            to enable the security compiler and
-            linker flags to your build:
-            <literallayout class='monospaced'>
-     require conf/distro/include/security_flags.inc
-            </literallayout>
        </para>
+        <section id='general-considerations'>
+            <title>General Considerations</title>
+            <para>
+                General considerations exist that help you create more
+                secure images.
+                You should consider the following suggestions to help
+                make your device more secure:
+                <itemizedlist>
+                    <listitem><para>
+                        Scan additional code you are adding to the system
+                        (e.g. application code) by using static analysis
+                        tools.
+                        Look for buffer overflows and other potential
+                        security problems.
+                    </para></listitem>
+                    <listitem><para>
+                        Pay particular attention to to the security for
+                        any web-based administration interface.
+                        </para>
+                        <para>Web interfaces typically need to perform
+                        administrative functions and tend to need to run with
+                        elevated privileges.
+                        Thus, the consequences resulting from the interface's
+                        security becoming compromised can be serious.
+                        Look for common web vulnerabilities such as
+                        cross-site-scripting (XSS), unvalidated inputs,
+                        and so forth.</para>
+                        <para>As with system passwords, the default credentials
+                        for accessing a web-based interface should not be the
+                        same across all devices.
+                        This is particularly true if the interface is enabled
+                        by default as it can be assumed that many end-users
+                        will not change the credentials.
+                    </para></listitem>
+                    <listitem><para>
+                        Ensure you can update the software on the device to
+                        mitigate vulnerabilities discovered in the future.
+                        This consideration especially applies when your
+                        device is network-enabled.
+                    </para></listitem>
+                    <listitem><para>
+                        Ensure you remove or disable debugging functionality
+                        before producing the final image.
+                        For information on how to do this, see the
+                        "<link linkend='considerations-specific-to-the-openembedded-build-system'>Considerations Specific to the OpenEmbedded Build System</link>"
+                        section.
+                        </para></listitem>
+                    <listitem><para>
+                        Ensure you have no network services listening that
+                        are not needed.
+                    </para></listitem>
+                    <listitem><para>
+                        Remove any software from the image that is not needed.
+                    </para></listitem>
+                    <listitem><para>
+                        Enable hardware support for secure boot functionality
+                        when your device supports this functionality.
+                    </para></listitem>
+                </itemizedlist>
+            </para>
+        </section>
+        <section id='security-flags'>
+            <title>Security Flags</title>
+            <para>
+                The Yocto Project has security flags that you can enable that
+                help make your build output more secure.
+                The security flags are in the
+                <filename>meta/conf/distro/include/security_flags.inc</filename>
+                file in your
+                <link linkend='source-directory'>Source Directory</link>
+                (e.g. <filename>poky</filename>).
+                <note>
+                    Depending on the recipe, certain security flags are enabled
+                    and disabled by default.
+                </note>
+            </para>
+            <para>
+<!--
+                The GCC/LD flags in <filename>security_flags.inc</filename>
+                enable more secure code generation.
+                By including the <filename>security_flags.inc</filename>
+                file, you enable flags to the compiler and linker that cause
+                them to generate more secure code.
+                <note>
+                    The GCC/LD flags are enabled by default in the
+                    <filename>poky-lsb</filename> distribution.
+                </note>
+-->
+                Use the following line in your
+                <filename>local.conf</filename> file or in your custom
+                distribution configuration file to enable the security
+                compiler and linker flags to your build:
+                <literallayout class='monospaced'>
+     require conf/distro/include/security_flags.inc
+                </literallayout>
+            </para>
+        </section>
+        <section id='considerations-specific-to-the-openembedded-build-system'>
+            <title>Considerations Specific to the OpenEmbedded Build System</title>
+            <para>
+                You can take some steps that are specific to the
+                OpenEmbedded build system to make your images more secure:
+                <itemizedlist>
+                    <listitem><para>
+                        Ensure "debug-tweaks" is not listed with
+                        <ulink url='&YOCTO_DOCS_REF_URL;#var-IMAGE_FEATURES'><filename>IMAGE_FEATURES</filename></ulink>.
+                        The default is to enable "debug-tweaks" by adding it
+                        to
+                        <ulink url='&YOCTO_DOCS_REF_URL;#var-EXTRA_IMAGE_FEATURES'><filename>EXTRA_IMAGE_FEATURES</filename></ulink>
+                        in <filename>local.conf</filename>.
+                        However, you should comment out the variable or be
+                        sure that it does not have "debug-tweaks" before
+                        producing your final image.
+                        Among other things, leaving this in place sets the
+                        root password as blank, which makes logging in for
+                        debugging or inspection easy during
+                        development but also means anyone can easily log in
+                        during production.
+                        </para></listitem>
+                    <listitem><para>
+                        It is possible to set a root password for the image
+                        and also to set passwords for any extra users you might
+                        add (e.g. administrative or service type users).
+                        When you set up passwords for multiple images or
+                        users, you should not duplicate passwords.
+                        </para>
+                        <para>
+                        To set up passwords, use the
+                        <filename>extrausers</filename> class, which is the
+                        preferred method.
+                        For an example on how to set up both root and user
+                        passwords, see the
+                        "<ulink url='&YOCTO_DOCS_REF_URL;#ref-classes-extrausers'><filename>extrausers.bbclass</filename></ulink>"
+                        section.
+                        <note>
+                            When adding extra user accounts or setting a
+                            root password, be cautious about setting the
+                            same password on every device.
+                            If you do this, and the password you have set
+                            is exposed, then every device is now potentially
+                            compromised.
+                            If you need this access but want to ensure
+                            security, consider setting a different,
+                            random password for each device.
+                            Typically, you do this as a separate step after
+                            you deploy the image onto the device.
+                        </note>
+                        </para></listitem>
+                    <listitem><para>
+                        Consider enabling a Mandatory Access Control (MAC)
+                        framework (such as SMACK or SELinux) and tuning it
+                        appropriately for your device's usage.
+                        You can find more information in the
+                        <ulink url='http://git.yoctoproject.org/cgit/cgit.cgi/meta-selinux/'><filename>meta-selinux</filename></ulink>
+                        layer.
+                        </para></listitem>
+                </itemizedlist>
+            </para>
+            <para>
+            </para>
+        </section>
+        <section id='tools-for-hardening-your-image'>
+            <title>Tools for Hardening Your Image</title>
+            <para>
+                The Yocto Project provides tools for making your image
+                more secure.
+                You can find these tools in the
+                <filename>meta-security</filename> layer of the
+                <ulink url='&YOCTO_GIT_URL;/cgit/cgit.cgi'>Yocto Project Source Repositories</ulink>.
+            </para>
+        </section>
    </section>
    <section id='creating-your-own-distribution'>

diff --git a/documentation/dev-manual/dev-manual-common-tasks.xml b/documentation/dev-manual/dev-manual-common-tasks.xml index bead56c978..27e1b52fc7 100644 --- a/documentation/dev-manual/dev-manual-common-tasks.xml +++ b/documentation/dev-manual/dev-manual-common-tasks.xml
@@ -3577,32 +3577,227 @@
3577	<title>Making Images More Secure</title>	3577	<title>Making Images More Secure</title>
3578		3578
3579	<para>	3579	<para>
3580	The Yocto Project has security flags that you can enable that	3580	Security is of increasing concern for embedded devices.
3581	help make your build output more secure.	3581	Consider the issues and problems discussed in just this
3582	The security flags are in the	3582	sampling of work found across the Internet:
3583	<filename>meta/conf/distro/include/security_flags.inc</filename>	3583	<itemizedlist>
3584	file in your	3584	<listitem><para><emphasis>
3585	<link linkend='source-directory'>Source Directory</link>	3585	"<ulink url='https://www.schneier.com/blog/archives/2014/01/security_risks_9.html'>Security Risks of Embedded Systems</ulink>"</emphasis>
3586	(e.g. <filename>poky</filename>).	3586	by Bruce Schneier
		3587	</para></listitem>
		3588	<listitem><para><emphasis>
		3589	"<ulink url='http://internetcensus2012.bitbucket.org/paper.html'>Internet Census 2012</ulink>"</emphasis>
		3590	by Carna Botnet</para></listitem>
		3591	<listitem><para><emphasis>
		3592	"<ulink url='http://elinux.org/images/6/6f/Security-issues.pdf'>Security Issues for Embedded Devices</ulink>"</emphasis>
		3593	by Jake Edge
		3594	</para></listitem>
		3595	<listitem><para><emphasis>
		3596	"<ulink url='https://www.nccgroup.com/media/18475/exploiting_security_gateways_via_their_web_interfaces.pdf'>They ought to know better: Exploiting Security
		3597	Gateways via their Web Interfaces</ulink>"</emphasis>
		3598	by Ben Williams
		3599	</para></listitem>
		3600	</itemizedlist>
3587	</para>	3601	</para>
3588		3602
3589	<para>	3603	<para>
3590	These GCC/LD flags enable more secure code generation.	3604	When securing your image is of concern, there are steps, tools,
3591	By including the <filename>security_flags.inc</filename>	3605	and variables that you can consider to help you reach the
3592	file, you enable flags to the compiler and linker that cause	3606	security goals you need for your particular device.
3593	them to generate more secure code.	3607	Not all situations are identical when it comes to making an
		3608	image secure.
		3609	Consequently, this section provides some guidance and suggestions
		3610	for consideration when you want to make your image more secure.
3594	<note>	3611	<note>
3595	These flags are enabled by default in the	3612	Because the security requirements and risks are
3596	<filename>poky-lsb</filename> distribution.	3613	different for every type of device, this section cannot
		3614	provide a complete reference on securing your custom OS.
		3615	It is strongly recommended that you also consult other sources
		3616	of information on embedded Linux system hardening and on
		3617	security.
3597	</note>	3618	</note>
3598	Use the following line in your
3599	<filename>local.conf</filename> file
3600	to enable the security compiler and
3601	linker flags to your build:
3602	<literallayout class='monospaced'>
3603	require conf/distro/include/security_flags.inc
3604	</literallayout>
3605	</para>	3619	</para>
		3620
		3621	<section id='general-considerations'>
		3622	<title>General Considerations</title>
		3623
		3624	<para>
		3625	General considerations exist that help you create more
		3626	secure images.
		3627	You should consider the following suggestions to help
		3628	make your device more secure:
		3629	<itemizedlist>
		3630	<listitem><para>
		3631	Scan additional code you are adding to the system
		3632	(e.g. application code) by using static analysis
		3633	tools.
		3634	Look for buffer overflows and other potential
		3635	security problems.
		3636	</para></listitem>
		3637	<listitem><para>
		3638	Pay particular attention to to the security for
		3639	any web-based administration interface.
		3640	</para>
		3641	<para>Web interfaces typically need to perform
		3642	administrative functions and tend to need to run with
		3643	elevated privileges.
		3644	Thus, the consequences resulting from the interface's
		3645	security becoming compromised can be serious.
		3646	Look for common web vulnerabilities such as
		3647	cross-site-scripting (XSS), unvalidated inputs,
		3648	and so forth.</para>
		3649	<para>As with system passwords, the default credentials
		3650	for accessing a web-based interface should not be the
		3651	same across all devices.
		3652	This is particularly true if the interface is enabled
		3653	by default as it can be assumed that many end-users
		3654	will not change the credentials.
		3655	</para></listitem>
		3656	<listitem><para>
		3657	Ensure you can update the software on the device to
		3658	mitigate vulnerabilities discovered in the future.
		3659	This consideration especially applies when your
		3660	device is network-enabled.
		3661	</para></listitem>
		3662	<listitem><para>
		3663	Ensure you remove or disable debugging functionality
		3664	before producing the final image.
		3665	For information on how to do this, see the
		3666	"<link linkend='considerations-specific-to-the-openembedded-build-system'>Considerations Specific to the OpenEmbedded Build System</link>"
		3667	section.
		3668	</para></listitem>
		3669	<listitem><para>
		3670	Ensure you have no network services listening that
		3671	are not needed.
		3672	</para></listitem>
		3673	<listitem><para>
		3674	Remove any software from the image that is not needed.
		3675	</para></listitem>
		3676	<listitem><para>
		3677	Enable hardware support for secure boot functionality
		3678	when your device supports this functionality.
		3679	</para></listitem>
		3680	</itemizedlist>
		3681	</para>
		3682	</section>
		3683
		3684	<section id='security-flags'>
		3685	<title>Security Flags</title>
		3686
		3687	<para>
		3688	The Yocto Project has security flags that you can enable that
		3689	help make your build output more secure.
		3690	The security flags are in the
		3691	<filename>meta/conf/distro/include/security_flags.inc</filename>
		3692	file in your
		3693	<link linkend='source-directory'>Source Directory</link>
		3694	(e.g. <filename>poky</filename>).
		3695	<note>
		3696	Depending on the recipe, certain security flags are enabled
		3697	and disabled by default.
		3698	</note>
		3699	</para>
		3700
		3701	<para>
		3702	<!--
		3703	The GCC/LD flags in <filename>security_flags.inc</filename>
		3704	enable more secure code generation.
		3705	By including the <filename>security_flags.inc</filename>
		3706	file, you enable flags to the compiler and linker that cause
		3707	them to generate more secure code.
		3708	<note>
		3709	The GCC/LD flags are enabled by default in the
		3710	<filename>poky-lsb</filename> distribution.
		3711	</note>
		3712	-->
		3713	Use the following line in your
		3714	<filename>local.conf</filename> file or in your custom
		3715	distribution configuration file to enable the security
		3716	compiler and linker flags to your build:
		3717	<literallayout class='monospaced'>
		3718	require conf/distro/include/security_flags.inc
		3719	</literallayout>
		3720	</para>
		3721	</section>
		3722
		3723	<section id='considerations-specific-to-the-openembedded-build-system'>
		3724	<title>Considerations Specific to the OpenEmbedded Build System</title>
		3725
		3726	<para>
		3727	You can take some steps that are specific to the
		3728	OpenEmbedded build system to make your images more secure:
		3729	<itemizedlist>
		3730	<listitem><para>
		3731	Ensure "debug-tweaks" is not listed with
		3732	<ulink url='&YOCTO_DOCS_REF_URL;#var-IMAGE_FEATURES'><filename>IMAGE_FEATURES</filename></ulink>.
		3733	The default is to enable "debug-tweaks" by adding it
		3734	to
		3735	<ulink url='&YOCTO_DOCS_REF_URL;#var-EXTRA_IMAGE_FEATURES'><filename>EXTRA_IMAGE_FEATURES</filename></ulink>
		3736	in <filename>local.conf</filename>.
		3737	However, you should comment out the variable or be
		3738	sure that it does not have "debug-tweaks" before
		3739	producing your final image.
		3740	Among other things, leaving this in place sets the
		3741	root password as blank, which makes logging in for
		3742	debugging or inspection easy during
		3743	development but also means anyone can easily log in
		3744	during production.
		3745	</para></listitem>
		3746	<listitem><para>
		3747	It is possible to set a root password for the image
		3748	and also to set passwords for any extra users you might
		3749	add (e.g. administrative or service type users).
		3750	When you set up passwords for multiple images or
		3751	users, you should not duplicate passwords.
		3752	</para>
		3753	<para>
		3754	To set up passwords, use the
		3755	<filename>extrausers</filename> class, which is the
		3756	preferred method.
		3757	For an example on how to set up both root and user
		3758	passwords, see the
		3759	"<ulink url='&YOCTO_DOCS_REF_URL;#ref-classes-extrausers'><filename>extrausers.bbclass</filename></ulink>"
		3760	section.
		3761	<note>
		3762	When adding extra user accounts or setting a
		3763	root password, be cautious about setting the
		3764	same password on every device.
		3765	If you do this, and the password you have set
		3766	is exposed, then every device is now potentially
		3767	compromised.
		3768	If you need this access but want to ensure
		3769	security, consider setting a different,
		3770	random password for each device.
		3771	Typically, you do this as a separate step after
		3772	you deploy the image onto the device.
		3773	</note>
		3774	</para></listitem>
		3775	<listitem><para>
		3776	Consider enabling a Mandatory Access Control (MAC)
		3777	framework (such as SMACK or SELinux) and tuning it
		3778	appropriately for your device's usage.
		3779	You can find more information in the
		3780	<ulink url='http://git.yoctoproject.org/cgit/cgit.cgi/meta-selinux/'><filename>meta-selinux</filename></ulink>
		3781	layer.
		3782	</para></listitem>
		3783	</itemizedlist>
		3784	</para>
		3785
		3786	<para>
		3787	</para>
		3788	</section>
		3789
		3790	<section id='tools-for-hardening-your-image'>
		3791	<title>Tools for Hardening Your Image</title>
		3792
		3793	<para>
		3794	The Yocto Project provides tools for making your image
		3795	more secure.
		3796	You can find these tools in the
		3797	<filename>meta-security</filename> layer of the
		3798	<ulink url='&YOCTO_GIT_URL;/cgit/cgit.cgi'>Yocto Project Source Repositories</ulink>.
		3799	</para>
		3800	</section>
3606	</section>	3801	</section>
3607		3802
3608	<section id='creating-your-own-distribution'>	3803	<section id='creating-your-own-distribution'>