dev-manual: Updated the "Making Images More Secure" section.

Fixes [YOCTO #5482]

I did some significant re-writing and re-organization of this
section.  It now includes a bit about securing an image in general,
provides general considerations, considerations specific to the
OpenEmbedded build system, pointers to some tools in meta-security
layer, and some other items.

(From yocto-docs rev: a900286992e781f451b3c180726965f5c7172bb9)

Signed-off-by: Scott Rifenbark <scott.m.rifenbark@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Scott Rifenbark 2014-05-28 15:23:04 +03:00 committed by Richard Purdie
parent 8e9bfa5210
commit 28d5925bdf
1 changed file with 157 additions and 23 deletions


@ -3841,32 +3841,166 @@
<title>Making Images More Secure</title>
<para>
The Yocto Project has security flags that you can enable that
help make your build output more secure.
The security flags are in the
<filename>meta/conf/distro/include/security_flags.inc</filename>
file in your
<link linkend='source-directory'>Source Directory</link>
(e.g. <filename>poky</filename>).
If securing your image is of concern, there are steps, tools,
and variables that you can consider to help you reach the
security goals you need for your particular device.
Not all situations are identical when it comes to making an
image secure.
Consequently, this section provides some guidance and suggestions
for consideration when you want to make your image more secure.
The section does not offer a complete solution.
</para>
<para>
These GCC/LD flags enable more secure code generation.
By including the <filename>security_flags.inc</filename>
file, you enable flags to the compiler and linker that cause
them to generate more secure code.
<note>
These flags are enabled by default in the
<filename>poky-lsb</filename> distribution.
</note>
Use the following line in your
<filename>local.conf</filename> file
to enable the security compiler and
linker flags to your build:
<literallayout class='monospaced'>
<section id='general-considerations'>
<title>General Considerations</title>
<para>
General considerations exist that help you create more
secure images.
You should consider the following suggestions to help
make your device more secure:
<itemizedlist>
<listitem><para>
Scan additional code you are adding to the system
(e.g. application code) by using static analysis
tools.
Look for buffer overflows and other potential
security problems.
</para></listitem>
<listitem><para>
Pay particular attention to to the security for
any web-based administration interface.
</para>
<para>Web interfaces typically need to perform
administrative functions and tend to need to run with
elevated privileges.
Thus, the consequences resulting from the interface's
security becoming compromised can be serious.
Look for common web vulnerabilities such as
cross-site-scripting (XSS), unvalidated inputs,
and so forth.</para>
<para>As with system passwords, the default credentials
for accessing a web-based interface should not be the
same across all devices.
This is particularly true if the interface is enabled
by default as it can be assumed that many end-users
will not change the credentials.
</para></listitem>
<listitem><para>
Ensure you can update the software on the device to
mitigate vulnerabilities discovered in the future.
This consideration especially applies when your
device is network-enabled.
</para></listitem>
<listitem><para>
Ensure you remove or disable debugging functionality
before producing the final image.
</para></listitem>
<listitem><para>
Ensure you have no network services listening that
are not needed.
</para></listitem>
<listitem><para>
Remove any software from the image that is not needed.
</para></listitem>
<listitem><para>
Enable hardware support for secure boot functionality
when your device supports this functionality.
</para></listitem>
</itemizedlist>
</para>
</section>
<section id='security-flags'>
<title>Security Flags</title>
<para>
The Yocto Project has security flags that you can enable that
help make your build output more secure.
The security flags are in the
<filename>meta/conf/distro/include/security_flags.inc</filename>
file in your
<link linkend='source-directory'>Source Directory</link>
(e.g. <filename>poky</filename>).
<note>
Depending on the recipe, certain security flags are enabled
and disabled by default.
</note>
</para>
<para>
The GCC/LD flags in <filename>security_flags.inc</filename>
enable more secure code generation.
By including the <filename>security_flags.inc</filename>
file, you enable flags to the compiler and linker that cause
them to generate more secure code.
<note>
The GCC/LD flags are enabled by default in the
<filename>poky-lsb</filename> distribution.
</note>
Use the following line in your
<filename>local.conf</filename> file
to enable the security compiler and
linker flags to your build:
<literallayout class='monospaced'>
require conf/distro/include/security_flags.inc
</literallayout>
</para>
</literallayout>
</para>
</section>
<section id='considerations-specific-to-the-openembedded-build-system'>
<title>Considerations Specific to the OpenEmbedded Build System</title>
<para>
You can take some steps that are specific to the
OpenEmbedded build system to make your images more secure:
<itemizedlist>
<listitem><para>
Ensure "debug-tweaks" is not listed with
<ulink url='&YOCTO_DOCS_REF_URL;#var-IMAGE_FEATURES'><filename>IMAGE_FEATURES</filename></ulink>.
The default is to enable "debug-tweaks" by adding it
to
<ulink url='&YOCTO_DOCS_REF_URL;#var-EXTRA_IMAGE_FEATURES'><filename>EXTRA_IMAGE_FEATURES</filename></ulink>
in <filename>local.conf</filename>.
However, you should comment out the variable or be
sure that it does not have "debug-tweaks" before
producing your final image.
Among other things, leaving this in place sets the
root password as blank.
</para></listitem>
<listitem><para>
It is possible to set a root password or to add
some additional user account for later administrative
or service access using the
<ulink url='&YOCTO_DOCS_REF_URL;#ref-classes-extrausers'><filename>extrausers</filename></ulink>
class or the
<ulink url='&YOCTO_DOCS_REF_URL;#var-ROOTFS_POSTPROCESS_COMMAND'><filename>ROOTFS_POSTPROCESS_COMMAND</filename></ulink>
variable.
If you do this, be cautious about setting
the same password for every device.
If you want the device to remain secure
from unauthorized access, and the password set on
all devices becomes compromised, then every device
becomes compromised.
If you need this access but want to ensure security,
consider setting a different, random password for each
device.
</para></listitem>
</itemizedlist>
</para>
</section>
<section id='tools-for-hardening-your-image'>
<title>Tools for Hardening Your Image</title>
<para>
The Yocto Project provides tools for making your image
more secure.
You can find these tools in the
<filename>meta-security</filename> layer of the
<ulink url='&YOCTO_GIT_URL;/cgit/cgit.cgi'>Yocto Project Source Repositories</ulink>.
</para>
</section>
</section>
<section id='creating-your-own-distribution'>
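Review bot: the tail of the new "security-flags" section closes `<literallayout class='monospaced'>` twice: `</literallayout>` / `</para>` appear directly after `require conf/distro/include/security_flags.inc` and then again immediately before `</section>`. Only one of those pairs can survive in the final file, otherwise the DocBook will not validate; please confirm the second pair is the old text being removed rather than a leftover in the added block. In the "General Considerations" list, "Pay particular attention to to the security for any web-based administration interface" doubles "to" and should read "to the security of any web-based administration interface". The note "Depending on the recipe, certain security flags are enabled and disabled by default" tells the reader neither which way nor why; say that `security_flags.inc` carries per-recipe overrides and that a recipe may have specific flags turned off, so readers know to check the file rather than assume every package gets the full set. Lastly, "sets the root password as blank" in the "debug-tweaks" item reads better as "leaves the root password empty".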