Making Images More Secure
- The Yocto Project has security flags that you can enable that
- help make your build output more secure.
- The security flags are in the
- meta/conf/distro/include/security_flags.inc
- file in your
- Source Directory
- (e.g. poky).
+ If securing your image is of concern, there are steps, tools,
+ and variables that you can consider to help you reach the
+ security goals you need for your particular device.
+ Not all situations are identical when it comes to making an
+ image secure.
+ Consequently, this section provides some guidance and suggestions
+ for consideration when you want to make your image more secure.
+ The section does not offer a complete solution.
-
- These GCC/LD flags enable more secure code generation.
- By including the security_flags.inc
- file, you enable flags to the compiler and linker that cause
- them to generate more secure code.
-
- These flags are enabled by default in the
- poky-lsb distribution.
-
- Use the following line in your
- local.conf file
- to enable the security compiler and
- linker flags to your build:
-
+
+ General Considerations
+
+
+ General considerations exist that help you create more
+ secure images.
+ You should consider the following suggestions to help
+ make your device more secure:
+
+
+ Scan additional code you are adding to the system
+ (e.g. application code) by using static analysis
+ tools.
+ Look for buffer overflows and other potential
+ security problems.
+
+
+ Pay particular attention to to the security for
+ any web-based administration interface.
+
+ Web interfaces typically need to perform
+ administrative functions and tend to need to run with
+ elevated privileges.
+ Thus, the consequences resulting from the interface's
+ security becoming compromised can be serious.
+ Look for common web vulnerabilities such as
+ cross-site-scripting (XSS), unvalidated inputs,
+ and so forth.
+ As with system passwords, the default credentials
+ for accessing a web-based interface should not be the
+ same across all devices.
+ This is particularly true if the interface is enabled
+ by default as it can be assumed that many end-users
+ will not change the credentials.
+
+
+ Ensure you can update the software on the device to
+ mitigate vulnerabilities discovered in the future.
+ This consideration especially applies when your
+ device is network-enabled.
+
+
+ Ensure you remove or disable debugging functionality
+ before producing the final image.
+
+
+ Ensure you have no network services listening that
+ are not needed.
+
+
+ Remove any software from the image that is not needed.
+
+
+ Enable hardware support for secure boot functionality
+ when your device supports this functionality.
+
+
+
+
+
+
+ Security Flags
+
+
+ The Yocto Project has security flags that you can enable that
+ help make your build output more secure.
+ The security flags are in the
+ meta/conf/distro/include/security_flags.inc
+ file in your
+ Source Directory
+ (e.g. poky).
+
+ Depending on the recipe, certain security flags are enabled
+ and disabled by default.
+
+
+
+
+ The GCC/LD flags in security_flags.inc
+ enable more secure code generation.
+ By including the security_flags.inc
+ file, you enable flags to the compiler and linker that cause
+ them to generate more secure code.
+
+ The GCC/LD flags are enabled by default in the
+ poky-lsb distribution.
+
+ Use the following line in your
+ local.conf file
+ to enable the security compiler and
+ linker flags to your build:
+
require conf/distro/include/security_flags.inc
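Review bot: The added web-interface item reads "Pay particular attention to to the security for", with a doubled "to"; drop one. In the Security Flags text of the same region, "Depending on the recipe, certain security flags are enabled and disabled by default" gives the reader nothing to act on and sits awkwardly beside the later sentence that the GCC/LD flags are enabled by default in poky-lsb. Say where a reader can see which flags apply to a given recipe, or fold the two statements into one.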
-
-
+
+
+
+
+
+ Considerations Specific to the OpenEmbedded Build System
+
+
+ You can take some steps that are specific to the
+ OpenEmbedded build system to make your images more secure:
+
+
+ Ensure "debug-tweaks" is not listed with
+ IMAGE_FEATURES.
+ The default is to enable "debug-tweaks" by adding it
+ to
+ EXTRA_IMAGE_FEATURES
+ in local.conf.
+ However, you should comment out the variable or be
+ sure that it does not have "debug-tweaks" before
+ producing your final image.
+ Among other things, leaving this in place sets the
+ root password as blank.
+
+
+ It is possible to set a root password or to add
+ some additional user account for later administrative
+ or service access using the
+ extrausers
+ class or the
+ ROOTFS_POSTPROCESS_COMMAND
+ variable.
+ If you do this, be cautious about setting
+ the same password for every device.
+ If you want the device to remain secure
+ from unauthorized access, and the password set on
+ all devices becomes compromised, then every device
+ becomes compromised.
+ If you need this access but want to ensure security,
+ consider setting a different, random password for each
+ device.
+
+
+
+
+
+
+ Tools for Hardening Your Image
+
+
+ The Yocto Project provides tools for making your image
+ more secure.
+ You can find these tools in the
+ meta-security layer of the
+ Yocto Project Source Repositories.
+
+
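Review bot: The "debug-tweaks" item leaves "comment out the variable" ambiguous, because its first sentence names IMAGE_FEATURES and the next says the default adds the feature to EXTRA_IMAGE_FEATURES in local.conf. Name EXTRA_IMAGE_FEATURES explicitly and say that both variables should be checked before producing the final image. The root-password item recommends a different, random password for each device but names only the extrausers class and ROOTFS_POSTPROCESS_COMMAND, which put a value into the image at build time. A sentence on where the per-device value is expected to be set would close that gap.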