1.. SPDX-License-Identifier: CC-BY-SA-2.0-UK 2 3Making Images More Secure 4************************* 5 6Security is of increasing concern for embedded devices. Consider the 7issues and problems discussed in just this sampling of work found across 8the Internet: 9 10- *"*\ `Security Risks of Embedded 11 Systems <https://www.schneier.com/blog/archives/2014/01/security_risks_9.html>`__\ *"* 12 by Bruce Schneier 13 14- *"*\ `Internet Census 15 2012 <http://census2012.sourceforge.net/paper.html>`__\ *"* by Carna 16 Botnet 17 18- *"*\ `Security Issues for Embedded 19 Devices <https://elinux.org/images/6/6f/Security-issues.pdf>`__\ *"* 20 by Jake Edge 21 22When securing your image is of concern, there are steps, tools, and 23variables that you can consider to help you reach the security goals you 24need for your particular device. Not all situations are identical when 25it comes to making an image secure. Consequently, this section provides 26some guidance and suggestions for consideration when you want to make 27your image more secure. 28 29.. note:: 30 31 Because the security requirements and risks are different for every 32 type of device, this section cannot provide a complete reference on 33 securing your custom OS. It is strongly recommended that you also 34 consult other sources of information on embedded Linux system 35 hardening and on security. 36 37General Considerations 38====================== 39 40There are general considerations that help you create more secure images. 41You should consider the following suggestions to make your device 42more secure: 43 44- Scan additional code you are adding to the system (e.g. application 45 code) by using static analysis tools. Look for buffer overflows and 46 other potential security problems. 47 48- Pay particular attention to the security for any web-based 49 administration interface. 50 51 Web interfaces typically need to perform administrative functions and 52 tend to need to run with elevated privileges. Thus, the consequences 53 resulting from the interface's security becoming compromised can be 54 serious. Look for common web vulnerabilities such as 55 cross-site-scripting (XSS), unvalidated inputs, and so forth. 56 57 As with system passwords, the default credentials for accessing a 58 web-based interface should not be the same across all devices. This 59 is particularly true if the interface is enabled by default as it can 60 be assumed that many end-users will not change the credentials. 61 62- Ensure you can update the software on the device to mitigate 63 vulnerabilities discovered in the future. This consideration 64 especially applies when your device is network-enabled. 65 66- Regularly scan and apply fixes for CVE security issues affecting 67 all software components in the product, see ":ref:`dev-manual/vulnerabilities:checking for vulnerabilities`". 68 69- Regularly update your version of Poky and OE-Core from their upstream 70 developers, e.g. to apply updates and security fixes from stable 71 and LTS branches. 72 73- Ensure you remove or disable debugging functionality before producing 74 the final image. For information on how to do this, see the 75 ":ref:`dev-manual/securing-images:considerations specific to the openembedded build system`" 76 section. 77 78- Ensure you have no network services listening that are not needed. 79 80- Remove any software from the image that is not needed. 81 82- Enable hardware support for secure boot functionality when your 83 device supports this functionality. 84 85Security Flags 86============== 87 88The Yocto Project has security flags that you can enable that help make 89your build output more secure. The security flags are in the 90``meta/conf/distro/include/security_flags.inc`` file in your 91:term:`Source Directory` (e.g. ``poky``). 92 93.. note:: 94 95 Depending on the recipe, certain security flags are enabled and 96 disabled by default. 97 98Use the following line in your ``local.conf`` file or in your custom 99distribution configuration file to enable the security compiler and 100linker flags for your build:: 101 102 require conf/distro/include/security_flags.inc 103 104Considerations Specific to the OpenEmbedded Build System 105======================================================== 106 107You can take some steps that are specific to the OpenEmbedded build 108system to make your images more secure: 109 110- Ensure "debug-tweaks" is not one of your selected 111 :term:`IMAGE_FEATURES`. 112 When creating a new project, the default is to provide you with an 113 initial ``local.conf`` file that enables this feature using the 114 :term:`EXTRA_IMAGE_FEATURES` 115 variable with the line:: 116 117 EXTRA_IMAGE_FEATURES = "debug-tweaks" 118 119 To disable that feature, simply comment out that line in your 120 ``local.conf`` file, or make sure :term:`IMAGE_FEATURES` does not contain 121 "debug-tweaks" before producing your final image. Among other things, 122 leaving this in place sets the root password as blank, which makes 123 logging in for debugging or inspection easy during development but 124 also means anyone can easily log in during production. 125 126- It is possible to set a root password for the image and also to set 127 passwords for any extra users you might add (e.g. administrative or 128 service type users). When you set up passwords for multiple images or 129 users, you should not duplicate passwords. 130 131 To set up passwords, use the :ref:`ref-classes-extrausers` class, which 132 is the preferred method. For an example on how to set up both root and 133 user passwords, see the ":ref:`ref-classes-extrausers`" section. 134 135 .. note:: 136 137 When adding extra user accounts or setting a root password, be 138 cautious about setting the same password on every device. If you 139 do this, and the password you have set is exposed, then every 140 device is now potentially compromised. If you need this access but 141 want to ensure security, consider setting a different, random 142 password for each device. Typically, you do this as a separate 143 step after you deploy the image onto the device. 144 145- Consider enabling a Mandatory Access Control (MAC) framework such as 146 SMACK or SELinux and tuning it appropriately for your device's usage. 147 You can find more information in the 148 :yocto_git:`meta-selinux </meta-selinux/>` layer. 149 150Tools for Hardening Your Image 151============================== 152 153The Yocto Project provides tools for making your image more secure. You 154can find these tools in the ``meta-security`` layer of the 155:yocto_git:`Yocto Project Source Repositories <>`. 156 157