xref: /openbmc/openbmc/poky/documentation/dev-manual/securing-images.rst (revision edff49234e31f23dc79f823473c9e286a21596c1)
1.. SPDX-License-Identifier: CC-BY-SA-2.0-UK
2
3Making Images More Secure
4*************************
5
6Security is of increasing concern for embedded devices. Consider the
7issues and problems discussed in just this sampling of work found across
8the Internet:
9
10-  *"*\ `Security Risks of Embedded
11   Systems <https://www.schneier.com/blog/archives/2014/01/security_risks_9.html>`__\ *"*
12   by Bruce Schneier
13
14-  *"*\ `Internet Census
15   2012 <http://census2012.sourceforge.net/paper.html>`__\ *"* by Carna
16   Botnet
17
18-  *"*\ `Security Issues for Embedded
19   Devices <https://elinux.org/images/6/6f/Security-issues.pdf>`__\ *"*
20   by Jake Edge
21
22When securing your image is of concern, there are steps, tools, and
23variables that you can consider to help you reach the security goals you
24need for your particular device. Not all situations are identical when
25it comes to making an image secure. Consequently, this section provides
26some guidance and suggestions for consideration when you want to make
27your image more secure.
28
29.. note::
30
31   Because the security requirements and risks are different for every
32   type of device, this section cannot provide a complete reference on
33   securing your custom OS. It is strongly recommended that you also
34   consult other sources of information on embedded Linux system
35   hardening and on security.
36
37General Considerations
38======================
39
40There are general considerations that help you create more secure images.
41You should consider the following suggestions to make your device
42more secure:
43
44-  Scan additional code you are adding to the system (e.g. application
45   code) by using static analysis tools. Look for buffer overflows and
46   other potential security problems.
47
48-  Pay particular attention to the security for any web-based
49   administration interface.
50
51   Web interfaces typically need to perform administrative functions and
52   tend to need to run with elevated privileges. Thus, the consequences
53   resulting from the interface's security becoming compromised can be
54   serious. Look for common web vulnerabilities such as
55   cross-site-scripting (XSS), unvalidated inputs, and so forth.
56
57   As with system passwords, the default credentials for accessing a
58   web-based interface should not be the same across all devices. This
59   is particularly true if the interface is enabled by default as it can
60   be assumed that many end-users will not change the credentials.
61
62-  Ensure you can update the software on the device to mitigate
63   vulnerabilities discovered in the future. This consideration
64   especially applies when your device is network-enabled.
65
66-  Regularly scan and apply fixes for CVE security issues affecting
67   all software components in the product, see ":ref:`dev-manual/vulnerabilities:checking for vulnerabilities`".
68
69-  Regularly update your version of Poky and OE-Core from their upstream
70   developers, e.g. to apply updates and security fixes from stable
71   and :term:`LTS` branches.
72
73-  Ensure you remove or disable debugging functionality before producing
74   the final image. For information on how to do this, see the
75   ":ref:`dev-manual/securing-images:considerations specific to the openembedded build system`"
76   section.
77
78-  Ensure you have no network services listening that are not needed.
79
80-  Remove any software from the image that is not needed.
81
82-  Enable hardware support for secure boot functionality when your
83   device supports this functionality.
84
85Security Flags
86==============
87
88The Yocto Project has security flags that you can enable that help make
89your build output more secure. The security flags are in the
90``meta/conf/distro/include/security_flags.inc`` file in your
91:term:`Source Directory` (e.g. ``poky``).
92
93.. note::
94
95   Depending on the recipe, certain security flags are enabled and
96   disabled by default.
97
98Use the following line in your ``local.conf`` file or in your custom
99distribution configuration file to enable the security compiler and
100linker flags for your build::
101
102   require conf/distro/include/security_flags.inc
103
104Considerations Specific to the OpenEmbedded Build System
105========================================================
106
107You can take some steps that are specific to the OpenEmbedded build
108system to make your images more secure:
109
110-  Ensure "debug-tweaks" is not one of your selected
111   :term:`IMAGE_FEATURES`.
112   When creating a new project, the default is to provide you with an
113   initial ``local.conf`` file that enables this feature using the
114   :term:`EXTRA_IMAGE_FEATURES`
115   variable with the line::
116
117      EXTRA_IMAGE_FEATURES = "debug-tweaks"
118
119   To disable that feature, simply comment out that line in your
120   ``local.conf`` file, or make sure :term:`IMAGE_FEATURES` does not contain
121   "debug-tweaks" before producing your final image. Among other things,
122   leaving this in place sets the root password as blank, which makes
123   logging in for debugging or inspection easy during development but
124   also means anyone can easily log in during production.
125
126-  It is possible to set a root password for the image and also to set
127   passwords for any extra users you might add (e.g. administrative or
128   service type users). When you set up passwords for multiple images or
129   users, you should not duplicate passwords.
130
131   To set up passwords, use the :ref:`ref-classes-extrausers` class, which
132   is the preferred method. For an example on how to set up both root and
133   user passwords, see the ":ref:`ref-classes-extrausers`" section.
134
135   .. note::
136
137      When adding extra user accounts or setting a root password, be
138      cautious about setting the same password on every device. If you
139      do this, and the password you have set is exposed, then every
140      device is now potentially compromised. If you need this access but
141      want to ensure security, consider setting a different, random
142      password for each device. Typically, you do this as a separate
143      step after you deploy the image onto the device.
144
145-  Consider enabling a Mandatory Access Control (MAC) framework such as
146   SMACK or SELinux and tuning it appropriately for your device's usage.
147   You can find more information in the
148   :yocto_git:`meta-selinux </meta-selinux/>` layer.
149
150Tools for Hardening Your Image
151==============================
152
153The Yocto Project provides tools for making your image more secure. You
154can find these tools in the ``meta-security`` layer of the
155:yocto_git:`Yocto Project Source Repositories <>`.
156
157