# Security hardening

Source: [https://docs.qualcomm.com/doc/80-70014-11/topic/security-hardening.html](https://docs.qualcomm.com/doc/80-70014-11/topic/security-hardening.html)

Security hardening is a process that minimizes the risk of system attacks by making
        it more difficult an attacker to exploit the system vulnerabilities.

Kernel security hardening aligns with upstream kernel guidelines. Key kernel flags like
            KASLR, hardened user copy, stack protector, permissions (RWX) are enabled.

## User space hardening

The [security_flags.inc](https://git.yoctoproject.org/poky/tree/meta/conf/distro/include/security_flags.inc) file, part of
                    the [Yocto Project](https://www.thegoodpenguin.co.uk/blog/yocto-security-hardening-security-flags/) is used to enable security
                compiler and linker flags for a build.

To extend this to Qualcomm modules, add the following command to
                    `qcom-security_flags.inc` (file path: [layers/meta-qcom-distro/conf/distro/include/qcom-security_flags.inc](https://github.com/quic-yocto/meta-qcom-distro/blob/kirkstone/conf/distro/include/qcom-security_flags.inc)):

    require conf/distro/include/security_flags.incCopy to clipboard

Adding these flags may result in warnings or errors that can disrupt a build.
                However, Yocto provides a way to disable certain compiler flags for problematic
                packages. Modern compilers such as GCC and clang offer a wide range of compiler
                flags that can make it more difficult for an attacker to exploit certain types of
                vulnerabilities.

The following are the example flags with GCC:
- The `Wformat` flag adds compile-time checks to detect issues
                        related to the format of string arguments in common library functions such
                        as `printf`, `scanf`, and
                            `strftime`.
- The `D_FORTIFY_SOURCE` flag adds compile and runtime checks
                        to detect buffer overflows in memory and string functions
- The `Fstack-protector` flag adds runtime checks to detect
                        buffer overflows and stack smashing.
- The `Fpie` flag enables position-independent code, which
                        allows for loading the binary at randomized locations, thus making certain
                        types of attacks (like return-oriented programming) more difficult.
- The `Wl,-z,relro,-z,now` flag makes it harder to abuse a
                        binary global offset table.

If there are warnings and errors, customizing these flags for some modules can break
                a build. The binaries in a file system can be verified if the compiler exploit
                mitigation features are applied using a tool like Checksec.

For more information, see [The Yocto Project ® dev documentation - Making
                    images more secure](https://docs.yoctoproject.org/dev/dev-manual/securing-images.html).

**Parent Topic:** [Features](https://docs.qualcomm.com/doc/80-70014-11/topic/features.html)

Last Published: Aug 06, 2024

[Previous Topic
Qualcomm WES](https://docs.qualcomm.com/bundle/publicresource/80-70014-11/topics/qwes.md) [Next Topic
Architecture](https://docs.qualcomm.com/bundle/publicresource/80-70014-11/topics/architecture.md)