# Security hardening

Security hardening is a process that minimizes the risk of system
attacks by making it more challenging for attackers to exploit
system vulnerabilities.

Kernel security hardening aligns with upstream kernel guidelines. Key
kernel flags like KASLR, hardened user copy, stack protector, and
permissions (RWX) are enabled.

## User space hardening

The [security_flags.inc](https://git.yoctoproject.org/poky/tree/meta/conf/distro/include/security_flags.inc)
file, a part of the [Yocto
Project](https://www.thegoodpenguin.co.uk/blog/yocto-security-hardening-security-flags/),
is used to enable security compiler and linker flags for a build.

To extend this feature to the Qualcomm modules, add the following
line to `qcom-security_flags.inc` (file path:
[layers/meta-qcom-distro/conf/distro/include/qcom-security_flags.inc](https://github.com/quic-yocto/meta-qcom-distro/blob/kirkstone/conf/distro/include/qcom-security_flags.inc)):

```
require conf/distro/include/security_flags.inc
```

Adding these flags may result in warnings or errors that can disrupt a
build. However, Yocto provides a way to disable certain compiler flags
for problematic packages. Modern compilers such as GCC and Clang offer a
wide range of compiler flags that can make it more difficult for an
attacker to exploit certain types of vulnerabilities.

The following are example GCC flags:

- The `-Wformat` flag adds compile-time checks to detect issues
related to the format of string arguments in common library functions
such as `printf`, `scanf`, and `strftime`.
- The `-D_FORTIFY_SOURCE` flag adds compile and runtime checks to
detect buffer overflows in memory and string functions.
- The `-fstack-protector` flag adds runtime checks to detect buffer
overflows and stack smashing.
- The `-fpie` flag enables position-independent code, which allows for
loading the binary at randomized locations, thus making certain types
of attacks (like return-oriented programming) more difficult.
- The `-Wl,-z,relro,-z,now` flag makes it harder to abuse a binary's
global offset table.

If there are warnings and errors, customizing these flags for some
modules can break a build. Use the Checksec tool to verify whether the
compiler exploit mitigation features are applied to the binaries in a
file system.
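
As an added example (not part of the original page and not Checksec's own code), this Python script checks the ELF markers that the flags above leave in a binary: `ET_DYN` for PIE, `PT_GNU_STACK` for a non-executable stack, `PT_GNU_RELRO` plus a bind-now dynamic flag for full RELRO, and a reference to `__stack_chk_fail` for the stack protector. It assumes little-endian ELF64 binaries; `check_elf64`, `build_sample`, and the two sample images are names and data constructed here for illustration.

```python
import struct

ET_EXEC, ET_DYN, PF_X = 2, 3, 0x1
PT_DYNAMIC, PT_GNU_STACK, PT_GNU_RELRO = 2, 0x6474E551, 0x6474E552
DT_BIND_NOW, DT_FLAGS, DT_FLAGS_1 = 24, 30, 0x6FFFFFFB  # DF_BIND_NOW=0x8, DF_1_NOW=0x1

def check_elf64(data):
    """Report PIE, NX, RELRO and canary markers in a little-endian ELF64 image."""
    if data[:6] != b"\x7fELF\x02\x01":
        raise ValueError("not a little-endian ELF64 image")
    # e_type at offset 16, e_phoff at 32, e_phentsize and e_phnum at 54.
    e_type, phoff, phentsize, phnum = struct.unpack_from("<H14xQ14xHH", data, 16)
    nx = relro = now = False
    for base in range(phoff, phoff + phnum * phentsize, phentsize):
        p_type, p_flags, p_off, p_filesz = struct.unpack_from("<IIQ16xQ", data, base)
        if p_type == PT_GNU_STACK:
            nx = not p_flags & PF_X   # stack must not be executable
        elif p_type == PT_GNU_RELRO:
            relro = True              # -z relro: relocation data read-only after startup
        elif p_type == PT_DYNAMIC:
            dyn = data[p_off:p_off + p_filesz]
            for tag, val in struct.iter_unpack("<qQ", dyn[:len(dyn) // 16 * 16]):
                if tag == 0:          # DT_NULL ends the table
                    break
                if (tag == DT_BIND_NOW or (tag == DT_FLAGS and val & 0x8)
                        or (tag == DT_FLAGS_1 and val & 0x1)):
                    now = True        # -z now: all symbols bound at load time
    return {
        "pie": e_type == ET_DYN,      # -fpie/-pie; shared libraries are ET_DYN too
        "nx": nx,                     # a missing PT_GNU_STACK is reported as False
        "relro": "full" if relro and now else "partial" if relro else "none",
        "canary": b"__stack_chk_fail" in data,  # heuristic: symbol name present
    }

def build_sample(e_type, segments, dyn=(), extra=b""):
    """Constructed header-only ELF64 image (not loadable) to exercise the checker."""
    dyn_off = 64 + 56 * len(segments)
    dyn_tab = b"".join(struct.pack("<qQ", t, v) for t, v in [*dyn, (0, 0)])
    image = b"\x7fELF\x02\x01\x01" + bytes(9) + struct.pack(
        "<HHIQQQIHHHHHH", e_type, 183, 1, 0, 64, 0, 0, 64, 56, len(segments), 0, 0, 0)
    for p_type, p_flags in segments:
        size = len(dyn_tab) if p_type == PT_DYNAMIC else 0
        image += struct.pack("<IIQQQQQQ", p_type, p_flags, dyn_off, 0, 0, size, size, 8)
    return image + dyn_tab + extra

HARDENED = build_sample(ET_DYN, [(PT_DYNAMIC, 6), (PT_GNU_STACK, 6), (PT_GNU_RELRO, 4)],
                        dyn=[(DT_FLAGS, 0x8)], extra=b"\0__stack_chk_fail\0")
LEGACY = build_sample(ET_EXEC, [(PT_GNU_STACK, 7)])  # executable stack, no RELRO
if __name__ == "__main__":
    print(check_elf64(HARDENED), check_elf64(LEGACY), sep="\n")
```

To check a real binary from the built image, pass its contents, for example `check_elf64(open(path, "rb").read())`.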

For more information on making images more secure, see [The Yocto
Project
Documentation](https://docs.yoctoproject.org/dev/dev-manual/securing-images.html).

Last Published: Jan 30, 2025
