# Security hardening

Security hardening is a process that minimizes the risk of attacks by making it harder for attackers to exploit system vulnerabilities.

Kernel security hardening aligns with upstream kernel guidelines. Key kernel flags like KASLR, hardened user copy, stack protector, and permissions (RWX) are enabled.

## User space hardening

The [security_flags.inc](https://git.yoctoproject.org/poky/tree/meta/conf/distro/include/security_flags.inc) file, a part of the [Yocto Project](https://www.thegoodpenguin.co.uk/blog/yocto-security-hardening-security-flags/), is used to enable security compiler and linker flags for a build.

To extend this feature to the Qualcomm modules, add the following line to `qcom-security_flags.inc` (file path: [qcom-security_flags.inc](https://github.com/quic-yocto/meta-qcom-distro/blob/kirkstone/conf/distro/include/qcom-security_flags.inc)):

```
require conf/distro/include/security_flags.inc
```

Adding these flags may result in warnings or errors that can disrupt a build. However, Yocto provides a way to disable certain compiler flags for problematic packages. Modern compilers such as GCC and Clang offer a wide range of compiler flags that can make it more difficult for an attacker to exploit certain types of vulnerabilities.

The following are example flags for GCC:

- The `-Wformat` flag adds compile-time checks to detect issues related to the format of string arguments in common library functions such as `printf`, `scanf`, and `strftime`.
- The `-D_FORTIFY_SOURCE` flag adds compile-time and runtime checks to detect buffer overflows in memory and string functions.
- The `-fstack-protector` flag adds runtime checks to detect buffer overflows and stack smashing.
- The `-fpie` flag enables position-independent code, which allows the binary to be loaded at randomized locations, making certain types of attacks (like return-oriented programming) more difficult.
- The `-Wl,-z,relro,-z,now` flag makes it harder to abuse a binary's global offset table.

If there are warnings and errors, customizing these flags for some modules can break a build. To verify that the compiler exploit mitigation features are applied to the binaries in a file system, use the Checksec tool.
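The following Python example is an addition to this page, not code from Qualcomm, Yocto, or the Checksec project. It shows which ELF metadata reveals whether two of the linker-visible flags above, `-fpie` and `-Wl,-z,relro,-z,now`, took effect. It assumes 64-bit little-endian ELF files; `check_elf`, `build_sample`, and the two sample images are hypothetical and constructed for illustration.

```python
import struct

PT_DYNAMIC, PT_INTERP, PT_GNU_RELRO = 2, 3, 0x6474E552
DT_NULL, DT_BIND_NOW, DT_FLAGS, DT_FLAGS_1 = 0, 24, 30, 0x6FFFFFFB
DF_BIND_NOW, DF_1_NOW, DF_1_PIE = 0x8, 0x1, 0x08000000
ET_EXEC, ET_DYN = 2, 3

def check_elf(data: bytes) -> dict:
    """Report PIE and RELRO status of a 64-bit little-endian ELF image."""
    if data[:4] != b"\x7fELF" or data[4:6] != b"\x02\x01":
        raise ValueError("not a 64-bit little-endian ELF file")
    e_type = struct.unpack_from("<H", data, 16)[0]
    e_phoff = struct.unpack_from("<Q", data, 32)[0]
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 54)
    relro = interp = bind_now = pie_flag = False
    for i in range(e_phnum):
        p_type, _, p_offset, _, _, p_filesz = struct.unpack_from(
            "<IIQQQQ", data, e_phoff + i * e_phentsize)
        relro |= p_type == PT_GNU_RELRO    # emitted by -z relro
        interp |= p_type == PT_INTERP      # present in dynamically linked executables
        if p_type != PT_DYNAMIC:
            continue
        # Walk the 16-byte (tag, value) dynamic entries until DT_NULL.
        for off in range(p_offset, p_offset + p_filesz, 16):
            tag, val = struct.unpack_from("<qQ", data, off)
            if tag == DT_NULL:
                break
            bind_now |= tag == DT_BIND_NOW  # any of these three records -z now
            bind_now |= tag == DT_FLAGS and bool(val & DF_BIND_NOW)
            bind_now |= tag == DT_FLAGS_1 and bool(val & DF_1_NOW)
            pie_flag |= tag == DT_FLAGS_1 and bool(val & DF_1_PIE)
    # Heuristic: shared libraries are ET_DYN too, so also require an interpreter or DF_1_PIE.
    pie = e_type == ET_DYN and (interp or pie_flag)
    return {"pie": pie, "relro": "full" if relro and bind_now else "partial" if relro else "none"}

def build_sample(e_type, phdr_types, dyn_entries):
    """Constructed input: ELF64 header (machine 183 = AArch64), program headers, dynamic section."""
    dyn = b"".join(struct.pack("<qQ", t, v) for t, v in dyn_entries + [(DT_NULL, 0)])
    dyn_off = 64 + 56 * len(phdr_types)
    ehdr = b"\x7fELF\x02\x01\x01" + bytes(9) + struct.pack(
        "<HHIQQQIHHHHHH", e_type, 183, 1, 0, 64, 0, 0, 64, 56, len(phdr_types), 0, 0, 0)
    phdrs = b"".join(
        struct.pack("<IIQQQQQQ", t, 4, dyn_off, 0, 0, len(dyn) if t == PT_DYNAMIC else 0, 0, 8)
        for t in phdr_types)
    return ehdr + phdrs + dyn

HARDENED = build_sample(ET_DYN, [PT_INTERP, PT_DYNAMIC, PT_GNU_RELRO],
                        [(DT_FLAGS, DF_BIND_NOW), (DT_FLAGS_1, DF_1_NOW | DF_1_PIE)])
LEGACY = build_sample(ET_EXEC, [PT_INTERP, PT_DYNAMIC], [])
```

To check a real binary from the image, pass the file's bytes to `check_elf`; a result of `"partial"` for RELRO means the segment is present but lazy binding is still enabled.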

For information about making images more secure, see [The Yocto Project Documentation](https://docs.yoctoproject.org/dev/dev-manual/securing-images.html).

## Next steps

- To learn about the next security feature, see [Qualcomm WES](https://docs.qualcomm.com/doc/80-70018-11/topic/qwes.html#qwes).
- To learn about TrustZone and security framework, see [Security architecture](https://docs.qualcomm.com/doc/80-70018-11/topic/architecture.html#architecture).
- To learn about APIs that can be used to interact with Linux and hardware, see [Security APIs](https://docs.qualcomm.com/doc/80-70018-11/topic/interfaces.html#interfaces).

Last Published: Apr 10, 2025
