Choose which install method you would like to see instructions for. Debs work for any debian-based OS such as Debian, Ubuntu, and Mint. RPMS work for any Fedora-based OS such as Fedora, centOS, RHEL, and Rocky Linux.
Need to know your distribution? Run this command in a terminal: cat /etc/centos-release
The RunSafe-maintained meta-lfr layer contains all of the neccessary configuration files to integrate Code' Load-time Function Randomization (LFR) into a yocto build environment.
The LFR_PACKAGE contains pre-built binaries cross-compiled for different CPU targets. Currently supported is 32-bit ARM with support for 32- and 64-bit Intel and 64-bit ARM coming soon.
Sourcing oe-init-build-env prepares the environment for building yocto recipes and images. Adding meta-lfr to the list of layers will result in all recipes being built with Code protections in place.
The binaries contained in the package provided from LFR_PACKAGE in the step 3 cooridinate with the qemuarm MACHINE target.
This command will build the core-image-minimal image with Code protections. The resulting image can be run using runqemu qemuarm
.
The bitbake
command can be run to build other images, or individual recipes with Code protection using bitbake <recipe/image>
.
This shows how to confirm that Code has been applied to a given binary using the readelf
tool from the binutils
package. You must have binutils
on your system for it to work, but it is commonly available.