add build note to assembler sources

When distros use the annobin compiler plugin [1], they have complete overview what compiler flags were used for compilation and they are able to perform security checks on the produced binaries. Compiling assembler source can't provide this kind of information by default, so we need the explicit -Wa,--generate-missing-build-notes=yes option during build. When the option is missing, then the annocheck tool reports "GAPS" in the resulting binary. binutils >= 2.31 or older with backport is needed [1] https://fedoraproject.org/wiki/Changes/Annobin Signed-off-by: Dan Horák <[email protected]>
opencryptoki · Nov 16, 2018 · c69c320 · c69c320
1 parent 9ef8f83
commit c69c320
Show file tree

Hide file tree

Showing 3 changed files with 6 additions and 2 deletions.
diff --git a/configure.ac b/configure.ac
@@ -80,12 +80,16 @@ if test "x$enable_coverage" = xno && test "x$enable_debug" = xno && test "x$enab
 	FLAGS="$FLAGS -O3 -D_FORTIFY_SOURCE=2"
 fi
 
+# check if assembler can generate missing build notes, binutils >= 2.31 or older with backport is needed
+AX_CHECK_COMPILE_FLAG([-Wa,--generate-missing-build-notes=yes], [ICA_ASFLAGS="-Wa,--generate-missing-build-notes=yes"])
+
 # restore cmdline flags (ignore PROG_AS/PROG_CC defaults)
 CFLAGS="$cmdline_CFLAGS"
 CCASFLAGS="$cmdline_CFLAGS"
 
 AC_SUBST([FLAGS], $FLAGS)
 AC_SUBST([LIBS], $LIBS)
+AC_SUBST([ICA_ASFLAGS], $ICA_ASFLAGS)
 AC_CONFIG_FILES([Makefile doc/Makefile include/Makefile src/Makefile test/Makefile])
 AC_OUTPUT
 

diff --git a/libica.spec b/libica.spec
@@ -9,7 +9,7 @@ URL:           https://github.com/opencryptoki/libica
 Source0:       %{name}-%{version}.tar.gz
 BuildRoot:     %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
 
-BuildRequires: autoconf automake libtool openssl-devel
+BuildRequires: autoconf automake libtool openssl-devel autoconf-archive
 
 %description
 Interface library on Linux for IBM System z to utilize CPACF

diff --git a/src/Makefile.am b/src/Makefile.am
@@ -8,7 +8,7 @@ lib_LTLIBRARIES = libica.la
 
 libica_la_CFLAGS = ${AM_CFLAGS} -I${srcdir}/include -I${srcdir}/../include \
 		   -fvisibility=hidden
-libica_la_CCASFLAGS = ${AM_CFLAGS}
+libica_la_CCASFLAGS = ${AM_CFLAGS} ${ICA_ASFLAGS}
 libica_la_LIBADD = @LIBS@ -lrt -lcrypto
 libica_la_LDFLAGS = -Wl,--version-script=${srcdir}/../libica.map \
 		    -version-number ${VERSION}