add build note to assembler sources #24

Open
wants to merge 1 commit into master
Conversation

sharkcz (Contributor) commented Sep 25, 2018

When distros use the annobin compiler plugin [1], they have a complete overview
of what compiler flags were used for compilation and are able to perform
security checks on the produced binaries. Compiling assembler source can't
provide this kind of information by default, so we need the explicit
-Wa,--generate-missing-build-notes=yes option during the build. When the option is
missing, the annocheck tool reports "GAPS" in the resulting binary.

[1] https://fedoraproject.org/wiki/Changes/Annobin

Signed-off-by: Dan Horák [email protected]

p-steuer (Contributor) commented

Does this introduce a dependency on a particular as / binutils version?

sharkcz (Contributor, Author) commented Sep 25, 2018

Good question, I've asked our (RH/Fedora) toolchain people.

sharkcz (Contributor, Author) commented Sep 26, 2018

And their answer is "GNU binutils 2.31 is needed or distro binutils where it has been backported (eg. F-29)". So I'll add a check into configure for this feature.

sharkcz (Contributor, Author) commented Sep 26, 2018

[sharkcz@devel10 libica]$ annocheck -v src/.libs/libica.so.3.3.3
annocheck: Version 8.35.
Hardened: src/.libs/libica.so.3.3.3: pass: No gaps found.
Hardened: src/.libs/libica.so.3.3.3: pass: Linked with -Wl,-z,now.
Hardened: src/.libs/libica.so.3.3.3: pass: Dynamic segment is present.
Hardened: src/.libs/libica.so.3.3.3: pass: Compiled with -D_FORTIFY_SOURCE=2.
Hardened: src/.libs/libica.so.3.3.3: pass: Compiled with -D_GLIBCXX_ASSERTIONS.
Hardened: src/.libs/libica.so.3.3.3: pass: Linked with -Wl,-z,relro.
Hardened: src/.libs/libica.so.3.3.3: pass: Stack not executable.
Hardened: src/.libs/libica.so.3.3.3: pass: Compiled with sufficient optimization.
Hardened: src/.libs/libica.so.3.3.3: pass: Compiled with PIC/PIE.
Hardened: src/.libs/libica.so.3.3.3: pass: Compiled as a position independent binary.
Hardened: src/.libs/libica.so.3.3.3: pass: DT_RPATH/DT_RUNPATH absent or rooted at /usr.
Hardened: src/.libs/libica.so.3.3.3: pass: No RWX segments found.
Hardened: src/.libs/libica.so.3.3.3: pass: Consistent use of the -fshort-enum option.
Hardened: src/.libs/libica.so.3.3.3: pass: Compiled with -fstack-clash-protection.
Hardened: src/.libs/libica.so.3.3.3: pass: Compiled with sufficient stack protection.
Hardened: src/.libs/libica.so.3.3.3: pass: No text relocations found.
Hardened: src/.libs/libica.so.3.3.3: pass: No thread cancellation problems.
Hardened: src/.libs/libica.so.3.3.3: pass: GOT/PLT relocations are read only.
Hardened: src/.libs/libica.so.3.3.3: PASS.
[sharkcz@devel10 libica]$ rpm -q annobin binutils
annobin-8.35-1.fc30.s390x
binutils-2.31.1-13.fc30.s390x

sharkcz (Contributor, Author) commented Sep 26, 2018

Result without the patch:

[sharkcz@devel10 libica]$ annocheck -v src/.libs/libica.so.3.3.3
annocheck: Version 8.35.
Hardened: src/.libs/libica.so.3.3.3: gap:  (21516..21f00 probable component: test_vec.c) in annobin notes.
Hardened: src/.libs/libica.so.3.3.3: FAIL: Gaps were detected in the annobin coverage.
Hardened: src/.libs/libica.so.3.3.3: pass: Linked with -Wl,-z,now.
Hardened: src/.libs/libica.so.3.3.3: pass: Dynamic segment is present.
Hardened: src/.libs/libica.so.3.3.3: pass: Compiled with -D_FORTIFY_SOURCE=2.
Hardened: src/.libs/libica.so.3.3.3: pass: Compiled with -D_GLIBCXX_ASSERTIONS.
Hardened: src/.libs/libica.so.3.3.3: pass: Linked with -Wl,-z,relro.
Hardened: src/.libs/libica.so.3.3.3: pass: Stack not executable.
Hardened: src/.libs/libica.so.3.3.3: pass: Compiled with sufficient optimization.
Hardened: src/.libs/libica.so.3.3.3: pass: Compiled with PIC/PIE.
Hardened: src/.libs/libica.so.3.3.3: pass: Compiled as a position independent binary.
Hardened: src/.libs/libica.so.3.3.3: pass: DT_RPATH/DT_RUNPATH absent or rooted at /usr.
Hardened: src/.libs/libica.so.3.3.3: pass: No RWX segments found.
Hardened: src/.libs/libica.so.3.3.3: pass: Consistent use of the -fshort-enum option.
Hardened: src/.libs/libica.so.3.3.3: pass: Compiled with -fstack-clash-protection.
Hardened: src/.libs/libica.so.3.3.3: pass: Compiled with sufficient stack protection.
Hardened: src/.libs/libica.so.3.3.3: pass: No text relocations found.
Hardened: src/.libs/libica.so.3.3.3: pass: No thread cancellation problems.
Hardened: src/.libs/libica.so.3.3.3: pass: GOT/PLT relocations are read only.

Both builds were done with the distro CFLAGS/LDFLAGS:
CFLAGS="$(rpmbuild --eval %{build_cflags})" LDFLAGS="$(rpmbuild --eval %{build_ldflags})" ./configure && make

sharkcz (Contributor, Author) commented Sep 26, 2018

The new version with configure-time check for the flag introduces dependency on autoconf-archive.

p-steuer (Contributor) commented Sep 26, 2018

Even with the check I still question portability, e.g. on F-28 it says:

./configure: line 17296: syntax error near unexpected token `-Wa,--generate-missing-build-notes=yes,'
./configure: line 17296: `AX_CHECK_COMPILE_FLAG(-Wa,--generate-missing-build-notes=yes, ICA_ASFLAGS="-Wa,--generate-missing-build-notes=yes")'

Why don't you put it with the distro flags, where you know it's available? How do you solve this problem with other packages that come with asm code and don't use autotools, e.g. openssl-libcrypto?

Commit message of the single commit in this PR:

When distros use the annobin compiler plugin [1], they have a complete overview
of what compiler flags were used for compilation and are able to perform
security checks on the produced binaries. Compiling assembler source can't
provide this kind of information by default, so we need the explicit
-Wa,--generate-missing-build-notes=yes option during the build. When the option is
missing, the annocheck tool reports "GAPS" in the resulting binary.

binutils >= 2.31 or older with backport is needed

[1] https://fedoraproject.org/wiki/Changes/Annobin

Signed-off-by: Dan Horák <[email protected]>
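A configure-time probe for the assembler flag discussed in this PR, written here as an added example; it is not libica's configure script and not the code from the PR's commit. It drives gas directly (so the flag is spelled without the -Wa, prefix that the compiler driver would otherwise forward) and needs no autoconf-archive macro, which avoids the unexpanded AX_CHECK_COMPILE_FLAG failure shown for F-28. It also checks whether a built object actually carries the notes annocheck consumes, which is the check you want in CI rather than trusting that the flag was accepted. The function names, the ICA_ASFLAGS variable and the sample inputs are assumptions made for this example; the flag and the .gnu.build.attributes section name are GNU binutils' own.

```shell
#!/bin/sh
# Added example, not libica's build code. Probes whether the assembler
# accepts --generate-missing-build-notes=yes (GNU binutils >= 2.31 or a
# distro backport) and whether an object carries GNU build attribute notes.
# Assumptions: the probe talks to gas directly, and the notes live in an
# ELF section named .gnu.build.attributes (binutils' naming, not the PR's).

# Return 0 if "$1" (an assembler; default: $AS or "as") accepts the flag,
# 1 if it rejects it (older binutils without the backport), 2 if no
# assembler was found or no temporary directory could be created.
probe_missing_build_notes() {
    as_bin="${1:-${AS:-as}}"
    command -v "$as_bin" >/dev/null 2>&1 || return 2
    tmp=$(mktemp -d 2>/dev/null) || return 2
    # Constructed minimal input: an empty .text section, valid on any target.
    printf '\t.text\n' > "$tmp/probe.s"
    if "$as_bin" --generate-missing-build-notes=yes \
            -o "$tmp/probe.o" "$tmp/probe.s" >/dev/null 2>&1; then
        rc=0
    else
        rc=1
    fi
    rm -rf "$tmp"
    return $rc
}

# Return 0 if the ELF file "$1" contains a .gnu.build.attributes section
# (the notes annocheck reads), 1 if it does not or cannot be read,
# 2 if readelf is unavailable.
object_has_build_notes() {
    command -v readelf >/dev/null 2>&1 || return 2
    [ -r "$1" ] || return 1
    readelf -S "$1" 2>/dev/null | grep -q '\.gnu\.build\.attributes'
}

# Print the value the build should export as ICA_ASFLAGS (hypothetical
# variable name): the flag when supported, nothing otherwise. Diagnostics
# go to stderr, and the function always returns 0 so it is safe under set -e.
ica_asflags_for() {
    rc=0
    probe_missing_build_notes "$1" || rc=$?
    case $rc in
        0) printf '%s\n' '-Wa,--generate-missing-build-notes=yes' ;;
        1) echo "$1 rejects --generate-missing-build-notes; assembler objects will show as gaps in annocheck" >&2 ;;
        *) echo "assembler '$1' not found; cannot probe build-note support" >&2 ;;
    esac
    return 0
}

# Stand-alone usage: decide the flags for the assembler in $AS (or "as").
ICA_ASFLAGS=$(ica_asflags_for "${AS:-as}")
echo "ICA_ASFLAGS='$ICA_ASFLAGS'"
```

Wire the first function into configure (or a plain Makefile) in place of AX_CHECK_COMPILE_FLAG, and run object_has_build_notes over the objects built from .S files in a post-build check; a missing section there is exactly what annocheck later reports as a gap, so catching it at build time gives the same signal without depending on a distro's annocheck version.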