diff --git a/0001-Remove-flto-from-Clang-LLVM-plugins.patch b/0001-Remove-flto-from-Clang-LLVM-plugins.patch deleted file mode 100644 index 5118e92..0000000 --- a/0001-Remove-flto-from-Clang-LLVM-plugins.patch +++ /dev/null @@ -1,40 +0,0 @@ -From 01ac24b72b225d74e3685f02d2967b2d80b4184d Mon Sep 17 00:00:00 2001 -From: David Abdurachmanov -Date: Thu, 4 Aug 2022 07:05:05 +0300 -Subject: [PATCH] Remove -flto from Clang & LLVM plugins - -This requres LLVMgold.so, which is not supported right now. - -Signed-off-by: David Abdurachmanov ---- - clang-plugin/Makefile.in | 1 - - llvm-plugin/Makefile.in | 1 - - 2 files changed, 2 deletions(-) - -diff --git a/clang-plugin/Makefile.in b/clang-plugin/Makefile.in -index 5e4dc24..26cd5d9 100644 ---- a/clang-plugin/Makefile.in -+++ b/clang-plugin/Makefile.in -@@ -14,7 +14,6 @@ PLUGIN_OPTIONS = \ - -fPIC \ - -Wall \ - -O2 \ -- -flto \ - -g -grecord-gcc-switches \ - -Wl,--build-id=md5 \ - -Wl,-z,now -diff --git a/llvm-plugin/Makefile.in b/llvm-plugin/Makefile.in -index 1148a1c..fb333ab 100644 ---- a/llvm-plugin/Makefile.in -+++ b/llvm-plugin/Makefile.in -@@ -14,7 +14,6 @@ PLUGIN_OPTIONS = \ - -fPIC \ - -Wall \ - -O2 \ -- -flto \ - -g -grecord-gcc-switches \ - -Wl,--build-id=md5 \ - -Wl,-z,now --- -2.37.1 - diff --git a/annobin.spec b/annobin.spec index f3bf3b5..e32c324 100644 --- a/annobin.spec +++ b/annobin.spec @@ -1,15 +1,12 @@ -%ifarch riscv64 -# Disable LTO: LLVMgold.so: cannot open shared object file: No such file or directory -%global _lto_cflags %nil -%endif Name: annobin Summary: Annotate and examine compiled binary files -Version: 10.81 -Release: 1.0.riscv64%{?dist} +Version: 11.08 +Release: 1%{?dist} License: GPLv3+ URL: https://sourceware.org/annobin/ # Maintainer: nickc@redhat.com +# Web Page: https://sourceware.org/annobin/ # Watermark Protocol: https://fedoraproject.org/wiki/Toolchain/Watermark #--------------------------------------------------------------------------------- @@ -41,7 +38,7 @@ URL: https://sourceware.org/annobin/ # checking logic or when building on RHEL-7 or earlier. %global with_hard_gcc_version_requirement 1 -%bcond_with plugin_rebuild +%bcond_without plugin_rebuild # Allow the building of annobin without using annobin itself. # This is because if we are bootstrapping a new build environment we can have # a new version of gcc installed, but without a new of annobin installed. @@ -72,8 +69,6 @@ Source: https://nickc.fedorapeople.org/%{annobin_sources} # Insert patches here, if needed. Eg: # Patch01: annobin-foo.patch -Patch11: 0001-Remove-flto-from-Clang-LLVM-plugins.patch - #--------------------------------------------------------------------------------- # Make sure that the necessary sub-packages are built. @@ -177,6 +172,23 @@ Installs the annocheck program which uses the notes generated by annobin to check that the specified files were compiled with the correct security hardening options. +%package libannocheck +Summary: A library for checking the security hardening status of binaries + +BuildRequires: gcc elfutils elfutils-devel elfutils-libelf-devel rpm-devel binutils-devel make + +%if %{with debuginfod} +BuildRequires: elfutils-debuginfod-client-devel +%endif + +Requires: %{name}-docs = %{version}-%{release} +Requires: binutils-devel + +%description libannocheck +Installs the libannocheck library which uses the notes generated by the +annobin plugins to check that the specified files were compiled with the +correct security hardening options. + %endif #---------------------------------------------------------------------------- @@ -360,11 +372,19 @@ export CFLAGS="$CFLAGS -DAARCH64_BRANCH_PROTECTION_SUPPORTED=1" export CFLAGS="$CFLAGS $RPM_OPT_FLAGS %build_cflags" export LDFLAGS="$LDFLAGS %build_ldflags" +# Set target-specific security options to be used when building the +# Clang and LLVM plugins. FIXME: There should be a better way to do +# this. %ifarch %{ix86} x86_64 -# FIXME: There should be a better way to do this. export CLANG_TARGET_OPTIONS="-fcf-protection" %endif +%ifarch aarch64 +%if 0%{?fedora} != 0 +export CLANG_TARGET_OPTIONS="-mbranch-protection=standard" +%endif +%endif + %ifarch ppc ppc64 ppc64le # FIXME: This is a workaround for a problem with the Clang C++ headers. It should not be needed. export CLANG_TARGET_OPTIONS="-mabi=ibmlongdouble" @@ -385,7 +405,12 @@ make -C gcc-plugin clean BUILD_FLAGS="-fplugin=%{_tmppath}/tmp_annobin.so" # Disable the standard annobin plugin so that we do get conflicts. +# Note - Fedora's rpm uses a different way of evaluating macros. +%if 0%{?fedora} == 0 OPTS="$(rpm --eval '%undefine _annotated_build %build_cflags %build_ldflags')" +%else +OPTS="$(rpm --undefine=_annotated_build --eval '%build_cflags %build_ldflags')" +%endif # If building on systems with an assembler that does not support the # .attach_to_group pseudo op (eg RHEL-7) then enable the next line. @@ -485,17 +510,112 @@ fi %if %{with annocheck} %files annocheck -%{_includedir}/libannocheck.h -%{_libdir}/libannocheck.* %{_bindir}/annocheck %{_mandir}/man1/annocheck.1* + +%files libannocheck +%{_includedir}/libannocheck.h +%{_libdir}/libannocheck.* +%{_libdir}/pkgconfig/libannocheck.pc %endif #--------------------------------------------------------------------------------- %changelog -* Mon Aug 15 2022 David Abdurachmanov - 10.81-1.0.riscv64 -- Disable LTO for riscv64 +* Tue Jan 31 2023 Nick Clifton - 11.08-1 +- Annocheck: Fix atexit test. Fix recording of version numbers. (#2165528) + +* Wed Jan 25 2023 Nick Clifton - 11.07-2 +- LLVM & Clang Plugins: Build with branch protection on AArch64. (#2164364) +- Fix gating tests. + +* Fri Jan 20 2023 Nick Clifton - 11.07-1 +- Libannocheck: Fix bug causing infinite looping when running tests. + +* Wed Jan 18 2023 Fedora Release Engineering - 11.06-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild + +* Mon Jan 16 2023 Jakub Jelinek - 11.06-2 +- Rebuilt against GCC 13. + +* Fri Jan 13 2023 Nick Clifton - 11.06-1 +- Annocheck: Fix handling of file built by multiple versions of gcc. (#2160700) + +* Mon Jan 09 2023 Nick Clifton - 11.05-1 +- Annocheck: Fix handling of empty files. (#2159292) + +* Fri Jan 06 2023 Nick Clifton - 11.04-1 +- Annocheck: Add crti.o and crtn.o to the list of known glibc special files. (#2158740) + +* Fri Jan 06 2023 Nick Clifton - 11.03-1 +- Annocheck: Fix memory leaks. + +* Wed Jan 04 2023 Nick Clifton - 11.02-1 +- Annocheck: Do not assume that object files contain no code simply because they do not have an executable segment. (#2158182) + +* Wed Jan 04 2023 Nick Clifton - 11.01-1 +- Annocheck: Add more special glibc filenames. (#2158100) + +* Wed Dec 21 2022 Nick Clifton - 10.99-1 +- Annocheck: Improve handling of tool versions. + +* Tue Dec 20 2022 Nick Clifton - 10.98-3 +- Spec File: Fix building with plugin_rebuild enabled. + +* Fri Dec 16 2022 Nick Clifton - 10.98-1 +- GCC plugin: Fix building with gcc-13. + +* Fri Dec 16 2022 Nick Clifton - 10.97-1 +- Annocheck: Add test for binaries built by cross compilers. + +* Thu Dec 15 2022 Nick Clifton - 10.96-1 +- Annocheck: Improve heuristic used to detect binaries without code. (#2144533) + +* Mon Dec 12 2022 Nick Clifton - 10.95-1 +- Annocheck: Avoid using debug filename when parsing notes in a debuginfo file. (#2152280) + +* Wed Nov 30 2022 Nick Clifton - 10.94-1 +- Annocheck: Better detection of binaries which do not contain code. (#2144533) + +* Wed Nov 23 2022 Nick Clifton - 10.93-1 +- Annocheck: Provide more information when a test is skipped because the file being tested was not compiled. + +* Mon Nov 07 2022 Nick Clifton - 10.92-1 +- Annocheck: Try harder not to run mutually exclusive tests. + +* Fri Oct 21 2022 Nick Clifton - 10.91-1 +- Tests: Fix future-test so that it properly handles the situation where the compiler does not support the new options. + +* Wed Oct 19 2022 Nick Clifton - 10.90-1 +- Libannocheck: Actually set result fields after tests are run. + +* Tue Oct 11 2022 Nick Clifton - 10.89-1 +- Libannocheck: Replace libannocheck_version variable with LIBANNOCHECK_VERSION define. + +* Tue Oct 11 2022 Nick Clifton - 10.88-1 +- Libannocheck: Remove 'Requires binutils-devel' from libannocheck.pc. + +* Wed Oct 05 2022 Nick Clifton - 10.87-2 +- Libannocheck: Move into separate sub-package. + +* Fri Sep 30 2022 Nick Clifton - 10.87-1 +- Libannocheck: Add libannocheck.pc pkgconfig file. + +* Fri Sep 30 2022 Nick Clifton - 10.86-1 +- Libannocheck: Add libannocheck_reinit(). + +* Thu Sep 22 2022 Nick Clifton - 10.85-1 +- GCC Plugin: Record -ftrivial-auto-var-init and -fzero-call-used-regs. +- Annocheck: Add future tests for -ftrivial-auto-var-init and -fzero-call-used-regs. + +* Tue Sep 20 2022 Serge Guelton - 10.84-1 +- Clang Plugin: Fix for building with Clang-15. (#2125875) + +* Fri Sep 09 2022 Nick Clifton - 10.83-1 +- Annocheck: Add a test for the inconsistent use of -Ofast. (#1248744) + +* Tue Sep 06 2022 Nick Clifton - 10.81-2 +- NVR Bump in order to trigger a rebuild for ELN. (#2124562) * Thu Aug 11 2022 Nick Clifton - 10.81-1 - Plugin: Fix top level configuration support for RiscV. diff --git a/plans/ci.fmf b/plans/ci.fmf index 1ad2c12..85710d6 100644 --- a/plans/ci.fmf +++ b/plans/ci.fmf @@ -3,4 +3,4 @@ discover: how: fmf directory: tests execute: - how: beakerlib + how: tmt diff --git a/sources b/sources index 5b4476b..98d9553 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -SHA512 (annobin-10.81.tar.xz) = e62098c3537fd4d5be4d8219f9ab6e5305d49f350c659f669851181333944676c4f3c7b2075fef2b8c652c1617095e5462c88aa4aeb5851c1e18c4bd182f51bb +SHA512 (annobin-11.08.tar.xz) = 233e0314648b3577bd3e8f977b7da523e3c1770664dd0ade10e97fa251aa00fe1e02fb3104973bf5f6a30b1acb21772a3d9ba05c89bf1edf2feb665f88000fee diff --git a/tests/Regression/annobin-fails-to-skip-endbr64-entry-point-check/main.fmf b/tests/Regression/annobin-fails-to-skip-endbr64-entry-point-check/main.fmf index 435d7ff..e0cbc5d 100644 --- a/tests/Regression/annobin-fails-to-skip-endbr64-entry-point-check/main.fmf +++ b/tests/Regression/annobin-fails-to-skip-endbr64-entry-point-check/main.fmf @@ -8,9 +8,11 @@ component: - annobin test: ./runtest.sh framework: beakerlib -recommend: +require: - annobin-annocheck +- annobin-plugin-gcc - gcc +- redhat-rpm-config duration: 48h extra-summary: /tools/annobin/Regression/annobin-fails-to-skip-endbr64-entry-point-check extra-task: /tools/annobin/Regression/annobin-fails-to-skip-endbr64-entry-point-check diff --git a/tests/Regression/annobin-fails-to-skip-endbr64-entry-point-check/runtest.sh b/tests/Regression/annobin-fails-to-skip-endbr64-entry-point-check/runtest.sh index 41312a4..91fa544 100755 --- a/tests/Regression/annobin-fails-to-skip-endbr64-entry-point-check/runtest.sh +++ b/tests/Regression/annobin-fails-to-skip-endbr64-entry-point-check/runtest.sh @@ -28,13 +28,10 @@ # Include Beaker environment . /usr/share/beakerlib/beakerlib.sh || exit 1 -PACKAGE="annobin" - rlJournalStart rlPhaseStartSetup rlRun "TmpDir=\$(mktemp -d)" 0 "Creating tmp directory" rlRun "pushd $TmpDir" - rlRun "rpm -q annobin-annocheck gcc" rlPhaseEnd rlPhaseStartTest @@ -43,7 +40,7 @@ rlJournalStart rlRun "gcc `rpm --eval %build_cflags` -fpic -c f1.c" rlRun "gcc `rpm --eval %build_cflags` -fpic -c f2.c" rlRun "gcc `rpm --eval %build_ldflags` -shared f1.o f2.o" - rlRun "annocheck -v a.out" + rlRun "annocheck -v --skip-lto a.out" rlPhaseEnd rlPhaseStartCleanup diff --git a/tests/Regression/identify/main.fmf b/tests/Regression/identify/main.fmf index a10e87d..674544e 100644 --- a/tests/Regression/identify/main.fmf +++ b/tests/Regression/identify/main.fmf @@ -7,15 +7,8 @@ component: test: ./runtest.sh framework: beakerlib recommend: -- annobin -- devtoolset-10 -- devtoolset-10-annocheck -- devtoolset-11 -- devtoolset-11-annocheck -- gcc-toolset-10 -- gcc-toolset-10-annocheck -- gcc-toolset-11 -- gcc-toolset-11-annocheck +- annobin-plugin-gcc +- annobin-annocheck duration: 48h extra-summary: /tools/annobin/Regression/identify extra-task: /tools/annobin/Regression/identify diff --git a/tests/Regression/lto-preprocessor-options/main.fmf b/tests/Regression/lto-preprocessor-options/main.fmf index 03e6b88..2a3e56a 100644 --- a/tests/Regression/lto-preprocessor-options/main.fmf +++ b/tests/Regression/lto-preprocessor-options/main.fmf @@ -6,11 +6,12 @@ component: - annobin test: ./runtest.sh framework: beakerlib -recommend: -- gcc -- annobin +require: +- annobin-plugin-gcc - annobin-annocheck - redhat-rpm-config +- gcc +- redhat-rpm-config duration: 48h extra-summary: /tools/annobin/Regression/lto-preprocessor-options extra-task: /tools/annobin/Regression/lto-preprocessor-options diff --git a/tests/Regression/missing-check-for-x86-property-note-content/main.fmf b/tests/Regression/missing-check-for-x86-property-note-content/main.fmf index a7afb11..b4ab7fd 100644 --- a/tests/Regression/missing-check-for-x86-property-note-content/main.fmf +++ b/tests/Regression/missing-check-for-x86-property-note-content/main.fmf @@ -7,8 +7,8 @@ component: - annobin test: ./runtest.sh framework: beakerlib -recommend: -- annobin +require: +- annobin-annocheck duration: 48h link: - relates: https://bugzilla.redhat.com/show_bug.cgi?id=1991931 diff --git a/tests/Regression/processing-params-in-reverse-order/main.fmf b/tests/Regression/processing-params-in-reverse-order/main.fmf index 19b497d..99adc08 100644 --- a/tests/Regression/processing-params-in-reverse-order/main.fmf +++ b/tests/Regression/processing-params-in-reverse-order/main.fmf @@ -7,8 +7,8 @@ component: - annobin test: ./runtest.sh framework: beakerlib -recommend: -- annobin +require: +- annobin-annocheck duration: 48h link: - relates: https://bugzilla.redhat.com/show_bug.cgi?id=1988714 diff --git a/tests/Regression/segv-when-processing-multiple-params-incl-symlink/main.fmf b/tests/Regression/segv-when-processing-multiple-params-incl-symlink/main.fmf index bd8362f..07395fa 100644 --- a/tests/Regression/segv-when-processing-multiple-params-incl-symlink/main.fmf +++ b/tests/Regression/segv-when-processing-multiple-params-incl-symlink/main.fmf @@ -7,8 +7,9 @@ component: - annobin test: ./runtest.sh framework: beakerlib -recommend: -- annobin +require: +- annobin-plugin-gcc +- annobin-annocheck - libstdc++ duration: 48h link: diff --git a/tests/Regression/testsuite/main.fmf b/tests/Regression/testsuite/main.fmf index 7352f78..f117f62 100644 --- a/tests/Regression/testsuite/main.fmf +++ b/tests/Regression/testsuite/main.fmf @@ -6,23 +6,19 @@ component: - annobin test: ./runtest.sh framework: beakerlib -recommend: -- annobin +require: +- annobin-plugin-gcc - annobin-annocheck - binutils-devel -- gcc -- gcc-c++ +- bzip2-devel +- dnf - elfutils - elfutils-devel +- gcc-c++ +- gcc-plugin-devel - make - rpm-build - rpm-devel -- gcc-plugin-devel -- yum -- dnf -- yum-utils -- bzip2-devel -- rpm-build duration: 48h extra-summary: /tools/annobin/Regression/testsuite extra-task: /tools/annobin/Regression/testsuite diff --git a/tests/Regression/testsuite/runtest.sh b/tests/Regression/testsuite/runtest.sh index c8016ad..1507c45 100755 --- a/tests/Regression/testsuite/runtest.sh +++ b/tests/Regression/testsuite/runtest.sh @@ -62,7 +62,7 @@ rlJournalStart rlRun "pushd $TMP" rlFetchSrcForInstalled $PACKAGE - rlRun "yum-builddep -y *src.rpm" + rlRun "dnf builddep -y *src.rpm" rlRun "rpm --define='_topdir $TMP' -Uvh *src.rpm" rlRun "rpmbuild --define='_topdir $TMP' -bc SPECS/annobin.spec" rlPhaseEnd diff --git a/tests/Sanity/annocheck-silently-ignores-any-file-parameter/main.fmf b/tests/Sanity/annocheck-silently-ignores-any-file-parameter/main.fmf index 9aea593..9ece622 100644 --- a/tests/Sanity/annocheck-silently-ignores-any-file-parameter/main.fmf +++ b/tests/Sanity/annocheck-silently-ignores-any-file-parameter/main.fmf @@ -7,8 +7,9 @@ component: - annobin test: ./runtest.sh framework: beakerlib -recommend: -- annobin +require: +- annobin-plugin-gcc +- annobin-annocheck duration: 48h link: - relates: https://bugzilla.redhat.com/show_bug.cgi?id=1973981 diff --git a/tests/Sanity/annocheck-silently-ignores-any-file-parameter/runtest.sh b/tests/Sanity/annocheck-silently-ignores-any-file-parameter/runtest.sh index ca991af..bb1a436 100755 --- a/tests/Sanity/annocheck-silently-ignores-any-file-parameter/runtest.sh +++ b/tests/Sanity/annocheck-silently-ignores-any-file-parameter/runtest.sh @@ -28,8 +28,6 @@ # Include Beaker environment . /usr/share/beakerlib/beakerlib.sh || exit 1 -PACKAGE="annobin" - rlJournalStart rlPhaseStartSetup rlRun "TMP=$(mktemp -d)" @@ -41,7 +39,10 @@ rlJournalStart samplecnt=$(ls *.sample | wc -l) testcnt=$(ls *.sample | \ xargs annocheck |& \ - fgrep '.sample: is not an ELF format file' | wc -l) + grep -F \ + -e '.sample: unable to read magic number' \ + -e '.sample: is not an ELF format file' \ + | wc -l) rlRun "test $samplecnt -eq 300" rlRun "test $testcnt -eq 300" rlPhaseEnd diff --git a/tests/Sanity/smoke/main.fmf b/tests/Sanity/smoke/main.fmf index 49d2862..fca8ae4 100644 --- a/tests/Sanity/smoke/main.fmf +++ b/tests/Sanity/smoke/main.fmf @@ -6,11 +6,11 @@ component: - annobin test: ./runtest.sh framework: beakerlib -recommend: +require: +- annobin-plugin-gcc +- annobin-annocheck - man-db - gcc -- annobin -- annobin-annocheck duration: 48h extra-summary: /tools/annobin/Sanity/smoke extra-task: /tools/annobin/Sanity/smoke