| author | W. J. van der Laan <laanwj@protonmail.com> | 2022-01-04 15:37:14 +0100 |
|---|---|---|
| committer | W. J. van der Laan <laanwj@protonmail.com> | 2022-01-04 15:37:19 +0100 |
| commit | 8319c4e906e6df5f2048e7c048942fde285a93a2 (patch) | |
| tree | 2d9a08f387118721c4f346e9310eb717f02878e2 | |
| parent | 66be456d93a66526322b7f36fd734a8dbd5e5524 (diff) | |
| parent | b9898aeeaa6a3db76e40f1981d0a9db80a5d82ff (diff) | |
Merge bitcoin/bitcoin#23838: scripts: make security checks architecture independent
b9898aeeaa6a3db76e40f1981d0a9db80a5d82ff scripts: make security checks architecture independent (fanquake)
Pull request description:
This paves the way for using and checking for architecture-dependent flags like `-fcf-protection` on x86_64 Linux and `-mbranch-protection` on 64-bit ARM.
While we need a workaround for RISCV arch detection, I sent a change upstream (https://github.com/lief-project/LIEF/pull/640), which has been merged. So we can drop this workaround along with our other RISCV workarounds (i.e. https://github.com/lief-project/LIEF/pull/562) with the next LIEF release.
Required for #19075, #21851, #21888 etc.
Guix build:
```bash
bash-5.1# find guix-build-$(git rev-parse --short=12 HEAD)/output/ -type f -print0 | env LC_ALL=C sort -z | xargs -r0 sha256sum
```
ACKs for top commit:
laanwj:
Code review ACK b9898aeeaa6a3db76e40f1981d0a9db80a5d82ff
hebasto:
ACK b9898aeeaa6a3db76e40f1981d0a9db80a5d82ff
Tree-SHA512: d7e7c3eb33f54d44a2252f36871fdb77c182da18ee02078e8b5b4f91d02ec91f9e5c829160839b010b40670202ff05d2c702b7a3873b450878f21ade4dc0ab58
-rwxr-xr-x | contrib/devtools/security-check.py | 46 |
1 files changed, 38 insertions, 8 deletions
diff --git a/contrib/devtools/security-check.py b/contrib/devtools/security-check.py index 655f2c89c0..137fe377da 100755 --- a/contrib/devtools/security-check.py +++ b/contrib/devtools/security-check.py @@ -12,6 +12,10 @@ from typing import List import lief #type:ignore +# temporary constant, to be replaced with lief.ELF.ARCH.RISCV +# https://github.com/lief-project/LIEF/pull/562 +LIEF_ELF_ARCH_RISCV = lief.ELF.ARCH(243) + def check_ELF_RELRO(binary) -> bool: ''' Check for read-only relocations. @@ -178,24 +182,24 @@ def check_control_flow(binary) -> bool: return True return False - -CHECKS = { -lief.EXE_FORMATS.ELF: [ +BASE_ELF = [ ('PIE', check_PIE), ('NX', check_NX), ('RELRO', check_ELF_RELRO), ('Canary', check_ELF_Canary), ('separate_code', check_ELF_separate_code), -], -lief.EXE_FORMATS.PE: [ +] + +BASE_PE = [ ('PIE', check_PIE), ('DYNAMIC_BASE', check_PE_DYNAMIC_BASE), ('HIGH_ENTROPY_VA', check_PE_HIGH_ENTROPY_VA), ('NX', check_NX), ('RELOC_SECTION', check_PE_RELOC_SECTION), ('CONTROL_FLOW', check_PE_control_flow), -], -lief.EXE_FORMATS.MACHO: [ +] + +BASE_MACHO = [ ('PIE', check_PIE), ('NOUNDEFS', check_MACHO_NOUNDEFS), ('NX', check_NX), @@ -203,6 +207,21 @@ lief.EXE_FORMATS.MACHO: [ ('Canary', check_MACHO_Canary), ('CONTROL_FLOW', check_control_flow), ] + +CHECKS = { + lief.EXE_FORMATS.ELF: { + lief.ARCHITECTURES.X86: BASE_ELF, + lief.ARCHITECTURES.ARM: BASE_ELF, + lief.ARCHITECTURES.ARM64: BASE_ELF, + lief.ARCHITECTURES.PPC: BASE_ELF, + LIEF_ELF_ARCH_RISCV: BASE_ELF, + }, + lief.EXE_FORMATS.PE: { + lief.ARCHITECTURES.X86: BASE_PE, + }, + lief.EXE_FORMATS.MACHO: { + lief.ARCHITECTURES.X86: BASE_MACHO, + } } if __name__ == '__main__': 
@@ -211,13 +230,24 @@ if __name__ == '__main__': try: binary = lief.parse(filename) etype = binary.format + arch = binary.abstract.header.architecture + binary.concrete + if etype == lief.EXE_FORMATS.UNKNOWN: print(f'(unknown): unknown executable format') retval = 1 continue + if arch == lief.ARCHITECTURES.NONE: + if binary.header.machine_type == LIEF_ELF_ARCH_RISCV: + arch = LIEF_ELF_ARCH_RISCV + else: + print(f'(unknown): unknown architecture') + retval = 1 + continue + failed: List[str] = [] - for (name, func) in CHECKS[etype]: + for (name, func) in CHECKS[etype][arch]: if not func(binary): failed.append(name) if failed: |
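Review bot: the magic number in `LIEF_ELF_ARCH_RISCV = lief.ELF.ARCH(243)` (hunk `@@ -12,6 +12,10 @@`) should say where it comes from: 243 is `EM_RISCV`, the `e_machine` value the ELF specification assigns to RISC-V, and naming that in the comment lets a reader verify the constant without digging through LIEF. The comment already marks the constant as temporary pending `lief.ELF.ARCH.RISCV`; adding "remove once the LIEF release containing the upstream fix is in depends" next to the pull-request link makes the cleanup easy to find later.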
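Review bot: in the new `CHECKS` table (hunk `@@ -203,6 +207,21 @@`) every ELF architecture key points at the same `BASE_ELF` list object, and the PE and Mach-O entries reuse `BASE_PE` and `BASE_MACHO` the same way. That is correct today, but the follow-ups this change prepares for add per-architecture checks, and those must be built as new lists (for example `lief.ARCHITECTURES.X86: BASE_ELF + [('CONTROL_FLOW', check_control_flow)]`) rather than by appending to the shared list, or the check silently applies to every architecture. A one-line comment on the table saying so, or making the base lists tuples, would prevent that. Note also that the keys are LIEF architecture families, not bitness: the PE entry lists only `lief.ARCHITECTURES.X86` yet has to cover the x86_64-w64-mingw32 binaries, so checks that depend on 64-bit-ness such as `HIGH_ENTROPY_VA` still have to discriminate inside the check function.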
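Review bot: the RISC-V fallback in `@@ -211,13 +230,24 @@` reads `binary.header.machine_type` whenever `arch == lief.ARCHITECTURES.NONE`, but `machine_type` is a field of the ELF header only; a PE or Mach-O binary whose architecture LIEF cannot classify would raise `AttributeError` there instead of printing the `unknown architecture` message and continuing. Guard the fallback with `etype == lief.EXE_FORMATS.ELF`. Relatedly, `CHECKS[etype][arch]` raises `KeyError` for a recognised architecture that has no entry in the table (an ELF for an architecture outside the five listed, or a non-x86 PE), which aborts the whole run with a traceback instead of reporting the file and setting `retval = 1`; looking the entry up with `.get()` and taking the existing `unknown architecture` branch on a miss keeps the script's per-file error handling intact. Finally, the bare `binary.concrete` statement reads as a leftover: if it is there to switch the object back to its concrete type after `.abstract` was accessed, a comment should say so.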