diff --git a/hooks/install/qa-elf.sh b/hooks/install/qa-elf.sh
new file mode 100755
index 0000000000..78d54f4ba9
--- /dev/null
+++ b/hooks/install/qa-elf.sh
@@ -0,0 +1,86 @@
+#!/bin/bash
+
+# Copyright (c) 2012 The Chromium OS Authors. All rights reserved.
+# Use of this source code is governed by a BSD-style license that can be
+# found in the LICENSE file.
+
+check_compiler_flags()
+{
+ local binary="$1"
+ local flags=false
+ local fortify=true
+ local stack=true
+ ${readelf} -p .GCC.command.line "${binary}" | \
+ {
+ while read flag ; do
+ flags=true
+ case "${flag}" in
+ *"-U_FORTIFY_SOURCE"*)
+ fortify=false
+ ;;
+ *"-fno-stack-protector"*)
+ stack=false
+ ;;
+ esac
+ done
+ if ! ${flags}; then
+ echo "File not built with -frecord-gcc-switches: ${binary}"
+ return
+ fi
+ ${fortify} || echo "File not built with -D_FORTIFY_SOURCE: ${binary}"
+ ${stack} || echo "File not built with -fstack-protector: ${binary}"
+ }
+}
+
+check_linker_flags()
+{
+ local binary="$1"
+ local pie=false
+ local relro=false
+ local now=false
+ local gold=false
+ ${readelf} -dlSW "${binary}" | \
+ {
+ while read line ; do
+ case "${line}" in
+ *".note.gnu.gold-version"*)
+ gold=true
+ ;;
+ *"Shared object file"*)
+ pie=true
+ ;;
+ *"GNU_RELRO"*)
+ relro=true
+ ;;
+ *"BIND_NOW"*)
+ now=true
+ ;;
+ esac
+ done
+
+ ${pie} || echo "File not PIE: ${binary}"
+ ${relro} || echo "File not built with -Wl,-z,relro: ${binary}"
+ ${now} || echo "File not built with -Wl,-z,now: ${binary}"
+ ${gold} || echo "File not built with gold: ${binary}"
+ }
+}
+
+check_binaries()
+{
+ local CTARGET="${CTARGET:-${CHOST}}"
+ local readelf="${CTARGET}-readelf"
+ local binary
+ scanelf -y -B -F '%F' -R "${D}" | \
+ while read binary ; do
+ case "${binary}" in
+ *.ko)
+ ;;
+ *)
+ check_compiler_flags "${binary}"
+ check_linker_flags "${binary}"
+ ;;
+ esac
+ done
+}
+
+check_binaries
diff --git a/setup_board b/setup_board
index 52bdd6e70f..fe86d72abe 100755
--- a/setup_board
+++ b/setup_board
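Review bot: In check_compiler_flags, `fortify` and `stack` start as `true` and are cleared only when the recorded command line contains `-U_FORTIFY_SOURCE` or `-fno-stack-protector`, so the check detects an explicit opt-out rather than confirming the hardening was applied. A binary compiled by a toolchain that does not enable these by default would pass silently, while the messages claim the file was "not built with" the flag. If a default-on toolchain is the assumption, state it above the locals, e.g. `# The toolchain enables FORTIFY_SOURCE and stack-protector by default; only explicit opt-outs are detected here.`; otherwise match the positive flags as well. Separately, the loops use `read` without `-r`, so `while IFS= read -r binary ; do` in check_binaries would keep paths with backslashes or edge whitespace intact.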
@@ -535,6 +535,12 @@ cmds=( ) sudo_multi "${cmds[@]}" +# Set up post_install hooks that run qa on ELF binaries. +sudo_multi \ + "mkdir -p '${BOARD_ROOT}/etc/portage/hooks'" \ + "ln -sfT '${SCRIPTS_DIR}/hooks/install' \ + '${BOARD_ROOT}/etc/portage/hooks/install'" + # Select the profile to build based on the board and profile passed to # setup_board. The developer can later change profiles by running # cros_choose_profile manually.
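Review bot: The `ln -sfT` line points `${BOARD_ROOT}/etc/portage/hooks/install` at a directory inside the source checkout, so whatever lands in `${SCRIPTS_DIR}/hooks/install` is presumably run by Portage on every package install for the board, with the privileges emerge runs under. That makes write access to the scripts checkout equivalent to code execution in the build, which deserves a comment next to the command, e.g. `# Hooks are symlinked from the source tree: anything added to hooks/install runs during emerge for this board.` The paths are also spliced into single-quoted strings for sudo_multi, so a `'` in BOARD_ROOT or SCRIPTS_DIR would end the quoting early; how sudo_multi runs these strings is not visible in this hunk.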