setup_board: add ELF qa post_install hooks for all boards.

BUG=chromium-os:24742 TEST=./setup_board --board=$board emerge-$board quipper # no warnings. sudo binutils-config <non-gold config> emerge-$board quipper # gold warning. <edit> # Change sysroot wrapper to not pass in -fstack-protector emerge-$board quipper # stack warning. etc. Change-Id: I94ccda99e9ac47c25ff23a7fe45774fb62447e4c Reviewed-on: https://gerrit.chromium.org/gerrit/34151 Tested-by: asharif <asharif@chromium.org> Reviewed-by: <jimhebert@google.com> Reviewed-by: David James <davidjames@chromium.org> Commit-Ready: asharif <asharif@chromium.org>
2025-09-22 14:11:07 +02:00 · 2012-09-26 16:20:00 -07:00 · 2012-09-26 16:20:00 -07:00 · e824585f80
commit e824585f80
parent a242b0a7cd
2 changed files with 92 additions and 0 deletions
--- a/hooks/install/qa-elf.sh
+++ b/hooks/install/qa-elf.sh
@ -0,0 +1,86 @@
+#!/bin/bash
+
+# Copyright (c) 2012 The Chromium OS Authors. All rights reserved.
+# Use of this source code is governed by a BSD-style license that can be
+# found in the LICENSE file.
+
+check_compiler_flags()
+{
+  local binary="$1"
+  local flags=false
+  local fortify=true
+  local stack=true
+  ${readelf} -p .GCC.command.line "${binary}" | \
+  {
+    while read flag ; do
+      flags=true
+      case "${flag}" in
+        *"-U_FORTIFY_SOURCE"*)
+          fortify=false
+          ;;
+        *"-fno-stack-protector"*)
+          stack=false
+          ;;
+      esac
+    done
+    if ! ${flags}; then
+      echo "File not built with -frecord-gcc-switches: ${binary}"
+      return
+    fi
+    ${fortify} || echo "File not built with -D_FORTIFY_SOURCE: ${binary}"
+    ${stack} || echo "File not built with -fstack-protector: ${binary}"
+  }
+}
+
+check_linker_flags()
+{
+  local binary="$1"
+  local pie=false
+  local relro=false
+  local now=false
+  local gold=false
+  ${readelf} -dlSW "${binary}" | \
+  {
+    while read line ; do
+      case "${line}" in
+        *".note.gnu.gold-version"*)
+          gold=true
+          ;;
+        *"Shared object file"*)
+          pie=true
+          ;;
+        *"GNU_RELRO"*)
+          relro=true
+          ;;
+        *"BIND_NOW"*)
+          now=true
+          ;;
+      esac
+    done
+
+    ${pie} || echo "File not PIE: ${binary}"
+    ${relro} || echo "File not built with -Wl,-z,relro: ${binary}"
+    ${now} || echo "File not built with -Wl,-z,now: ${binary}"
+    ${gold} || echo "File not built with gold: ${binary}"
+  }
+}
+
+check_binaries()
+{
+  local CTARGET="${CTARGET:-${CHOST}}"
+  local readelf="${CTARGET}-readelf"
+  local binary
+  scanelf -y -B -F '%F' -R "${D}" | \
+    while read binary ; do
+      case "${binary}" in
+        *.ko)
+          ;;
+        *)
+          check_compiler_flags "${binary}"
+          check_linker_flags "${binary}"
+          ;;
+      esac
+    done
+}
+
+check_binaries
--- a/6
+++ b/6
@ -535,6 +535,12 @@ cmds=(
 )
 sudo_multi "${cmds[@]}"

+# Set up post_install hooks that run qa on ELF binaries.
+sudo_multi \
+  "mkdir -p '${BOARD_ROOT}/etc/portage/hooks'" \
+  "ln -sfT '${SCRIPTS_DIR}/hooks/install' \
+    '${BOARD_ROOT}/etc/portage/hooks/install'"
+
 # Select the profile to build based on the board and profile passed to
 # setup_board.  The developer can later change profiles by running
 # cros_choose_profile manually.