[PATCH 2/2] image-with-hardened-binaries: Add selftest

Maximilian Blenk <Maximilian.Blenk@...>

Hi guys,

we are currently working on adding automatic checks of the binaries we put into an image for the presence of certain recommended compiler features. To achieve this, we created a bbclass that wraps around the existing project checksec.py (https://github.com/Wenzel/checksec.py). In particular, checksec.py is used to check if
* relro is enabled
* executables are compiled as position-independent code
* rpath and runpath are not set
* stack canaries are enabled
* fortify source is enabled
I must, however, admit that the last two checks can suffer from false positives, which need manual analysis and whitelisting (the check can also be completely disabled).

We've decided that such checks would be a nice thing to have because people might overwrite important compiler flags in their local recipe. Additionally, there is always the possibility that components are shipped as binaries instead of code (so they are actually built outside the current build environment). Overall we've detected several cases where required compiler flags have not been applied to shipped components. After internal discussion we came to the conclusion that you guys would maybe also be interested in this kind of check, so I'm offering this patch to you as well.

I would really appreciate your feedback :-)

BR Max


Maximilian Blenk
Security Engineer

Lise-Meitner-Str. 14
89081 Ulm
Tel.: +49 731 378041-11

Mail: maximilian.blenk@...
Web: http://www.bmw-carit.de
Managing Directors: Kai-Uwe Balszuweit and Michael Böttrich
Registered office and court of registration: München HRB 134810

From: Blenk Maximilian, JC-4
Sent: Thursday, 12 August 2021 00:36
To: yocto@...
Cc: Blenk Maximilian, JC-4
Subject: [PATCH 2/2] image-with-hardened-binaries: Add selftest

Add selftest that executes binary analysis on small rootfs

Signed-off-by: Maximilian Blenk <Maximilian.Blenk@...>
.../cases/hardened_binaries_checker.py | 42 +++++++++++++++++++
1 file changed, 42 insertions(+)
create mode 100644 lib/oeqa/selftest/cases/hardened_binaries_checker.py

diff --git a/lib/oeqa/selftest/cases/hardened_binaries_checker.py b/lib/oeqa/selftest/cases/hardened_binaries_checker.py
new file mode 100644
index 0000000..6385757
--- /dev/null
+++ b/lib/oeqa/selftest/cases/hardened_binaries_checker.py
@@ -0,0 +1,42 @@
+import os
+import re
+from oeqa.selftest.case import OESelftestTestCase
+from oeqa.utils.commands import bitbake, get_bb_var
+class HardenTests(OESelftestTestCase):
+ def test_hardened_binaries(self):
+ self.write_recipeinc('emptytest', """
+SUMMARY = "A small image just capable of allowing a device to boot."
+IMAGE_INSTALL = "packagegroup-core-boot ${CORE_IMAGE_EXTRA_INSTALL}"
+inherit image
+inherit image-with-hardened-binaries
+do_write_config_file() {
+ echo "[rpath]\nenabled = true\nwhitelist = []\n" > "${WORKDIR}/check-config.toml"
+ echo "[runpath]\nenabled = true\nwhitelist = []\n" >> "${WORKDIR}/check-config.toml"
+ echo "[relro]\nenabled = true\nwhitelist = []\n" >> "${WORKDIR}/check-config.toml"
+ echo "[pie]\nenabled = true\nwhitelist = []\n" >> "${WORKDIR}/check-config.toml"
+ echo "[nx]\nenabled = true\nwhitelist = []\n" >> "${WORKDIR}/check-config.toml"
+addtask do_write_config_file before do_image_qa
+ """)
+ result = bitbake("-c image_qa emptytest", ignore_status=True)
+ if result.status != 0:
+ self.logger.warn(result.output)
+ raise self.failureException("build failed, something went wrong...")
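Review bot: the config file written in do_write_config_file relies on echo expanding the "\n" escapes in `echo "[rpath]\nenabled = true\nwhitelist = []\n" > "${WORKDIR}/check-config.toml"` and the four lines that follow it; whether echo does that is implementation-defined in POSIX sh, and with bash's builtin echo the backslashes are written literally, which leaves a single-line, invalid TOML file, so the test passes or fails depending on which shell the host's /bin/sh is. Use printf (e.g. `printf '[rpath]\nenabled = true\nwhitelist = []\n' > "${WORKDIR}/check-config.toml"`) or a quoted heredoc instead. Smaller points: `import os` and `import re` are unused; `self.logger.warn` is deprecated in favour of `self.logger.warning`; and the test only covers the passing path for the five checks it enables (the stack-canary and fortify checks described in the cover note are not exercised), so a second case that installs a deliberately unhardened binary and asserts that do_image_qa fails would show that the class actually rejects something.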

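To make concrete what the cover note's relro, PIE, rpath/runpath and NX checks look at, here is an added example (not part of the patch and not checksec.py's code) that reads those properties straight from ELF64 program and dynamic headers; `build_sample` is a helper that constructs a minimal header-only ELF64 image so the check can be exercised offline. The stack-canary and fortify checks are not covered, since they need the symbol table.

```python
import struct

# ELF constants (values from the ELF specification / elf.h)
ET_DYN, PT_DYNAMIC, PT_GNU_STACK, PT_GNU_RELRO, PF_X = 3, 2, 0x6474E551, 0x6474E552, 1
DT_NULL, DT_RPATH, DT_RUNPATH, DT_FLAGS, DF_BIND_NOW = 0, 15, 29, 30, 8
EHDR, PHDR, DYN = "<16sHHIQQQIHHHHHH", "<IIQQQQQQ", "<qQ"  # little-endian ELF64 layouts

def inspect_elf(data):
    """Return the hardening properties of a little-endian ELF64 image."""
    ident, e_type, _, _, _, phoff, _, _, _, phentsize, phnum, _, _, _ = struct.unpack_from(EHDR, data)
    if ident[:4] != b"\x7fELF" or ident[4] != 2 or ident[5] != 1:
        raise ValueError("not a little-endian ELF64 file")
    res = {"pie": e_type == ET_DYN, "relro": "none", "nx": False, "rpath": False, "runpath": False}
    bind_now = False
    for i in range(phnum):
        p_type, p_flags, p_off, _, _, p_filesz, _, _ = struct.unpack_from(PHDR, data, phoff + i * phentsize)
        if p_type == PT_GNU_STACK:
            res["nx"] = not (p_flags & PF_X)          # NX: stack segment is not executable
        elif p_type == PT_GNU_RELRO:
            res["relro"] = "partial"                  # RELRO segment present
        elif p_type == PT_DYNAMIC:                    # walk the dynamic section entries
            for off in range(p_off, p_off + p_filesz, 16):
                tag, val = struct.unpack_from(DYN, data, off)
                if tag == DT_NULL:
                    break
                bind_now |= tag == DT_FLAGS and bool(val & DF_BIND_NOW)
                res["rpath"] |= tag == DT_RPATH
                res["runpath"] |= tag == DT_RUNPATH
    if res["relro"] == "partial" and bind_now:
        res["relro"] = "full"                         # RELRO segment plus BIND_NOW = full RELRO
    return res

def build_sample(pie=True, relro=True, bind_now=True, nx=True, runpath=False):
    """Construct a minimal ELF64 image (headers only, no code) with the chosen properties."""
    dyn = []
    if bind_now:
        dyn.append((DT_FLAGS, DF_BIND_NOW))
    if runpath:
        dyn.append((DT_RUNPATH, 1))                   # string-table offset is irrelevant here
    dyn.append((DT_NULL, 0))
    dyn_bytes = b"".join(struct.pack(DYN, t, v) for t, v in dyn)
    phdrs = [(PT_GNU_STACK, 0 if nx else PF_X, 0, 0, 0, 0, 0, 16)]
    if relro:
        phdrs.append((PT_GNU_RELRO, 4, 0, 0, 0, 0, 0, 1))
    dyn_off = 64 + 56 * (len(phdrs) + 1)              # dynamic section follows the program headers
    phdrs.append((PT_DYNAMIC, 6, dyn_off, 0, 0, len(dyn_bytes), len(dyn_bytes), 8))
    ident = b"\x7fELF" + bytes([2, 1, 1]) + bytes(9)  # ELFCLASS64, little-endian, EV_CURRENT
    ehdr = struct.pack(EHDR, ident, ET_DYN if pie else 2, 0x3E, 1, 0, 64, 0, 0, 64, 56, len(phdrs), 64, 0, 0)
    return ehdr + b"".join(struct.pack(PHDR, *p) for p in phdrs) + dyn_bytes
```

Run `inspect_elf(open(path, "rb").read())` on a real binary from the image to compare its output with what checksec.py reports.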