[2/2] image-with-hardened-binaries: Add selftest

Submitted by Maximilian Blenk on Aug. 12, 2021, 7:49 a.m. | Patch ID: 180082

Details

Message ID 1628754743217.38512@bmw.de
State New

Commit Message

Maximilian Blenk Aug. 12, 2021, 7:49 a.m.
Hi guys,

we are currently working on adding automatic checking of the binaries we put into an image for the presence of certain recommended compiler features. To achieve this, we created a bbclass that wraps around the existing project checksec.py (https://github.com/Wenzel/checksec.py). In particular, checksec.py is used to check if
* relro is enabled
* executables are compiled to be position independent code
* rpath and runpath are not set
* stack canaries are enabled
* fortify source is enabled
I must however admit that the last two checks can suffer from false positives which need manual analysis and whitelisting (the check can also be completely disabled).

Motivation:
We've decided that such checks would be a nice thing to have because people might overwrite important compiler flags in their local recipe. Additionally there is always the possibility that components are shipped as binaries instead of code (so they are actually built outside the current build environment). Overall we've detected several cases where required compiler flags have not been applied to shipped components. After internal discussion we came to the conclusion that you guys would maybe also be interested in this kind of check, so I'm offering this patch to you as well.

I would really appreciate your feedback :-)

BR Max

--

BMW Car IT GmbH
Maximilian Blenk
Security Engineer

Lise-Meitner-Str. 14
89081 Ulm
Tel.:  +49 731 378041-11

Mail: maximilian.blenk@bmw.de
Web: http://www.bmw-carit.de
------------------------------------------------------
BMW Car IT GmbH
Managing Directors: Kai-Uwe Balszuweit and Michael Böttrich
Registered office and court of registration: München HRB 134810
------------------------------------------------------
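An added illustration (not code from this patch, from the bbclass it describes, or from checksec.py): a stand-in for the PIE, NX and RELRO part of such a check, reading the ELF64 header and program headers of constructed sample binaries and applying a per-check policy shaped like the TOML sections the selftest writes (`[pie]`, `[nx]`, `[relro]` with `enabled` and `whitelist`). The paths and the policy dict are made up; the rpath/runpath, canary and fortify checks need the dynamic section and symbol table and are left out.

```python
import struct

ET_EXEC, ET_DYN, PF_X = 2, 3, 1
PT_GNU_STACK, PT_GNU_RELRO = 0x6474E551, 0x6474E552

def build_elf64(e_type, phdrs):
    """Constructed test input: minimal LE ELF64 header + (p_type, p_flags) phdrs."""
    ehdr = b"\x7fELF\x02\x01\x01" + b"\0" * 9 + struct.pack(
        "<HHIQQQIHHHHHH", e_type, 62, 1, 0, 64, 0, 0, 64, 56, len(phdrs), 64, 0, 0)
    return ehdr + b"".join(struct.pack("<IIQQQQQQ", t, f, 0, 0, 0, 0, 0, 0)
                           for t, f in phdrs)

def inspect(data):
    """Derive PIE / NX / RELRO from the ELF header and program headers."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("only little-endian ELF64 is handled here")
    e_type, = struct.unpack_from("<H", data, 16)
    e_phoff, = struct.unpack_from("<Q", data, 32)
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 54)
    flags = {}
    for i in range(e_phnum):
        p_type, p_flags = struct.unpack_from("<II", data, e_phoff + i * e_phentsize)
        flags[p_type] = p_flags
    return {
        "pie": e_type == ET_DYN,                       # ET_EXEC: fixed load address
        "nx": PT_GNU_STACK in flags and not flags[PT_GNU_STACK] & PF_X,
        "relro": PT_GNU_RELRO in flags,                # GNU_RELRO segment present
    }

def evaluate(binaries, config):
    """Apply a policy shaped like the selftest's TOML ([check] enabled/whitelist)
    to {path: bytes}; returns the (path, check) pairs that violate it."""
    violations = []
    for path, data in sorted(binaries.items()):
        props = inspect(data)
        for check, rule in config.items():
            if rule.get("enabled", True) and path not in rule.get("whitelist", []):
                if not props[check]:
                    violations.append((path, check))
    return violations

# Constructed sample rootfs: one hardened binary, one legacy binary whitelisted for relro only.
SAMPLE_BINARIES = {
    "/usr/bin/good": build_elf64(ET_DYN, [(PT_GNU_STACK, 6), (PT_GNU_RELRO, 4)]),
    "/usr/bin/legacy": build_elf64(ET_EXEC, [(PT_GNU_STACK, 7)]),  # exec stack, no RELRO
}
SAMPLE_CONFIG = {
    "pie": {"enabled": True, "whitelist": []},
    "nx": {"enabled": True, "whitelist": []},
    "relro": {"enabled": True, "whitelist": ["/usr/bin/legacy"]},
}
```

`evaluate(SAMPLE_BINARIES, SAMPLE_CONFIG)` reports the legacy binary for `pie` and `nx` only, because its missing RELRO is whitelisted; disabling a section or removing the whitelist entry changes the result accordingly.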


diff --git a/lib/oeqa/selftest/cases/hardened_binaries_checker.py b/lib/oeqa/selftest/cases/hardened_binaries_checker.py
new file mode 100644
index 0000000..6385757
--- /dev/null
+++ b/lib/oeqa/selftest/cases/hardened_binaries_checker.py
@@ -0,0 +1,42 @@ 
+import os
+import re
+
+from oeqa.selftest.case import OESelftestTestCase
+from oeqa.utils.commands import bitbake, get_bb_var
+
+class HardenTests(OESelftestTestCase):
+    def test_hardened_binaries(self):
+
+        self.write_recipeinc('emptytest', """
+SUMMARY = "A small image just capable of allowing a device to boot."
+
+IMAGE_INSTALL = "packagegroup-core-boot ${CORE_IMAGE_EXTRA_INSTALL}"
+
+CORE_IMAGE_EXTRA_INSTALL ?= ""
+
+LICENSE = "MIT"
+
+inherit image
+
+IMAGE_ROOTFS_SIZE ?= "8192"
+
+inherit image-with-hardened-binaries
+
+HARDENED_BINARIES_CONFIG_FILE = "${WORKDIR}/check-config.toml"
+
+do_write_config_file() {
+    echo "[rpath]\nenabled = true\nwhitelist = []\n" > "${WORKDIR}/check-config.toml"
+    echo "[runpath]\nenabled = true\nwhitelist = []\n" >> "${WORKDIR}/check-config.toml"
+    echo "[relro]\nenabled = true\nwhitelist = []\n" >> "${WORKDIR}/check-config.toml"
+    echo "[pie]\nenabled = true\nwhitelist = []\n" >> "${WORKDIR}/check-config.toml"
+    echo "[nx]\nenabled = true\nwhitelist = []\n" >> "${WORKDIR}/check-config.toml"
+}
+
+addtask do_write_config_file before do_image_qa
+
+        """)
+
+        result = bitbake("-c image_qa emptytest", ignore_status=True)
+        if result.status != 0:
+            self.logger.warn(result.output)
+            raise self.failureException("build failed, something went wrong...")
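Review bot: the test only proves that `do_image_qa` succeeds for a default core-boot image; nothing verifies that the class actually rejects a non-hardened binary, so a regression that silently skips the checksec run would still pass. Consider a second case that installs a deliberately non-PIE or RPATH-carrying test binary and asserts `result.status != 0` together with the expected checker message in `result.output`. Two smaller points in the same hunk: `do_write_config_file` relies on `echo` expanding `\n`, which bash does not do by default (the generated TOML would then carry literal `\n` and each section on one line), so `printf '%s\n' ...` or a heredoc is safer; and `import os` / `import re` are unused, while `self.logger.warn` is the deprecated alias of `logger.warning`.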