[Rpm-maint] [rpm-software-management/rpm] Compress annobin notes (#751)

Mark Wielaard mark at klomp.org
Mon Jun 17 11:57:13 UTC 2019


Hi Nick,

On Fri, 2019-06-14 at 09:29 -0700, nickclifton wrote:
> This is a request to add support for compressing annobin notes found
> in executable binaries built on Fedora and RHEL systems.
> 
> The annobin project adds a note section to binary files describing
> the security hardening features of how they were
> built.  Unfortunately these notes can get quite large, especially for
> projects that use lots of object files.  The objcopy program from the
> binutils package has an option to reduce the size of these notes by
> eliminating empties and merging duplicates.  If the binary does not
> contain any annobin notes then the objcopy will take no noticeable
> amount of time.  In fact even if the file does contain annobin notes
> the merging process is relatively fast and it is unlikely to add any
> significant amount of time to the overall build process.
> [...]
> diff --git a/scripts/find-debuginfo.sh b/scripts/find-debuginfo.sh
> index d75da1108..14d9ed901 100755
> --- a/scripts/find-debuginfo.sh
> +++ b/scripts/find-debuginfo.sh
> @@ -296,6 +296,8 @@ add_minidebug()
>    xz "$mini_debuginfo"
>    mini_debuginfo="${mini_debuginfo}.xz"
>    objcopy --add-section .gnu_debugdata="$mini_debuginfo" "$binary"
> +  # Compress any annobin notes in the original binary.
> +  objcopy --merge-notes "$binary"
>    rm -f "$dynsyms" "$funcsyms" "$keep_symbols" "$mini_debuginfo"
>  }
>  
> 
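Review bot: the new `objcopy --merge-notes "$binary"` line sits inside `add_minidebug()`, so it only runs when mini-debuginfo is generated, and by then the main ELF has already been stripped and split, so the `.debug` file keeps the uncompressed notes; the call also has no error handling, so an objcopy without `--merge-notes` support would fail the step. Consider moving the call into `do_file()` before the strip, and either checking for option support or tolerating the failure explicitly.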

I don't think this should be part of add_minidebug (). It is something
that would need to happen even if we don't run add_minidebug (). Also
add_minidebug () runs after stripping/splitting the main ELF file into
a .debug file (which also gets a copy of all notes).

I noticed older binutils objcopy don't seem to know about --merge-notes,
and produce large errors when trying to run.

So I think this should be something like this, in do_file (), before
the binary is actually stripped.

diff --git a/scripts/find-debuginfo.sh b/scripts/find-debuginfo.sh
index d75da11..b6a343e 100755
--- a/scripts/find-debuginfo.sh
+++ b/scripts/find-debuginfo.sh
@@ -405,6 +405,10 @@ do_file()
     fi
   fi
 
+  # Compress any annobin notes in the original binary.
+  # Ignore any errors, since older objcopy don't support --merge-notes
+  objcopy --merge-notes "$f" 2>/dev/null || true
+
   # A binary already copied into /usr/lib/debug doesn't get stripped,
   # just has its file names collected and adjusted.
   case "$dn" in
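Review bot: `objcopy --merge-notes "$f" 2>/dev/null || true` hides every failure, not only the "unknown option" case on older binutils, so a genuine objcopy error while rewriting `$f` in place would go unnoticed. Consider probing once for `--merge-notes` support (e.g. via `objcopy --help`) and only then running it unguarded, or at least logging the failure instead of discarding stderr.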

Cheers,

Mark

