[Rpm-maint] [rpm-software-management/rpm] Compress annobin notes (#751)
mark at klomp.org
Mon Jun 17 11:57:13 UTC 2019
On Fri, 2019-06-14 at 09:29 -0700, nickclifton wrote:
> This is a request to add support for compressing annobin notes found
> in executable binaries built on Fedora and RHEL systems.
> The annobin project adds a note section to binary files describing
> the security hardening features of how they were
> built. Unfortunately these notes can get quite large, especially for
> projects that use lots of object files. The objcopy program from the
> binutils package has an option to reduce the size of these notes by
> eliminating empties and merging duplicates. If the binary does not
> contain any annobin notes then the objcopy will take no noticeable
> amount of time. In fact even if the file does contain annobin notes
> the merging process is relatively fast and it is unlikely to add any
> significant amount of time to the overall build process.
> diff --git a/scripts/find-debuginfo.sh b/scripts/find-debuginfo.sh
> index d75da1108..14d9ed901 100755
> --- a/scripts/find-debuginfo.sh
> +++ b/scripts/find-debuginfo.sh
> @@ -296,6 +296,8 @@ add_minidebug()
> xz "$mini_debuginfo"
> objcopy --add-section .gnu_debugdata="$mini_debuginfo" "$binary"
> + # Compress any annobin notes in the original binary.
> + objcopy --merge-notes "$binary"
> rm -f "$dynsyms" "$funcsyms" "$keep_symbols" "$mini_debuginfo"
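Review bot: the new `objcopy --merge-notes "$binary"` call has no error handling, so on a binutils whose objcopy does not know --merge-notes the command fails and prints an error for every binary processed; and because the call sits inside add_minidebug() it only runs when minidebuginfo is generated, after the main ELF has already been split into its .debug file, so the copy of the notes in the .debug file is never merged. Consider moving the call into do_file() ahead of the strip step and guarding it against an objcopy that lacks the option.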
I don't think this should be part of add_minidebug (). It is something
that would need to happen even if we don't run add_minidebug (). Also
add_minidebug () runs after stripping/splitting the main ELF file into
a .debug file (which also gets a copy of all notes).
I noticed older binutils objcopy doesn't seem to know about --merge-notes, and produces large errors when trying to run.
So I think this should be something like this, in do_file (), before
the binary is actually stripped.
diff --git a/scripts/find-debuginfo.sh b/scripts/find-debuginfo.sh
index d75da11..b6a343e 100755
@@ -405,6 +405,10 @@ do_file()
+ # Compress any annobin notes in the original binary.
+ # Ignore any errors, since older objcopy don't support --merge-notes
+ objcopy --merge-notes "$f" 2>/dev/null || true
# A binary already copied into /usr/lib/debug doesn't get stripped,
# just has its file names collected and adjusted.
case "$dn" in
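Review bot: `objcopy --merge-notes "$f" 2>/dev/null || true` hides every failure, not only the unsupported-option error on old binutils: an objcopy that does support --merge-notes but fails on a particular file (unwritable, truncated) is silently ignored as well, and with stderr discarded nothing in the build log explains it. Probing once whether the installed objcopy understands --merge-notes (for example from its --help output) and then running it without the `|| true` would keep genuine failures visible. Also, the hunk carries `diff --git` and `index` lines but no `---`/`+++` file headers, so it may need regenerating before `git apply` will accept it.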
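As an added example (not code from the rpm patch or from the thread), here is one way to do what the reply describes, merging the annobin notes before the binary is stripped, while separating "this objcopy is too old for --merge-notes" from "objcopy failed on this file". It assumes the objcopy to use is named by the `OBJCOPY` variable (defaulting to `objcopy` on PATH) and that an objcopy which supports the option lists `--merge-notes` in its `--help` output, which is how binutils documents its options; both the function names and that probe are this example's own choices.

```shell
#!/bin/sh
# Added example, not part of find-debuginfo.sh or the patches above.
# Probe once whether the objcopy in use understands --merge-notes, then run it
# only when it does, so that real failures on a binary are not swallowed by a
# blanket "2>/dev/null || true".
#
# Assumptions (not from the thread): $OBJCOPY names the objcopy to run
# (default: objcopy on PATH), and a supporting objcopy mentions
# "--merge-notes" in its --help output.

: "${OBJCOPY:=objcopy}"

# Returns 0 if "$OBJCOPY --help" mentions --merge-notes, 1 otherwise.
objcopy_supports_merge_notes() {
    "$OBJCOPY" --help 2>/dev/null | grep -q -- '--merge-notes'
}

# Merge annobin notes in the file named by $1.
# Exit status: 0 merged, 2 skipped (objcopy lacks the option),
#              1 objcopy supports the option but failed on this file.
merge_annobin_notes() {
    f=$1
    if ! objcopy_supports_merge_notes; then
        echo "merge_annobin_notes: $OBJCOPY lacks --merge-notes, leaving $f as is" >&2
        return 2
    fi
    # No stderr redirection here: a failure on a real file should be visible.
    if ! "$OBJCOPY" --merge-notes "$f"; then
        echo "merge_annobin_notes: objcopy --merge-notes failed on $f" >&2
        return 1
    fi
    return 0
}

# Usage: ./merge-notes.sh BINARY... (does nothing when called without arguments)
if [ $# -gt 0 ]; then
    for f; do
        merge_annobin_notes "$f"
    done
fi
```

In find-debuginfo.sh this would replace the single `objcopy --merge-notes "$f" 2>/dev/null || true` line in do_file(): the skip case (status 2) is the old-binutils situation the reply wants to tolerate, while status 1 is a real objcopy failure that the build should still report.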