Description of problem:
Attempting to test if grub2 binaries were properly built with stack protection via -fstack-protector-strong yields

  skip: stack-prot test because not compiled C/C++ code

Version-Release number of selected component (if applicable):
grub2-tools-minimal-2.06-27.el9_0.x86_64
annobin-annocheck-10.54-2.el9.x86_64

How reproducible:
Deterministic.

Steps to Reproduce:
1. dnf install -y annobin-annocheck grub2-tools-minimal
2. dnf debuginfo-install -y grub2-tools-minimal
3. rpm -ql grub2-tools-minimal | grep -E '/usr/s?bin/' | while read f ; do test -L $f || echo $f ; done | xargs -- annocheck --verbose --skip-all --test-stack-prot

Actual results:
annocheck: Version 10.54.
Hardened: /usr/bin/grub2-editenv: PASS: stack-prot test
Hardened: /usr/bin/grub2-editenv: Overall: PASS.
Hardened: /usr/bin/grub2-mkpasswd-pbkdf2: PASS: stack-prot test
Hardened: /usr/bin/grub2-mkpasswd-pbkdf2: Overall: PASS.
Hardened: /usr/bin/grub2-mount: PASS: stack-prot test
Hardened: /usr/bin/grub2-mount: Overall: PASS.
annocheck: Warning: /usr/sbin/grub2-get-kernel-settings: is not an ELF format file.
Hardened: /usr/sbin/grub2-probe: PASS: stack-prot test
Hardened: /usr/sbin/grub2-probe: Overall: PASS.
Hardened: /usr/sbin/grub2-set-bootflag: skip: stack-prot test because not compiled C/C++ code
Hardened: /usr/sbin/grub2-set-bootflag: Overall: PASS.
annocheck: Warning: /usr/sbin/grub2-set-default: is not an ELF format file.
annocheck: Warning: /usr/sbin/grub2-set-password: is not an ELF format file.

Expected results:
No "skip: stack-prot test because not compiled C/C++ code" on the /usr/sbin/grub2-set-bootflag binary.

Additional info:
Adding Nick to Cc in case this turns out to be an issue in annocheck itself.
Checking with readelf -Ws /usr/sbin/grub2-set-bootflag | grep '__stack_chk_fail' does not find anything, meaning the function to be called when the stack protection detects a corrupted stack is not referenced. So it seems to suggest -fstack-protector-strong was indeed not used.
Given grub2-set-bootflag is setuid (bug 2007431), the potential lack of standard compiler hardening is even more worrying.
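The two indicators used in this report, the annocheck stack-prot verdict from the reproduction steps and the readelf search for a __stack_chk_fail reference, can be reproduced without binutils by reading the ELF tables directly. The following Python script is an added example for this bug, not code from grub2, annobin or annocheck. It parses the section headers of a little-endian ELF64 file, collects symbol names from both .symtab and .dynsym, reports whether __stack_chk_fail is referenced, and reports whether an annobin notes section (assumed here to be any section named .gnu.build.attributes*) is present. The verdict() function is a simplified stand-in for annocheck's logic and is an assumption: real annocheck reads the recorded compiler options from the notes rather than looking at symbols. Non-ELF inputs such as the shell-script wrappers annocheck warned about raise ValueError. build_sample_elf() constructs a minimal synthetic image so the check runs offline; it is not a real binary.

```python
import struct

# Constants from the ELF64 specification (System V gABI).
SHT_SYMTAB = 2
SHT_STRTAB = 3
SHT_NOTE = 7
SHT_DYNSYM = 11
EHDR_FMT = "<16sHHIQQQIHHHHHH"  # Elf64_Ehdr (64 bytes, little-endian)
SHDR_FMT = "<IIQQQQIIQQ"        # Elf64_Shdr (64 bytes)
SYM_FMT = "<IBBHQQ"             # Elf64_Sym  (24 bytes)


def _cstr(blob, off):
    """Return the NUL-terminated ASCII string starting at blob[off]."""
    return blob[off:blob.index(b"\0", off)].decode("ascii", "replace")


def inspect_elf(data):
    """Report whether __stack_chk_fail is referenced from any symbol table
    and whether an annobin notes section exists in an ELF64 image."""
    ident = data[:16]
    if ident[:4] != b"\x7fELF":
        raise ValueError("not an ELF format file")
    if ident[4] != 2 or ident[5] != 1:
        raise ValueError("only little-endian ELF64 is handled here")
    hdr = struct.unpack_from(EHDR_FMT, data, 0)
    shoff, shentsize, shnum, shstrndx = hdr[6], hdr[11], hdr[12], hdr[13]
    shdrs = [struct.unpack_from(SHDR_FMT, data, shoff + i * shentsize)
             for i in range(shnum)]
    shstr_off = shdrs[shstrndx][4]                 # sh_offset of .shstrtab
    names = [_cstr(data, shstr_off + sh[0]) for sh in shdrs]
    symbols = set()
    for sh in shdrs:
        if sh[1] not in (SHT_SYMTAB, SHT_DYNSYM):  # sh_type
            continue
        strtab_off = shdrs[sh[6]][4]               # sh_link -> string table
        entsize = sh[9] or struct.calcsize(SYM_FMT)
        for i in range(sh[5] // entsize):          # sh_size / entry size
            st_name = struct.unpack_from(SYM_FMT, data, sh[4] + i * entsize)[0]
            if st_name:
                symbols.add(_cstr(data, strtab_off + st_name))
    return {
        "stack_chk_fail": "__stack_chk_fail" in symbols,
        # Assumption: annobin stores its notes in .gnu.build.attributes* sections.
        "annobin_notes": any(n.startswith(".gnu.build.attributes") for n in names),
        "sections": names,
    }


def verdict(data):
    """Simplified stand-in for annocheck's stack-prot verdict (assumption,
    the real tool reads the option level recorded in the annobin notes)."""
    info = inspect_elf(data)
    if not info["annobin_notes"]:
        return "skip: no annobin notes, cannot prove compiled C/C++ code"
    return "PASS" if info["stack_chk_fail"] else "FAIL"


def build_sample_elf(dynsyms, with_annobin_notes):
    """Constructed minimal ELF64 image for offline testing: symbol and string
    tables only, no code or program headers, so it is not a runnable binary."""
    dynstr, syms, off = b"\0", b"\0" * 24, 1     # index 0 is the null symbol
    for s in dynsyms:
        syms += struct.pack(SYM_FMT, off, 0x12, 0, 0, 0, 0)  # GLOBAL FUNC, UND
        dynstr += s.encode() + b"\0"
        off += len(s) + 1
    names = [b"", b".dynsym", b".dynstr", b".shstrtab"]
    types = [0, SHT_DYNSYM, SHT_STRTAB, SHT_STRTAB]
    bodies = [b"", syms, dynstr, None]
    if with_annobin_notes:
        names.append(b".gnu.build.attributes")
        types.append(SHT_NOTE)
        bodies.append(b"\0" * 8)                  # placeholder note payload
    shstrtab, name_off = b"", []
    for n in names:
        name_off.append(len(shstrtab))
        shstrtab += n + b"\0"
    bodies[3] = shstrtab
    blob, offsets = b"", []
    for body in bodies:
        offsets.append(64 + len(blob))
        blob += body
    shoff = 64 + len(blob)
    shdrs = b"".join(
        struct.pack(SHDR_FMT, name_off[i], types[i], 0, 0, offsets[i], len(body),
                    2 if types[i] == SHT_DYNSYM else 0, 0, 1,
                    24 if types[i] == SHT_DYNSYM else 0)
        for i, body in enumerate(bodies))
    ehdr = struct.pack(EHDR_FMT, b"\x7fELF\x02\x01\x01" + b"\0" * 9,
                       2, 62, 1, 0, 0, shoff, 0, 64, 0, 0, 64, len(bodies), 3)
    return ehdr + blob + shdrs


if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:            # e.g. python3 elfcheck.py /usr/sbin/grub2-set-bootflag
        with open(path, "rb") as f:
            print(path, verdict(f.read()))
```

Absence of a __stack_chk_fail reference is only a hint, not proof: a translation unit compiled with -fstack-protector-strong that contains no function qualifying for a canary never references the symbol, which is why the annobin notes are the authoritative record of the options actually used.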
(In reply to Jan Pazdziora from comment #0)
> Description of problem:
> Hardened: /usr/sbin/grub2-set-bootflag: skip: stack-prot test because not
> compiled C/C++ code

Just to explain further here. This message means that annocheck was unable to prove that the file being checked was created by compiling C or C++ source code. Since code written in other high level languages does not need stack protection (at least as an optionally enabled security feature), failing the test would be inappropriate.

On the other hand, being unable to prove that the source code was written in C/C++ when in fact this is the case indicates a problem with how the program is being compiled. In particular it means that annobin annotation has not been enabled, and probably that the security hardening options and debug info generation options have not been enabled either.