[Buildroot] [PATCH] support/testing: test_hardening: update toolchain to aarch64 for checksec tests
Thomas Perale
thomas.perale at mind.be
Thu Sep 11 19:26:53 UTC 2025
In reply of:
> TestRelroPartial is broken since the last checksec update to 2.7.1 [1]
> (Buildroot 2024.08) due to a relro check fix [2] that doesn't work for
> powerpc architecture where .got.plt doesn't exist for some reasons
> (that's why the expected result "full" is replaced by "Partial").
>
> From [3]:
>
> if ${readelf} -d "${1}/exe" 2> /dev/null | grep -q 'BIND_NOW' || ! ${readelf} -l "${1}/exe" 2> /dev/null | grep -q '\.got\.plt'; then
> echo_message '\033[32mFull RELRO \033[m ' 'Full RELRO,' ' relro="full"' '"relro":"full",'
> else
> echo_message '\033[33mPartial RELRO\033[m ' 'Partial RELRO,' ' relro="partial"' '"relro":"partial",'
>
> checksec tool is problably tested upstream on more common architectures
> like x86_64 or aarch64 than powerpc64 e5500. This may explain why
> checksec broke on powerpc64 e5500 target.
>
> Also, the Booltin powerpc64-e5500--glibc--stable-2018.02-2 toolchain
> used by test_hardening tests was not updated since the hardening tests
> were introduced back in 2018.11 release.
>
> So, switch to the current Bootling aarch64 stable toolchain
> (currently Bootlin aarch64 glibc stable 2025.08-1).
>
> Checked that all 6 hardening tests pass with this new toolchain:
>
> tests.core.test_hardening.TestFortifyConserv
> tests.core.test_hardening.TestFortifyNone
> tests.core.test_hardening.TestRelro
> tests.core.test_hardening.TestRelroPartial
> tests.core.test_hardening.TestSspNone
> tests.core.test_hardening.TestSspStrong
>
> Fixes:
> https://gitlab.com/buildroot.org/buildroot/-/jobs/11176773995 (TestRelroPartial)
>
> [1] 61505649746cb4d0dd57e35ff6139b7925bab72d
> [2] https://github.com/slimm609/checksec/commit/1c80e39c4956f902ed15c4baa8d9c17851096900
> [3] https://github.com/slimm609/checksec/commit/1c80e39c4956f902ed15c4baa8d9c17851096900#diff-9e8d1b28dfaf1c704560ac51a5613b70d70de2dcd84e87b9fa20f28811e6484aL1491
>
> Signed-off-by: Romain Naour <romain.naour at smile.fr>
Applied to 2025.02.x & 2025.05.x. Thanks
> ---
> support/testing/tests/core/test_hardening.py | 12 +++---------
> 1 file changed, 3 insertions(+), 9 deletions(-)
>
> diff --git a/support/testing/tests/core/test_hardening.py b/support/testing/tests/core/test_hardening.py
> index e9d30f3a38..2daafbd883 100644
> --- a/support/testing/tests/core/test_hardening.py
> +++ b/support/testing/tests/core/test_hardening.py
> @@ -7,16 +7,10 @@ import infra.basetest
> class TestHardeningBase(infra.basetest.BRTest):
> config = \
> """
> - BR2_powerpc64=y
> - BR2_powerpc_e5500=y
> + BR2_aarch64=y
> BR2_TOOLCHAIN_EXTERNAL=y
> - BR2_TOOLCHAIN_EXTERNAL_CUSTOM=y
> - BR2_TOOLCHAIN_EXTERNAL_DOWNLOAD=y
> - BR2_TOOLCHAIN_EXTERNAL_URL="https://toolchains.bootlin.com/downloads/releases/toolchains/powerpc64-e5500/tarballs/powerpc64-e5500--glibc--stable-2018.02-2.tar.bz2"
> - BR2_TOOLCHAIN_EXTERNAL_GCC_6=y
> - BR2_TOOLCHAIN_EXTERNAL_HEADERS_4_1=y
> - BR2_TOOLCHAIN_EXTERNAL_CUSTOM_GLIBC=y
> - BR2_TOOLCHAIN_EXTERNAL_CXX=y
> + BR2_TOOLCHAIN_EXTERNAL_BOOTLIN=y
> + BR2_TOOLCHAIN_EXTERNAL_BOOTLIN_AARCH64_GLIBC_STABLE=y
> BR2_PACKAGE_LIGHTTPD=y
> BR2_PACKAGE_HOST_CHECKSEC=y
> # BR2_TARGET_ROOTFS_TAR is not set
> --
> 2.51.0
>
> _______________________________________________
> buildroot mailing list
> buildroot at buildroot.org
> https://lists.buildroot.org/mailman/listinfo/buildroot
More information about the buildroot
mailing list