Problem: Lack of annobin notes in a binary means that other tests will not work properly
Fix By: Compiling with -fplugin=annobin
Waive If: The annobin plugin is not available
Example: FAIL: notes test because gaps were detected in the annobin coverage
Example: MAYB: notes test because not all of the .text section is covered by notes
Example: FAIL: notes test because annobin notes were not found
Example: MAYB: lto test because no indication that LTO was used
Example: MAYB: stack-clash test because no notes found regarding this test
Example: FAIL: fortify test because no indication that the necessary option was used (and a C compiler was detected)
Example: FAIL: warnings test because no indication that the necessary option was used (and a C compiler was detected)
Example: FAIL: stack-realign test because stack realign support is mandatory
Example: FAIL: branch-protection test because the -mbranch-protection option was not used
This test checks that there are annobin notes covering all of the file. Annobin notes are generated by the compiler and describe the security features that have been enabled. The notes contain range information, so that it is possible to determine if all of an application has been covered by the notes, or if there are parts that are missing notes.
If annobin notes are missing from a file, or cover only part of it, then several of the other checks run by the hardened checker cannot work: they use the notes as evidence that a given option was in effect for a given range of code. Without that evidence annocheck cannot distinguish "the option was not used" from "the option was used but not recorded", which is why the examples above show FAIL or MAYB results for tests such as fortify, stack-clash, lto and branch-protection that do not mention any real defect in the code.
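The coverage check described above, as an added illustration that is not part of annocheck or the annobin project: it parses a constructed blob of ELF note records in the shape annobin uses (namesz/descsz/type header, a name beginning with "GA", and a description holding the start and end address of the range the note applies to, with an empty description meaning "same range as the previous note"), then reports the parts of .text that no note covers. The note type values, the sample note names and the simplification that a range is always given as two 64-bit little-endian addresses are assumptions chosen for this example; annocheck's own rule for when a partially covered .text section is reported as MAYB rather than FAIL is not reproduced here.

```python
"""Find gaps in annobin-style note coverage of a .text section (illustrative, not annocheck code)."""
import struct

# Assumed note type values for build attribute notes (see lead-in).
NT_GNU_BUILD_ATTRIBUTE_OPEN = 0x100
NT_GNU_BUILD_ATTRIBUTE_FUNC = 0x101


def build_note(name: bytes, desc: bytes, ntype: int = NT_GNU_BUILD_ATTRIBUTE_OPEN) -> bytes:
    """Encode one ELF note: namesz, descsz, type, NUL-terminated name, desc, each 4-byte aligned."""
    name = name + b"\0"
    rec = struct.pack("<III", len(name), len(desc), ntype) + name
    rec += b"\0" * (-len(name) % 4)
    rec += desc + b"\0" * (-len(desc) % 4)
    return rec


def note_for_range(name: bytes, start: int, end: int) -> bytes:
    """Encode a note whose description carries an explicit [start, end) range (assumed 2 x u64 LE)."""
    return build_note(name, struct.pack("<QQ", start, end))


def parse_notes(blob: bytes):
    """Return [(name, start, end)] for every "GA" note; an empty description inherits the last range."""
    out, off, cur = [], 0, None
    while off + 12 <= len(blob):
        namesz, descsz, _ntype = struct.unpack_from("<III", blob, off)
        off += 12
        name = blob[off:off + namesz].rstrip(b"\0")
        off += (namesz + 3) & ~3
        desc = blob[off:off + descsz]
        off += (descsz + 3) & ~3
        if not name.startswith(b"GA"):
            continue                      # not a build attribute note; ignore it
        if descsz == 16:
            cur = struct.unpack("<QQ", desc)
        elif descsz != 0:
            raise ValueError(f"unsupported description size {descsz} (example only handles 0 or 16)")
        if cur is None:
            raise ValueError("note with empty description but no previous range to inherit")
        out.append((name.decode("latin-1"), cur[0], cur[1]))
    return out


def coverage_gaps(notes, text_start: int, text_end: int):
    """Return the sub-ranges of [text_start, text_end) that no note range covers."""
    ivals = sorted((max(s, text_start), min(e, text_end))
                   for _, s, e in notes if s < text_end and e > text_start)
    gaps, pos = [], text_start
    for s, e in ivals:
        if s > pos:
            gaps.append((pos, s))
        pos = max(pos, e)
    if pos < text_end:
        gaps.append((pos, text_end))
    return gaps


def check_notes(blob: bytes, text_start: int, text_end: int):
    """Simplified verdict in the spirit of the notes test: (status string, list of gaps)."""
    notes = parse_notes(blob)
    if not notes:
        return "FAIL: annobin notes were not found", []
    gaps = coverage_gaps(notes, text_start, text_end)
    if gaps:
        return "FAIL: gaps were detected in the annobin coverage", gaps
    return "PASS", []


# Constructed sample: a version-style note per compilation unit plus one attribute note that
# inherits its range.  The unit at 0x1800-0x1a00 (e.g. hand-written assembly) carries no notes.
SAMPLE_NOTES = b"".join([
    note_for_range(b"GA$\x013p9", 0x1000, 0x1400),   # assumed version-note name shape
    build_note(b"GA*GOW:0x452b", b""),                # empty desc: same range as the note above
    note_for_range(b"GA$\x013p9", 0x1400, 0x1800),
    note_for_range(b"GA$\x013p9", 0x1a00, 0x2000),
])

if __name__ == "__main__":
    status, gaps = check_notes(SAMPLE_NOTES, 0x1000, 0x2000)
    print(status)
    for s, e in gaps:
        print(f"  uncovered: {s:#x}-{e:#x}")
```

On a real binary the note bytes would come from the .gnu.build.attributes section and the .text bounds from the section header; only the parsing and the interval arithmetic are shown here. The uncovered 0x1800-0x1a00 range in the sample is exactly the situation the -Wa,--generate-missing-build-notes=yes option below is meant to address.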
Annobin notes are normally produced by a compiler plugin, which can be enabled via the -fplugin=annobin option for gcc or Clang, and the -fpass-plugin=annobin option for LLVM. (Note: for LLVM versions before 13, the -Xclang -load -Xclang annobin option should be used instead.)
Annobin notes can be generated for assembler sources by using the -Wa,--generate-missing-build-notes=yes option. Notes produced this way only mark the assembled code as covered; they cannot say which security features the hand-written code actually provides. Even better, therefore, is to add extra code to the assembler sources that creates annobin notes describing the security features the assembler code supports.
Compiling a simple C program with the -S -fverbose-asm -fplugin=annobin <security option> options (where <security option> is the option of interest, for example -fstack-clash-protection) produces assembler output containing the note that the plugin emits for <security option>, which can be copied as a template into hand-written assembler sources.
If necessary the test can be disabled via the --skip-notes and --skip-gaps options and re-enabled via the --test-notes and --test-gaps options.