* [Buildroot] [RFC PATCH v2] Verify hardened builds
@ 2018-05-07 12:10 Stefan Sørensen
  2018-05-07 12:10 ` [Buildroot] [RFC PATCH v2] annobin: New package Stefan Sørensen
                   ` (2 more replies)
  0 siblings, 3 replies; 4+ messages in thread
From: Stefan Sørensen @ 2018-05-07 12:10 UTC (permalink / raw)
  To: buildroot

This patch series introduces a new package post install check that
verifies that the correct build hardening flags have been applied.

Most of the work here is done by the annobin GCC plugin that annotates
all object files, libraries and executables with the flags used in
the build.

The checking functionality is heavily based on the check-bin-arch
functionality with only minor adjustments, and with the validation
itself performed by the hardened.sh script from the annobin package.

At the end of the package install step, it will output any failed
checks:
hardened.sh: output/target/usr/bin/foo: FAIL: compiled with -fstack-protector-off
hardened.sh: output/target/usr/bin/foo: FAIL: optimization level of -O0 used
hardened.sh: output/target/usr/bin/foo: FAIL: insufficient value for -D_FORTIFY_SOURCE=0
hardened.sh: output/target/usr/bin/foo: FAIL: -Wl,-z,now not used

---
Changes v1-v2:
 * Make annobin a proper host package
 * Split package addition and toolchain integration
 * Remove GCC 6 dependency
 * Add patches to fix PIC/PIE checks in hardened.sh
 * Install annobin plugin in $(HOST_DIR)/lib/gcc/plugin/annobin
 * Spelling fixes

Stefan Sørensen (3):
  annobin: New package
  toolchain: Integrate annobin gcc plugin
  core: Verify that hardening flags are used

 Config.in                                     |  9 +++
 DEVELOPERS                                    |  1 +
 package/Config.in.host                        |  1 +
 package/annobin/0001-Fix-pic-pie-check.patch  | 43 +++++++++++
 ...reat-.so.-files-as-dynamic-libraries.patch | 32 ++++++++
 ...3-Only-issue-warning-for-PIC-PIE-mix.patch | 52 +++++++++++++
 package/annobin/Config.in.host                | 13 ++++
 package/annobin/annobin.hash                  |  2 +
 package/annobin/annobin.mk                    | 43 +++++++++++
 package/gcc/gcc-final/gcc-final.mk            |  3 +
 package/pkg-generic.mk                        | 36 +++++++++
 support/scripts/check-hardened                | 75 +++++++++++++++++++
 .../pkg-toolchain-external.mk                 |  3 +
 toolchain/toolchain-wrapper.c                 |  3 +
 toolchain/toolchain/toolchain.mk              |  4 +
 15 files changed, 320 insertions(+)
 create mode 100644 package/annobin/0001-Fix-pic-pie-check.patch
 create mode 100644 package/annobin/0002-Also-treat-.so.-files-as-dynamic-libraries.patch
 create mode 100644 package/annobin/0003-Only-issue-warning-for-PIC-PIE-mix.patch
 create mode 100644 package/annobin/Config.in.host
 create mode 100644 package/annobin/annobin.hash
 create mode 100644 package/annobin/annobin.mk
 create mode 100755 support/scripts/check-hardened

-- 
2.17.0


* [Buildroot] [RFC PATCH v2] annobin: New package
  2018-05-07 12:10 [Buildroot] [RFC PATCH v2] Verify hardened builds Stefan Sørensen
@ 2018-05-07 12:10 ` Stefan Sørensen
  2018-05-07 12:10 ` [Buildroot] [RFC PATCH v2] toolchain: Integrate annobin gcc plugin Stefan Sørensen
  2018-05-07 12:10 ` [Buildroot] [RFC PATCH v2] core: Verify that hardening flags are used Stefan Sørensen
  2 siblings, 0 replies; 4+ messages in thread
From: Stefan Sørensen @ 2018-05-07 12:10 UTC (permalink / raw)
  To: buildroot

Signed-off-by: Stefan Sørensen <stefan.sorensen@spectralink.com>
---
 DEVELOPERS                     |  1 +
 package/Config.in.host         |  1 +
 package/annobin/Config.in.host | 13 ++++++++++++
 package/annobin/annobin.hash   |  2 ++
 package/annobin/annobin.mk     | 37 ++++++++++++++++++++++++++++++++++
 5 files changed, 54 insertions(+)
 create mode 100644 package/annobin/Config.in.host
 create mode 100644 package/annobin/annobin.hash
 create mode 100644 package/annobin/annobin.mk

diff --git a/DEVELOPERS b/DEVELOPERS
index 24d134cb70..edf432443c 100644
--- a/DEVELOPERS
+++ b/DEVELOPERS
@@ -1787,6 +1787,7 @@ F:	package/yasm/
 F:	package/zlib-ng/
 
 N:	Stefan S?rensen <stefan.sorensen@spectralink.com>
+F:	package/annobin/
 F:	package/cracklib/
 F:	package/libpwquality/
 F:	package/libscrypt/
diff --git a/package/Config.in.host b/package/Config.in.host
index a8a4c1f802..672025757a 100644
--- a/package/Config.in.host
+++ b/package/Config.in.host
@@ -2,6 +2,7 @@ menu "Host utilities"
 
 	source "package/aespipe/Config.in.host"
 	source "package/android-tools/Config.in.host"
+	source "package/annobin/Config.in.host"
 	source "package/cargo/Config.in.host"
 	source "package/cbootimage/Config.in.host"
 	source "package/checkpolicy/Config.in.host"
diff --git a/package/annobin/Config.in.host b/package/annobin/Config.in.host
new file mode 100644
index 0000000000..8bf2c86cb1
--- /dev/null
+++ b/package/annobin/Config.in.host
@@ -0,0 +1,13 @@
+config BR2_PACKAGE_HOST_ANNOBIN
+	bool "annobin"
+	help
+	  A plugin for GCC that records extra information in the files
+	  that it compiles, and a set of scripts that analyze the
+	  recorded information.  These scripts can determine things
+	  ABI clashes in compiled binaries, or the absence of required
+	  hardening options
+
+	  Enabling this will slightly (1-2%) increase the size of
+	  built binaries.
+
+	  https://developers.redhat.com/blog/2018/02/20/annobin-storing-information-binaries/
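Review bot: the help text in the new package/annobin/Config.in.host hunk has a dropped word and a missing full stop: `These scripts can determine things` / `ABI clashes in compiled binaries, or the absence of required` / `hardening options` should read "These scripts can determine things such as ABI clashes in compiled binaries, or the absence of required hardening options."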
diff --git a/package/annobin/annobin.hash b/package/annobin/annobin.hash
new file mode 100644
index 0000000000..0340e55291
--- /dev/null
+++ b/package/annobin/annobin.hash
@@ -0,0 +1,2 @@
+# Locally calculated
+sha256	176a8588088af40361f14415c2a1dfaae0723c46cd6df7765605090d6c4cea49  annobin-5.6.tar.xz
diff --git a/package/annobin/annobin.mk b/package/annobin/annobin.mk
new file mode 100644
index 0000000000..32a5d4b6f0
--- /dev/null
+++ b/package/annobin/annobin.mk
@@ -0,0 +1,37 @@
+################################################################################
+#
+# annobin
+#
+################################################################################
+
+ANNOBIN_VERSION = 5.6
+ANNOBIN_SOURCE = annobin-$(ANNOBIN_VERSION).tar.xz
+ANNOBIN_SITE = https://nickc.fedorapeople.org
+
+HOST_ANNOBIN_DEPENDENCIES += toolchain
+
+# The plugin has to be configured with the same arcane configure
+# scripts used by gcc, this prevents regeneration of the scripts.
+define ANNOBIN_PRE_CONFIGURE_FIXUP
+	(cd $(@D); touch aclocal.m4 plugin/config.h.in configure */configure \
+		Makefile.in */Makefile.in)
+endef
+
+HOST_ANNOBIN_PRE_CONFIGURE_HOOKS += ANNOBIN_PRE_CONFIGURE_FIXUP
+
+# If using a pre-installed external toolchain, we cannot install the plugin in
+# the standard location, so provide our own and put the include path from the
+# standard location in CXX_FLAGS.
+HOST_ANNOBIN_PLUGIN_DIR = $(HOST_DIR)/lib/gcc/plugin/annobin
+HOST_ANNOBIN_CXXFLAGS = $(HOST_CXXFLAGS) -I$(shell $(TARGET_CC) --print-file-name=plugin)/include
+
+# The host and target options are mixed up, so override the defaults
+HOST_ANNOBIN_CONF_OPTS = \
+	--build=$(GNU_HOST_NAME) \
+	--host=$(GNU_TARGET_NAME) \
+	--with-gcc-plugin-dir=$(HOST_ANNOBIN_PLUGIN_DIR) \
+	CXXFLAGS="$(HOST_ANNOBIN_CXXFLAGS)"
+
+HOST_ANNOBIN_GCC_PLUGIN=$(HOST_ANNOBIN_PLUGIN_DIR)/annobin.so
+
+$(eval $(host-autotools-package))
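Review bot: style nit in annobin.mk: `HOST_ANNOBIN_GCC_PLUGIN=$(HOST_ANNOBIN_PLUGIN_DIR)/annobin.so` is the only assignment in the file without spaces around `=`; write it as `HOST_ANNOBIN_GCC_PLUGIN = $(HOST_ANNOBIN_PLUGIN_DIR)/annobin.so` like the others. The comment `# The host and target options are mixed up, so override the defaults` above `--host=$(GNU_TARGET_NAME)` should also say what annobin's configure script takes `--host` to mean, because in a host package a target triplet in `--host` reads like a bug to anyone who has not dug into that configure script.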
-- 
2.17.0


* [Buildroot] [RFC PATCH v2] toolchain: Integrate annobin gcc plugin
  2018-05-07 12:10 [Buildroot] [RFC PATCH v2] Verify hardened builds Stefan Sørensen
  2018-05-07 12:10 ` [Buildroot] [RFC PATCH v2] annobin: New package Stefan Sørensen
@ 2018-05-07 12:10 ` Stefan Sørensen
  2018-05-07 12:10 ` [Buildroot] [RFC PATCH v2] core: Verify that hardening flags are used Stefan Sørensen
  2 siblings, 0 replies; 4+ messages in thread
From: Stefan Sørensen @ 2018-05-07 12:10 UTC (permalink / raw)
  To: buildroot

This patch integrates the annobin gcc plugin into the toolchain by adding a
-fplugin=<path>/annobin.so flag to the toolchain wrapper.

This introduces a dependency on the host-annobin package to the toolchain,
so in order to break the circular dependency, the dependency on the toolchain
in the annobin package is short-circuited to either toolchain-buildroot or
toolchain-external.

Signed-off-by: Stefan Sørensen <stefan.sorensen@spectralink.com>
---
 package/annobin/annobin.mk                             | 8 +++++++-
 package/gcc/gcc-final/gcc-final.mk                     | 3 +++
 toolchain/toolchain-external/pkg-toolchain-external.mk | 3 +++
 toolchain/toolchain-wrapper.c                          | 3 +++
 toolchain/toolchain/toolchain.mk                       | 4 ++++
 5 files changed, 20 insertions(+), 1 deletion(-)

diff --git a/package/annobin/annobin.mk b/package/annobin/annobin.mk
index 32a5d4b6f0..c1ee4e84f2 100644
--- a/package/annobin/annobin.mk
+++ b/package/annobin/annobin.mk
@@ -8,7 +8,13 @@ ANNOBIN_VERSION = 5.6
 ANNOBIN_SOURCE = annobin-$(ANNOBIN_VERSION).tar.xz
 ANNOBIN_SITE = https://nickc.fedorapeople.org
 
-HOST_ANNOBIN_DEPENDENCIES += toolchain
+# toolchain depends on host-annobin, so shortcircuit the reverse
+# dependency to avoid a circular dependency
+ifeq ($(BR2_TOOLCHAIN_BUILDROOT),y)
+HOST_ANNOBIN_DEPENDENCIES += toolchain-buildroot
+else ifeq ($(BR2_TOOLCHAIN_EXTERNAL),y)
+HOST_ANNOBIN_DEPENDENCIES += toolchain-external
+endif
 
 # The plugin has to be configured with the same arcane configure
 # scripts used by gcc, this prevents regeneration of the scripts.
diff --git a/package/gcc/gcc-final/gcc-final.mk b/package/gcc/gcc-final/gcc-final.mk
index 9897d18682..2dd28b7a40 100644
--- a/package/gcc/gcc-final/gcc-final.mk
+++ b/package/gcc/gcc-final/gcc-final.mk
@@ -116,6 +116,9 @@ endef
 HOST_GCC_FINAL_POST_INSTALL_HOOKS += HOST_GCC_FINAL_CREATE_CC_SYMLINKS
 
 HOST_GCC_FINAL_TOOLCHAIN_WRAPPER_ARGS += $(HOST_GCC_COMMON_TOOLCHAIN_WRAPPER_ARGS)
+ifeq ($(BR2_PACKAGE_HOST_ANNOBIN),y)
+HOST_GCC_FINAL_TOOLCHAIN_WRAPPER_ARGS += -DBR_ANNOBIN_GCC_PLUGIN='"$(HOST_ANNOBIN_GCC_PLUGIN)"'
+endif
 HOST_GCC_FINAL_POST_BUILD_HOOKS += TOOLCHAIN_WRAPPER_BUILD
 HOST_GCC_FINAL_POST_INSTALL_HOOKS += TOOLCHAIN_WRAPPER_INSTALL
 # Note: this must be done after CREATE_CC_SYMLINKS, otherwise the
diff --git a/toolchain/toolchain-external/pkg-toolchain-external.mk b/toolchain/toolchain-external/pkg-toolchain-external.mk
index 8b2c283654..73af6777ed 100644
--- a/toolchain/toolchain-external/pkg-toolchain-external.mk
+++ b/toolchain/toolchain-external/pkg-toolchain-external.mk
@@ -241,6 +241,9 @@ TOOLCHAIN_EXTERNAL_TOOLCHAIN_WRAPPER_ARGS += \
 	-DBR_CROSS_PATH_REL='"$(TOOLCHAIN_EXTERNAL_BIN:$(HOST_DIR)/%=%)"'
 endif
 
+ifeq ($(BR2_PACKAGE_HOST_ANNOBIN),y)
+TOOLCHAIN_EXTERNAL_TOOLCHAIN_WRAPPER_ARGS += -DBR_ANNOBIN_GCC_PLUGIN='"$(HOST_ANNOBIN_GCC_PLUGIN)"'
+endif
 
 #
 # The following functions creates the symbolic links needed to get the
diff --git a/toolchain/toolchain-wrapper.c b/toolchain/toolchain-wrapper.c
index c5eb813dd0..d45c9d4f59 100644
--- a/toolchain/toolchain-wrapper.c
+++ b/toolchain/toolchain-wrapper.c
@@ -94,6 +94,9 @@ static char *predef_args[] = {
 #if defined(BR_MIPS_TARGET_BIG_ENDIAN) || defined(BR_ARC_TARGET_BIG_ENDIAN)
 	"-EB",
 #endif
+#ifdef BR_ANNOBIN_GCC_PLUGIN
+        "-fplugin=" BR_ANNOBIN_GCC_PLUGIN,
+#endif
 #ifdef BR_ADDITIONAL_CFLAGS
 	BR_ADDITIONAL_CFLAGS
 #endif
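Review bot: indentation in the toolchain-wrapper.c hunk: `"-fplugin=" BR_ANNOBIN_GCC_PLUGIN,` is indented with eight spaces while the neighbouring entries (`"-EB",` and `BR_ADDITIONAL_CFLAGS`) use a tab; switch to a tab so the predef_args array stays consistent.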
diff --git a/toolchain/toolchain/toolchain.mk b/toolchain/toolchain/toolchain.mk
index 91c9ca2eff..5e59e277a1 100644
--- a/toolchain/toolchain/toolchain.mk
+++ b/toolchain/toolchain/toolchain.mk
@@ -10,6 +10,10 @@ else ifeq ($(BR2_TOOLCHAIN_EXTERNAL),y)
 TOOLCHAIN_DEPENDENCIES += toolchain-external
 endif
 
+ifeq ($(BR2_PACKAGE_HOST_ANNOBIN),y)
+TOOLCHAIN_DEPENDENCIES += host-annobin
+endif
+
 TOOLCHAIN_ADD_TOOLCHAIN_DEPENDENCY = NO
 
 # Apply a hack that Rick Felker suggested[1] to avoid conflicts between libc
-- 
2.17.0


* [Buildroot] [RFC PATCH v2] core: Verify that hardening flags are used
  2018-05-07 12:10 [Buildroot] [RFC PATCH v2] Verify hardened builds Stefan Sørensen
  2018-05-07 12:10 ` [Buildroot] [RFC PATCH v2] annobin: New package Stefan Sørensen
  2018-05-07 12:10 ` [Buildroot] [RFC PATCH v2] toolchain: Integrate annobin gcc plugin Stefan Sørensen
@ 2018-05-07 12:10 ` Stefan Sørensen
  2 siblings, 0 replies; 4+ messages in thread
From: Stefan Sørensen @ 2018-05-07 12:10 UTC (permalink / raw)
  To: buildroot

This patch adds a new package post install check that verifies that
configured hardening options are used.

Using the ELF notes added by the GCC annobin plugin, it verifies that
the following build options are used:
  * Stack protector
  * RELRO
  * FORTIFY_SOURCE
  * Optimization
  * Position Independent Code/Executable (-fPIC/-fPIE)

Signed-off-by: Stefan Sørensen <stefan.sorensen@spectralink.com>
---
 Config.in                                     |  9 +++
 package/annobin/0001-Fix-pic-pie-check.patch  | 43 +++++++++++
 ...reat-.so.-files-as-dynamic-libraries.patch | 32 ++++++++
 ...3-Only-issue-warning-for-PIC-PIE-mix.patch | 52 +++++++++++++
 package/pkg-generic.mk                        | 36 +++++++++
 support/scripts/check-hardened                | 75 +++++++++++++++++++
 6 files changed, 247 insertions(+)
 create mode 100644 package/annobin/0001-Fix-pic-pie-check.patch
 create mode 100644 package/annobin/0002-Also-treat-.so.-files-as-dynamic-libraries.patch
 create mode 100644 package/annobin/0003-Only-issue-warning-for-PIC-PIE-mix.patch
 create mode 100755 support/scripts/check-hardened

diff --git a/Config.in b/Config.in
index 6b5b2b043c..79b5cedf8a 100644
--- a/Config.in
+++ b/Config.in
@@ -826,6 +826,15 @@ endchoice
 
 comment "Fortify Source needs a glibc toolchain and optimization"
 	depends on (!BR2_TOOLCHAIN_USES_GLIBC || BR2_OPTIMIZE_0)
+
+config BR2_CHECK_HARDENING
+       bool "Verify hardened build"
+       select BR2_PACKAGE_HOST_ANNOBIN
+       help
+         This option enables a package post install step that verifies
+         that the selected hardening options were actually used during
+         the build.
+
 endmenu
 
 source "toolchain/Config.in"
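Review bot: the new BR2_CHECK_HARDENING entry in Config.in is indented with spaces (7 before `bool "Verify hardened build"`, 9 before the help lines) while the surrounding entries, including the `depends on` line just above it, use a tab and tab plus two spaces; please reindent. The help text should also say what happens when a check fails: support/scripts/check-hardened exits 1 when hardened.sh reports a FAIL, and a non-zero exit from an instrumentation hook fails the package build, which is a stronger effect than "verifies" suggests and is exactly what a user enabling this option needs to know.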
diff --git a/package/annobin/0001-Fix-pic-pie-check.patch b/package/annobin/0001-Fix-pic-pie-check.patch
new file mode 100644
index 0000000000..056a4a8c13
--- /dev/null
+++ b/package/annobin/0001-Fix-pic-pie-check.patch
@@ -0,0 +1,43 @@
+From 484886ade43da8baceeaa0007053ebaa73865e83 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Stefan=20S=C3=B8rensen?= <stefan.sorensen@spectralink.com>
+Date: Fri, 4 May 2018 11:39:44 +0200
+Subject: [PATCH] Fix pic/pie check
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+The bash -eq operator is for arithmetic comparison and does not work
+as expected with string operands. This causes the check for missing
+-fPIC/-fPIE to fail.
+
+Fix by using the = operator.
+
+Signed-off-by: Stefan S?rensen <stefan.sorensen@spectralink.com>
+---
+ scripts/hardened.sh | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/scripts/hardened.sh b/scripts/hardened.sh
+index b12574e..672ea07 100755
+--- a/scripts/hardened.sh
++++ b/scripts/hardened.sh
+@@ -712,14 +712,14 @@ check_for_pie_or_pic ()
+ 	else
+ 	    if [[ $filetype = lib || ( $filetype = auto && $file == *.so ) ]] ;
+ 	    then
+-		if [[ "x${hard[0]}" -eq "xPIC" || "x${hard[0]}" -eq "xpic" ]] ;
++		if [[ "${hard[0]}" = "PIC" || "${hard[0]}" = "pic" ]] ;
+ 		then
+ 		    pass "compiled with -f${hard[0]}"
+ 		else
+ 		    fail "compiled with -f${hard[0]}"
+ 		fi
+ 	    else
+-		if [[ "x${hard[0]}" -eq "xPIE" || "x${hard[0]}" -eq "xpie" ]] ;
++		if [[ "${hard[0]}" = "PIE" || "${hard[0]}" = "pie" ]] ;
+ 		then
+ 		    pass "compiled with -f${hard[0]}"
+ 		else
+-- 
+2.17.0
+
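Review bot: the description of 0001-Fix-pic-pie-check.patch carries no upstream status; Buildroot asks that package patches state whether they were sent upstream and where, so add that (a link to the submission, or a note that it has not been sent yet) before the Signed-off-by. The `Signed-off-by: Stefan S?rensen` line inside the patch is also mis-encoded, while the `From:` header two lines above carries the name correctly as UTF-8; the same two points apply to 0002 and 0003.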
diff --git a/package/annobin/0002-Also-treat-.so.-files-as-dynamic-libraries.patch b/package/annobin/0002-Also-treat-.so.-files-as-dynamic-libraries.patch
new file mode 100644
index 0000000000..ffb71a3393
--- /dev/null
+++ b/package/annobin/0002-Also-treat-.so.-files-as-dynamic-libraries.patch
@@ -0,0 +1,32 @@
+From fccf40786008b4737cd815f66ce261da06232326 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Stefan=20S=C3=B8rensen?= <stefan.sorensen@spectralink.com>
+Date: Fri, 4 May 2018 15:22:05 +0200
+Subject: [PATCH] Also treat *.so.* files as dynamic libraries.
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+The wildcard to match dynamic libraries only matches *.so, so add
+*.so.* as match.
+
+Signed-off-by: Stefan S?rensen <stefan.sorensen@spectralink.com>
+---
+ scripts/hardened.sh | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/scripts/hardened.sh b/scripts/hardened.sh
+index 672ea07..20ffbc9 100755
+--- a/scripts/hardened.sh
++++ b/scripts/hardened.sh
+@@ -710,7 +710,7 @@ check_for_pie_or_pic ()
+ 	then
+ 	    fail "multiple, different, settings of -fpic/-fpie used"
+ 	else
+-	    if [[ $filetype = lib || ( $filetype = auto && $file == *.so ) ]] ;
++	    if [[ $filetype = lib || ( $filetype = auto && ($file == *.so || $file == *.so.* )) ]] ;
+ 	    then
+ 		if [[ "${hard[0]}" = "PIC" || "${hard[0]}" = "pic" ]] ;
+ 		then
+-- 
+2.17.0
+
diff --git a/package/annobin/0003-Only-issue-warning-for-PIC-PIE-mix.patch b/package/annobin/0003-Only-issue-warning-for-PIC-PIE-mix.patch
new file mode 100644
index 0000000000..ce0dc06f99
--- /dev/null
+++ b/package/annobin/0003-Only-issue-warning-for-PIC-PIE-mix.patch
@@ -0,0 +1,52 @@
+From af42159baf0fbd787f57ac446c8796fa38c7811e Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Stefan=20S=C3=B8rensen?= <stefan.sorensen@spectralink.com>
+Date: Fri, 4 May 2018 11:45:18 +0200
+Subject: [PATCH] Only issue warning for PIC/PIE mix
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+A lot of packages build with a mix of -fPIC and -fPIE, so bump this
+down from a failure to just issuing a warning.
+
+Signed-off-by: Stefan S?rensen <stefan.sorensen@spectralink.com>
+---
+ scripts/hardened.sh | 15 ++++++++++++++-
+ 1 file changed, 14 insertions(+), 1 deletion(-)
+
+diff --git a/scripts/hardened.sh b/scripts/hardened.sh
+index 20ffbc9..b3ee1d8 100755
+--- a/scripts/hardened.sh
++++ b/scripts/hardened.sh
+@@ -173,6 +173,14 @@ fail ()
+     vulnerable=1
+ }
+ 
++warn ()
++{
++    if [ $report -gt 1 ]
++    then
++        report "$file: WARN:" ${1+"$@"}
++    fi
++}
++
+ pass ()
+ {
+     if [ $report -gt 2 ]
+@@ -708,7 +716,12 @@ check_for_pie_or_pic ()
+     else
+ 	if [ ${#hard[*]} -gt 1 ];
+ 	then
+-	    fail "multiple, different, settings of -fpic/-fpie used"
++	    if [[ "${hard[*]}" == *"static"* ]]	;
++	    then
++		fail "multiple, different, settings of -fpic/-fpie/-fstatic used"
++	    else  
++		warn "multiple, different, settings of -fpic/-fpie used"
++	    fi
+ 	else
+ 	    if [[ $filetype = lib || ( $filetype = auto && ($file == *.so || $file == *.so.* )) ]] ;
+ 	    then
+-- 
+2.17.0
+
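Review bot: downgrading the mixed -fpic/-fpie case to a warning also removes the per-file PIC/PIE verification for those files: inside `if [ ${#hard[*]} -gt 1 ];` the script now only calls `warn` (or `fail` when "static" is among the values) and never reaches the `else` branch that checks a library for PIC and an executable for PIE, so a file whose objects were compiled with a mix of -fPIC and -fPIE is no longer checked for the expected flag at all. Consider warning and then still running the filetype check, treating the presence of the expected value in `${hard[*]}` as a pass. Style: `else  ` has trailing whitespace and `== *"static"* ]]	;` has a tab before the `;`.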
diff --git a/package/pkg-generic.mk b/package/pkg-generic.mk
index 8a3b5f90a9..3f46e01a86 100644
--- a/package/pkg-generic.mk
+++ b/package/pkg-generic.mk
@@ -94,6 +94,42 @@ endef
 
 GLOBAL_INSTRUMENTATION_HOOKS += check_bin_arch
 
+ifeq ($(BR2_CHECK_HARDENING),y)
+# For now, since we do not build with these options, no support for operator[]
+# range check, control flow enforcement, stack clash protection and control
+# flow protection hardening
+HARDENED_OPTS = -k operator -k cet -k clash -k cf
+
+ifneq ($(BR2_SSP_STRONG)$(BR2_SSP_ALL),y)
+HARDENED_OPTS += -k stack
+endif
+ifneq ($(BR2_OPTIMIZE_2)$(BR2_OPTIMIZE_3)$(BR2_OPTIMIZE_S),y)
+HARDENED_OPTS += -k opt
+endif
+ifneq ($(BR2_FORTIFY_SOURCE_2),y)
+HARDENED_OPTS += -k fort
+endif
+ifneq ($(BR2_RELRO_PARTIAL)$(BR2_RELRO_FULL),y)
+HARDENED_OPTS += -k relro
+endif
+ifneq ($(BR2_RELRO_FULL),y)
+HARDENED_OPTS += -k now -k pic
+endif
+
+define check_hardened
+	$(if $(filter end-install-target,$(1)-$(2)),\
+		support/scripts/check-hardened \
+			-p $(3) \
+			-l $(BUILD_DIR)/packages-file-list.txt \
+			$(foreach i,$($(PKG)_HARDENED_EXCLUDE),-i "$(i)") \
+			$(HARDENED_OPTS) \
+			-r $(TARGET_READELF) \
+			-h $(HOST_DIR)/bin/hardened.sh)
+endef
+
+GLOBAL_INSTRUMENTATION_HOOKS += check_hardened
+endif
+
 # This hook checks that host packages that need libraries that we build
 # have a proper DT_RPATH or DT_RUNPATH tag
 define check_host_rpath
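Review bot: `$(foreach i,$($(PKG)_HARDENED_EXCLUDE),-i "$(i)")` introduces a new per-package variable that this series does not document; add `<PKG>_HARDENED_EXCLUDE` to the package manual (docs/manual) next to the other per-package variables, otherwise package authors will not know it exists. The `ifneq ($(BR2_RELRO_FULL),y)` / `HARDENED_OPTS += -k now -k pic` block also deserves a comment: the commit message lists PIC/PIE as an independent check, and a reader of this block cannot see why that check is controlled by the RELRO option rather than by a PIE option of its own.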
diff --git a/support/scripts/check-hardened b/support/scripts/check-hardened
new file mode 100755
index 0000000000..5c052f7af2
--- /dev/null
+++ b/support/scripts/check-hardened
@@ -0,0 +1,75 @@
+#!/usr/bin/env bash
+
+# Heavily based on check-bin-arch
+
+# List of hardcoded paths that should be ignored, as they are
+# contain binaries for an architecture different from the
+# architecture of the target.
+declare -a IGNORES=(
+	# Skip firmware files, they could be ELF files for other
+	# architectures without hardening
+	"/lib/firmware"
+	"/usr/lib/firmware"
+
+	# Skip kernel modules
+	"/lib/modules"
+	"/usr/lib/modules"
+
+	# Skip files in /usr/share, several packages (qemu,
+	# pru-software-support) legitimately install ELF binaries that
+	# are not for the target architecture and are not hardened
+	"/usr/share"
+)
+
+declare -a skip
+
+while getopts p:l:h:r:i:k: OPT ; do
+	case "${OPT}" in
+	p) package="${OPTARG}";;
+	l) pkg_list="${OPTARG}";;
+	h) hardened="${OPTARG}";;
+	i)
+		# Ensure we do have single '/' as separators,
+		# and that we have a leading one.
+		pattern="$(sed -r -e 's:/+:/:g; s:^/*:/:;' <<<"${OPTARG}")"
+		IGNORES+=("${pattern}")
+		;;
+	r) readelf="${OPTARG}";;
+	k) skip+=("--skip=${OPTARG}");;
+	:) error "option '%s' expects a mandatory argument\n" "${OPTARG}";;
+	\?) error "unknown option '%s'\n" "${OPTARG}";;
+	esac
+done
+
+if test -z "${package}" -o -z "${pkg_list}" -o -z "${hardened}" ; then
+	echo "Usage: $0 -p <pkg> -l <pkg-file-list> -h <hardened> -r <readelf> [-i PATH ...]"
+	exit 1
+fi
+
+# Script may run before annobin plugin and hardened.sh is installed
+if [ ! -e ${hardened} ]; then
+	exit 0
+fi
+
+exitcode=0
+
+# Only split on new lines, for filenames-with-spaces
+IFS="
+"
+
+while read f; do
+	for ignore in "${IGNORES[@]}"; do
+		if [[ "${f}" =~ ^"${ignore}" ]]; then
+			continue 2
+		fi
+	done
+
+	# Only check regular files
+	if [[ ! -f "${TARGET_DIR}/${f}" ]]; then
+		continue
+	fi
+
+	${hardened} --readelf=${readelf} --ignore-unknown ${skip[*]} ${TARGET_DIR}${f} || exitcode=1
+done < <( sed -r -e "/^${package},\.(.+)$/!d; s//\1/;" ${pkg_list} )
+
+exit ${exitcode}
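Review bot: `error` is called in the `:)` and `\?)` cases of the getopts loop in support/scripts/check-hardened but is never defined in the script, so an unknown option produces "error: command not found" instead of a usage message; define it (or use `printf ... >&2; exit 1` directly). Since the optstring `p:l:h:r:i:k:` has no leading `:`, getopts prints its own diagnostics and the `:)` case is never reached, so either prefix the optstring with `:` or drop that case. Separately, `if [ ! -e ${hardened} ]; then` / `exit 0` makes a missing hardened.sh indistinguishable from a passed check; print a notice on stderr at least, so that a misconfigured host-annobin does not silently switch the verification off. The usage line should also list `-k`.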
-- 
2.17.0

