1ANNOBIN(1)                   RPM Development Tools                  ANNOBIN(1)
2
3
4

NAME

6       annobin - Annobin
7

SYNOPSIS

DESCRIPTION

10       Binary Annotation is a method for recording information about an
11       application inside the application itself.  It is an implementation of
12       the "Watermark" specification defined here:
13       <https://fedoraproject.org/wiki/Toolchain/Watermark>
14
15       Although mainly focused on recording security information, the system
16       can be used to record any kind of data, even data not related to the
17       application.  One of the main goals of the system however is the
18       ability to specify the address range over which a given piece of
19       information is valid.  So for example it is possible to specify that
20       all of a program was compiled with the -O2 option except for one
21       special function which was compiled with -O0 instead.
22
23       The range information is useful because it allows third parties to
24       examine the binary and find out if its construction was consistent.  IE
25       that there are no gaps in the recorded information, and no special
26       cases where a required feature was not active.
27
28       The system works by adding a special section to the application
29       containing individual pieces of information along with an address range
30       for which the information is valid.  (Some effort has gone into the
31       storing this information in a reasonably compact format).
32
33       The information is generated by a plugin that is attached to the
34       compiler (either "gcc" or "clang").  The plugin is called "annobin" and
35       it extracts information from the internals of compiler and records them
36       in the object file(s) being produced.
37
38       Note - the plugin method is just one way of generating the information.
39       Any interested party can create and add information to the objhect
40       file, providing that they follow the Watermark specification.
41
42       The information can be extracted from files via the use of tools like
43       "readelf" and "objdump".  The "annobin" package itself includes a
44       program called annocheck which can can also examine this information.
45       Details on this program can be found elsewhere in this documentation.
46
47       Normally the option to enable the recording of binary annotation notes
48       is enabled automatically by the build system, so no user intervention
49       is required.  On Fedora and RHEL based systems this is handled by the
50       redhat-rpm-config package.
51
52       Currently the binary annotations are generated by a plugin to the "GCC"
53       and "clang" compilers.  This does mean that files that are not compiled
54       with either of these compilers will not gain any binary annotations,
55       although there is an optional assembler switch to add some basic notes
56       if none are present in the input files.
57
58       If the build system being used does not automatically enabled the
59       annobin plugin then it can be specifically added to the compiler
60       command line by adding the -fplugin=annobin option.  It may also be
61       necessary to tell the compiler where to find the plugin by adding the
62       -iplugindir= option, although this should only be necessary if the
63       plugin is installed in an unusual place.
64
65       If it is desired to disable the recording of binary annotations then
66       the -fplugin-arg-annobin-disable (for "gcc") or -Xclang
67       -plugin-arg-annobin-disable (for "clang") can be used.  Note - these
68       options must be placed after the -fplugin=annobin option.
69
70       On Fedora and RHEL systems the plugin can be disabled entirely for all
71       compilations in a package by adding %undefine _annotated_build to the
72       spec file.
73
74       The information is stored in the ELF Note format in a special section
75       called ".gnu.build.attributes".  The "readelf" program from the
76       "binutils" package can extract and display these notes when the --notes
77       option is provided.  (Adding the --wide option is also helpful).  Here
78       is an example of the output:
79
80               Displaying notes found in: .gnu.build.attributes
81                 Owner                        Data size        Description
82                 GA$<version>3p3              0x00000010       OPEN        Applies to region from 0x8a0 to 0x8c6 (hello.c)
83                 GA$<tool>gcc 7.2.1 20170915  0x00000000       OPEN        Applies to region from 0x8a0 to 0x8c6
84                 GA*GOW:0x452b                0x00000000       OPEN        Applies to region from 0x8a0 to 0x8c6
85                 GA*<stack prot>strong        0x00000000       OPEN        Applies to region from 0x8a0 to 0x8c6
86                 GA*GOW:0x412b                0x00000010       func        Applies to region from 0x8c0 to 0x8c6 (baz)
87
88       This shows various different pieces of information, including the fact
89       that the notes were produced using version 3 of the specification, and
90       version 3 of the plugin.  The binary was built by gcc version 7.2.1 and
91       the -fstack-protector-strong option was enabled on the command line.
92       The program was compiled with -O2 enabled except the baz() function
93       which was compiled with -O0 instead.
94
95       The most complicated part of the notes is the owner field.  This is
96       used to encode the type of note as well as its value and possibly extra
97       data as well.  The format of the field is explained in detail in the
98       Watermark specification, but it basically consists of the letters G and
99       A followed by an encoding character (one of *$!+) and then a type
100       character and finally the value.
101
102       The notes are always four byte aligned, even on 64-bit systems.  This
103       does mean that consumers of the notes may have to read 8-byte wide
104       values from 4-byte aligned addresses, and that producers of the notes
105       may have to generate unaligned relocs when creating them.
106

OPTIONS

108       The plugin accepts a small selection of command line arguments, all
109       accessed by passing -fplugin-arg-annobin-<option> (for "gcc") or
110       -Xclang -plugin-arg-annobin-<option> (for "clang") on the command line.
111       These options must be placed on the command line after the plugin
112       itself is mentioned.  The options are:
113
114       "disable"
115       "enable"
116           Either disable or enable the plugin.  The default is for the plugin
117           to be enabled.
118
119       "help"
120           Display a list of supported options on the standard output.  This
121           is in addition to whatever else the plugin has been instructed to
122           do.
123
124       "version"
125           Display the version of the plugin on the standard output.  This is
126           in addition to whatever else the plugin has been instructed to do.
127
128       "verbose"
129           Report the actions that the plugin is taking.  If invoked for a
130           second time on the command line the plugin will be very verbose.
131
132       "function-verbose"
133           Report the generation of function specific notes.  This indicates
134           that the named function was compiled with different options from
135           those that were globally enabled.
136
137       "no-dynamic-notes"
138       "dynamic-notes"
139           Do not, or do, record information for the dynamic loader.  The
140           default is to record this information.
141
142       "no-static-notes"
143       "static-notes"
144           Do not, or do, record information for static analysis.  The default
145           is to record this information.
146
147       "stack-size-notes"
148       "no-stack-size-notes"
149           Do, or do not, record information about the stack requirements of
150           functions in the executable.  This feature is disabled by default
151           as these notes can take up a lot of extra room if the executable
152           contains a lot of functions.
153
154       "stack-threshold=N"
155           If stack size requirements are being recorded then this option sets
156           the minimum value to record.  Functions which require less than "N"
157           bytes of static stack space will not have their requirements
158           recorded.  If not set, then "N" defaults to 1024.
159
160       "global-file-syms"
161       "no-global-file-syms"
162           If enabled the global-file-syms option will create globally
163           visible, unique symbols to mark the start and end of the compiled
164           code.  This can be desirable if a program consists of multiple
165           source files with the same name, or if it links to a library that
166           was built with source files of the same name as the program itself.
167           The disadvantage of this feature however is that the unique names
168           are based upon the time of the build, so repeated builds of the
169           same source will have different symbol names inside it.  This
170           breaks the functionality of the build-id system which is meant to
171           identify similar builds created at different times.  This feature
172           is disabled by default, and if enabled can be disabled again via
173           the no-global-file-syms option.
174
175       "attach"
176       "no-attach"
177           When gcc compiles code with the -ffunction-sections option active
178           it will place each function into its own section.  When the annobin
179           attach option is active the plugin will attempt to attach the
180           function section to a group containing the notes and relocations
181           for the function.  In that way, if the linker decides to discard
182           the function, it will also know that it should discard the notes
183           and relocations as well.
184
185           The default is to enable attach, but the inverse option is
186           available in case the host assembler does not support the
187           .attach_to_group pseudo-op.  If this feature is disabled then note
188           generation for function sections will not work properly.
189
190       "rename"
191           Adds an extra prefix to the symbol names generated by the "annobin"
192           plugin.  This allows the plugin to be run twice on the same
193           executable, which can be useful for debugging and build testing.
194
195       "active-checks"
196       "no-active-checks"
197           The active-checks option enables compile time checking by the
198           annobin plugin.  The plugin will actively examine the gcc command
199           line and generate errors if required security options are missing
200           or have the wrong value.  The default is not to perform these
201           checkes.
202
203           Note - this option is currently under development, and is not yet
204           fully functional.
205
207       Copyright (c) 2018 - 2020 Red Hat.
208
209       Permission is granted to copy, distribute and/or modify this document
210       under the terms of the GNU Free Documentation License, Version 1.3 or
211       any later version published by the Free Software Foundation; with no
212       Invariant Sections, with no Front-Cover Texts, and with no Back-Cover
213       Texts.  A copy of the license is included in the section entitled "GNU
214       Free Documentation License".
215
216
217
218annobin-1                         2020-01-31                        ANNOBIN(1)
Impressum