s390x build test failure for GO FIPS

s390x build test failure for GO FIPS

[Mark Wielaard]

Since commit 08bc2832527f42b517f2d550e8ada452b4ad21ee
12.24: Annocheck: Changes GO FIPS test to look for CGO_ENABLED markers
The s390x CI builder has been failing:
https://builder.sourceware.org/buildbot/#/builders/annobin-fedora-s390x

The tests/test-suite.log looks as follows:

===================================================
   Binary Annotations 12.0: tests/test-suite.log
===================================================

# TOTAL: 27
# PASS:  26
# SKIP:  0
# XFAIL: 0
# FAIL:  1
# XPASS: 0
# ERROR: 0

.. contents:: :depth: 2

FAIL: go-fips-test
==================

~/annobin/tests/tmp_go-fips ~/annobin/tests
 go-fips: Running: go build no-use-crypto.go
 go-fips: Checking a GO binary that does not use crypto
 go-fips: Running: ../../annocheck/annocheck -v --skip-all --test-fips no-use-crypto
Hardened: no-use-crypto: skip: fips test because binary did not load a crypto library 
 go-fips: PASS: annocheck ignored a GO binary that does not use crypto
 go-fips: Running: CGO_ENABLED=1 go build use-crypto.go
 go-fips: Checking a FIPS-compliant GO binary
 go-fips: FAIL: annocheck did not detect a FIPS compliant GO binary
annocheck: Version 12.34.
Hardened: use-crypto: warn: Unable to determine the binary's producer from it's DW_AT_producer string.
Hardened: use-crypto: FAIL: fips test because the binary was not built with CGO_ENABLED=1 
Hardened: use-crypto: info: For more information visit: https://sourceware.org/annobin/annobin.html/Test-fips.html
Hardened: use-crypto: Overall: FAIL.
~/annobin/tests
FAIL go-fips-test (exit status: 1)

Note that this is a Fedora 38 system with:
$ alternatives --display go
go - status is auto.
 link currently points to /usr/bin/go.gcc
/usr/bin/go.gcc - priority 92
 follower gofmt: /usr/bin/gofmt.gcc
/usr/lib/golang/bin/go - priority 90
 follower gofmt: /usr/lib/golang/bin/gofmt
Current `best' version is /usr/bin/go.gcc.

Re: s390x build test failure for GO FIPS

[Nick Clifton]

Hi Mark,

> Since commit 08bc2832527f42b517f2d550e8ada452b4ad21ee
> 12.24: Annocheck: Changes GO FIPS test to look for CGO_ENABLED markers
> The s390x CI builder has been failing:
> https://builder.sourceware.org/buildbot/#/builders/annobin-fedora-s390x

Is there any way to recover the test binary that was built as part of the failing test ?

> annocheck: Version 12.34.
> Hardened: use-crypto: warn: Unable to determine the binary's producer from it's DW_AT_producer string.
> Hardened: use-crypto: FAIL: fips test because the binary was not built with CGO_ENABLED=1

Annocheck looks for two symbols in the binary's symbol table:
"crypto" which indicates that the crypto library is being used and
"cgo_topofstack" which indicates that the binary was compiled with
CGO_ENABLED=1.  The test only fails if the "crypto" symbol is present
but the "cgo_topofstack" symbol is missing.

Since this failure is specific to the s390x architecture, I am guessing
that there is a symbol prefix problem here.  Ie the symbols are probably
called "_crypto" and "_cgo_topofstack" on the s390x.  But I would need to
examine the actual failing binary in order to check.

Cheers
   Nick

PS.  There is sourceware bugzilla support for annobin...

PPS. Did you really report this problem on the 25th of December ?

Re: s390x build test failure for GO FIPS

[Mark Wielaard]

[-- Attachment #1: Type: text/plain, Size: 1768 bytes --]

Hi Nick,

On Tue, Jan 02, 2024 at 10:30:45AM +0000, Nick Clifton wrote:
> >Since commit 08bc2832527f42b517f2d550e8ada452b4ad21ee
> >12.24: Annocheck: Changes GO FIPS test to look for CGO_ENABLED markers
> >The s390x CI builder has been failing:
> >https://builder.sourceware.org/buildbot/#/builders/annobin-fedora-s390x
> 
> Is there any way to recover the test binary that was built as part of the failing test ?

Attached.

> >annocheck: Version 12.34.
> >Hardened: use-crypto: warn: Unable to determine the binary's producer from it's DW_AT_producer string.
> >Hardened: use-crypto: FAIL: fips test because the binary was not built with CGO_ENABLED=1
> 
> Annocheck looks for two symbols in the binary's symbol table:
> "crypto" which indicates that the crypto library is being used and
> "cgo_topofstack" which indicates that the binary was compiled with
> CGO_ENABLED=1.  The test only fails if the "crypto" symbol is present
> but the "cgo_topofstack" symbol is missing.
> 
> Since this failure is specific to the s390x architecture, I am guessing
> that there is a symbol prefix problem here.  Ie the symbols are probably
> called "_crypto" and "_cgo_topofstack" on the s390x.  But I would need to
> examine the actual failing binary in order to check.

Or gccgo just doesn't use the same symbols as golang?

> PS.  There is sourceware bugzilla support for annobin...
> PPS. Did you really report this problem on the 25th of December ?

ah, sorry, yes. I was just playing with the little starfive riscv
board, to admire the blinklights for Christmas. I admit I didn't have
a s390x mainframe around (which probably has even more blinkenlights!)
but just happened to look at the other test results.

I can file a bug report in bugzilla if you like.

Cheers,

Mark

[-- Attachment #2: use-crypto.gz --]
[-- Type: application/gzip, Size: 47584 bytes --]