porting Clickhouse #37993, Strip less aggressively to make the embedded hash survive

Author: qijun-niu-timeplus

CMakeLists.txt

@@ -234,16 +234,18 @@ endif ()
 # Add a section with the hash of the compiled machine code for integrity checks.
 # Only for official builds, because adding a section can be time consuming (rewrite of several GB).
 # And cross compiled binaries are not supported (since you cannot execute clickhouse hash-binary)
-if (OBJCOPY_PATH AND YANDEX_OFFICIAL_BUILD AND (NOT CMAKE_TOOLCHAIN_FILE))
-    set (USE_BINARY_HASH 1)
+if (YANDEX_OFFICIAL_BUILD AND (NOT CMAKE_TOOLCHAIN_FILE OR CMAKE_TOOLCHAIN_FILE MATCHES "linux/toolchain-x86_64.cmake$"))
+    message(STATUS "Official build: A checksum hash will be added to the clickhouse executable")
+    set (USE_BINARY_HASH 1 CACHE STRING "Calculate binary hash and store it in the separate section")
+else ()
+    message(STATUS "No official build: A checksum hash will not be added to the clickhouse executable")
 endif ()
 
-# Allows to build stripped binary in a separate directory
-if (OBJCOPY_PATH AND READELF_PATH)
-    option(INSTALL_STRIPPED_BINARIES "Build stripped binaries with debug info in separate directory" OFF)
-    if (INSTALL_STRIPPED_BINARIES)
-        set(STRIPPED_BINARIES_OUTPUT "stripped" CACHE STRING "A separate directory for stripped information")
-    endif()
+# Optionally split binaries and debug symbols.
+option(INSTALL_STRIPPED_BINARIES "Split binaries and debug symbols" OFF)
+if (INSTALL_STRIPPED_BINARIES)
+    message(STATUS "Will split binaries and debug symbols")
+    set(STRIPPED_BINARIES_OUTPUT "stripped" CACHE STRING "A separate directory for stripped information")
 endif()
 
 cmake_host_system_information(RESULT AVAILABLE_PHYSICAL_MEMORY QUERY AVAILABLE_PHYSICAL_MEMORY) # Not available under freebsd

cmake/strip_binary.cmake

@@ -19,9 +19,12 @@ macro(proton_strip_binary)
         COMMAND mkdir -p "${STRIP_DESTINATION_DIR}/lib/debug/bin"
         COMMAND mkdir -p "${STRIP_DESTINATION_DIR}/bin"
         COMMAND cp "${STRIP_BINARY_PATH}" "${STRIP_DESTINATION_DIR}/bin/${STRIP_TARGET}"
+        # Splits debug symbols into separate file, leaves the binary untouched:
         COMMAND "${OBJCOPY_PATH}" --only-keep-debug --compress-debug-sections "${STRIP_DESTINATION_DIR}/bin/${STRIP_TARGET}" "${STRIP_DESTINATION_DIR}/lib/debug/bin/${STRIP_TARGET}.debug"
         COMMAND chmod 0644 "${STRIP_DESTINATION_DIR}/lib/debug/bin/${STRIP_TARGET}.debug"
-        COMMAND "${STRIP_PATH}" --remove-section=.comment --remove-section=.note "${STRIP_DESTINATION_DIR}/bin/${STRIP_TARGET}"
+        # Strips binary, sections '.note' & '.comment' are removed in line with Debian's stripping policy: www.debian.org/doc/debian-policy/ch-files.html, section '.clickhouse.hash' is needed for integrity check:
+       COMMAND "${STRIP_PATH}" --remove-section=.comment --remove-section=.note --keep-section=.clickhouse.hash "${STRIP_DESTINATION_DIR}/bin/${STRIP_TARGET}"
+       # Associate stripped binary with debug symbols:
         COMMAND "${OBJCOPY_PATH}" --add-gnu-debuglink "${STRIP_DESTINATION_DIR}/lib/debug/bin/${STRIP_TARGET}.debug" "${STRIP_DESTINATION_DIR}/bin/${STRIP_TARGET}"
         COMMENT "Stripping proton binary" VERBATIM
     )

programs/CMakeLists.txt

@@ -380,7 +380,7 @@ else ()
     endif()
 
     if (USE_BINARY_HASH)
-        add_custom_command(TARGET proton POST_BUILD COMMAND ./proton hash-binary > hash && ${OBJCOPY_PATH} --add-section .note.proton .hash=hash proton COMMENT "Adding .note.proton.hash to proton" VERBATIM)
+        add_custom_command(TARGET clickhouse POST_BUILD COMMAND ./clickhouse hash-binary > hash && ${OBJCOPY_PATH} --add-section .clickhouse.hash=hash clickhouse COMMENT "Adding section '.clickhouse.hash' to clickhouse binary" VERBATIM)
     endif()
 
     if (INSTALL_STRIPPED_BINARIES)

programs/main.cpp

@@ -70,7 +70,7 @@ int mainRestart(int argc, char ** argv);
 int mainHashBinary(int, char **)
 {
     /// Intentionally without newline. So you can run:
-    /// objcopy --add-section .note.ClickHouse.hash=<(./clickhouse hash-binary) clickhouse
+    /// objcopy --add-section .clickhouse.hash=<(./clickhouse hash-binary) clickhouse
     std::cout << getHashOfLoadedBinaryHex();
     return 0;
 }

src/Common/Elf.cpp

@@ -176,9 +176,9 @@ String Elf::getBuildID(const char * nhdr_pos, size_t size)
 #endif // OS_SUNOS
 
 
-String Elf::getBinaryHash() const
+String Elf::getStoredBinaryHash() const
 {
-    if (auto section = findSectionByName(".note.ClickHouse.hash"))
+    if (auto section = findSectionByName(".clickhouse.hash"))
         return {section->begin(), section->end()};
     else
         return {};

src/Common/Elf.h

@@ -61,7 +61,7 @@ class Elf final
     static String getBuildID(const char * nhdr_pos, size_t size);
 
     /// Hash of the binary for integrity checks.
-    String getBinaryHash() const;
+    String getStoredBinaryHash() const;
 
 private:
     MMapReadBufferFromFile in;

src/Daemon/BaseDaemon.cpp

@@ -891,7 +891,7 @@ void BaseDaemon::initializeTerminationAndSignalProcessing()
     std::string executable_path = getExecutablePath();
 
     if (!executable_path.empty())
-        stored_binary_hash = DB::Elf(executable_path).getBinaryHash();
+        stored_binary_hash = DB::Elf(executable_path).getStoredBinaryHash();
 #endif
 }