Continuous scan of the archive for ISA (in)compatibility

Registered by Adam Conrad on 2012-04-25

Every architecture we ship has instruction supersets that cause incompatibilities with our baseline targets, for example:
NEON on armhf
altivec on powerpc
cmov on i386
sse, 3dnow, etc on amd64

We need to both define a base ISA for each architecture, and sort out ways to continually scan for violations of same.

Blueprint information

Status:
Not started
Approver:
Steve Langasek
Priority:
Medium
Drafter:
Adam Conrad
Direction:
Approved
Assignee:
Adam Conrad
Definition:
Approved
Series goal:
Accepted for raring
Implementation:
Not started
Milestone target:
None

Related branches

Sprints

Whiteboard

Evan Broder's lintian-lab is available.

i386: i686 (ppro), possibly including cmov
amd64: x86_64 (no extensions)
powerpc: 740/750 (no freescale or IBM extension on top)
armel: armv5t
armhf: armv7-a vfpv3-d16 hard-float, no NEON!
arm64: baseline aarch64

Al Stone has a python scanner that currently does <= armv6 scanning.

Stack-protection can present interesting "issues", given the curious implementation, and this needs to be detected in vaguely sane ways.

Packages that have inline routines that are only run based on runtime detection need to be whitelisted on a case-by-case.

http://anonscm.debian.org/viewvc/hardening/hardening-wrapper/hardening-check?revision=113&view=markup

(?)

Work Items

Work items:
[adconrad] First cut, defining every arch in the arch tables of the current scanner: TODO
[adconrad] Second cut, transliterate into perl and make it a lintian check: TODO
[adconrad] follow up with kees on scanning tricks (based on the hardening-check experience): TODO
[adconrad] investigate post-build scanning in lp-buildd as warnings, and eventually maybe hard failures?: TODO
[ahs3] Look into other curious ways we can use this data once collects (things setting r7 stupidly and/or maliciously): TODO

Dependency tree

* Blueprints in grey have been implemented.