slimm609 / checksec.sh

Checksec.sh
https://slimm609.github.io/checksec.sh/

How to use --kernel option on a cross compiled embedded linux system from the host? #229

Closed frakman1 closed 8 months ago

frakman1 commented 8 months ago

Issue tracker

Issue

I normally run checksec against the target rootfs on my workstation using the --dir= option. However, running it with --kernel doesn't let you specify the target directory and wants to run on the host machine's native linux kernel. I am cross compiling an embedded linux system and wish to use checksec's --kernel option against it. If I specify both, I get the error:

Error: To many options selected. Please select one at a time.

The problem is that the embedded system does not have the necessary tools to conduct the checksec checks. Running it on the device returns the usual 'file not found' errors.

Is there a way to do this?

Debug Report

include the output of checksec --debug_report

***** Checksec debug *****
uid=1000(abhishek) gid=1000(abhishek) groups=1000(abhishek),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),113(lpadmin),128(sambashare)
Linux abhi-dell 4.15.0-212-generic #223-Ubuntu SMP Tue May 23 13:09:22 UTC 2023 x86_64 x86_64 x86_64 GNU/Linux
checksec version: 2.6.0 -- 2022052701
OS=Ubuntu
VER=18.04
*** can not find command eu-readelf

Command run to produce the error

When run from device (expected as these tools are not available on the device and cannot be):

# ./checksec --v
WARNING: 'objdump' not found! It's required for most checks.
WARNING: 'file' not found! It's required for most checks.
WARNING: 'ldd' not found! It's required for most checks.
WARNING: Not all necessary commands found. Some tests might not work!

ERROR: readelf is a required tool for almost all tests. Aborting...  

When run from host:

/<path-to-checksec>/checksec --dir=./ --kernel
Error: To many options selected. Please select one at a time.

Running it without the --dir is not desired because it will just return information about the host, and not the device.

OS version and Kernel version

Host: VERSION="18.04.6 LTS (Bionic Beaver)"
Device: Yocto arm based embedded system

Debug output

Not applicable.

slimm609 commented 8 months ago

you want to use --kernel=$dir

frakman1 commented 8 months ago

Thank you. Are you sure it's a directory path though? I checked the code, and the help output seems to want to point to a kconfig file (not a directory): --kernel[=kconfig]. I am not sure I understand all of it, but it seems to also look at other files it expects, like in /proc or /boot.

Anyway, if I specify the path of the directory that contains the cross-compiled kernel (the one that contains the .config and vmlinux files) then it doesn't work and reverts to /boot/config... of the host.

However, if I specify the path to the actual .config file instead, I do get some meaningful and relevant output.

Not sure if I'm using it properly or not so any help would be appreciated. I also didn't see an example using this option in this way in the README.

slimm609 commented 8 months ago

There are several things that it doesn't check in offline mode for kernel. This is because the runtime parameters have influence on it.

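if [[ -e "${CHK_KERNEL}" ]] && [[ ! -d "${CHK_KERNEL}" ]]; then
    # Reached only when --kernel=<value> names an existing non-directory path
    # Prefer the path resolved against the current working directory
    if [[ -s "$(pwd -P)/${CHK_KERNEL}" ]]; then
      configfile=$(pwd -P)/${CHK_KERNEL}
    # Otherwise take the path exactly as given (e.g. an absolute path)
    elif [[ -s "${CHK_KERNEL}" ]]; then
      configfile=${CHK_KERNEL}
    else
      echo "Error: config file specified do not exist"
      exit 1
    fi
fi

slimm609 commented 8 months ago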

It does have to be the actual config file. It doesn't search the directory

I am working on a refactor at the moment and it's slowly coming along, but I will look at finding the .config in the directory.

frakman1 commented 8 months ago

Well, I looked at kernelcheck() again and it seems that in this case, only the parts that look at the ${kconfig} file and do a grep for certain parameters are valid. Everything else seems to want to run a sysctl -n command on something and that can only happen on the host.

This means that the results are a mix of the cross compiled kernel and the host's kernel!

That doesn't seem right.

slimm609 commented 8 months ago

Yea. The kernel feature was intended to analyze the running host with different kernel configurations

frakman1 commented 8 months ago

Understood. I look forward to testing the next version and happy to provide results.

frakman1 commented 8 months ago

I also want to point out that checksec aborts when it can't find some tools like readelf etc. However, those tools are not necessary for the kernel check to complete so perhaps you can skip the abort in that case.

slimm609 commented 8 months ago

The refactor removes all dependencies on external tools so it won't be an issue once completed
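
The thread's conclusion is that only the checks that grep the kconfig file apply to a cross-compiled target, and that a directory is not searched. The following is an added example, not checksec's code, of a config-only audit that never calls sysctl or reads the host's /proc; the function names, the selection of options and wanted values, and the sample .config are assumptions constructed for illustration.

```bash
# Added example (not checksec code): audit a target kernel config offline,
# using only the file itself, never sysctl or the host's /proc.
# Real Kconfig symbols; this selection and the wanted values are assumptions.
WANTED="CONFIG_STACKPROTECTOR_STRONG=y CONFIG_STRICT_KERNEL_RWX=y
CONFIG_HARDENED_USERCOPY=y CONFIG_FORTIFY_SOURCE=y CONFIG_RANDOMIZE_BASE=y
CONFIG_STRICT_DEVMEM=y CONFIG_DEVKMEM=n"

# Accept a plain .config or a config.gz copied from the target's /proc/config.gz.
read_kconfig() {
  case "$1" in
    *.gz) gzip -dc -- "$1" ;;
    *)    cat -- "$1" ;;
  esac
}

# Print the option's value (y, m, ...); "n" if it "is not set" or is absent.
kconfig_state() {
  local line
  line=$(read_kconfig "$1" | grep -E "^$2=" | tail -n 1)
  if [ -n "$line" ]; then echo "${line#*=}"; else echo "n"; fi
}

# One line per option: PASS|FAIL <option> want=<v> got=<v>.
audit_kconfig() {
  local item opt want got
  if [ ! -s "$1" ] || [ -d "$1" ]; then
    echo "ERROR: '$1' is not a config file (a directory is not searched)"
    return 1
  fi
  for item in $WANTED; do
    opt=${item%%=*}; want=${item#*=}
    got=$(kconfig_state "$1" "$opt")
    if [ "$got" = "$want" ]; then echo "PASS $opt want=$want got=$got"
    else echo "FAIL $opt want=$want got=$got"; fi
  done
}

# Constructed sample standing in for a cross-compiled kernel's .config.
sample=$(mktemp)
cat > "$sample" <<'EOF'
CONFIG_STACKPROTECTOR=y
# CONFIG_STACKPROTECTOR_STRONG is not set
CONFIG_STRICT_KERNEL_RWX=y
CONFIG_HARDENED_USERCOPY=y
# CONFIG_FORTIFY_SOURCE is not set
CONFIG_STRICT_DEVMEM=y
CONFIG_DEVKMEM=y
EOF
audit_kconfig "$sample"
```

An option missing from the file is reported as "n" because Kconfig omits symbols whose dependencies are not met on the target architecture, so absence means the feature is not built in.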