obfuscate all assembly filenames

We were still leaking the filenames for assembly files.
In our existing asm.txtar test's output binary,
the string `test/main/garble_main_amd64.s` was present.
This leaked full import paths on one hand,
and the filenames of each assembly file on the other.

We avoid this in Go files by using `/*line` directives,
but those are not supported in assembly files.
Instead, obfuscate the paths in the temporary directory.
Note that we still need a separate temporary directory per package,
because otherwise any included header files might collide.

We must remove the `main` package panic in obfuscatedImportPath,
as we now need to use that function for all packages.

While here, remove the outdated comment about `-trimpath`.

Fixes #605.
pull/601/head
Daniel Martí 2 years ago committed by lu4p
parent 416782340f
commit ff521782f1

@ -596,14 +596,15 @@ func transformAsm(args []string) ([]string, error) {
flags = alterTrimpath(flags)
// If the assembler is running just for -gensymabis,
// don't obfuscate the source, as we are not assembling yet.
// The assembler will run again later; obfuscating twice is just wasteful.
// The assembler runs twice; the first with -gensymabis,
// where we continue below and we obfuscate all the source.
// The second time, without -gensymabis, we reconstruct the paths to the
// obfuscated source files and reuse them to avoid work.
newPaths := make([]string, 0, len(paths))
if !slices.Contains(args, "-gensymabis") {
for _, path := range paths {
name := filepath.Base(path)
pkgDir := filepath.Join(sharedTempDir, filepath.FromSlash(curPkg.ImportPath))
name := hashWithPackage(curPkg, filepath.Base(path))
pkgDir := filepath.Join(sharedTempDir, curPkg.obfuscatedImportPath())
newPath := filepath.Join(pkgDir, name)
newPaths = append(newPaths, newPath)
}
@ -672,7 +673,9 @@ func transformAsm(args []string) ([]string, error) {
// Uncomment for some quick debugging. Do not delete.
// fmt.Fprintf(os.Stderr, "\n-- %s --\n%s", path, buf.Bytes())
name := filepath.Base(path)
// With assembly files, we obfuscate the filename in the temporary
// directory, as assembly files do not support `/*line` directives.
name := hashWithPackage(curPkg, filepath.Base(path))
if path, err := writeTemp(name, buf.Bytes()); err != nil {
return nil, err
} else {
@ -777,7 +780,10 @@ func replaceAsmNames(buf *bytes.Buffer, remaining []byte) {
// Note that the file is created under a directory tree following curPkg's
// import path, mimicking how files are laid out in modules and GOROOT.
func writeTemp(name string, content []byte) (string, error) {
pkgDir := filepath.Join(sharedTempDir, filepath.FromSlash(curPkg.ImportPath))
// We use the obfuscated import path to hold the temporary files.
// Assembly files do not support line directives to set positions,
// so the only way to not leak the import path is to replace it.
pkgDir := filepath.Join(sharedTempDir, curPkg.obfuscatedImportPath())
if err := os.MkdirAll(pkgDir, 0o777); err != nil {
return "", err
}
@ -2007,8 +2013,6 @@ func splitFlagsFromArgs(all []string) (flags, args []string) {
}
func alterTrimpath(flags []string) []string {
// If the value of -trimpath doesn't contain the separator ';', the 'go
// build' command is most likely not using '-trimpath'.
trimpath := flagValue(flags, "-trimpath")
// Add our temporary dir to the beginning of -trimpath, so that we don't
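Review bot: The doc comment kept above `writeTemp` still says the file is created "under a directory tree following curPkg's import path, mimicking how files are laid out in modules and GOROOT", which contradicts the new body that joins `curPkg.obfuscatedImportPath()`. A maintainer who trusts that sentence could restore the real import path and reintroduce the leak, so it should become something like `// Note that the file is created under a directory named after curPkg's obfuscated import path.` The same location is also derived a second time in the reuse loop of `transformAsm` (`hashWithPackage(curPkg, filepath.Base(path))` under `curPkg.obfuscatedImportPath()`). The two derivations have to agree for the run without `-gensymabis` to find the files written earlier, so a small shared helper would keep them from drifting apart. Both function bodies continue outside the hunks shown.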

@ -160,9 +160,6 @@ type listedPackage struct {
}
func (p *listedPackage) obfuscatedImportPath() string {
if p.Name == "main" {
panic("main packages should never need to obfuscate their import paths")
}
// We can't obfuscate the embed package's import path,
// as the toolchain expects to recognize the package by it.
if p.ImportPath == "embed" || !p.ToObfuscate {

@ -8,8 +8,7 @@ env GOGARBLE=test/main
garble build
exec ./main
cmp stderr main.stderr
# TODO: ! binsubstr main$exe 'test/main' 'privateAdd' 'PublicAdd' 'garble_main' 'garble_define'
! binsubstr main$exe 'privateAdd' 'PublicAdd'
! binsubstr main$exe 'test/main' 'privateAdd' 'PublicAdd' 'garble_'
[short] stop # no need to verify this with -short
