packages/linux-sgx
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
linux-sgx/add-secure-compilation-options.patch
modric 599a99bdc6 upgrade to v2.15
2022-06-13 19:05:44 +08:00

180 lines
7.9 KiB
Diff
Raw Blame History

From 89a45f1ce701e168dcab9fa0dadec533eff11d6b Mon Sep 17 00:00:00 2001
From: houmingyong <houmingyong@huawei.com>
Date: Mon, 30 May 2022 19:18:21 +0800
Subject: [PATCH] add-secure-compilation-options
---
external/ippcp_internal/Makefile | 22 +------------------
.../ippcp_internal/ipp-crypto/CMakeLists.txt | 3 +++
.../sources/cmake/linux/GNU8.2.0.cmake | 2 +-
.../ippcp/crypto_mb/src/cmake/linux/GNU.cmake | 2 +-
.../openmp/openmp_code/final/CMakeLists.txt | 2 ++
.../protobuf_code/cmake/CMakeLists.txt | 2 ++
.../protobuf_code/cmake/install.cmake | 7 ------
.../le_launch_service_bundle/CMakeLists.txt | 2 +-
.../source/core/ipc/CMakeLists.txt | 1 +
.../aesm_service/source/utils/CMakeLists.txt | 2 +-
10 files changed, 13 insertions(+), 32 deletions(-)
diff --git a/external/ippcp_internal/Makefile b/external/ippcp_internal/Makefile
index 96187ed..7b5ef26 100644
--- a/external/ippcp_internal/Makefile
+++ b/external/ippcp_internal/Makefile
@@ -64,16 +64,6 @@ OUT_DIR = lib/linux/$(ARCH)/$(SUB_DIR)/
PATCH_LOG = $(shell cd ./$(IPP_SOURCE) && git log --oneline --grep='IPP crypto for SGX.' | cut -d' ' -f 5)
CHECK_PATCHED :=
-CHECK_SOURCE :=
-# For reproducibility build in docker, the code should be
-# prepared before build. So skip the code check to avoid
-# triggering network request
-ifneq ($(origin NIX_PATH), environment)
-ifneq ($(PATCH_LOG), SGX.)
-CHECK_SOURCE:= ipp_source
-endif
-endif
-
.PHONY: all build_ipp
all: build_ipp
# copy the built out lib, header files and license to the target folder
@@ -84,19 +74,9 @@ all: build_ipp
$(MKDIR) license
$(CP) ipp-crypto/LICENSE ./license/
-build_ipp: $(CHECK_SOURCE)
+build_ipp:
cd $(IPP_SOURCE) && $(PRE_CONFIG) cmake CMakeLists.txt $(IPP_CONFIG) && cd build && make ippcp_s
-.PHONY: ipp_source
-ipp_source:
-ifeq ($(shell git rev-parse --is-inside-work-tree), true)
- git submodule update -f --init --recursive --remote -- $(IPP_SOURCE)
-else
- $(RM) -rf $(IPP_SOURCE)
- git clone -b ippcp_2021.3 https://github.com/intel/ipp-crypto.git --depth 1 $(IPP_SOURCE)
-endif
- cd $(IPP_SOURCE) && git am ../0001-IPP-crypto-for-SGX.patch
-
.PHONY: clean
clean:
$(RM) -rf ipp-crypto/build
diff --git a/external/ippcp_internal/ipp-crypto/CMakeLists.txt b/external/ippcp_internal/ipp-crypto/CMakeLists.txt
index f750c7b..6b1eef3 100644
--- a/external/ippcp_internal/ipp-crypto/CMakeLists.txt
+++ b/external/ippcp_internal/ipp-crypto/CMakeLists.txt
@@ -20,6 +20,9 @@
cmake_minimum_required(VERSION 3.12)
+set(SGX_PROGRAM_SEARCH_PATH)
+LIST(APPEND CMAKE_PROGRAM_PATH "/usr/local/bin/" ${SGX_PROGRAM_SEARCH_PATH} ...)
+
include("${CMAKE_CURRENT_SOURCE_DIR}/sources/cmake/ippcp-utils.cmake")
ippcp_getlibversion("${CMAKE_CURRENT_SOURCE_DIR}/include/ippversion.h")
if ((NOT DEFINED IPPCP_VERSION_MAJOR) OR
diff --git a/external/ippcp_internal/ipp-crypto/sources/cmake/linux/GNU8.2.0.cmake b/external/ippcp_internal/ipp-crypto/sources/cmake/linux/GNU8.2.0.cmake
index 24d7e0f..a137ee6 100644
--- a/external/ippcp_internal/ipp-crypto/sources/cmake/linux/GNU8.2.0.cmake
+++ b/external/ippcp_internal/ipp-crypto/sources/cmake/linux/GNU8.2.0.cmake
@@ -70,7 +70,7 @@ set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -flto-report")
set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -std=c99")
if ((${ARCH} MATCHES "ia32") OR (NOT NONPIC_LIB))
# Stack-based Buffer Overrun Detection (only when not nonpic intel64)
- set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -fstack-protector")
+ set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -fstack-protector-strong")
endif()
# Security flag that adds compile-time and run-time checks
diff --git a/external/ippcp_internal/ipp-crypto/sources/ippcp/crypto_mb/src/cmake/linux/GNU.cmake b/external/ippcp_internal/ipp-crypto/sources/ippcp/crypto_mb/src/cmake/linux/GNU.cmake
index 5d148a1..0c33a20 100644
--- a/external/ippcp_internal/ipp-crypto/sources/ippcp/crypto_mb/src/cmake/linux/GNU.cmake
+++ b/external/ippcp_internal/ipp-crypto/sources/ippcp/crypto_mb/src/cmake/linux/GNU.cmake
@@ -34,7 +34,7 @@ if(${CMAKE_BUILD_TYPE} STREQUAL "Release")
endif()
# Stack-based Buffer Overrun Detection
-set(CMAKE_C_FLAGS_SECURITY "${CMAKE_C_FLAGS_SECURITY} -fstack-protector")
+set(CMAKE_C_FLAGS_SECURITY "${CMAKE_C_FLAGS_SECURITY} -fstack-protector-strong")
# Stack-based Buffer Overrun Detection
set(CMAKE_C_FLAGS_SECURITY "${CMAKE_C_FLAGS_SECURITY} -fstack-clash-protection")
# Position Independent Execution (PIE)
diff --git a/external/openmp/openmp_code/final/CMakeLists.txt b/external/openmp/openmp_code/final/CMakeLists.txt
index 597eedc..00ee39e 100644
--- a/external/openmp/openmp_code/final/CMakeLists.txt
+++ b/external/openmp/openmp_code/final/CMakeLists.txt
@@ -1,5 +1,7 @@
cmake_minimum_required(VERSION 2.8 FATAL_ERROR)
+add_compile_options(-fstack-protector-strong -O2 -D_FORTIFY_SOURCE=2)
+
# Add cmake directory to search for custom cmake functions.
set(CMAKE_MODULE_PATH ${CMAKE_CURRENT_SOURCE_DIR}/cmake ${CMAKE_MODULE_PATH})
diff --git a/external/protobuf/protobuf_code/cmake/CMakeLists.txt b/external/protobuf/protobuf_code/cmake/CMakeLists.txt
index 52661f5..ec0b64f 100644
--- a/external/protobuf/protobuf_code/cmake/CMakeLists.txt
+++ b/external/protobuf/protobuf_code/cmake/CMakeLists.txt
@@ -1,6 +1,8 @@
# Minimum CMake required
cmake_minimum_required(VERSION 3.1.3)
+add_compile_options(-fstack-protector-strong -O2 -D_FORTIFY_SOURCE=2)
+
if(protobuf_VERBOSE)
message(STATUS "Protocol Buffers Configuring...")
endif()
diff --git a/external/protobuf/protobuf_code/cmake/install.cmake b/external/protobuf/protobuf_code/cmake/install.cmake
index 4091bc8..8e12831 100644
--- a/external/protobuf/protobuf_code/cmake/install.cmake
+++ b/external/protobuf/protobuf_code/cmake/install.cmake
@@ -31,13 +31,6 @@ endforeach()
if (protobuf_BUILD_PROTOC_BINARIES)
install(TARGETS protoc EXPORT protobuf-targets
RUNTIME DESTINATION ${CMAKE_INSTALL_BINDIR} COMPONENT protoc)
- if (UNIX AND NOT APPLE)
- set_property(TARGET protoc
- PROPERTY INSTALL_RPATH "$ORIGIN/../${CMAKE_INSTALL_LIBDIR}")
- elseif (APPLE)
- set_property(TARGET protoc
- PROPERTY INSTALL_RPATH "@loader_path/../lib")
- endif()
endif (protobuf_BUILD_PROTOC_BINARIES)
install(FILES ${CMAKE_CURRENT_BINARY_DIR}/protobuf.pc ${CMAKE_CURRENT_BINARY_DIR}/protobuf-lite.pc DESTINATION "${CMAKE_INSTALL_LIBDIR}/pkgconfig")
diff --git a/psw/ae/aesm_service/source/bundles/le_launch_service_bundle/CMakeLists.txt b/psw/ae/aesm_service/source/bundles/le_launch_service_bundle/CMakeLists.txt
index 9f3aba8..87f6582 100644
--- a/psw/ae/aesm_service/source/bundles/le_launch_service_bundle/CMakeLists.txt
+++ b/psw/ae/aesm_service/source/bundles/le_launch_service_bundle/CMakeLists.txt
@@ -28,4 +28,4 @@ add_custom_command(
)
target_link_libraries(${bundle} oal utils urts_internal)
-set_property(TARGET ${bundle} APPEND_STRING PROPERTY LINK_FLAGS " -Wl,-z,defs")
+set_property(TARGET ${bundle} APPEND_STRING PROPERTY LINK_FLAGS " -Wl,-z,defs -O2 -D_FORTIFY_SOURCE=2")
diff --git a/psw/ae/aesm_service/source/core/ipc/CMakeLists.txt b/psw/ae/aesm_service/source/core/ipc/CMakeLists.txt
index f233595..72e9246 100644
--- a/psw/ae/aesm_service/source/core/ipc/CMakeLists.txt
+++ b/psw/ae/aesm_service/source/core/ipc/CMakeLists.txt
@@ -25,4 +25,5 @@ target_link_libraries(ipc
PUBLIC
${PROTOBUF_LIBRARIES}
)
+set_property(TARGET ipc APPEND_STRING PROPERTY LINK_FLAGS " -O2 -D_FORTIFY_SOURCE=2")
diff --git a/psw/ae/aesm_service/source/utils/CMakeLists.txt b/psw/ae/aesm_service/source/utils/CMakeLists.txt
index 77aac37..6d17c19 100644
--- a/psw/ae/aesm_service/source/utils/CMakeLists.txt
+++ b/psw/ae/aesm_service/source/utils/CMakeLists.txt
@@ -25,7 +25,7 @@ target_compile_definitions(utils PRIVATE
$<$<CONFIG:Debug>:DBG_LOG>
)
-set_property(TARGET utils APPEND_STRING PROPERTY LINK_FLAGS " -Wl,-z,defs")
+set_property(TARGET utils APPEND_STRING PROPERTY LINK_FLAGS " -Wl,-z,defs -O2 -D_FORTIFY_SOURCE=2")
target_link_libraries(utils
${OPENSSL_LIBRARIES}
--
2.27.0
Reference in New Issue View Git Blame Copy Permalink