From 8db31845260bee040a1c3aacac90b6eba23cb67a Mon Sep 17 00:00:00 2001 From: liuyaning Date: Tue, 27 Aug 2024 17:20:53 +0800 Subject: [PATCH] oAdd security options Add security flags for compile and link Issue:https://gitee.com/openharmony/third_party_llvm-project/issues/IAMT0Y Signed-off-by: liuyaning --- libcxx/CMakeLists.txt | 7 +++++++ libcxxabi/CMakeLists.txt | 7 +++++++ libunwind/CMakeLists.txt | 7 +++++++ llvm-build/MakeLiblzma | 8 ++++---- llvm-build/build.py | 20 ++++++++++++++++---- llvm-build/build_libedit.sh | 11 +++++++---- llvm-build/build_ncurses.sh | 9 +++++++-- llvm-build/python_builder.py | 32 ++++++++++++++++++++++++++++++++ llvm/runtimes/CMakeLists.txt | 2 ++ 9 files changed, 89 insertions(+), 14 deletions(-) diff --git a/libcxx/CMakeLists.txt b/libcxx/CMakeLists.txt index 945a59509075..79c34b26ddba 100644 --- a/libcxx/CMakeLists.txt +++ b/libcxx/CMakeLists.txt @@ -918,6 +918,13 @@ function(cxx_add_common_build_flags target) cxx_link_system_libraries(${target}) endfunction() +#OHOS_LOCAL begin +if(SECURITY_LINKER_FLAGS_FOR_RUNTIMES OR SECURITY_COMPILE_FLAGS_FOR_RUNTIMES) + list(APPEND LIBCXX_LINK_FLAGS ${SECURITY_LINKER_FLAGS_FOR_RUNTIMES}) + list(APPEND LIBCXX_COMPILE_FLAGS ${SECURITY_COMPILE_FLAGS_FOR_RUNTIMES}) +endif() +#OHOS_LOCAL end + #=============================================================================== # Setup Source Code And Tests #=============================================================================== diff --git a/libcxxabi/CMakeLists.txt b/libcxxabi/CMakeLists.txt index f6f945a134f8..7e742b1a536f 100644 --- a/libcxxabi/CMakeLists.txt +++ b/libcxxabi/CMakeLists.txt 
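Review bot: The appended flags bypass the compiler/linker probing this file uses for its other flags, so an option the target toolchain does not accept in `SECURITY_LINKER_FLAGS_FOR_RUNTIMES` or `SECURITY_COMPILE_FLAGS_FOR_RUNTIMES` fails at link time instead of being dropped at configure time. If this tree still has the HandleLibcxxFlags helpers, `add_compile_flags_if_supported(${SECURITY_COMPILE_FLAGS_FOR_RUNTIMES})` and `add_link_flags_if_supported(...)` (one element per flag, since the linker value is a single space-separated string) would give the same result with a probe. The `if(... OR ...)` guard is redundant, because `list(APPEND)` of an empty expansion is a no-op. A one-line comment naming the producer would save the next reader a search: `# Hardening flags injected by llvm/runtimes/CMakeLists.txt (runtime_default_target); empty on hosts where llvm-build/build.py does not set them.`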
@@ -472,6 +472,13 @@ if (UNIX AND ${CMAKE_SYSTEM_NAME} MATCHES "AIX") add_definitions("-D_XOPEN_SOURCE=700") endif() +#OHOS_LOCAL begin +if(SECURITY_LINKER_FLAGS_FOR_RUNTIMES OR SECURITY_COMPILE_FLAGS_FOR_RUNTIMES) + list(APPEND LIBCXXABI_LINK_FLAGS ${SECURITY_LINKER_FLAGS_FOR_RUNTIMES}) + list(APPEND LIBCXXABI_COMPILE_FLAGS ${SECURITY_COMPILE_FLAGS_FOR_RUNTIMES}) +endif() +#OHOS_LOCAL end + #=============================================================================== # Setup Source Code #=============================================================================== diff --git a/libunwind/CMakeLists.txt b/libunwind/CMakeLists.txt index a895e4787c85..c23f0221f38f 100644 --- a/libunwind/CMakeLists.txt +++ b/libunwind/CMakeLists.txt @@ -326,6 +326,13 @@ if (C_SUPPORTS_COMMENT_LIB_PRAGMA) endif() endif() +#OHOS_LOCAL begin +if(SECURITY_LINKER_FLAGS_FOR_RUNTIMES OR SECURITY_COMPILE_FLAGS_FOR_RUNTIMES) + list(APPEND LIBUNWIND_LINK_FLAGS ${SECURITY_LINKER_FLAGS_FOR_RUNTIMES}) + list(APPEND LIBUNWIND_COMPILE_FLAGS ${SECURITY_COMPILE_FLAGS_FOR_RUNTIMES}) +endif() +#OHOS_LOCAL end + #=============================================================================== # Setup Source Code #=============================================================================== diff --git a/llvm-build/MakeLiblzma b/llvm-build/MakeLiblzma index 4970b9f98033..681fa4e1304f 100644 --- a/llvm-build/MakeLiblzma +++ b/llvm-build/MakeLiblzma 
@@ -20,19 +20,19 @@ SRC_PREFIX := LIB_VERSION := ifeq ($(TARGET_TRIPLE),linux-x86_64) -CFLAGS := --target=x86_64-unknown-linux-gnu -D_7ZIP_ST -Wall -Werror -Wno-empty-body -Wno-enum-conversion -Wno-logical-op-parentheses -Wno-self-assign -fPIC -LDFLAGS := -shared -fuse-ld=lld +CFLAGS := --target=x86_64-unknown-linux-gnu -D_7ZIP_ST -Wall -Werror -Wno-empty-body -Wno-enum-conversion -Wno-logical-op-parentheses -Wno-self-assign -fPIC -fstack-protector-strong +LDFLAGS := -shared -fuse-ld=lld -Wl,-z,relro,-z,now -Wl,-z,noexecstack TARGET := liblzma.so else ifeq ($(TARGET_TRIPLE),windows-x86_64) -CFLAGS := --target=x86_64-pc-windows-gnu --sysroot=$(SYSROOT) -D_7ZIP_ST -Wall -Werror -Wno-empty-body -Wno-enum-conversion -Wno-logical-op-parentheses -Wno-self-assign -fPIC +CFLAGS := --target=x86_64-pc-windows-gnu --sysroot=$(SYSROOT) -D_7ZIP_ST -Wall -Werror -Wno-empty-body -Wno-enum-conversion -Wno-logical-op-parentheses -Wno-self-assign -fPIC -fstack-protector-strong LDFLAGS := -shared -fuse-ld=lld --rtlib=compiler-rt -Wl,--out-implib=liblzma.dll.a TARGET := liblzma.dll TARGET_A := liblzma.dll.a else ifeq ($(findstring darwin,$(TARGET_TRIPLE)),darwin) SDKROOT := $(shell xcrun --sdk macosx --show-sdk-path) -CFLAGS := -D_7ZIP_ST -Wall -Werror -Wno-empty-body -Wno-enum-conversion -Wno-logical-op-parentheses -Wno-self-assign -fPIC -current_version $(LIB_VERSION) -compatibility_version $(LIB_VERSION) +CFLAGS := -D_7ZIP_ST -Wall -Werror -Wno-empty-body -Wno-enum-conversion -Wno-logical-op-parentheses -Wno-self-assign -fPIC -current_version $(LIB_VERSION) -compatibility_version $(LIB_VERSION) -fstack-protector-strong LDFLAGS := -dynamiclib -fuse-ld=lld -Wl,-syslibroot,$(SDKROOT) -install_name @rpath/liblzma.$(LIB_VERSION).dylib TARGET := liblzma.$(LIB_VERSION).dylib else diff --git a/llvm-build/build.py b/llvm-build/build.py index 40aaf865a976..e7d073143120 100755 --- a/llvm-build/build.py +++ b/llvm-build/build.py 
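Review bot: On the windows-x86_64 branch `-fstack-protector-strong` goes into CFLAGS while LDFLAGS stays `-shared -fuse-ld=lld --rtlib=compiler-rt -Wl,--out-implib=liblzma.dll.a`; unless the link rule (outside the hunk) also passes $(CFLAGS) to clang, the MinGW driver, which as far as I recall only adds `-lssp_nonshared -lssp` when a stack-protector flag is present at link time, will not pull in the guard runtime, and `__stack_chk_fail`/`__stack_chk_guard` then depend on the sysroot CRT providing them elsewhere. Adding the flag to the Windows LDFLAGS as well makes the link line self-sufficient: `LDFLAGS := -shared -fuse-ld=lld --rtlib=compiler-rt -fstack-protector-strong -Wl,--out-implib=liblzma.dll.a`. The darwin branch deliberately gets no `-z` options, which is right since they are ELF-only; a comment saying so, `# -z relro/now/noexecstack are ELF-only; not applicable to the Mach-O and PE targets below`, would prevent someone "fixing" the asymmetry later.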
@@ -922,6 +922,11 @@ class LlvmCore(BuildUtils): llvm_defines['SWIG_EXECUTABLE'] = self.find_program('swig') llvm_defines['LLDB_ENABLE_CURSES'] = 'OFF' + #Control the security compile flags which used by LLVM_ENABLE_RUNTIMES + if not self.host_is_darwin(): + llvm_defines['SECURITY_LINKER_FLAGS_FOR_RUNTIMES'] = ' -Wl,-z,relro,-z,now -Wl,-z,noexecstack' + llvm_defines['SECURITY_COMPILE_FLAGS_FOR_RUNTIMES'] = '-fstack-protector-strong' + if self.build_config.build_ncurses and self.get_ncurses_version() is not None: llvm_defines['LLDB_ENABLE_CURSES'] = 'ON' llvm_defines['CURSES_INCLUDE_DIRS'] = self.merge_ncurses_install_dir(self.use_platform(), 'include') @@ -1028,7 +1033,7 @@ class LlvmCore(BuildUtils): cflags = '-fstack-protector-strong' if not self.host_is_darwin(): - ldflags += ' -Wl,-z,relro,-z,now -pie' + ldflags += ' -Wl,-z,relro,-z,now -pie -Wl,-z,noexecstack' if self.build_config.strip: ldflags += ' -s' @@ -1156,7 +1161,8 @@ class LlvmCore(BuildUtils): '-Wl,--high-entropy-va'] ldflags.extend(ldflag) - cflag = ['-stdlib=libc++', + cflag = ['-fstack-protector-strong', + '-stdlib=libc++', '--target=x86_64-pc-windows-gnu', '-fdata-sections', '-D_LARGEFILE_SOURCE', @@ -2181,15 +2187,20 @@ class LlvmLibs(BuildUtils): defines = self.build_libxml2_defines() defines['CMAKE_INSTALL_PREFIX'] = install_path + cflags = ['-fstack-protector-strong'] if static: defines['BUILD_SHARED_LIBS'] = 'OFF' + elif not self.host_is_darwin(): + ldflags = ['-Wl,-z,relro,-z,now -Wl,-z,noexecstack'] + defines['CMAKE_SHARED_LINKER_FLAGS'] = ' '.join(ldflags) if triple in ['arm-linux-ohos', 'aarch64-linux-ohos']: defines['CMAKE_C_COMPILER'] = self.merge_out_path('llvm-install','bin','clang') - cflags = [f"--target={triple}"] + cflags.append(f'--target={triple}') if triple == 'arm-linux-ohos': cflags.append('-march=armv7-a -mfloat-abi=soft') - defines['CMAKE_C_FLAGS'] = ' '.join(cflags) + + defines['CMAKE_C_FLAGS'] = ' '.join(cflags) self.rm_cmake_cache(build_path) 
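Review bot: The `SECURITY_*_FOR_RUNTIMES` values are chosen by `host_is_darwin()`, but they are forwarded to every runtime target configured through `runtime_default_target`, so the ELF-only `-z relro,-z now,-z noexecstack` options are selected by the host OS rather than by the target triple. On a Linux host that is harmless as long as every runtime target is ELF (the OHOS triples are); on a Darwin host, any ELF runtime target silently loses the hardening. If the runtimes build ever spans mixed targets, the switch belongs in the runtimes CMake keyed on the target, not here. A comment on the two defines would also help: `# ELF-only hardening forwarded to the LLVM_ENABLE_RUNTIMES build (see llvm/runtimes/CMakeLists.txt); Mach-O has no -z equivalents`. The leading space in `' -Wl,-z,relro,-z,now -Wl,-z,noexecstack'` is harmless but inconsistent with the compile flag next to it.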
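Review bot: `-fstack-protector-strong` is added to the Windows `cflag` list, but the matching `ldflag` list (the one ending in `-Wl,--high-entropy-va`) does not carry it, and clang's MinGW driver, as far as I recall, only links `-lssp_nonshared -lssp` when a stack-protector flag is present on the link command. Whether `__stack_chk_fail`/`__stack_chk_guard` still resolve then depends on the mingw-w64 CRT in the sysroot providing them in a library that is linked anyway. Appending `'-fstack-protector-strong'` to `ldflag` as well makes the link self-sufficient and documents the dependency. The enclosing function starts and ends outside the hunk.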
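Review bot: The new shared-library hardening is gated on `not self.host_is_darwin()`, but the branch right after it cross-builds libxml2 for `arm-linux-ohos`/`aarch64-linux-ohos`, which are ELF targets whatever the host; if this path is exercised on a Darwin host, those `.so` files get no RELRO/BIND_NOW/noexecstack without any warning. Deciding on the triple rather than the host, e.g. `elif triple in ('arm-linux-ohos', 'aarch64-linux-ohos') or not self.host_is_darwin():`, keeps the Darwin exception for the host's own Mach-O build only. Note also that only `CMAKE_SHARED_LINKER_FLAGS` is set, so if libxml2's executables (xmllint, xmlcatalog) are built and shipped from here they are not covered; `CMAKE_EXE_LINKER_FLAGS` would need the same value. The enclosing function starts and ends outside the hunk.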
@@ -2216,6 +2227,7 @@ class LlvmLibs(BuildUtils): cflags = ['--target=x86_64-pc-windows-gnu'] cflags.extend(('-I', os.path.join(windows_sysroot, 'include'))) + cflags.append('-fstack-protector-strong') ldflags = ['-fuse-ld=lld', '--rtlib=compiler-rt'] diff --git a/llvm-build/build_libedit.sh b/llvm-build/build_libedit.sh index becfc48fb969..86dfbb43e4d1 100755 --- a/llvm-build/build_libedit.sh +++ b/llvm-build/build_libedit.sh @@ -67,6 +67,8 @@ if [ -e ${libedit_package} ]; then # build libedit cd ${LIBEDIT_BUILD_PATH} ohos_suffix='-ohos' + stack_flags="-fstack-protector-strong" + got_ldflags="-Wl,-z,relro,-z,now -Wl,-z,noexecstack" if [[ ${TARGET} != *${ohos_suffix} ]]; then ldflags="-L${NCURSES_PATH}/lib" ncuses_flags="-I${NCURSES_PATH}/include" @@ -75,13 +77,13 @@ if [ -e ${libedit_package} ]; then SDKROOT=$(xcrun --sdk macosx --show-sdk-path) sdk_flags="-I${SDKROOT}/usr/include" export LDFLAGS="$LDFLAGS $sdk_flags $ldflags $ncurses_libs" - export CFLAGS="$CFLAGS -isysroot$SDKROOT $ncuses_flags" + export CFLAGS="$CFLAGS -isysroot$SDKROOT $ncuses_flags $stack_flags" fi if [ "${host_platform}" = "linux" ]; then ncurses_libs="-Wl,-rpath,\$$ORIGIN/../lib:${NCURSES_PATH}/lib" - export LDFLAGS="$LDFLAGS $ldflags $ncuses_flags $ncurses_libs" - export CFLAGS="$CFLAGS $ncuses_flags" + export LDFLAGS="$LDFLAGS $ldflags $ncuses_flags $ncurses_libs $got_ldflags" + export CFLAGS="$CFLAGS $ncuses_flags $stack_flags" fi ${LIBEDIT_UNTAR_PATH}/configure \ @@ -94,12 +96,13 @@ if [ -e ${libedit_package} ]; then if [[ ${TARGET} =~ 'arm' ]]; then C_FLAGS="$C_FLAGS -march=armv7-a -mfloat-abi=soft" fi + C_FLAGS="$C_FLAGS $stack_flags" ${LIBEDIT_UNTAR_PATH}/configure \ --prefix=${LIBEDIT_INSTALL_PATH} \ --host="${TARGET}" \ CC="${PREBUILT_PATH}/../out/llvm-install/bin/clang --target=${TARGET}" \ CFLAGS="${C_FLAGS}" \ - LDFLAGS="-L${NCURSES_PATH}/lib" + LDFLAGS="-L${NCURSES_PATH}/lib $got_ldflags" make -j$(nproc --all) install | tee build_libedit_${TARGET}.log fi 
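Review bot: The Windows libxml2 build gets `-fstack-protector-strong` in `cflags` only, while the `ldflags` list right below (`-fuse-ld=lld`, `--rtlib=compiler-rt`) does not carry it; with clang's MinGW driver the libssp libraries are, as far as I recall, only added when the stack-protector flag is seen at link time, so the guard symbols then have to come from the CRT in `windows_sysroot`. Adding `'-fstack-protector-strong'` to `ldflags` as well removes the dependence on that detail. The enclosing function starts and ends outside the hunk.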
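Review bot: `got_ldflags` is a misleading name for `-Wl,-z,relro,-z,now -Wl,-z,noexecstack`: only the first pair concerns the GOT (full RELRO plus immediate binding), while `-z noexecstack` is about the stack, and the same triple is now hard-coded here, in build_ncurses.sh and in build.py with no single source. A name like `hardening_ldflags` plus a comment, `# Full RELRO + BIND_NOW (GOT read-only after load) and non-executable stack; ELF-only, so not applied on darwin`, would make the intent clear to whoever edits one of the three copies next. The `if` this sits in continues outside the hunk.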
diff --git a/llvm-build/build_ncurses.sh b/llvm-build/build_ncurses.sh index decf5b996fa3..e143c43f1ffd 100755 --- a/llvm-build/build_ncurses.sh +++ b/llvm-build/build_ncurses.sh @@ -67,13 +67,15 @@ if [ -e ${ncurses_package} ]; then cd ${NCURSES_BUILD_PATH} # build ncurses ohos_suffix='-ohos' + stack_flags="-fstack-protector-strong" + got_ldflags="-Wl,-z,relro,-z,now -Wl,-z,noexecstack" if [[ ${7} != *${ohos_suffix} ]]; then if [ "${host_platform}" == "darwin" ]; then export LDFLAGS="-Wl,-rpath,@loader_path/../lib" SDKROOT=$(xcrun --sdk macosx --show-sdk-path) flags="-Wl,-syslibroot,${SDKROOT}" export CPPFLAGS="$CPPFALGS -I${SDKROOT}/usr/include -I${SDKROOT}/usr/include/i368" - export CFLAGS="$CFLAGS -isysroot${SDKROOT} $flags" + export CFLAGS="$CFLAGS -isysroot${SDKROOT} $flags $stack_flags" ${NCURSES_UNTAR_PATH}/configure \ --with-shared \ @@ -85,7 +87,8 @@ if [ -e ${ncurses_package} ]; then make -j$(nproc --all) install | tee build_ncurses.log fi if [ "${host_platform}" == "linux" ]; then - export LDFLAGS="-Wl,-rpath,\$$ORIGIN/../lib" + export LDFLAGS="-Wl,-rpath,\$$ORIGIN/../lib $got_ldflags" + export CFLAGS="$CFLAGS $stack_flags" ${NCURSES_UNTAR_PATH}/configure \ --with-shared \ --with-default-terminfo-dir=/usr/lib/terminfo:/lib/terminfo:/usr/share/terminfo \ @@ -100,6 +103,8 @@ if [ -e ${ncurses_package} ]; then C_FLAGS="$C_FLAGS -march=armv7-a -mfloat-abi=soft" fi EXTRA_ARGS="" + C_FLAGS="$C_FLAGS $stack_flags" + export LDFLAGS="$LDFLAGS $got_ldflags" if [[ ${IS_STATIC} == "static" ]]; then NCURSES_HOST_INSTALL_PATH=${10} export LD_LIBRARY_PATH="${NCURSES_HOST_INSTALL_PATH}/lib:$LD_LIBRARY_PATH" diff --git a/llvm-build/python_builder.py b/llvm-build/python_builder.py index a6d62f496ad1..92190baac7b8 100755 --- a/llvm-build/python_builder.py +++ b/llvm-build/python_builder.py @@ -17,6 +17,7 @@ from pathlib import Path import shutil import subprocess from typing import List, Mapping +import binascii class PythonBuilder: target_platform = "" 
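Review bot: The darwin branch that now receives `$stack_flags` still exports `CPPFLAGS="$CPPFALGS ..."` on the line just above — `CPPFALGS` is a typo (pre-existing, but this hunk is editing the same branch), so any caller-provided CPPFLAGS are dropped on macOS. `export CPPFLAGS="$CPPFLAGS -I${SDKROOT}/usr/include -I${SDKROOT}/usr/include/i368"` fixes it; `i368` looks wrong too, but I cannot confirm the intended directory from here, so I would only flag it. The enclosing `if` continues outside the hunk.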
@@ -185,6 +186,15 @@ class PythonBuilder: if item.endswith(exclude_files_tuple): os.remove(os.path.join(root, item)) + def _is_elf_file(self, file_path: Path) -> None: + with open(file_path, 'rb') as f: + magic_numbers = f.read(4) + hex_magic_number = binascii.hexlify(magic_numbers).decode('utf-8') + if hex_magic_number == '7f454c46': + return True + else: + return False + @property def install_dir(self) -> str: return str(self._install_dir) @@ -215,6 +225,7 @@ class MinGWPythonBuilder(PythonBuilder): cflags = [ f'-target {self.target_platform}', f'--sysroot={self._mingw_install_dir}', + f'-fstack-protector-strong', ] return cflags @@ -292,6 +303,7 @@ class OHOSPythonBuilder(PythonBuilder): def _cflags(self) -> List[str]: cflags = [ f'--target={self.target_platform}', + f'-fstack-protector-strong', '-nostdinc', '-I%s' % str(self._out_dir / 'sysroot' / self.target_platform / 'usr' / 'include'), ] @@ -305,6 +317,8 @@ class OHOSPythonBuilder(PythonBuilder): f'-rtlib=compiler-rt', f'--target={self.target_platform}', f'-fuse-ld=lld', + f'-Wl,-z,relro,-z,now -Wl,-z,noexecstack', + '-fstack-protector-strong', '-L%s' % str(self._out_dir / 'sysroot' / self.target_platform / 'usr' / 'lib'), '-lc', '-Wl,-rpath,\\$$ORIGIN/../lib', @@ -342,3 +356,21 @@ class OHOSPythonBuilder(PythonBuilder): def prepare_for_package(self) -> None: self._remove_exclude() + if self.build_utils.build_config.strip: + python_bin_dir = self._install_dir / 'bin' + if not python_bin_dir.is_dir(): + return + + for f in python_bin_dir.iterdir(): + if f.is_symlink(): + continue + if self._is_elf_file(f): + self._strip_in_place(f) + + for root, dirs, files in os.walk(self._install_dir / 'lib'): + for item in files: + f = os.path.join(root, item) + if os.path.islink(f): + continue + if self._is_elf_file(f): + self._strip_in_place(f) diff --git a/llvm/runtimes/CMakeLists.txt b/llvm/runtimes/CMakeLists.txt index 701d35c0a2c9..54666614e772 100644 --- a/llvm/runtimes/CMakeLists.txt 
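Review bot: `_is_elf_file` is annotated `-> None` but returns a bool, and the hexlify round-trip is unnecessary: `return f.read(4) == b'\x7fELF'` inside the `with` does the same comparison directly (a file shorter than four bytes yields fewer bytes and compares unequal), after which the new `binascii` import can be dropped. It also opens whatever path it is given, so callers must filter out directories and non-regular files first, which is worth stating: `"""Return True if *file_path* starts with the ELF magic; the caller must pass a regular file."""`.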
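Review bot: `f'-fstack-protector-strong'` has no placeholder, so it should be the plain literal `'-fstack-protector-strong'` (its two neighbours are f-strings because they interpolate). More substantively for this MinGW target, clang's MinGW driver, as far as I recall, only adds `-lssp_nonshared -lssp` when a stack-protector flag appears on the link line, so unless this builder's `_ldflags` (outside the hunk) also carries the flag, `__stack_chk_fail` has to come from the mingw-w64 CRT under `_mingw_install_dir`; worth confirming, or mirroring the flag into `_ldflags`. The `_cflags` property continues outside the hunk.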
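Review bot: `f'-Wl,-z,relro,-z,now -Wl,-z,noexecstack'` is a single list element containing a space; that works if `_ldflags` is always `' '.join`-ed into an `LDFLAGS` string, but if the list is ever handed to `subprocess` as argv, clang splits that one argument on commas and passes the linker `-z "now -Wl"`, which lld rejects. Splitting it into two elements, `'-Wl,-z,relro,-z,now', '-Wl,-z,noexecstack'`, is correct either way, and the `f` prefix is unneeded on both. The `_ldflags` property continues outside the hunk.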
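Review bot: `if not python_bin_dir.is_dir(): return` also skips the `lib/` walk beneath it, so an install tree without `bin/` ships its `lib/` ELF files unstripped; wrap only the first loop in `if python_bin_dir.is_dir():` instead of returning. The `bin/` loop also passes every non-symlink entry of `iterdir()` to `_is_elf_file`, which opens it for reading, so a subdirectory there raises `IsADirectoryError`; use `if f.is_symlink() or not f.is_file(): continue`. The `lib/` walk is safer because `os.walk` puts only non-directory names in `files`, though a special file would still reach `open()`; `os.path.isfile(f)` instead of `os.path.islink(f)` covers both. A short docstring stating that stripping runs post-install, ELF-only and only when `build_config.strip` is set would help here too.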
+++ b/llvm/runtimes/CMakeLists.txt @@ -242,6 +242,8 @@ function(runtime_default_target) -DCMAKE_C_COMPILER_WORKS=ON -DCMAKE_CXX_COMPILER_WORKS=ON -DCMAKE_ASM_COMPILER_WORKS=ON + -DSECURITY_LINKER_FLAGS_FOR_RUNTIMES=${SECURITY_LINKER_FLAGS_FOR_RUNTIMES} + -DSECURITY_COMPILE_FLAGS_FOR_RUNTIMES=${SECURITY_COMPILE_FLAGS_FOR_RUNTIMES} ${COMMON_CMAKE_ARGS} ${RUNTIMES_CMAKE_ARGS} PASSTHROUGH_PREFIXES LLVM_ENABLE_RUNTIMES -- Gitee
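Review bot: Only `runtime_default_target` forwards `SECURITY_*_FOR_RUNTIMES`; the sibling `runtime_register_target` (the per-triple path used when `LLVM_RUNTIME_TARGETS` is set, outside this hunk) does not, so if this build registers the OHOS runtimes per target, those libraries miss the hardening without any diagnostic — worth verifying against the defines in llvm-build/build.py. Likewise only libcxx, libcxxabi and libunwind consume the variables in this patch; if compiler-rt is in `LLVM_ENABLE_RUNTIMES` here, it is built without them. With the variables unquoted, an empty value yields a bare `-DSECURITY_LINKER_FLAGS_FOR_RUNTIMES=`, which is fine; a comment above the two lines naming the producer would help: `# Hardening flags chosen by llvm-build/build.py; empty when not applicable to the host`. The `runtime_default_target` function continues outside the hunk.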