Skip to content

[SYCL][CMake] Fix and apply hardening flags to sycl-rel-6_2 #19444

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 2 additions & 0 deletions buildbot/configure.py
Original file line number Diff line number Diff line change
Expand Up @@ -236,6 +236,8 @@ def do_configure(args, passthrough_args):
cmake_cmd += args.cmake_opt

if args.add_security_flags:
if args.add_security_flags != 'none':
cmake_cmd.extend(["-DCMAKE_POSITION_INDEPENDENT_CODE=ON"])
cmake_cmd.extend(["-DEXTRA_SECURITY_FLAGS={}".format(args.add_security_flags)])

# Add path to root CMakeLists.txt
Expand Down
239 changes: 181 additions & 58 deletions llvm/cmake/modules/AddSecurityFlags.cmake
Original file line number Diff line number Diff line change
@@ -1,15 +1,15 @@
macro(add_compile_option_ext flag name)
cmake_parse_arguments(ARG "" "" "" ${ARGN})
cmake_parse_arguments(ARG "" "" "" ${ARGN})
set(CHECK_STRING "${flag}")
if (MSVC)
if(MSVC)
set(CHECK_STRING "/WX ${CHECK_STRING}")
else()
set(CHECK_STRING "-Werror ${CHECK_STRING}")
endif()

check_c_compiler_flag("${CHECK_STRING}" "C_SUPPORTS_${name}")
check_cxx_compiler_flag("${CHECK_STRING}" "CXX_SUPPORTS_${name}")
if (C_SUPPORTS_${name} AND CXX_SUPPORTS_${name})
if(C_SUPPORTS_${name} AND CXX_SUPPORTS_${name})
message(STATUS "Building with ${flag}")
set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} ${flag}")
set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} ${flag}")
Expand All @@ -31,73 +31,196 @@ macro(add_link_option_ext flag name)
endif()
endmacro()

function(append_common_extra_security_flags)
if( LLVM_ON_UNIX )
# Fortify Source (strongly recommended):
if (CMAKE_BUILD_TYPE STREQUAL "Debug")
message(WARNING
"-D_FORTIFY_SOURCE=2 can only be used with optimization.")
message(WARNING "-D_FORTIFY_SOURCE=2 is not supported.")
set(is_gcc FALSE)
set(is_clang FALSE)
set(is_msvc FALSE)
set(is_icpx FALSE)

if(CMAKE_CXX_COMPILER_ID MATCHES "Clang")
set(is_clang TRUE)
endif()
if(CMAKE_CXX_COMPILER_ID MATCHES "GNU")
set(is_gcc TRUE)
endif()
if(CMAKE_CXX_COMPILER_ID MATCHES "IntelLLVM")
set(is_icpx TRUE)
endif()
if(CMAKE_CXX_COMPILER_ID MATCHES "MSVC")
set(is_msvc TRUE)
endif()

macro(append_common_extra_security_flags)
# Control Flow Integrity
if(is_gcc
OR is_clang
OR (is_icpx AND MSVC))
add_compile_option_ext("-fcf-protection=full" FCFPROTECTION)
elseif(is_icpx)
add_compile_option_ext("/Qcf-protection:full" FCFPROTECTION)
elseif(is_msvc)
add_link_option_ext("/LTCG" LTCG CMAKE_EXE_LINKER_FLAGS
CMAKE_MODULE_LINKER_FLAGS CMAKE_SHARED_LINKER_FLAGS)
add_compile_option_ext("/guard:cf" GUARDCF)
add_link_option_ext("/CETCOMPAT" CETCOMPAT CMAKE_EXE_LINKER_FLAGS
CMAKE_MODULE_LINKER_FLAGS CMAKE_SHARED_LINKER_FLAGS)
endif()

# Format String Defense
if(is_gcc
OR is_clang
OR (is_icpx AND MSVC))
add_compile_option_ext("-Wformat" WFORMAT)
add_compile_option_ext("-Wformat-security" WFORMATSECURITY)
elseif(is_icpx)
add_compile_option_ext("/Wformat" WFORMAT)
add_compile_option_ext("/Wformat-security" WFORMATSECURITY)
endif()

if(CMAKE_BUILD_TYPE MATCHES "Release")
if(is_gcc
OR is_clang
OR (is_icpx AND MSVC))
add_compile_option_ext("-Werror=format-security" WERRORFORMATSECURITY)
endif()
endif()

# Inexecutable Stack
if(CMAKE_BUILD_TYPE MATCHES "Release")
if(is_gcc
OR is_clang
OR (is_icpx AND MSVC))
add_link_option_ext(
"-Wl,-z,noexecstack" NOEXECSTACK CMAKE_EXE_LINKER_FLAGS
CMAKE_MODULE_LINKER_FLAGS CMAKE_SHARED_LINKER_FLAGS)
endif()
endif()

# Position Independent Code
if(is_gcc
OR is_clang
OR (is_icpx AND MSVC))
add_compile_option_ext("-fPIC" FPIC)
elseif(is_msvc)
add_compile_option_ext("/Gy" GY)
endif()

# Position Independent Execution
# We rely on CMake to set the right -fPIE flags for us, but it must be
# explicitly requested
if (CMAKE_POSITION_INDEPENDENT_CODE)
include(CheckPIESupported)
check_pie_supported()
else()
message(FATAL_ERROR "To enable all necessary security flags, CMAKE_POSITION_INDEPENDENT_CODE must be set to ON")
endif()

if(is_msvc)
add_link_option_ext("/DYNAMICBASE" DYNAMICBASE CMAKE_EXE_LINKER_FLAGS
CMAKE_MODULE_LINKER_FLAGS CMAKE_SHARED_LINKER_FLAGS)
endif()

if(CMAKE_BUILD_TYPE MATCHES "Release")
if(is_msvc)
add_link_option_ext("/NXCOMPAT" NXCOMPAT CMAKE_EXE_LINKER_FLAGS
CMAKE_MODULE_LINKER_FLAGS CMAKE_SHARED_LINKER_FLAGS)
endif()
endif()

# Stack Protection
if(is_msvc)
add_compile_option_ext("/GS" GS)
elseif(
is_gcc
OR is_clang
OR (is_icpx AND MSVC))
if(CMAKE_BUILD_TYPE STREQUAL "Debug")
add_compile_option_ext("-fstack-protector" FSTACKPROTECTOR)
elseif(CMAKE_BUILD_TYPE MATCHES "Release")
add_compile_option_ext("-fstack-protector-strong" FSTACKPROTECTORSTRONG)
add_compile_option_ext("-fstack-clash-protection" FSTACKCLASHPROTECTION)
endif()
endif()

# Fortify Source (strongly recommended):
if (NOT WIN32)
# Strictly speaking, _FORTIFY_SOURCE is a glibc feature and not a compiler
# feature. However, we experienced some issues (warnings about redefined macro
# which are problematic under -Werror) when setting it to value '3' with older
# gcc versions. Hence the check.
# Value '3' became supported in glibc somewhere around gcc 12, so that is
# what we are looking for.
if (is_gcc AND CMAKE_CXX_COMPILER_VERSION VERSION_LESS 12)
set(FORTIFY_SOURCE "-D_FORTIFY_SOURCE=2")
else()
# Assuming that the problem is not reproducible with other compilers
set(FORTIFY_SOURCE "-D_FORTIFY_SOURCE=3")
endif()

if(CMAKE_BUILD_TYPE STREQUAL "Debug")
message(WARNING "${FORTIFY_SOURCE} can only be used with optimization.")
message(WARNING "${FORTIFY_SOURCE} is not supported.")
else()
# Sanitizers do not work with checked memory functions,
# such as __memset_chk. We do not build release packages
# with sanitizers, so just avoid -D_FORTIFY_SOURCE=2
# under LLVM_USE_SANITIZER.
if (NOT LLVM_USE_SANITIZER)
message(STATUS "Building with -D_FORTIFY_SOURCE=2")
add_definitions(-D_FORTIFY_SOURCE=2)
# Sanitizers do not work with checked memory functions, such as
# __memset_chk. We do not build release packages with sanitizers, so just
# avoid -D_FORTIFY_SOURCE=N under LLVM_USE_SANITIZER.
if(NOT LLVM_USE_SANITIZER)
message(STATUS "Building with ${FORTIFY_SOURCE}")
add_definitions(${FORTIFY_SOURCE})
else()
message(WARNING
"-D_FORTIFY_SOURCE=2 dropped due to LLVM_USE_SANITIZER.")
message(
WARNING "${FORTIFY_SOURCE} dropped due to LLVM_USE_SANITIZER.")
endif()
endif()
endif()

# Format String Defense
add_compile_option_ext("-Wformat" WFORMAT)
add_compile_option_ext("-Wformat-security" WFORMATSECURITY)
add_compile_option_ext("-Werror=format-security" WERRORFORMATSECURITY)

# Stack Protection
add_compile_option_ext("-fstack-protector-strong" FSTACKPROTECTORSTRONG)
if(LLVM_ON_UNIX)
if(LLVM_ENABLE_ASSERTIONS)
add_definitions(-D_GLIBCXX_ASSERTIONS)
endif()

# Full Relocation Read Only
add_link_option_ext("-Wl,-z,relro" ZRELRO
CMAKE_EXE_LINKER_FLAGS CMAKE_MODULE_LINKER_FLAGS
CMAKE_SHARED_LINKER_FLAGS)
if(CMAKE_BUILD_TYPE MATCHES "Release")
add_link_option_ext("-Wl,-z,relro" ZRELRO CMAKE_EXE_LINKER_FLAGS
CMAKE_MODULE_LINKER_FLAGS CMAKE_SHARED_LINKER_FLAGS)
endif()

# Immediate Binding (Bindnow)
add_link_option_ext("-Wl,-z,now" ZNOW
CMAKE_EXE_LINKER_FLAGS CMAKE_MODULE_LINKER_FLAGS
CMAKE_SHARED_LINKER_FLAGS)
if(CMAKE_BUILD_TYPE MATCHES "Release")
add_link_option_ext("-Wl,-z,now" ZNOW CMAKE_EXE_LINKER_FLAGS
CMAKE_MODULE_LINKER_FLAGS CMAKE_SHARED_LINKER_FLAGS)
endif()
endif()
endfunction()
endmacro()

if ( EXTRA_SECURITY_FLAGS )
if (EXTRA_SECURITY_FLAGS STREQUAL "none")
if(EXTRA_SECURITY_FLAGS)
if(EXTRA_SECURITY_FLAGS STREQUAL "none")
# No actions.
elseif (EXTRA_SECURITY_FLAGS STREQUAL "default")
append_common_extra_security_flags()
elseif (EXTRA_SECURITY_FLAGS STREQUAL "sanitize")
append_common_extra_security_flags()
if (CMAKE_CXX_COMPILER_ID MATCHES "Clang")
add_compile_option_ext("-fsanitize=cfi" FSANITIZE_CFI)
add_link_option_ext("-fsanitize=cfi" FSANITIZE_CFI_LINK
CMAKE_EXE_LINKER_FLAGS CMAKE_MODULE_LINKER_FLAGS
CMAKE_SHARED_LINKER_FLAGS)
# Recommended option although linking a DSO with SafeStack is not currently supported by compiler.
#add_compile_option_ext("-fsanitize=safe-stack" FSANITIZE_SAFESTACK)
#add_link_option_ext("-fsanitize=safe-stack" FSANITIZE_SAFESTACK_LINK
# CMAKE_EXE_LINKER_FLAGS CMAKE_MODULE_LINKER_FLAGS
# CMAKE_SHARED_LINKER_FLAGS)
else()
add_compile_option_ext("-fcf-protection=full -mcet" FCF_PROTECTION)
# need to align compile and link option set, link now is set unconditionally
add_link_option_ext("-fcf-protection=full -mcet" FCF_PROTECTION_LINK
CMAKE_EXE_LINKER_FLAGS CMAKE_MODULE_LINKER_FLAGS
CMAKE_SHARED_LINKER_FLAGS)
endif()
elseif(EXTRA_SECURITY_FLAGS STREQUAL "default")
append_common_extra_security_flags()
elseif(EXTRA_SECURITY_FLAGS STREQUAL "sanitize")
append_common_extra_security_flags()
if(CMAKE_CXX_COMPILER_ID MATCHES "Clang")
add_compile_option_ext("-fsanitize=cfi" FSANITIZE_CFI)
add_link_option_ext(
"-fsanitize=cfi" FSANITIZE_CFI_LINK CMAKE_EXE_LINKER_FLAGS
CMAKE_MODULE_LINKER_FLAGS CMAKE_SHARED_LINKER_FLAGS)
# Recommended option although linking a DSO with SafeStack is not
# currently supported by compiler.
# add_compile_option_ext("-fsanitize=safe-stack" FSANITIZE_SAFESTACK)
# add_link_option_ext("-fsanitize=safe-stack" FSANITIZE_SAFESTACK_LINK
# CMAKE_EXE_LINKER_FLAGS CMAKE_MODULE_LINKER_FLAGS
# CMAKE_SHARED_LINKER_FLAGS)
else()
message(FATAL_ERROR "Unsupported value of EXTRA_SECURITY_FLAGS: ${EXTRA_SECURITY_FLAGS}")
add_compile_option_ext("-fcf-protection=full -mcet" FCF_PROTECTION)
# need to align compile and link option set, link now is set
# unconditionally
add_link_option_ext(
"-fcf-protection=full -mcet" FCF_PROTECTION_LINK CMAKE_EXE_LINKER_FLAGS
CMAKE_MODULE_LINKER_FLAGS CMAKE_SHARED_LINKER_FLAGS)
endif()
else()
message(
FATAL_ERROR
"Unsupported value of EXTRA_SECURITY_FLAGS: ${EXTRA_SECURITY_FLAGS}")
endif()
endif()

8 changes: 7 additions & 1 deletion unified-runtime/cmake/helpers.cmake
Original file line number Diff line number Diff line change
Expand Up @@ -88,7 +88,13 @@ endif()

function(add_ur_target_compile_options name)
if(NOT MSVC)
target_compile_definitions(${name} PRIVATE -D_FORTIFY_SOURCE=2)
if (NOT LLVM_ENABLE_PROJECTS)
# If UR is built as part of LLVM (i.e. as part of SYCL), then
# _FORTIFY_SOURCE will be set globally in advance to a potentially
# different value. To avoid redefinition errors, only set the
# macro for a "standalone" build.
target_compile_definitions(${name} PRIVATE -D_FORTIFY_SOURCE=2)
endif()
target_compile_options(${name} PRIVATE
# Warning options
-Wall
Expand Down
Loading