!36 [sync] PR-35: 增加安全编译选项

From: @openeuler-sync-bot Reviewed-by: @houmingyong Signed-off-by: @houmingyong
2022-05-31 14:05:20 +00:00 · 2022-05-31 14:05:20 +00:00 · 149bb61b83
commit 149bb61b83
parent 7c9540d43b 6c73ccd79d
2 changed files with 188 additions and 2 deletions
--- a/add-secure-compilation-options.patch
+++ b/add-secure-compilation-options.patch
@ -0,0 +1,179 @@
 From 89a45f1ce701e168dcab9fa0dadec533eff11d6b Mon Sep 17 00:00:00 2001
 From: houmingyong <houmingyong@huawei.com>
 Date: Mon, 30 May 2022 19:18:21 +0800
 Subject: [PATCH] add-secure-compilation-options
 ---
 external/ippcp_internal/Makefile              | 22 +------------------
 .../ippcp_internal/ipp-crypto/CMakeLists.txt  |  3 +++
 .../sources/cmake/linux/GNU8.2.0.cmake        |  2 +-
 .../ippcp/crypto_mb/src/cmake/linux/GNU.cmake |  2 +-
 .../openmp/openmp_code/final/CMakeLists.txt   |  2 ++
 .../protobuf_code/cmake/CMakeLists.txt        |  2 ++
 .../protobuf_code/cmake/install.cmake         |  7 ------
 .../le_launch_service_bundle/CMakeLists.txt   |  2 +-
 .../source/core/ipc/CMakeLists.txt            |  1 +
 .../aesm_service/source/utils/CMakeLists.txt  |  2 +-
 10 files changed, 13 insertions(+), 32 deletions(-)
 diff --git a/external/ippcp_internal/Makefile b/external/ippcp_internal/Makefile
 index 96187ed..7b5ef26 100644
 --- a/external/ippcp_internal/Makefile
 +++ b/external/ippcp_internal/Makefile
@@ -64,16 +64,6 @@ OUT_DIR = lib/linux/$(ARCH)/$(SUB_DIR)/
 PATCH_LOG = $(shell cd ./$(IPP_SOURCE) && git log --oneline --grep='IPP crypto for SGX.' | cut -d' ' -f 5)
 CHECK_PATCHED :=
 -CHECK_SOURCE :=
 -# For reproducibility build in docker, the code should be 
 -# prepared before build. So skip the code check to avoid
 -# triggering network request 
 -ifneq ($(origin NIX_PATH), environment)
 -ifneq ($(PATCH_LOG), SGX.)
 -CHECK_SOURCE:= ipp_source
 -endif
 -endif
 -
 .PHONY: all build_ipp
 all: build_ipp
 	# copy the built out lib, header files and license to the target folder
@@ -84,19 +74,9 @@ all: build_ipp
 	$(MKDIR) license
 	$(CP) ipp-crypto/LICENSE ./license/
 -build_ipp: $(CHECK_SOURCE)
 +build_ipp:
 	cd $(IPP_SOURCE) && $(PRE_CONFIG) cmake CMakeLists.txt $(IPP_CONFIG) && cd build && make ippcp_s
 -.PHONY: ipp_source
 -ipp_source:
 -ifeq ($(shell git rev-parse --is-inside-work-tree), true)
 -	git submodule update -f --init --recursive --remote -- $(IPP_SOURCE)
 -else
 -	$(RM) -rf $(IPP_SOURCE)
 -	git clone -b ippcp_2021.3 https://github.com/intel/ipp-crypto.git --depth 1 $(IPP_SOURCE)
 -endif
 -	cd $(IPP_SOURCE) && git am ../0001-IPP-crypto-for-SGX.patch
 -
 .PHONY: clean
 clean:
 	$(RM) -rf ipp-crypto/build
 diff --git a/external/ippcp_internal/ipp-crypto/CMakeLists.txt b/external/ippcp_internal/ipp-crypto/CMakeLists.txt
 index f750c7b..6b1eef3 100644
 --- a/external/ippcp_internal/ipp-crypto/CMakeLists.txt
 +++ b/external/ippcp_internal/ipp-crypto/CMakeLists.txt
@@ -20,6 +20,9 @@
 cmake_minimum_required(VERSION 3.12)
 +set(SGX_PROGRAM_SEARCH_PATH)
 +LIST(APPEND CMAKE_PROGRAM_PATH "/usr/local/bin/" ${SGX_PROGRAM_SEARCH_PATH} ...)
 +
 include("${CMAKE_CURRENT_SOURCE_DIR}/sources/cmake/ippcp-utils.cmake")
 ippcp_getlibversion("${CMAKE_CURRENT_SOURCE_DIR}/include/ippversion.h")
 if ((NOT DEFINED IPPCP_VERSION_MAJOR) OR
 diff --git a/external/ippcp_internal/ipp-crypto/sources/cmake/linux/GNU8.2.0.cmake b/external/ippcp_internal/ipp-crypto/sources/cmake/linux/GNU8.2.0.cmake
 index 24d7e0f..a137ee6 100644
 --- a/external/ippcp_internal/ipp-crypto/sources/cmake/linux/GNU8.2.0.cmake
 +++ b/external/ippcp_internal/ipp-crypto/sources/cmake/linux/GNU8.2.0.cmake
@@ -70,7 +70,7 @@ set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -flto-report")
 set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -std=c99")
 if ((${ARCH} MATCHES "ia32") OR (NOT NONPIC_LIB))
   # Stack-based Buffer Overrun Detection (only when not nonpic intel64)
 -  set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -fstack-protector")
 +  set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -fstack-protector-strong")
 endif()
 # Security flag that adds compile-time and run-time checks
 diff --git a/external/ippcp_internal/ipp-crypto/sources/ippcp/crypto_mb/src/cmake/linux/GNU.cmake b/external/ippcp_internal/ipp-crypto/sources/ippcp/crypto_mb/src/cmake/linux/GNU.cmake
 index 5d148a1..0c33a20 100644
 --- a/external/ippcp_internal/ipp-crypto/sources/ippcp/crypto_mb/src/cmake/linux/GNU.cmake
 +++ b/external/ippcp_internal/ipp-crypto/sources/ippcp/crypto_mb/src/cmake/linux/GNU.cmake
@@ -34,7 +34,7 @@ if(${CMAKE_BUILD_TYPE} STREQUAL "Release")
 endif()
 # Stack-based Buffer Overrun Detection
 -set(CMAKE_C_FLAGS_SECURITY "${CMAKE_C_FLAGS_SECURITY} -fstack-protector")
 +set(CMAKE_C_FLAGS_SECURITY "${CMAKE_C_FLAGS_SECURITY} -fstack-protector-strong")
 # Stack-based Buffer Overrun Detection
 set(CMAKE_C_FLAGS_SECURITY "${CMAKE_C_FLAGS_SECURITY} -fstack-clash-protection")
 # Position Independent Execution (PIE)
 diff --git a/external/openmp/openmp_code/final/CMakeLists.txt b/external/openmp/openmp_code/final/CMakeLists.txt
 index 597eedc..00ee39e 100644
 --- a/external/openmp/openmp_code/final/CMakeLists.txt
 +++ b/external/openmp/openmp_code/final/CMakeLists.txt
@@ -1,5 +1,7 @@
 cmake_minimum_required(VERSION 2.8 FATAL_ERROR)
 +add_compile_options(-fstack-protector-strong -O2 -D_FORTIFY_SOURCE=2)
 +
 # Add cmake directory to search for custom cmake functions.
 set(CMAKE_MODULE_PATH ${CMAKE_CURRENT_SOURCE_DIR}/cmake ${CMAKE_MODULE_PATH})
 diff --git a/external/protobuf/protobuf_code/cmake/CMakeLists.txt b/external/protobuf/protobuf_code/cmake/CMakeLists.txt
 index 52661f5..ec0b64f 100644
 --- a/external/protobuf/protobuf_code/cmake/CMakeLists.txt
 +++ b/external/protobuf/protobuf_code/cmake/CMakeLists.txt
@@ -1,6 +1,8 @@
 # Minimum CMake required
 cmake_minimum_required(VERSION 3.1.3)
 +add_compile_options(-fstack-protector-strong -O2 -D_FORTIFY_SOURCE=2)
 +
 if(protobuf_VERBOSE)
   message(STATUS "Protocol Buffers Configuring...")
 endif()
 diff --git a/external/protobuf/protobuf_code/cmake/install.cmake b/external/protobuf/protobuf_code/cmake/install.cmake
 index 4091bc8..8e12831 100644
 --- a/external/protobuf/protobuf_code/cmake/install.cmake
 +++ b/external/protobuf/protobuf_code/cmake/install.cmake
@@ -31,13 +31,6 @@ endforeach()
 if (protobuf_BUILD_PROTOC_BINARIES)
   install(TARGETS protoc EXPORT protobuf-targets
     RUNTIME DESTINATION ${CMAKE_INSTALL_BINDIR} COMPONENT protoc)
 -  if (UNIX AND NOT APPLE)
 -    set_property(TARGET protoc
 -      PROPERTY INSTALL_RPATH "$ORIGIN/../${CMAKE_INSTALL_LIBDIR}")
 -  elseif (APPLE)
 -    set_property(TARGET protoc
 -      PROPERTY INSTALL_RPATH "@loader_path/../lib")
 -  endif()
 endif (protobuf_BUILD_PROTOC_BINARIES)
 install(FILES ${CMAKE_CURRENT_BINARY_DIR}/protobuf.pc ${CMAKE_CURRENT_BINARY_DIR}/protobuf-lite.pc DESTINATION "${CMAKE_INSTALL_LIBDIR}/pkgconfig")
 diff --git a/psw/ae/aesm_service/source/bundles/le_launch_service_bundle/CMakeLists.txt b/psw/ae/aesm_service/source/bundles/le_launch_service_bundle/CMakeLists.txt
 index 9f3aba8..87f6582 100644
 --- a/psw/ae/aesm_service/source/bundles/le_launch_service_bundle/CMakeLists.txt
 +++ b/psw/ae/aesm_service/source/bundles/le_launch_service_bundle/CMakeLists.txt
@@ -28,4 +28,4 @@ add_custom_command(
 )
 target_link_libraries(${bundle} oal utils urts_internal)
 -set_property(TARGET ${bundle} APPEND_STRING PROPERTY LINK_FLAGS " -Wl,-z,defs")
 +set_property(TARGET ${bundle} APPEND_STRING PROPERTY LINK_FLAGS " -Wl,-z,defs -O2 -D_FORTIFY_SOURCE=2")
 diff --git a/psw/ae/aesm_service/source/core/ipc/CMakeLists.txt b/psw/ae/aesm_service/source/core/ipc/CMakeLists.txt
 index f233595..72e9246 100644
 --- a/psw/ae/aesm_service/source/core/ipc/CMakeLists.txt
 +++ b/psw/ae/aesm_service/source/core/ipc/CMakeLists.txt
@@ -25,4 +25,5 @@ target_link_libraries(ipc
     PUBLIC
     ${PROTOBUF_LIBRARIES}
 )
 +set_property(TARGET ipc APPEND_STRING PROPERTY LINK_FLAGS " -O2 -D_FORTIFY_SOURCE=2")
 diff --git a/psw/ae/aesm_service/source/utils/CMakeLists.txt b/psw/ae/aesm_service/source/utils/CMakeLists.txt
 index 77aac37..6d17c19 100644
 --- a/psw/ae/aesm_service/source/utils/CMakeLists.txt
 +++ b/psw/ae/aesm_service/source/utils/CMakeLists.txt
@@ -25,7 +25,7 @@ target_compile_definitions(utils PRIVATE
   $<$<CONFIG:Debug>:DBG_LOG>
 )
 -set_property(TARGET utils APPEND_STRING PROPERTY LINK_FLAGS " -Wl,-z,defs")
 +set_property(TARGET utils APPEND_STRING PROPERTY LINK_FLAGS " -Wl,-z,defs -O2 -D_FORTIFY_SOURCE=2")
 target_link_libraries(utils
     ${OPENSSL_LIBRARIES}
 -- 
 2.27.0
--- a/linux-sgx.spec
+++ b/linux-sgx.spec
@ -1,6 +1,6 @@
 Name:           linux-sgx
 Version:        2.15.1
-Release:        1
+Release:        2
 Summary:        Intel(R) Software Guard Extensions for Linux* OS
 ExclusiveArch:	x86_64
 License:        BSD-3-Clause
@ -20,8 +20,9 @@ Source11:       https://github.com/intel/intel-sgx-ssl/archive/refs/tags/intel-s
 Patch0:         0001-disable-the-download-process-in-building.patch
 Patch1:         0002-fix-building-error-for-systemd.patch
 Patch2:         add-secure-compilation-options.patch
-BuildRequires:  gcc-c++ protobuf-devel libtool ocaml-ocamlbuild openssl openssl-devel cmake python curl-devel createrepo_c git
+BuildRequires:  gcc-c++ protobuf-devel libtool ocaml-ocamlbuild openssl openssl-devel cmake python curl-devel createrepo_c git nasm
 Requires:       glibc 
@ -264,6 +265,7 @@ Intel(R) Software Guard Extensions Basic Headers
 %%patch0 -p1
 %%patch1 -p1
 %%patch2 -p1
 %build
@ -283,6 +285,8 @@ mv oneDNN-2.5/{.[!.],}* .
 rm -rf oneDNN-2.5
 popd
 make -j -C external/ippcp_internal/
 make -j2 sdk_install_pkg_no_mitigation
 linux/installer/bin/sgx_linux_x64_sdk_2.15.101.1.bin --prefix=./
 source ./sgxsdk/environment
@ -1017,5 +1021,8 @@ fi
 %files -n libsgx-headers -f %{LINUX_INSTALLER_RPM_DIR}/libsgx-headers/build/list-libsgx-headers
 %changelog
 * Mon May 30 2022 houmingyong <houmingyong@huawei.com> - 2.15.1-2
 - add secure compilation options
 * Thu Dec 9 2021 wangcheng <wangcheng156@huawei.com> - 2.15.1-1
 - init