add secure compilation options

(cherry picked from commit 8bad3f37d13b5f6ade0d88b7730afeec52ba59f3)
2022-05-30 19:38:28 +08:00 · 2022-05-30 19:38:28 +08:00 · 6c73ccd79d
commit 6c73ccd79d
parent 7c9540d43b
2 changed files with 188 additions and 2 deletions
--- a/add-secure-compilation-options.patch
+++ b/add-secure-compilation-options.patch
@ -0,0 +1,179 @@
+From 89a45f1ce701e168dcab9fa0dadec533eff11d6b Mon Sep 17 00:00:00 2001
+From: houmingyong <houmingyong@huawei.com>
+Date: Mon, 30 May 2022 19:18:21 +0800
+Subject: [PATCH] add-secure-compilation-options
+
+---
+ external/ippcp_internal/Makefile              | 22 +------------------
+ .../ippcp_internal/ipp-crypto/CMakeLists.txt  |  3 +++
+ .../sources/cmake/linux/GNU8.2.0.cmake        |  2 +-
+ .../ippcp/crypto_mb/src/cmake/linux/GNU.cmake |  2 +-
+ .../openmp/openmp_code/final/CMakeLists.txt   |  2 ++
+ .../protobuf_code/cmake/CMakeLists.txt        |  2 ++
+ .../protobuf_code/cmake/install.cmake         |  7 ------
+ .../le_launch_service_bundle/CMakeLists.txt   |  2 +-
+ .../source/core/ipc/CMakeLists.txt            |  1 +
+ .../aesm_service/source/utils/CMakeLists.txt  |  2 +-
+ 10 files changed, 13 insertions(+), 32 deletions(-)
+
+diff --git a/external/ippcp_internal/Makefile b/external/ippcp_internal/Makefile
+index 96187ed..7b5ef26 100644
+--- a/external/ippcp_internal/Makefile
+++ b/external/ippcp_internal/Makefile
+@@ -64,16 +64,6 @@ OUT_DIR = lib/linux/$(ARCH)/$(SUB_DIR)/
+ PATCH_LOG = $(shell cd ./$(IPP_SOURCE) && git log --oneline --grep='IPP crypto for SGX.' | cut -d' ' -f 5)
+ CHECK_PATCHED :=
+ 
+-CHECK_SOURCE :=
+-# For reproducibility build in docker, the code should be 
+-# prepared before build. So skip the code check to avoid
+-# triggering network request 
+-ifneq ($(origin NIX_PATH), environment)
+-ifneq ($(PATCH_LOG), SGX.)
+-CHECK_SOURCE:= ipp_source
+-endif
+-endif
+-
+ .PHONY: all build_ipp
+ all: build_ipp
+ 	# copy the built out lib, header files and license to the target folder
+@@ -84,19 +74,9 @@ all: build_ipp
+ 	$(MKDIR) license
+ 	$(CP) ipp-crypto/LICENSE ./license/
+ 
+-build_ipp: $(CHECK_SOURCE)
+build_ipp:
+ 	cd $(IPP_SOURCE) && $(PRE_CONFIG) cmake CMakeLists.txt $(IPP_CONFIG) && cd build && make ippcp_s
+ 
+-.PHONY: ipp_source
+-ipp_source:
+-ifeq ($(shell git rev-parse --is-inside-work-tree), true)
+-	git submodule update -f --init --recursive --remote -- $(IPP_SOURCE)
+-else
+-	$(RM) -rf $(IPP_SOURCE)
+-	git clone -b ippcp_2021.3 https://github.com/intel/ipp-crypto.git --depth 1 $(IPP_SOURCE)
+-endif
+-	cd $(IPP_SOURCE) && git am ../0001-IPP-crypto-for-SGX.patch
+-
+ .PHONY: clean
+ clean:
+ 	$(RM) -rf ipp-crypto/build
+diff --git a/external/ippcp_internal/ipp-crypto/CMakeLists.txt b/external/ippcp_internal/ipp-crypto/CMakeLists.txt
+index f750c7b..6b1eef3 100644
+--- a/external/ippcp_internal/ipp-crypto/CMakeLists.txt
+++ b/external/ippcp_internal/ipp-crypto/CMakeLists.txt
+@@ -20,6 +20,9 @@
+ 
+ cmake_minimum_required(VERSION 3.12)
+ 
+set(SGX_PROGRAM_SEARCH_PATH)
+LIST(APPEND CMAKE_PROGRAM_PATH "/usr/local/bin/" ${SGX_PROGRAM_SEARCH_PATH} ...)
+
+ include("${CMAKE_CURRENT_SOURCE_DIR}/sources/cmake/ippcp-utils.cmake")
+ ippcp_getlibversion("${CMAKE_CURRENT_SOURCE_DIR}/include/ippversion.h")
+ if ((NOT DEFINED IPPCP_VERSION_MAJOR) OR
+diff --git a/external/ippcp_internal/ipp-crypto/sources/cmake/linux/GNU8.2.0.cmake b/external/ippcp_internal/ipp-crypto/sources/cmake/linux/GNU8.2.0.cmake
+index 24d7e0f..a137ee6 100644
+--- a/external/ippcp_internal/ipp-crypto/sources/cmake/linux/GNU8.2.0.cmake
+++ b/external/ippcp_internal/ipp-crypto/sources/cmake/linux/GNU8.2.0.cmake
+@@ -70,7 +70,7 @@ set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -flto-report")
+ set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -std=c99")
+ if ((${ARCH} MATCHES "ia32") OR (NOT NONPIC_LIB))
+   # Stack-based Buffer Overrun Detection (only when not nonpic intel64)
+-  set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -fstack-protector")
+  set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -fstack-protector-strong")
+ endif()
+ 
+ # Security flag that adds compile-time and run-time checks
+diff --git a/external/ippcp_internal/ipp-crypto/sources/ippcp/crypto_mb/src/cmake/linux/GNU.cmake b/external/ippcp_internal/ipp-crypto/sources/ippcp/crypto_mb/src/cmake/linux/GNU.cmake
+index 5d148a1..0c33a20 100644
+--- a/external/ippcp_internal/ipp-crypto/sources/ippcp/crypto_mb/src/cmake/linux/GNU.cmake
+++ b/external/ippcp_internal/ipp-crypto/sources/ippcp/crypto_mb/src/cmake/linux/GNU.cmake
+@@ -34,7 +34,7 @@ if(${CMAKE_BUILD_TYPE} STREQUAL "Release")
+ endif()
+ 
+ # Stack-based Buffer Overrun Detection
+-set(CMAKE_C_FLAGS_SECURITY "${CMAKE_C_FLAGS_SECURITY} -fstack-protector")
+set(CMAKE_C_FLAGS_SECURITY "${CMAKE_C_FLAGS_SECURITY} -fstack-protector-strong")
+ # Stack-based Buffer Overrun Detection
+ set(CMAKE_C_FLAGS_SECURITY "${CMAKE_C_FLAGS_SECURITY} -fstack-clash-protection")
+ # Position Independent Execution (PIE)
+diff --git a/external/openmp/openmp_code/final/CMakeLists.txt b/external/openmp/openmp_code/final/CMakeLists.txt
+index 597eedc..00ee39e 100644
+--- a/external/openmp/openmp_code/final/CMakeLists.txt
+++ b/external/openmp/openmp_code/final/CMakeLists.txt
+@@ -1,5 +1,7 @@
+ cmake_minimum_required(VERSION 2.8 FATAL_ERROR)
+ 
+add_compile_options(-fstack-protector-strong -O2 -D_FORTIFY_SOURCE=2)
+
+ # Add cmake directory to search for custom cmake functions.
+ set(CMAKE_MODULE_PATH ${CMAKE_CURRENT_SOURCE_DIR}/cmake ${CMAKE_MODULE_PATH})
+ 
+diff --git a/external/protobuf/protobuf_code/cmake/CMakeLists.txt b/external/protobuf/protobuf_code/cmake/CMakeLists.txt
+index 52661f5..ec0b64f 100644
+--- a/external/protobuf/protobuf_code/cmake/CMakeLists.txt
+++ b/external/protobuf/protobuf_code/cmake/CMakeLists.txt
+@@ -1,6 +1,8 @@
+ # Minimum CMake required
+ cmake_minimum_required(VERSION 3.1.3)
+ 
+add_compile_options(-fstack-protector-strong -O2 -D_FORTIFY_SOURCE=2)
+
+ if(protobuf_VERBOSE)
+   message(STATUS "Protocol Buffers Configuring...")
+ endif()
+diff --git a/external/protobuf/protobuf_code/cmake/install.cmake b/external/protobuf/protobuf_code/cmake/install.cmake
+index 4091bc8..8e12831 100644
+--- a/external/protobuf/protobuf_code/cmake/install.cmake
+++ b/external/protobuf/protobuf_code/cmake/install.cmake
+@@ -31,13 +31,6 @@ endforeach()
+ if (protobuf_BUILD_PROTOC_BINARIES)
+   install(TARGETS protoc EXPORT protobuf-targets
+     RUNTIME DESTINATION ${CMAKE_INSTALL_BINDIR} COMPONENT protoc)
+-  if (UNIX AND NOT APPLE)
+-    set_property(TARGET protoc
+-      PROPERTY INSTALL_RPATH "$ORIGIN/../${CMAKE_INSTALL_LIBDIR}")
+-  elseif (APPLE)
+-    set_property(TARGET protoc
+-      PROPERTY INSTALL_RPATH "@loader_path/../lib")
+-  endif()
+ endif (protobuf_BUILD_PROTOC_BINARIES)
+ 
+ install(FILES ${CMAKE_CURRENT_BINARY_DIR}/protobuf.pc ${CMAKE_CURRENT_BINARY_DIR}/protobuf-lite.pc DESTINATION "${CMAKE_INSTALL_LIBDIR}/pkgconfig")
+diff --git a/psw/ae/aesm_service/source/bundles/le_launch_service_bundle/CMakeLists.txt b/psw/ae/aesm_service/source/bundles/le_launch_service_bundle/CMakeLists.txt
+index 9f3aba8..87f6582 100644
+--- a/psw/ae/aesm_service/source/bundles/le_launch_service_bundle/CMakeLists.txt
+++ b/psw/ae/aesm_service/source/bundles/le_launch_service_bundle/CMakeLists.txt
+@@ -28,4 +28,4 @@ add_custom_command(
+ )
+ 
+ target_link_libraries(${bundle} oal utils urts_internal)
+-set_property(TARGET ${bundle} APPEND_STRING PROPERTY LINK_FLAGS " -Wl,-z,defs")
+set_property(TARGET ${bundle} APPEND_STRING PROPERTY LINK_FLAGS " -Wl,-z,defs -O2 -D_FORTIFY_SOURCE=2")
+diff --git a/psw/ae/aesm_service/source/core/ipc/CMakeLists.txt b/psw/ae/aesm_service/source/core/ipc/CMakeLists.txt
+index f233595..72e9246 100644
+--- a/psw/ae/aesm_service/source/core/ipc/CMakeLists.txt
+++ b/psw/ae/aesm_service/source/core/ipc/CMakeLists.txt
+@@ -25,4 +25,5 @@ target_link_libraries(ipc
+     PUBLIC
+     ${PROTOBUF_LIBRARIES}
+ )
+set_property(TARGET ipc APPEND_STRING PROPERTY LINK_FLAGS " -O2 -D_FORTIFY_SOURCE=2")
+ 
+diff --git a/psw/ae/aesm_service/source/utils/CMakeLists.txt b/psw/ae/aesm_service/source/utils/CMakeLists.txt
+index 77aac37..6d17c19 100644
+--- a/psw/ae/aesm_service/source/utils/CMakeLists.txt
+++ b/psw/ae/aesm_service/source/utils/CMakeLists.txt
+@@ -25,7 +25,7 @@ target_compile_definitions(utils PRIVATE
+   $<$<CONFIG:Debug>:DBG_LOG>
+ )
+ 
+-set_property(TARGET utils APPEND_STRING PROPERTY LINK_FLAGS " -Wl,-z,defs")
+set_property(TARGET utils APPEND_STRING PROPERTY LINK_FLAGS " -Wl,-z,defs -O2 -D_FORTIFY_SOURCE=2")
+ 
+ target_link_libraries(utils
+     ${OPENSSL_LIBRARIES}
+-- 
+2.27.0
+
--- a/linux-sgx.spec
+++ b/linux-sgx.spec
@ -1,6 +1,6 @@
 Name:           linux-sgx
 Version:        2.15.1
-Release:        1
+Release:        2
 Summary:        Intel(R) Software Guard Extensions for Linux* OS
 ExclusiveArch:	x86_64
 License:        BSD-3-Clause
@ -20,8 +20,9 @@ Source11:       https://github.com/intel/intel-sgx-ssl/archive/refs/tags/intel-s

 Patch0:         0001-disable-the-download-process-in-building.patch
 Patch1:         0002-fix-building-error-for-systemd.patch
+Patch2:         add-secure-compilation-options.patch

-BuildRequires:  gcc-c++ protobuf-devel libtool ocaml-ocamlbuild openssl openssl-devel cmake python curl-devel createrepo_c git
+BuildRequires:  gcc-c++ protobuf-devel libtool ocaml-ocamlbuild openssl openssl-devel cmake python curl-devel createrepo_c git nasm

 Requires:       glibc 

@ -264,6 +265,7 @@ Intel(R) Software Guard Extensions Basic Headers

 %%patch0 -p1
 %%patch1 -p1
+%%patch2 -p1

 %build

@ -283,6 +285,8 @@ mv oneDNN-2.5/{.[!.],}* .
 rm -rf oneDNN-2.5
 popd

+make -j -C external/ippcp_internal/
+
 make -j2 sdk_install_pkg_no_mitigation
 linux/installer/bin/sgx_linux_x64_sdk_2.15.101.1.bin --prefix=./
 source ./sgxsdk/environment
@ -1017,5 +1021,8 @@ fi
 %files -n libsgx-headers -f %{LINUX_INSTALLER_RPM_DIR}/libsgx-headers/build/list-libsgx-headers

 %changelog
+* Mon May 30 2022 houmingyong <houmingyong@huawei.com> - 2.15.1-2
+- add secure compilation options
+
 * Thu Dec 9 2021 wangcheng <wangcheng156@huawei.com> - 2.15.1-1
 - init