From d4a5c14600b311c166fe8a652f14518c4343a2fb Mon Sep 17 00:00:00 2001 From: Derek G Foster Date: Thu, 10 Aug 2023 18:12:15 -0700 Subject: [PATCH] Set recommended compiler flags - Functions to set C and C++ compiler flags according to the Intel Secure Coding Standards. (squashed) Signed-off-by: Derek G Foster --- CMakeLists.txt | 16 +++-- cmake/CompilerSettings.cmake | 124 +++++++++++++++++++++++++++++++++++ 2 files changed, 133 insertions(+), 7 deletions(-) create mode 100644 cmake/CompilerSettings.cmake diff --git a/CMakeLists.txt b/CMakeLists.txt index 44a42457..405ba8c4 100644 --- a/CMakeLists.txt +++ b/CMakeLists.txt @@ -7,7 +7,7 @@ # Version 3.15 is the baseline for P4 Control Plane. cmake_minimum_required(VERSION 3.15) -# CMAKE_BUILD_TYPE must be set before the first project() command. +# Set before the first project() command. set(CMAKE_BUILD_TYPE "RelWithDebInfo" CACHE STRING "Type of build to perform") project(networking-recipe VERSION 23.07 LANGUAGES C CXX) @@ -15,6 +15,7 @@ project(networking-recipe VERSION 23.07 LANGUAGES C CXX) list(APPEND CMAKE_MODULE_PATH ${CMAKE_CURRENT_SOURCE_DIR}/cmake) include(CMakePrintHelpers) +include(CompilerSettings) include(CTest) include(FindPkgConfig) include(GNUInstallDirs) @@ -59,7 +60,6 @@ include(SelectTdiTarget) ################### option(SET_RPATH "Set RPATH in libraries and executables" OFF) - option(WITH_KRNLMON "Enable Kernel Monitor support" ON) option(WITH_OVSP4RT "Enable OVS support" ON) @@ -71,9 +71,13 @@ endif() cmake_print_variables(WITH_KRNLMON) cmake_print_variables(WITH_OVSP4RT) -########################### -# Global compiler options # -########################### +############################ +# Global compiler settings # +############################ + +add_basic_settings() +#add_recent_security_settings(${CMAKE_BUILD_TYPE}) +add_legacy_security_settings() add_compile_options(-D${TARGETFLAG}) @@ -85,8 +89,6 @@ if(NOT DEPEND_INSTALL_DIR STREQUAL "") endif() endif() -set(CMAKE_POSITION_INDEPENDENT_CODE ON) - ############################ # find_xxxx() search paths # ############################ diff --git a/cmake/CompilerSettings.cmake b/cmake/CompilerSettings.cmake new file mode 100644 index 00000000..a018f376 --- /dev/null +++ b/cmake/CompilerSettings.cmake @@ -0,0 +1,124 @@ +# CompilerSettings.cmake - Apply recommended compiler settings. +# +# Copyright 2023 Intel Corporation +# SPDX-License-Identifier: Apache 2.0 +# + +include(CheckCCompilerFlag) +include(CheckPIESupported) +include(CMakePrintHelpers) + +# Disabled by default, on the assumption that the choice of warnings +# is best left to the application. +option(ENABLE_WARNING_SETTINGS "Enable compiler warnings" OFF) +option(ENABLE_SPECTRE_SETTINGS "Enable Spectre mitigations" ON) + +function(add_basic_settings) + # Compiler flags + add_compile_options("-pipe") + add_compile_options("-feliminate-unused-debug-types") + + # Linker flags + add_link_options("-Wl,-O1") + add_link_options("-Wl,--hash-style=gnu") + add_link_options("-Wl,--as-needed") + add_link_options("-Wl,-z,now") +endfunction(add_basic_settings) + +# Defines the security settings used in earlier versions +# of the software. +function(add_legacy_security_settings) + # Format String Defense + add_compile_options("-Wformat") + add_compile_options("-Wformat-security") + add_compile_options("-Werror=format-security") + + # Position Independent Code + set(CMAKE_POSITION_INDEPENDENT_CODE TRUE PARENT_SCOPE) + + # Preprocessor Macros + add_compile_options("-D_FORTIFY_SOURCE=2") + + # Read-only Relocation + add_link_options("-Wl,-z,relro") + + # Stack Protection + add_compile_options("-fstack-protector-strong") +endfunction() + +# Defines security settings according to the +# Intel Secure Coding Standards. +function(add_recent_security_settings CONFIG) + string(TOUPPER ${CONFIG} CONFIG) + if(CONFIG STREQUAL "DEBUG") + set(IS_RELEASE FALSE) + else() + set(IS_RELEASE TRUE) + endif() + + macro(check_and_add_option OPTION HAVE_FLAG) + check_c_compiler_flag(${OPTION} ${HAVE_FLAG}) + if(${HAVE_FLAG}) + add_compile_options(${OPTION}) + endif() + endmacro() + + # Compiler Warnings and Error Detection + if(ENABLE_WARNING_SETTINGS) + add_compile_options("-Wall") + add_compile_options("-Wextra") + if(IS_RELEASE) + add_compile_options("-Werror") + endif() + endif() + + # Control Flow Integrity + check_and_add_option("-fsanitize=cfi" HAVE_SANITIZE_CFI) + if(IS_RELEASE) + check_and_add_option("-flto" HAVE_LTO) + check_and_add_option("-fvisibility=hidden" HAVE_VISIBILITY_HIDDEN) + endif() + + # Format String Defense + check_and_add_option("-Wformat" HAVE_WFORMAT) + check_and_add_option("-Wformat-security" HAVE_WFORMAT_SECURITY) + if(IS_RELEASE) + check_and_add_option( + "-Werror=format-security" FLAGS_WERROR_FORMAT_SECURITY) + endif() + + # Inexecutable Stack + check_and_add_option("-Wl,-z,noexecstack" HAVE_NOEXECSTACK) + + # Position Independent Code + set(CMAKE_POSITION_INDEPENDENT_CODE TRUE PARENT_SCOPE) + + # Position Independent Execution + check_pie_supported(LANGUAGES C CXX) + if(CMAKE_C_PIE_SUPPORTED AND CMAKE_CXX_PIE_SUPPORTED) + add_compile_options("-fPIE -pie") + endif() + + # Preprocessor Macros + add_compile_definitions("FORTIFY_SOURCE=2") + + # Read-only Relocation + check_and_add_option("-Wl,-z,relro" HAVE_RELRO) + + # Stack Protection + add_compile_options("-fstack-protector-strong") + + # Spectre Protection + if(IS_RELEASE AND ENABLE_SPECTRE_SETTINGS) + # Mitigating Bounds Check Bypass (Spectre Variant 1) + check_and_add_option( + "-mconditional-branch=keep" HAVE_COND_BRANCH_KEEP) + check_and_add_option( + "-mconditional-branch=pattern-report" HAVE_COND_BRANCH_PATTERN_REPORT) + check_and_add_option( + "-mconditional-branch=pattern-fix" HAVE_COND_BRANCH_PATTERN_FIX) + + # Mitigating Branch Target Injection (Spectre Variant 2) + check_and_add_option("-mretpoline" HAVE_RETPOLINE) + endif() +endfunction(add_recent_security_settings)