forked from ~ljy/RK3588_XEN

blame | history | raw
hc
2024-03-22 ac5f19e89dcbd5c7428fcc78a0d407c887564466 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105

From 103c00c8d74a1cd87686850212bd93c0e4d59fc9 Mon Sep 17 00:00:00 2001


From: Fabrice Fontaine <fontaine.fabrice@gmail.com>


Date: Wed, 11 Aug 2021 21:34:59 +0200


Subject: [PATCH] Add MEDIA_BUILD_HARDENING option


 


Add MEDIA_BUILD_HARDENING option to allow the user to disable hardening


options such as stack-protector-all or FORTIFY SOURCE 2 which are not


always available (e.g. fortify source 2 is only available on glibc >= 6


and not musl/uclibc-ng)


 


Patch sent upstream: https://github.com/intel/media-driver/pull/1242


 


Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>


Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>


---


 cmrtlib/linux/CMakeLists.txt                       | 14 ++++++++++----


 .../cmake/linux/media_compile_flags_linux.cmake    | 12 ++++++++++--


 media_driver/media_top_cmake.cmake                 |  8 +++++++-


 3 files changed, 27 insertions(+), 7 deletions(-)


 


diff --git a/cmrtlib/linux/CMakeLists.txt b/cmrtlib/linux/CMakeLists.txt


index 65f71ceef..b066138d9 100644


--- a/cmrtlib/linux/CMakeLists.txt


+++ b/cmrtlib/linux/CMakeLists.txt


@@ -32,12 +32,18 @@ else()


 endif()


 


 # Set up compile options that will be used for the Linux build


-set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} ${CPP_STANDARD_OPTION} -fPIC -fpermissive -fstack-protector-all")


-set(CMAKE_CXX_FLAGS_RELEASE "${CMAKE_CXX_FLAGS_RELEASE} -fno-strict-aliasing -D_FORTIFY_SOURCE=2")


+set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} ${CPP_STANDARD_OPTION} -fPIC -fpermissive")


+set(CMAKE_CXX_FLAGS_RELEASE "${CMAKE_CXX_FLAGS_RELEASE} -fno-strict-aliasing")


 set(CMAKE_CXX_FLAGS_DEBUG   "${CMAKE_CXX_FLAGS_DEBUG} -D_DEBUG -D__DEBUG -O0")


-set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} ${CPP_STANDARD_OPTION} -fPIC -fpermissive -fstack-protector-all")


-set(CMAKE_C_FLAGS_RELEASE "${CMAKE_C_FLAGS_RELEASE} -fno-strict-aliasing -D_FORTIFY_SOURCE=2")


+set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} ${CPP_STANDARD_OPTION} -fPIC -fpermissive")


+set(CMAKE_C_FLAGS_RELEASE "${CMAKE_C_FLAGS_RELEASE} -fno-strict-aliasing")


 set(CMAKE_C_FLAGS_DEBUG   "${CMAKE_C_FLAGS_DEBUG} -D_DEBUG -D__DEBUG -O0")


+if(MEDIA_BUILD_HARDENING)


+    set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} ${CMAKE_CXX_FLAGS} -fstack-protector-all")


+    set(CMAKE_CXX_FLAGS_RELEASE "${CMAKE_CXX_FLAGS_RELEASE} -D_FORTIFY_SOURCE=2")


+    set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} ${CMAKE_C_FLAGS} -fstack-protector-all")


+    set(CMAKE_C_FLAGS_RELEASE "${CMAKE_C_FLAGS_RELEASE} -D_FORTIFY_SOURCE=2")


+endif()


 if(MEDIA_BUILD_FATAL_WARNINGS)


     set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} ${CMAKE_CXX_FLAGS} -Werror")


     set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} ${CMAKE_C_FLAGS} -Werror")


diff --git a/media_driver/cmake/linux/media_compile_flags_linux.cmake b/media_driver/cmake/linux/media_compile_flags_linux.cmake


index 7a2bd64b6..98896b131 100755


--- a/media_driver/cmake/linux/media_compile_flags_linux.cmake


+++ b/media_driver/cmake/linux/media_compile_flags_linux.cmake


@@ -47,7 +47,6 @@ set(MEDIA_COMPILER_FLAGS_COMMON


     # Other common flags


     -fmessage-length=0


     -fvisibility=hidden


-    -fstack-protector


     -fdata-sections


     -ffunction-sections


     -Wl,--gc-sections


@@ -64,6 +63,11 @@ set(MEDIA_COMPILER_FLAGS_COMMON


     -g


 )


 


+if(MEDIA_BUILD_HARDENING)


+    set(MEDIA_COMPILER_FLAGS_COMMON


+        ${MEDIA_COMPILER_FLAGS_COMMON}


+        -fstack-protector)


+endif()


 


 if(${UFO_MARCH} STREQUAL "slm")


     set(MEDIA_COMPILER_FLAGS_COMMON


@@ -119,9 +123,13 @@ if(${UFO_VARIANT} STREQUAL "default")


     set(MEDIA_COMPILER_FLAGS_RELEASE


         ${MEDIA_COMPILER_FLAGS_RELEASE}


         -O2


-        -D_FORTIFY_SOURCE=2


         -fno-omit-frame-pointer


     )


+    if(MEDIA_BUILD_HARDENING)


+        set(MEDIA_COMPILER_FLAGS_RELEASE


+            ${MEDIA_COMPILER_FLAGS_RELEASE}


+            -D_FORTIFY_SOURCE=2)


+    endif()


 endif()


 


 if(NOT ${PLATFORM} STREQUAL "android")


diff --git a/media_driver/media_top_cmake.cmake b/media_driver/media_top_cmake.cmake


index f089ea45f..b0b428914 100755


--- a/media_driver/media_top_cmake.cmake


+++ b/media_driver/media_top_cmake.cmake


@@ -111,7 +111,13 @@ if(MEDIA_BUILD_FATAL_WARNINGS)


     set_target_properties(${LIB_NAME_OBJ} PROPERTIES COMPILE_FLAGS "-Werror")


 endif()


 


-set_target_properties(${LIB_NAME} PROPERTIES LINK_FLAGS "-Wl,--no-as-needed -Wl,--gc-sections -z relro -z now -fstack-protector -fPIC")


+set(MEDIA_LINK_FLAGS "-Wl,--no-as-needed -Wl,--gc-sections -z relro -z now -fPIC")


+option(MEDIA_BUILD_HARDENING "Enable hardening (stack-protector, fortify source)" ON)


+if(MEDIA_BUILD_HARDENING)


+    set(MEDIA_LINK_FLAGS "${MEDIA_LINK_FLAGS} -fstack-protector")


+endif()


+set_target_properties(${LIB_NAME} PROPERTIES LINK_FLAGS ${MEDIA_LINK_FLAGS})


+


 set_target_properties(${LIB_NAME}        PROPERTIES PREFIX "")


 set_target_properties(${LIB_NAME_STATIC} PROPERTIES PREFIX "")