StrixOS/build
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Enable CFI by default but restrict CFI_INCLUDE_PATHS

Browse Source 
This CL enables CFI on security sensitive components for product
configs that inherit core_64_bit.mk (and core_64_bit_only.mk). Note
that this only requests the build system to do so. Internal build
logic will dictate if this is actually enabled on the build or
not (CFI is currently disabled for ARM32 and MIPS for example).

In addition, this also restricts CFI_INCLUDE_PATHS and
PRODUCT_CFI_INCLUDE_PATHS to Arm64 architectures only. This helps
narrow which targets enable CFI out of the box.

Bug: 66301104
Test: CFI is enabled on aosp_* targets
Change-Id: I52af499dc34cd4b42fbfb1175f6a37aaf17b65dd
This commit is contained in:
Vishwath Mohan
2018-05-24 18:04:25 -07:00
parent 2dcba6fed7
commit 6106a4ead5
3 changed files with 17 additions and 7 deletions
Download Patch File Download Diff File Expand all files Collapse all files

16
core/config_sanitizers.mk
View File

@@ -96,15 +96,17 @@ ifeq ($(LOCAL_SANITIZE),never)
my_sanitize_diag :=
endif
# Enable CFI in included paths.
# Enable CFI in included paths (for Arm64 only).
ifeq ($(filter cfi, $(my_sanitize)),)
combined_include_paths := $(CFI_INCLUDE_PATHS) \
$(PRODUCT_CFI_INCLUDE_PATHS)
ifneq ($(filter arm64,$(TARGET_$(LOCAL_2ND_ARCH_VAR_PREFIX)ARCH)),)
combined_include_paths := $(CFI_INCLUDE_PATHS) \
$(PRODUCT_CFI_INCLUDE_PATHS)
ifneq ($(strip $(foreach dir,$(subst $(comma),$(space),$(combined_include_paths)),\
$(filter $(dir)%,$(LOCAL_PATH)))),)
my_sanitize := cfi $(my_sanitize)
my_sanitize_diag := cfi $(my_sanitize_diag)
ifneq ($(strip $(foreach dir,$(subst $(comma),$(space),$(combined_include_paths)),\
$(filter $(dir)%,$(LOCAL_PATH)))),)
my_sanitize := cfi $(my_sanitize)
my_sanitize_diag := cfi $(my_sanitize_diag)
endif
endif
endif

4
target/product/core_64_bit.mk
View File

@@ -31,3 +31,7 @@ PRODUCT_DEFAULT_PROPERTY_OVERRIDES += ro.zygote=zygote64_32
TARGET_SUPPORTS_32_BIT_APPS := true
TARGET_SUPPORTS_64_BIT_APPS := true
# Enable CFI for security-sensitive components
$(call inherit-product, $(SRC_TARGET_DIR)/product/cfi-common.mk)
$(call inherit-product-if-exists, vendor/google/products/cfi-vendor.mk)

4
target/product/core_64_bit_only.mk
View File

@@ -28,3 +28,7 @@ PRODUCT_DEFAULT_PROPERTY_OVERRIDES += ro.zygote=zygote64
TARGET_SUPPORTS_32_BIT_APPS := false
TARGET_SUPPORTS_64_BIT_APPS := true
# Enable CFI for security-sensitive components
$(call inherit-product, $(SRC_TARGET_DIR)/product/cfi-common.mk)
$(call inherit-product-if-exists, vendor/google/products/cfi-vendor.mk)