Merge "Enable CFI by default but restrict CFI_INCLUDE_PATHS" into pi-dev

core/config_sanitizers.mk

@@ -96,8 +96,9 @@ ifeq ($(LOCAL_SANITIZE),never)
   my_sanitize_diag :=
 endif
 
-# Enable CFI in included paths.
+# Enable CFI in included paths (for Arm64 only).
 ifeq ($(filter cfi, $(my_sanitize)),)
+  ifneq ($(filter arm64,$(TARGET_$(LOCAL_2ND_ARCH_VAR_PREFIX)ARCH)),)
     combined_include_paths := $(CFI_INCLUDE_PATHS) \
                               $(PRODUCT_CFI_INCLUDE_PATHS)
 
@@ -106,6 +107,7 @@ ifeq ($(filter cfi, $(my_sanitize)),)
       my_sanitize := cfi $(my_sanitize)
       my_sanitize_diag := cfi $(my_sanitize_diag)
     endif
+  endif
 endif
 
 # If CFI is disabled globally, remove it from my_sanitize.

target/product/core_64_bit.mk

@@ -31,3 +31,7 @@ PRODUCT_DEFAULT_PROPERTY_OVERRIDES += ro.zygote=zygote64_32
 
 TARGET_SUPPORTS_32_BIT_APPS := true
 TARGET_SUPPORTS_64_BIT_APPS := true
+
+# Enable CFI for security-sensitive components
+$(call inherit-product, $(SRC_TARGET_DIR)/product/cfi-common.mk)
+$(call inherit-product-if-exists, vendor/google/products/cfi-vendor.mk)

target/product/core_64_bit_only.mk

@@ -28,3 +28,7 @@ PRODUCT_DEFAULT_PROPERTY_OVERRIDES += ro.zygote=zygote64
 
 TARGET_SUPPORTS_32_BIT_APPS := false
 TARGET_SUPPORTS_64_BIT_APPS := true
+
+# Enable CFI for security-sensitive components
+$(call inherit-product, $(SRC_TARGET_DIR)/product/cfi-common.mk)
+$(call inherit-product-if-exists, vendor/google/products/cfi-vendor.mk)