[CMake] Add build configuration option to enable security flags (#8456)

Signed-off-by: Tikhomirova, Kseniya <kseniya.tikhomirova@intel.com>

Author: KseniyaTikhomirova

buildbot/configure.py

@@ -181,6 +181,9 @@ def do_configure(args):
     # Add additional CMake options if provided
     if args.cmake_opt:
       cmake_cmd += args.cmake_opt
+    
+    if args.add_security_flags:
+      cmake_cmd.extend(["-DEXTRA_SECURITY_FLAGS={}".format(args.add_security_flags)])
 
     # Add path to root CMakeLists.txt
     cmake_cmd.append(llvm_dir)
@@ -247,6 +250,7 @@ def main():
     parser.add_argument("--ci-defaults", action="store_true", help="Enable default CI parameters")
     parser.add_argument("--enable-plugin", action='append', help="Enable SYCL plugin")
     parser.add_argument("--disable-fusion", action="store_true", help="Disable the kernel fusion JIT compiler")
+    parser.add_argument("--add_security_flags", type=str, choices=['none', 'default', 'sanitize'], default=None, help="Enables security flags for compile & link. Two values are supported: 'default' and 'sanitize'. 'Sanitize' option is an extension of 'default' set.")
     args = parser.parse_args()
 
     print("args:{}".format(args))

llvm/cmake/modules/AddSecurityFlags.cmake

@@ -0,0 +1,103 @@
+macro(add_compile_option_ext flag name)
+  cmake_parse_arguments(ARG "" "" "" ${ARGN}) 
+  set(CHECK_STRING "${flag}")
+  if (MSVC)
+    set(CHECK_STRING "/WX ${CHECK_STRING}")
+  else()
+    set(CHECK_STRING "-Werror ${CHECK_STRING}")
+  endif()
+
+  check_c_compiler_flag("${CHECK_STRING}" "C_SUPPORTS_${name}")
+  check_cxx_compiler_flag("${CHECK_STRING}" "CXX_SUPPORTS_${name}")
+  if (C_SUPPORTS_${name} AND CXX_SUPPORTS_${name})
+    message(STATUS "Building with ${flag}")
+    set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} ${flag}")
+    set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} ${flag}")
+    set(CMAKE_ASM_FLAGS "${CMAKE_ASM_FLAGS} ${flag}")
+  else()
+    message(WARNING "${flag} is not supported.")
+  endif()
+endmacro()
+
+macro(add_link_option_ext flag name)
+  include(LLVMCheckLinkerFlag)
+  cmake_parse_arguments(ARG "" "" "" ${ARGN})
+  llvm_check_linker_flag(CXX "${flag}" "LINKER_SUPPORTS_${name}")
+  if(LINKER_SUPPORTS_${name})
+    message(STATUS "Building with ${flag}")
+    append("${flag}" ${ARG_UNPARSED_ARGUMENTS})
+  else()
+    message(WARNING "${flag} is not supported.")
+  endif()
+endmacro()
+
+function(append_common_extra_security_flags)
+  if( LLVM_ON_UNIX )
+    # Fortify Source (strongly recommended):
+    if (CMAKE_BUILD_TYPE STREQUAL "Debug")
+      message(WARNING
+        "-D_FORTIFY_SOURCE=2 can only be used with optimization.")
+      message(WARNING "-D_FORTIFY_SOURCE=2 is not supported.")
+    else()
+      # Sanitizers do not work with checked memory functions,
+      # such as __memset_chk. We do not build release packages
+      # with sanitizers, so just avoid -D_FORTIFY_SOURCE=2
+      # under LLVM_USE_SANITIZER.
+      if (NOT LLVM_USE_SANITIZER)
+        message(STATUS "Building with -D_FORTIFY_SOURCE=2")
+        add_definitions(-D_FORTIFY_SOURCE=2)
+      else()
+        message(WARNING
+          "-D_FORTIFY_SOURCE=2 dropped due to LLVM_USE_SANITIZER.")
+      endif()
+    endif()
+
+    # Format String Defense
+    add_compile_option_ext("-Wformat" WFORMAT)
+    add_compile_option_ext("-Wformat-security" WFORMATSECURITY)
+    add_compile_option_ext("-Werror=format-security" WERRORFORMATSECURITY)
+
+    # Stack Protection
+    add_compile_option_ext("-fstack-protector-strong" FSTACKPROTECTORSTRONG)
+
+    # Full Relocation Read Only
+    add_link_option_ext("-Wl,-z,relro" ZRELRO
+      CMAKE_EXE_LINKER_FLAGS CMAKE_MODULE_LINKER_FLAGS
+      CMAKE_SHARED_LINKER_FLAGS)
+
+    # Immediate Binding (Bindnow)
+    add_link_option_ext("-Wl,-z,now" ZNOW
+      CMAKE_EXE_LINKER_FLAGS CMAKE_MODULE_LINKER_FLAGS
+      CMAKE_SHARED_LINKER_FLAGS)
+  endif()
+endfunction()
+
+if ( EXTRA_SECURITY_FLAGS )
+    if (EXTRA_SECURITY_FLAGS STREQUAL "none")
+    # No actions.
+    elseif (EXTRA_SECURITY_FLAGS STREQUAL "default")
+      append_common_extra_security_flags()
+    elseif (EXTRA_SECURITY_FLAGS STREQUAL "sanitize")
+      append_common_extra_security_flags()
+      if (CMAKE_CXX_COMPILER_ID MATCHES "Clang")
+        add_compile_option_ext("-fsanitize=cfi" FSANITIZE_CFI)
+        add_link_option_ext("-fsanitize=cfi" FSANITIZE_CFI_LINK
+          CMAKE_EXE_LINKER_FLAGS CMAKE_MODULE_LINKER_FLAGS
+          CMAKE_SHARED_LINKER_FLAGS)
+        # Recommended option although linking a DSO with SafeStack is not currently supported by compiler.
+        #add_compile_option_ext("-fsanitize=safe-stack" FSANITIZE_SAFESTACK)
+        #add_link_option_ext("-fsanitize=safe-stack" FSANITIZE_SAFESTACK_LINK
+        #  CMAKE_EXE_LINKER_FLAGS CMAKE_MODULE_LINKER_FLAGS
+        #  CMAKE_SHARED_LINKER_FLAGS)
+      else()
+        add_compile_option_ext("-fcf-protection=full -mcet" FCF_PROTECTION)
+        # need to align compile and link option set, link now is set unconditionally
+        add_link_option_ext("-fcf-protection=full -mcet" FCF_PROTECTION_LINK
+          CMAKE_EXE_LINKER_FLAGS CMAKE_MODULE_LINKER_FLAGS
+          CMAKE_SHARED_LINKER_FLAGS)
+      endif()
+    else()
+      message(FATAL_ERROR "Unsupported value of EXTRA_SECURITY_FLAGS: ${EXTRA_SECURITY_FLAGS}")
+    endif()
+endif()
+

llvm/cmake/modules/HandleLLVMOptions.cmake

@@ -1286,5 +1286,8 @@ if(LLVM_USE_RELATIVE_PATHS_IN_FILES)
   add_flag_if_supported("-no-canonical-prefixes" NO_CANONICAL_PREFIXES)
 endif()
 
+# Add to the end since we need some definitions to be set (LLVM_ON_LINUX)
+include(AddSecurityFlags)
+
 set(LLVM_THIRD_PARTY_DIR  ${CMAKE_CURRENT_SOURCE_DIR}/../third-party CACHE STRING
     "Directory containing third party software used by LLVM (e.g. googletest)")