File _service:obs_scm:0003-add-secure-compilation-options.patch of Package linux-sgx
From 89a45f1ce701e168dcab9fa0dadec533eff11d6b Mon Sep 17 00:00:00 2001 From: houmingyong <houmingyong@huawei.com> Date: Mon, 30 May 2022 19:18:21 +0800 Subject: [PATCH] add-secure-compilation-options Signed-off-by: zhoushuiqing <zhoushuiqing2@huawei.com> --- external/ippcp_internal/Makefile | 20 +------------------ .../ippcp_internal/ipp-crypto/CMakeLists.txt | 3 +++ .../sources/cmake/linux/GNU8.2.0.cmake | 2 +- .../ippcp/crypto_mb/src/cmake/linux/GNU.cmake | 2 +- .../openmp/openmp_code/final/CMakeLists.txt | 2 ++ .../protobuf_code/cmake/CMakeLists.txt | 2 ++ .../protobuf_code/cmake/install.cmake | 7 ------- .../le_launch_service_bundle/CMakeLists.txt | 2 +- .../source/core/ipc/CMakeLists.txt | 1 + .../aesm_service/source/utils/CMakeLists.txt | 2 +- 10 files changed, 13 insertions(+), 30 deletions(-) diff --git a/external/ippcp_internal/Makefile b/external/ippcp_internal/Makefile index 96187ed..7b5ef26 100644 --- a/external/ippcp_internal/Makefile +++ b/external/ippcp_internal/Makefile @@ -61,14 +61,6 @@ else ifeq ($(MITIGATION-CVE-2020-0551), CF) endif OUT_DIR = lib/linux/$(ARCH)/$(SUB_DIR)/ -CHECK_SOURCE := -# For reproducibility build in docker, the code should be -# prepared before build. So skip the code check to avoid -# triggering network request -ifneq ($(origin NIX_STORE), environment) -CHECK_SOURCE:= $(IPP_SOURCE)/build -endif - .PHONY: all build_ipp all: build_ipp # copy the built out lib, header files and license to the target folder 
@@ -79,19 +71,9 @@ all: build_ipp $(MKDIR) license $(CP) ipp-crypto/LICENSE ./license/ -build_ipp: $(CHECK_SOURCE) +build_ipp: cd $(IPP_SOURCE) && $(PRE_CONFIG) cmake CMakeLists.txt $(IPP_CONFIG) && cd build && make ippcp_s -$(IPP_SOURCE)/build: -ifeq ($(shell git rev-parse --is-inside-work-tree), true) - git submodule update -f --init --recursive --remote -- $(IPP_SOURCE) -else - $(RM) -rf $(IPP_SOURCE) - git clone -b ippcp_2021.3 https://github.com/intel/ipp-crypto.git --depth 1 $(IPP_SOURCE) -endif - cd $(IPP_SOURCE) && git apply ../0001-IPP-crypto-for-SGX.patch - mkdir -p $(IPP_SOURCE)/build - .PHONY: clean clean: $(RM) -rf ipp-crypto/build/* diff --git a/external/ippcp_internal/ipp-crypto/CMakeLists.txt b/external/ippcp_internal/ipp-crypto/CMakeLists.txt index f750c7b..6b1eef3 100644 --- a/external/ippcp_internal/ipp-crypto/CMakeLists.txt +++ b/external/ippcp_internal/ipp-crypto/CMakeLists.txt @@ -20,6 +20,9 @@ cmake_minimum_required(VERSION 3.12) +set(SGX_PROGRAM_SEARCH_PATH) +LIST(APPEND CMAKE_PROGRAM_PATH "/usr/local/bin/" ${SGX_PROGRAM_SEARCH_PATH} ...) + include("${CMAKE_CURRENT_SOURCE_DIR}/sources/cmake/ippcp-utils.cmake") ippcp_getlibversion("${CMAKE_CURRENT_SOURCE_DIR}/include/ippversion.h") if ((NOT DEFINED IPPCP_VERSION_MAJOR) OR diff --git a/external/ippcp_internal/ipp-crypto/sources/cmake/linux/GNU8.2.0.cmake b/external/ippcp_internal/ipp-crypto/sources/cmake/linux/GNU8.2.0.cmake index 24d7e0f..a137ee6 100644 --- a/external/ippcp_internal/ipp-crypto/sources/cmake/linux/GNU8.2.0.cmake +++ b/external/ippcp_internal/ipp-crypto/sources/cmake/linux/GNU8.2.0.cmake 
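Review bot: `build_ipp:` no longer has a prerequisite, and nothing in the hunk documents that `$(IPP_SOURCE)` must already be present with `0001-IPP-crypto-for-SGX.patch` applied. The removed rule also ran `mkdir -p $(IPP_SOURCE)/build`, so the later `cd build` now relies on the cmake step creating that directory; whether `$(IPP_CONFIG)` does so is not visible here. A short comment above the target would record the assumption, for example `# ipp-crypto sources are shipped pre-patched in this tree; nothing is fetched at build time`. The commit subject only mentions compilation options, so the removal of the source-fetch logic deserves a line in the description too.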
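Review bot: The added `LIST(APPEND CMAKE_PROGRAM_PATH "/usr/local/bin/" ${SGX_PROGRAM_SEARCH_PATH} ...)` appends a literal `...` as a search-path entry, which looks like placeholder text carried over from an example rather than an intended directory. `set(SGX_PROGRAM_SEARCH_PATH)` on the line before clears the normal variable, so unless a cache entry of that name is supplied the only effective addition is `/usr/local/bin/`, a location outside the package-managed paths that `find_program` consults before the system PATH. If that directory is really wanted, `list(APPEND CMAKE_PROGRAM_PATH "/usr/local/bin" ${SGX_PROGRAM_SEARCH_PATH})` without the `...`, plus a one-line comment naming the tool expected there, would make the intent reviewable; otherwise both lines can be dropped. The rest of the file lies outside the hunk.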
@@ -70,7 +70,7 @@ set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -flto-report") set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -std=c99") if ((${ARCH} MATCHES "ia32") OR (NOT NONPIC_LIB)) # Stack-based Buffer Overrun Detection (only when not nonpic intel64) - set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -fstack-protector") + set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -fstack-protector-strong") endif() # Security flag that adds compile-time and run-time checks diff --git a/external/ippcp_internal/ipp-crypto/sources/ippcp/crypto_mb/src/cmake/linux/GNU.cmake b/external/ippcp_internal/ipp-crypto/sources/ippcp/crypto_mb/src/cmake/linux/GNU.cmake index 5d148a1..0c33a20 100644 --- a/external/ippcp_internal/ipp-crypto/sources/ippcp/crypto_mb/src/cmake/linux/GNU.cmake +++ b/external/ippcp_internal/ipp-crypto/sources/ippcp/crypto_mb/src/cmake/linux/GNU.cmake @@ -34,7 +34,7 @@ if(${CMAKE_BUILD_TYPE} STREQUAL "Release") endif() # Stack-based Buffer Overrun Detection -set(CMAKE_C_FLAGS_SECURITY "${CMAKE_C_FLAGS_SECURITY} -fstack-protector") +set(CMAKE_C_FLAGS_SECURITY "${CMAKE_C_FLAGS_SECURITY} -fstack-protector-strong") # Stack-based Buffer Overrun Detection set(CMAKE_C_FLAGS_SECURITY "${CMAKE_C_FLAGS_SECURITY} -fstack-clash-protection") # Position Independent Execution (PIE) diff --git a/external/openmp/openmp_code/final/CMakeLists.txt b/external/openmp/openmp_code/final/CMakeLists.txt index 597eedc..00ee39e 100644 --- a/external/openmp/openmp_code/final/CMakeLists.txt +++ b/external/openmp/openmp_code/final/CMakeLists.txt @@ -1,5 +1,7 @@ cmake_minimum_required(VERSION 2.8 FATAL_ERROR) +add_compile_options(-fstack-protector-strong -O2 -D_FORTIFY_SOURCE=2) + # Add cmake directory to search for custom cmake functions. set(CMAKE_MODULE_PATH ${CMAKE_CURRENT_SOURCE_DIR}/cmake ${CMAKE_MODULE_PATH}) diff --git a/external/protobuf/protobuf_code/cmake/CMakeLists.txt b/external/protobuf/protobuf_code/cmake/CMakeLists.txt index 52661f5..ec0b64f 100644 --- a/external/protobuf/protobuf_code/cmake/CMakeLists.txt 
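Review bot: `add_compile_options(-fstack-protector-strong -O2 -D_FORTIFY_SOURCE=2)` in external/openmp/openmp_code/final/CMakeLists.txt is directory-scoped and unconditional, so `-O2` reaches every target and every configuration below it, Debug included; because these options are normally emitted after the per-configuration flags, it probably overrides the optimisation level the build type selects. `_FORTIFY_SOURCE` only takes effect with optimisation enabled, which is presumably why `-O2` is here, and that deserves a comment such as `# _FORTIFY_SOURCE needs optimisation to be effective, hence -O2`. If the distribution toolchain already passes `_FORTIFY_SOURCE` at a different level, the second definition can produce redefinition warnings, so `-U_FORTIFY_SOURCE -D_FORTIFY_SOURCE=2` would be the safer spelling. The identical line added to external/protobuf/protobuf_code/cmake/CMakeLists.txt has the same issues.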
+++ b/external/protobuf/protobuf_code/cmake/CMakeLists.txt @@ -1,6 +1,8 @@ # Minimum CMake required cmake_minimum_required(VERSION 3.5) +add_compile_options(-fstack-protector-strong -O2 -D_FORTIFY_SOURCE=2) + if(protobuf_VERBOSE) message(STATUS "Protocol Buffers Configuring...") endif() diff --git a/external/protobuf/protobuf_code/cmake/install.cmake b/external/protobuf/protobuf_code/cmake/install.cmake index 4e1c5de..5f9c786 100644 --- a/external/protobuf/protobuf_code/cmake/install.cmake +++ b/external/protobuf/protobuf_code/cmake/install.cmake @@ -32,13 +32,6 @@ if (protobuf_BUILD_PROTOC_BINARIES) install(TARGETS protoc EXPORT protobuf-targets RUNTIME DESTINATION ${CMAKE_INSTALL_BINDIR} COMPONENT protoc BUNDLE DESTINATION ${CMAKE_INSTALL_BINDIR} COMPONENT protoc) - if (UNIX AND NOT APPLE) - set_property(TARGET protoc - PROPERTY INSTALL_RPATH "$ORIGIN/../${CMAKE_INSTALL_LIBDIR}") - elseif (APPLE) - set_property(TARGET protoc - PROPERTY INSTALL_RPATH "@loader_path/../lib") - endif() endif (protobuf_BUILD_PROTOC_BINARIES) install(FILES ${CMAKE_CURRENT_BINARY_DIR}/protobuf.pc ${CMAKE_CURRENT_BINARY_DIR}/protobuf-lite.pc DESTINATION "${CMAKE_INSTALL_LIBDIR}/pkgconfig") diff --git a/psw/ae/aesm_service/source/bundles/le_launch_service_bundle/CMakeLists.txt b/psw/ae/aesm_service/source/bundles/le_launch_service_bundle/CMakeLists.txt index 9f3aba8..87f6582 100644 --- a/psw/ae/aesm_service/source/bundles/le_launch_service_bundle/CMakeLists.txt +++ b/psw/ae/aesm_service/source/bundles/le_launch_service_bundle/CMakeLists.txt @@ -28,4 +28,4 @@ add_custom_command( ) target_link_libraries(${bundle} oal utils urts_internal) -set_property(TARGET ${bundle} APPEND_STRING PROPERTY LINK_FLAGS " -Wl,-z,defs") +set_property(TARGET ${bundle} APPEND_STRING PROPERTY LINK_FLAGS " -Wl,-z,defs -O2 -D_FORTIFY_SOURCE=2") diff --git a/psw/ae/aesm_service/source/core/ipc/CMakeLists.txt b/psw/ae/aesm_service/source/core/ipc/CMakeLists.txt index f233595..72e9246 100644 
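Review bot: In le_launch_service_bundle/CMakeLists.txt, `-O2 -D_FORTIFY_SOURCE=2` is appended to the target's `LINK_FLAGS`, which are only passed to the link step; a preprocessor define is not consumed when linking, so the objects of `${bundle}` are not built with fortification by this change. The same applies to the `ipc` and `utils` hunks in core/ipc/CMakeLists.txt and utils/CMakeLists.txt, and if `ipc` is a static library (its `add_library` call is outside the hunk) `LINK_FLAGS` may not be used for it at all. To harden the compiled code the flags belong on the compile side, for example `target_compile_options(utils PRIVATE -O2)` and `target_compile_definitions(utils PRIVATE _FORTIFY_SOURCE=2)`, leaving `LINK_FLAGS` as `" -Wl,-z,defs"`. A quick check after the fix is to confirm that the built objects reference the `__*_chk` variants of the libc functions they call.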
--- a/psw/ae/aesm_service/source/core/ipc/CMakeLists.txt +++ b/psw/ae/aesm_service/source/core/ipc/CMakeLists.txt @@ -25,4 +25,5 @@ target_link_libraries(ipc PUBLIC ${PROTOBUF_LIBRARIES} ) +set_property(TARGET ipc APPEND_STRING PROPERTY LINK_FLAGS " -O2 -D_FORTIFY_SOURCE=2") diff --git a/psw/ae/aesm_service/source/utils/CMakeLists.txt b/psw/ae/aesm_service/source/utils/CMakeLists.txt index 77aac37..6d17c19 100644 --- a/psw/ae/aesm_service/source/utils/CMakeLists.txt +++ b/psw/ae/aesm_service/source/utils/CMakeLists.txt @@ -25,7 +25,7 @@ target_compile_definitions(utils PRIVATE $<$<CONFIG:Debug>:DBG_LOG> ) -set_property(TARGET utils APPEND_STRING PROPERTY LINK_FLAGS " -Wl,-z,defs") +set_property(TARGET utils APPEND_STRING PROPERTY LINK_FLAGS " -Wl,-z,defs -O2 -D_FORTIFY_SOURCE=2") target_link_libraries(utils ${OPENSSL_LIBRARIES} -- 2.27.0