buildenv.mk - incubator-teaclave-sgx-sdk - Git at Google

 # Licensed to the Apache Software Foundation (ASF) under one
 # or more contributor license agreements.  See the NOTICE file
 # distributed with this work for additional information
 # regarding copyright ownership.  The ASF licenses this file
 # to you under the Apache License, Version 2.0 (the
 # "License"); you may not use this file except in compliance
 # with the License.  You may obtain a copy of the License at
 #
 #   http://www.apache.org/licenses/LICENSE-2.0
 #
 # Unless required by applicable law or agreed to in writing,
 # software distributed under the License is distributed on an
 # "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
 # KIND, either express or implied.  See the License for the
 # specific language governing permissions and limitations
 # under the License..
 #
 #

 # -----------------------------------------------------------------------------
 # Function : parent-dir
 # Arguments: 1: path
 # Returns  : Parent dir or path of $1, with final separator removed.
 # -----------------------------------------------------------------------------
 parent-dir = $(patsubst %/,%,$(dir $(1:%/=%)))

 # -----------------------------------------------------------------------------
 # Macro    : my-dir
 # Returns  : the directory of the current Makefile
 # Usage    : $(my-dir)
 # -----------------------------------------------------------------------------
 my-dir = $(realpath $(call parent-dir,$(lastword $(MAKEFILE_LIST))))


 ROOT_DIR              := $(call my-dir)
 ifneq ($(words $(subst :, ,$(ROOT_DIR))), 1)
   $(error main directory cannot contain spaces nor colons)
 endif

 COMMON_DIR            := $(ROOT_DIR)/common

 CP    := /bin/cp -f
 MKDIR := mkdir -p
 STRIP := strip
 OBJCOPY := objcopy
 CC ?= gcc

 # clean the content of 'INCLUDE' - this variable will be set by vcvars32.bat
 # thus it will cause build error when this variable is used by our Makefile,
 # when compiling the code under Cygwin tainted by MSVC environment settings.
 INCLUDE :=

 # this will return the path to the file that included the buildenv.mk file
 CUR_DIR := $(realpath $(call parent-dir,$(lastword $(wordlist 2,$(words $(MAKEFILE_LIST)),x $(MAKEFILE_LIST)))))

 CC_VERSION := $(shell $(CC) -dumpversion)
 CC_VERSION_MAJOR := $(shell echo $(CC_VERSION) | cut -f1 -d.)
 CC_VERSION_MINOR := $(shell echo $(CC_VERSION) | cut -f2 -d.)
 CC_BELOW_4_9 := $(shell [ $(CC_VERSION_MAJOR) -lt 4 -o \( $(CC_VERSION_MAJOR) -eq 4 -a $(CC_VERSION_MINOR) -le 9 \) ] && echo 1)
 CC_BELOW_5_2 := $(shell [ $(CC_VERSION_MAJOR) -lt 5 -o \( $(CC_VERSION_MAJOR) -eq 5 -a $(CC_VERSION_MINOR) -le 2 \) ] && echo 1)

 # turn on stack protector for SDK
 ifeq ($(CC_BELOW_4_9), 1)
     COMMON_FLAGS += -fstack-protector
 else
     COMMON_FLAGS += -fstack-protector-strong
 endif

 ifdef DEBUG
     COMMON_FLAGS += -O0 -g -DDEBUG -UNDEBUG
 else
     COMMON_FLAGS += -O2 -D_FORTIFY_SOURCE=2 -UDEBUG -DNDEBUG
 endif

 # turn on compiler warnings as much as possible
 COMMON_FLAGS += -Wall -Wextra -Winit-self -Wpointer-arith -Wreturn-type \
 		-Waddress -Wsequence-point -Wformat-security \
 		-Wmissing-include-dirs -Wfloat-equal -Wundef -Wshadow \
 		-Wcast-align -Wconversion -Wredundant-decls

 # additional warnings flags for C
 CFLAGS += -Wjump-misses-init -Wstrict-prototypes -Wunsuffixed-float-constants

 # additional warnings flags for C++
 CXXFLAGS += -Wnon-virtual-dtor

 # for static_assert()
 CXXFLAGS += -std=c++14

 .DEFAULT_GOAL := all
 # this turns off the RCS / SCCS implicit rules of GNU Make
 % : RCS/%,v
 % : RCS/%
 % : %,v
 % : s.%
 % : SCCS/s.%

 # If a rule fails, delete $@.
 .DELETE_ON_ERROR:

 HOST_FILE_PROGRAM := file

 UNAME := $(shell uname -m)
 ifneq (,$(findstring 86,$(UNAME)))
     HOST_ARCH := x86
     ifneq (,$(shell $(HOST_FILE_PROGRAM) -L $(SHELL) | grep 'x86[_-]64'))
         HOST_ARCH := x86_64
     endif
 else
     $(info Unknown host CPU arhitecture $(UNAME))
     $(error Aborting)
 endif


 ifeq "$(findstring __INTEL_COMPILER, $(shell $(CC) -E -dM -xc /dev/null))" "__INTEL_COMPILER"
   ifeq ($(shell test -f /usr/bin/dpkg; echo $$?), 0)
     ADDED_INC := -I /usr/include/$(shell dpkg-architecture -qDEB_BUILD_MULTIARCH)
   endif
 endif

 ARCH := $(HOST_ARCH)
 ifeq "$(findstring -m32, $(CXXFLAGS))" "-m32"
   ARCH := x86
 endif

 ifeq ($(ARCH), x86)
 COMMON_FLAGS += -DITT_ARCH_IA32
 else
 COMMON_FLAGS += -DITT_ARCH_IA64
 endif

 CFLAGS   += $(COMMON_FLAGS)
 CXXFLAGS += $(COMMON_FLAGS)

 # Enable the security flags
 COMMON_LDFLAGS := -Wl,-z,relro,-z,now,-z,noexecstack

 # mitigation options
 MITIGATION_INDIRECT ?= 0
 MITIGATION_RET ?= 0
 MITIGATION_C ?= 0
 MITIGATION_ASM ?= 0
 MITIGATION_AFTERLOAD ?= 0
 MITIGATION_LIB_PATH :=

 ifeq ($(MITIGATION-CVE-2020-0551), LOAD)
     MITIGATION_C := 1
     MITIGATION_ASM := 1
     MITIGATION_INDIRECT := 1
     MITIGATION_RET := 1
     MITIGATION_AFTERLOAD := 1
     MITIGATION_LIB_PATH := cve_2020_0551_load
 else ifeq ($(MITIGATION-CVE-2020-0551), CF)
     MITIGATION_C := 1
     MITIGATION_ASM := 1
     MITIGATION_INDIRECT := 1
     MITIGATION_RET := 1
     MITIGATION_AFTERLOAD := 0
     MITIGATION_LIB_PATH := cve_2020_0551_cf
 endif

 ifeq ($(MITIGATION_C), 1)
 ifeq ($(MITIGATION_INDIRECT), 1)
     MITIGATION_CFLAGS += -mindirect-branch-register
 endif
 ifeq ($(MITIGATION_RET), 1)
 CC_NO_LESS_THAN_8 := $(shell expr $(CC_VERSION) \>\= "8")
 ifeq ($(CC_NO_LESS_THAN_8), 1)
     MITIGATION_CFLAGS += -fcf-protection=none
 endif
     MITIGATION_CFLAGS += -mfunction-return=thunk-extern
 endif
 endif

 ifeq ($(MITIGATION_ASM), 1)
     MITIGATION_ASFLAGS += -fno-plt
 ifeq ($(MITIGATION_AFTERLOAD), 1)
     MITIGATION_ASFLAGS += -Wa,-mlfence-after-load=yes -Wa,-mlfence-before-indirect-branch=memory
 else
     MITIGATION_ASFLAGS += -Wa,-mlfence-before-indirect-branch=all
 endif
 ifeq ($(MITIGATION_RET), 1)
     MITIGATION_ASFLAGS += -Wa,-mlfence-before-ret=shl
 endif
 endif

 MITIGATION_CFLAGS += $(MITIGATION_ASFLAGS)

 # Compiler and linker options for an Enclave
 #
 # We are using '--export-dynamic' so that `g_global_data_sim' etc.
 # will be exported to dynamic symbol table.
 #
 # When `pie' is enabled, the linker (both BFD and Gold) under Ubuntu 14.04
 # will hide all symbols from dynamic symbol table even if they are marked
 # as `global' in the LD version script.
 ENCLAVE_CFLAGS   = -ffreestanding -nostdinc -fvisibility=hidden -fpie -fno-strict-overflow -fno-delete-null-pointer-checks
 ENCLAVE_CXXFLAGS = $(ENCLAVE_CFLAGS) -nostdinc++
 ENCLAVE_LDFLAGS  = $(COMMON_LDFLAGS) -Wl,-Bstatic -Wl,-Bsymbolic -Wl,--no-undefined \
                    -Wl,-pie,-eenclave_entry -Wl,--export-dynamic  \
                    -Wl,--gc-sections \
                    -Wl,--defsym,__ImageBase=0

 ENCLAVE_CFLAGS += $(MITIGATION_CFLAGS)
 ENCLAVE_ASFLAGS = $(MITIGATION_ASFLAGS)
	# Licensed to the Apache Software Foundation (ASF) under one
	# or more contributor license agreements. See the NOTICE file
	# distributed with this work for additional information
	# regarding copyright ownership. The ASF licenses this file
	# to you under the Apache License, Version 2.0 (the
	# "License"); you may not use this file except in compliance
	# with the License. You may obtain a copy of the License at
	#
	# http://www.apache.org/licenses/LICENSE-2.0
	#
	# Unless required by applicable law or agreed to in writing,
	# software distributed under the License is distributed on an
	# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
	# KIND, either express or implied. See the License for the
	# specific language governing permissions and limitations
	# under the License..
	#
	#

	# -----------------------------------------------------------------------------
	# Function : parent-dir
	# Arguments: 1: path
	# Returns : Parent dir or path of $1, with final separator removed.
	# -----------------------------------------------------------------------------
	parent-dir = $(patsubst %/,%,$(dir $(1:%/=%)))

	# -----------------------------------------------------------------------------
	# Macro : my-dir
	# Returns : the directory of the current Makefile
	# Usage : $(my-dir)
	# -----------------------------------------------------------------------------
	my-dir = $(realpath $(call parent-dir,$(lastword $(MAKEFILE_LIST))))


	ROOT_DIR := $(call my-dir)
	ifneq ($(words $(subst :, ,$(ROOT_DIR))), 1)
	$(error main directory cannot contain spaces nor colons)
	endif

	COMMON_DIR := $(ROOT_DIR)/common

	CP := /bin/cp -f
	MKDIR := mkdir -p
	STRIP := strip
	OBJCOPY := objcopy
	CC ?= gcc

	# clean the content of 'INCLUDE' - this variable will be set by vcvars32.bat
	# thus it will cause build error when this variable is used by our Makefile,
	# when compiling the code under Cygwin tainted by MSVC environment settings.
	INCLUDE :=

	# this will return the path to the file that included the buildenv.mk file
	CUR_DIR := $(realpath $(call parent-dir,$(lastword $(wordlist 2,$(words $(MAKEFILE_LIST)),x $(MAKEFILE_LIST)))))

	CC_VERSION := $(shell $(CC) -dumpversion)
	CC_VERSION_MAJOR := $(shell echo $(CC_VERSION) \| cut -f1 -d.)
	CC_VERSION_MINOR := $(shell echo $(CC_VERSION) \| cut -f2 -d.)
	CC_BELOW_4_9 := $(shell [ $(CC_VERSION_MAJOR) -lt 4 -o \( $(CC_VERSION_MAJOR) -eq 4 -a $(CC_VERSION_MINOR) -le 9 \) ] && echo 1)
	CC_BELOW_5_2 := $(shell [ $(CC_VERSION_MAJOR) -lt 5 -o \( $(CC_VERSION_MAJOR) -eq 5 -a $(CC_VERSION_MINOR) -le 2 \) ] && echo 1)

	# turn on stack protector for SDK
	ifeq ($(CC_BELOW_4_9), 1)
	COMMON_FLAGS += -fstack-protector
	else
	COMMON_FLAGS += -fstack-protector-strong
	endif

	ifdef DEBUG
	COMMON_FLAGS += -O0 -g -DDEBUG -UNDEBUG
	else
	COMMON_FLAGS += -O2 -D_FORTIFY_SOURCE=2 -UDEBUG -DNDEBUG
	endif

	# turn on compiler warnings as much as possible
	COMMON_FLAGS += -Wall -Wextra -Winit-self -Wpointer-arith -Wreturn-type \
	-Waddress -Wsequence-point -Wformat-security \
	-Wmissing-include-dirs -Wfloat-equal -Wundef -Wshadow \
	-Wcast-align -Wconversion -Wredundant-decls

	# additional warnings flags for C
	CFLAGS += -Wjump-misses-init -Wstrict-prototypes -Wunsuffixed-float-constants

	# additional warnings flags for C++
	CXXFLAGS += -Wnon-virtual-dtor

	# for static_assert()
	CXXFLAGS += -std=c++14

	.DEFAULT_GOAL := all
	# this turns off the RCS / SCCS implicit rules of GNU Make
	% : RCS/%,v
	% : RCS/%
	% : %,v
	% : s.%
	% : SCCS/s.%

	# If a rule fails, delete $@.
	.DELETE_ON_ERROR:

	HOST_FILE_PROGRAM := file

	UNAME := $(shell uname -m)
	ifneq (,$(findstring 86,$(UNAME)))
	HOST_ARCH := x86
	ifneq (,$(shell $(HOST_FILE_PROGRAM) -L $(SHELL) \| grep 'x86[_-]64'))
	HOST_ARCH := x86_64
	endif
	else
	$(info Unknown host CPU arhitecture $(UNAME))
	$(error Aborting)
	endif


	ifeq "$(findstring __INTEL_COMPILER, $(shell $(CC) -E -dM -xc /dev/null))" "__INTEL_COMPILER"
	ifeq ($(shell test -f /usr/bin/dpkg; echo $$?), 0)
	ADDED_INC := -I /usr/include/$(shell dpkg-architecture -qDEB_BUILD_MULTIARCH)
	endif
	endif

	ARCH := $(HOST_ARCH)
	ifeq "$(findstring -m32, $(CXXFLAGS))" "-m32"
	ARCH := x86
	endif

	ifeq ($(ARCH), x86)
	COMMON_FLAGS += -DITT_ARCH_IA32
	else
	COMMON_FLAGS += -DITT_ARCH_IA64
	endif

	CFLAGS += $(COMMON_FLAGS)
	CXXFLAGS += $(COMMON_FLAGS)

	# Enable the security flags
	COMMON_LDFLAGS := -Wl,-z,relro,-z,now,-z,noexecstack

	# mitigation options
	MITIGATION_INDIRECT ?= 0
	MITIGATION_RET ?= 0
	MITIGATION_C ?= 0
	MITIGATION_ASM ?= 0
	MITIGATION_AFTERLOAD ?= 0
	MITIGATION_LIB_PATH :=

	ifeq ($(MITIGATION-CVE-2020-0551), LOAD)
	MITIGATION_C := 1
	MITIGATION_ASM := 1
	MITIGATION_INDIRECT := 1
	MITIGATION_RET := 1
	MITIGATION_AFTERLOAD := 1
	MITIGATION_LIB_PATH := cve_2020_0551_load
	else ifeq ($(MITIGATION-CVE-2020-0551), CF)
	MITIGATION_C := 1
	MITIGATION_ASM := 1
	MITIGATION_INDIRECT := 1
	MITIGATION_RET := 1
	MITIGATION_AFTERLOAD := 0
	MITIGATION_LIB_PATH := cve_2020_0551_cf
	endif

	ifeq ($(MITIGATION_C), 1)
	ifeq ($(MITIGATION_INDIRECT), 1)
	MITIGATION_CFLAGS += -mindirect-branch-register
	endif
	ifeq ($(MITIGATION_RET), 1)
	CC_NO_LESS_THAN_8 := $(shell expr $(CC_VERSION) \>\= "8")
	ifeq ($(CC_NO_LESS_THAN_8), 1)
	MITIGATION_CFLAGS += -fcf-protection=none
	endif
	MITIGATION_CFLAGS += -mfunction-return=thunk-extern
	endif
	endif

	ifeq ($(MITIGATION_ASM), 1)
	MITIGATION_ASFLAGS += -fno-plt
	ifeq ($(MITIGATION_AFTERLOAD), 1)
	MITIGATION_ASFLAGS += -Wa,-mlfence-after-load=yes -Wa,-mlfence-before-indirect-branch=memory
	else
	MITIGATION_ASFLAGS += -Wa,-mlfence-before-indirect-branch=all
	endif
	ifeq ($(MITIGATION_RET), 1)
	MITIGATION_ASFLAGS += -Wa,-mlfence-before-ret=shl
	endif
	endif

	MITIGATION_CFLAGS += $(MITIGATION_ASFLAGS)

	# Compiler and linker options for an Enclave
	#
	# We are using '--export-dynamic' so that `g_global_data_sim' etc.
	# will be exported to dynamic symbol table.
	#
	# When `pie' is enabled, the linker (both BFD and Gold) under Ubuntu 14.04
	# will hide all symbols from dynamic symbol table even if they are marked
	# as `global' in the LD version script.
	ENCLAVE_CFLAGS = -ffreestanding -nostdinc -fvisibility=hidden -fpie -fno-strict-overflow -fno-delete-null-pointer-checks
	ENCLAVE_CXXFLAGS = $(ENCLAVE_CFLAGS) -nostdinc++
	ENCLAVE_LDFLAGS = $(COMMON_LDFLAGS) -Wl,-Bstatic -Wl,-Bsymbolic -Wl,--no-undefined \
	-Wl,-pie,-eenclave_entry -Wl,--export-dynamic \
	-Wl,--gc-sections \
	-Wl,--defsym,__ImageBase=0

	ENCLAVE_CFLAGS += $(MITIGATION_CFLAGS)
	ENCLAVE_ASFLAGS = $(MITIGATION_ASFLAGS)