| # Licensed to the Apache Software Foundation (ASF) under one |
| # or more contributor license agreements. See the NOTICE file |
| # distributed with this work for additional information |
| # regarding copyright ownership. The ASF licenses this file |
| # to you under the Apache License, Version 2.0 (the |
| # "License"); you may not use this file except in compliance |
| # with the License. You may obtain a copy of the License at |
| # |
| # http://www.apache.org/licenses/LICENSE-2.0 |
| # |
| # Unless required by applicable law or agreed to in writing, |
| # software distributed under the License is distributed on an |
| # "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY |
| # KIND, either express or implied. See the License for the |
| # specific language governing permissions and limitations |
| # under the License.. |
| # |
| # |
| |
| # ----------------------------------------------------------------------------- |
| # Function : parent-dir |
| # Arguments: 1: path |
| # Returns : Parent dir or path of $1, with final separator removed. |
| # ----------------------------------------------------------------------------- |
| parent-dir = $(patsubst %/,%,$(dir $(1:%/=%))) |
| |
| # ----------------------------------------------------------------------------- |
| # Macro : my-dir |
| # Returns : the directory of the current Makefile |
| # Usage : $(my-dir) |
| # ----------------------------------------------------------------------------- |
| my-dir = $(realpath $(call parent-dir,$(lastword $(MAKEFILE_LIST)))) |
| |
| |
| ROOT_DIR := $(call my-dir) |
| ifneq ($(words $(subst :, ,$(ROOT_DIR))), 1) |
| $(error main directory cannot contain spaces nor colons) |
| endif |
| |
| COMMON_DIR := $(ROOT_DIR)/common |
| |
| CP := cp -f |
| MKDIR := mkdir -p |
| STRIP := strip |
| OBJCOPY := objcopy |
| CC ?= gcc |
| |
| # clean the content of 'INCLUDE' - this variable will be set by vcvars32.bat |
| # thus it will cause build error when this variable is used by our Makefile, |
| # when compiling the code under Cygwin tainted by MSVC environment settings. |
| INCLUDE := |
| |
| # this will return the path to the file that included the buildenv.mk file |
| CUR_DIR := $(realpath $(call parent-dir,$(lastword $(wordlist 2,$(words $(MAKEFILE_LIST)),x $(MAKEFILE_LIST))))) |
| |
| CC_VERSION := $(shell $(CC) -dumpversion) |
| CC_VERSION_MAJOR := $(shell echo $(CC_VERSION) | cut -f1 -d.) |
| CC_VERSION_MINOR := $(shell echo $(CC_VERSION) | cut -f2 -d.) |
| CC_BELOW_4_9 := $(shell [ $(CC_VERSION_MAJOR) -lt 4 -o \( $(CC_VERSION_MAJOR) -eq 4 -a $(CC_VERSION_MINOR) -le 9 \) ] && echo 1) |
| CC_BELOW_5_2 := $(shell [ $(CC_VERSION_MAJOR) -lt 5 -o \( $(CC_VERSION_MAJOR) -eq 5 -a $(CC_VERSION_MINOR) -le 2 \) ] && echo 1) |
| CC_NO_LESS_THAN_8 := $(shell expr $(CC_VERSION) \>\= "8") |
| |
| # turn on stack protector for SDK |
| ifeq ($(CC_BELOW_4_9), 1) |
| COMMON_FLAGS += -fstack-protector |
| else |
| COMMON_FLAGS += -fstack-protector-strong |
| endif |
| |
| COMMON_FLAGS += -ffunction-sections -fdata-sections |
| |
| # turn on compiler warnings as much as possible |
| COMMON_FLAGS += -Wall -Wextra -Winit-self -Wpointer-arith -Wreturn-type \ |
| -Waddress -Wsequence-point -Wformat-security \ |
| -Wmissing-include-dirs -Wfloat-equal -Wundef -Wshadow \ |
| -Wcast-align -Wconversion -Wredundant-decls |
| |
| # additional warnings flags for C |
| CFLAGS += -Wjump-misses-init -Wstrict-prototypes -Wunsuffixed-float-constants |
| |
| # additional warnings flags for C++ |
| CXXFLAGS += -Wnon-virtual-dtor |
| |
| # for static_assert() |
| CXXFLAGS += -std=c++14 |
| |
| .DEFAULT_GOAL := all |
| # this turns off the RCS / SCCS implicit rules of GNU Make |
| % : RCS/%,v |
| % : RCS/% |
| % : %,v |
| % : s.% |
| % : SCCS/s.% |
| |
| # If a rule fails, delete $@. |
| .DELETE_ON_ERROR: |
| |
| HOST_FILE_PROGRAM := file |
| |
| UNAME := $(shell uname -m) |
| ifneq (,$(findstring 86,$(UNAME))) |
| HOST_ARCH := x86 |
| ifneq (,$(shell $(HOST_FILE_PROGRAM) -L $(SHELL) | grep 'x86[_-]64')) |
| HOST_ARCH := x86_64 |
| endif |
| else |
| $(info Unknown host CPU arhitecture $(UNAME)) |
| $(error Aborting) |
| endif |
| |
| |
| ifeq "$(findstring __INTEL_COMPILER, $(shell $(CC) -E -dM -xc /dev/null))" "__INTEL_COMPILER" |
| ifeq ($(shell test -f /usr/bin/dpkg; echo $$?), 0) |
| ADDED_INC := -I /usr/include/$(shell dpkg-architecture -qDEB_BUILD_MULTIARCH) |
| endif |
| endif |
| |
| ARCH := $(HOST_ARCH) |
| ifeq "$(findstring -m32, $(CXXFLAGS))" "-m32" |
| ARCH := x86 |
| endif |
| |
| ifeq ($(ARCH), x86) |
| COMMON_FLAGS += -DITT_ARCH_IA32 |
| else |
| COMMON_FLAGS += -DITT_ARCH_IA64 |
| endif |
| |
| CET_FLAGS := |
| ifeq ($(CC_NO_LESS_THAN_8), 1) |
| CET_FLAGS += -fcf-protection |
| endif |
| |
| CFLAGS += $(COMMON_FLAGS) |
| CXXFLAGS += $(COMMON_FLAGS) |
| |
| # Enable the security flags |
| COMMON_LDFLAGS := -Wl,-z,relro,-z,now,-z,noexecstack |
| |
| # mitigation options |
| MITIGATION_INDIRECT ?= 0 |
| MITIGATION_RET ?= 0 |
| MITIGATION_C ?= 0 |
| MITIGATION_ASM ?= 0 |
| MITIGATION_AFTERLOAD ?= 0 |
| |
| ifeq ($(MITIGATION_CVE_2020_0551), LOAD) |
| MITIGATION_C := 1 |
| MITIGATION_ASM := 1 |
| MITIGATION_INDIRECT := 1 |
| MITIGATION_RET := 1 |
| MITIGATION_AFTERLOAD := 1 |
| else ifeq ($(MITIGATION_CVE_2020_0551), CF) |
| MITIGATION_C := 1 |
| MITIGATION_ASM := 1 |
| MITIGATION_INDIRECT := 1 |
| MITIGATION_RET := 1 |
| MITIGATION_AFTERLOAD := 0 |
| endif |
| |
| ifeq ($(MITIGATION_C), 1) |
| ifeq ($(MITIGATION_INDIRECT), 1) |
| MITIGATION_CFLAGS += -mindirect-branch-register |
| endif |
| ifeq ($(MITIGATION_RET), 1) |
| ifeq ($(CC_NO_LESS_THAN_8), 1) |
| MITIGATION_CFLAGS += -fcf-protection=none |
| endif |
| MITIGATION_CFLAGS += -mfunction-return=thunk-extern |
| endif |
| endif |
| |
| ifeq ($(MITIGATION_ASM), 1) |
| MITIGATION_ASFLAGS += -fno-plt |
| ifeq ($(MITIGATION_AFTERLOAD), 1) |
| MITIGATION_ASFLAGS += -Wa,-mlfence-after-load=yes -Wa,-mlfence-before-indirect-branch=memory |
| else |
| MITIGATION_ASFLAGS += -Wa,-mlfence-before-indirect-branch=all |
| endif |
| ifeq ($(MITIGATION_RET), 1) |
| MITIGATION_ASFLAGS += -Wa,-mlfence-before-ret=shl |
| endif |
| endif |
| |
| MITIGATION_CFLAGS += $(MITIGATION_ASFLAGS) |
| |
| #fcf-protection is not compatible with MITIGATION |
| ifneq ($(MITIGATION_RET), 1) |
| CFLAGS += $(CET_FLAGS) |
| CXXFLAGS += $(CET_FLAGS) |
| endif |
| |
| ifeq ($(MITIGATION_CVE_2020_0551), LOAD) |
| MITIGATION_RUSTFLAGS = "-C target-feature=+rdrnd,+rdseed,+lvi-cfi,+lvi-load-hardening" |
| else ifeq ($(MITIGATION_CVE_2020_0551), CF) |
| MITIGATION_RUSTFLAGS = "-C target-feature=+rdrnd,+rdseed,+lvi-cfi" |
| endif |
| |
| # Compiler and linker options for an Enclave |
| # |
| # We are using '--export-dynamic' so that `g_global_data_sim' etc. |
| # will be exported to dynamic symbol table. |
| # |
| # When `pie' is enabled, the linker (both BFD and Gold) under Ubuntu 14.04 |
| # will hide all symbols from dynamic symbol table even if they are marked |
| # as `global' in the LD version script. |
| ENCLAVE_CFLAGS = -ffreestanding -nostdinc -fvisibility=hidden -fpie -fno-strict-overflow -fno-delete-null-pointer-checks |
| ENCLAVE_CXXFLAGS = $(ENCLAVE_CFLAGS) -nostdinc++ |
| ENCLAVE_LDFLAGS = $(COMMON_LDFLAGS) -Wl,-Bstatic -Wl,-Bsymbolic -Wl,--no-undefined \ |
| -Wl,-pie -Wl,--export-dynamic \ |
| -Wl,--gc-sections |
| |
| # ENCLAVE_LDFLAGS = $(COMMON_LDFLAGS) -Wl,-Bstatic -Wl,-Bsymbolic -Wl,--no-undefined \ |
| # -Wl,-pie,-eenclave_entry -Wl,--export-dynamic \ |
| # -Wl,--gc-sections \ |
| # -Wl,--defsym,ImageBase=0 |
| |
| ENCLAVE_CFLAGS += $(MITIGATION_CFLAGS) |
| ENCLAVE_ASFLAGS = $(MITIGATION_ASFLAGS) |
| ENCLAVE_RUSTFLAGS = $(MITIGATION_RUSTFLAGS) |
| |
| |
| # We have below choices as to math and string libs: |
| # 1. math - optimized (1), open sourced (0) |
| # 2. string - optimized (1), open sourced (0) |
| # |
| # A macro 'USE_OPT_LIBS' is provided to allow users to build |
| # RUST SGX SDK with different library combination by setting different |
| # value to 'USE_OPT_LIBS'. |
| # By default, choose to build SDK using optimized IPP crypto + |
| # open sourced string + open sourced math. |
| # |
| # IPP + open sourced string + open sourced math |
| USE_OPT_LIBS ?= 1 |
| OPT_LIBS_PATH ?= $(ROOT_DIR) |