1From 103c00c8d74a1cd87686850212bd93c0e4d59fc9 Mon Sep 17 00:00:00 2001
2From: Fabrice Fontaine <fontaine.fabrice@gmail.com>
3Date: Wed, 11 Aug 2021 21:34:59 +0200
4Subject: [PATCH] Add MEDIA_BUILD_HARDENING option
5
6Add MEDIA_BUILD_HARDENING option to allow the user to disable hardening
7options such as stack-protector-all or FORTIFY SOURCE 2 which are not
8always available (e.g. fortify source 2 is only available on glibc >= 6
9and not musl/uclibc-ng)
10
11Patch sent upstream: https://github.com/intel/media-driver/pull/1242
12
13Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
14Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
15---
16 cmrtlib/linux/CMakeLists.txt                       | 14 ++++++++++----
17 .../cmake/linux/media_compile_flags_linux.cmake    | 12 ++++++++++--
18 media_driver/media_top_cmake.cmake                 |  8 +++++++-
19 3 files changed, 27 insertions(+), 7 deletions(-)
20
21diff --git a/cmrtlib/linux/CMakeLists.txt b/cmrtlib/linux/CMakeLists.txt
22index 65f71ceef..b066138d9 100644
23--- a/cmrtlib/linux/CMakeLists.txt
24+++ b/cmrtlib/linux/CMakeLists.txt
25@@ -32,12 +32,18 @@ else()
26 endif()
27
28 # Set up compile options that will be used for the Linux build
29-set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} ${CPP_STANDARD_OPTION} -fPIC -fpermissive -fstack-protector-all")
30-set(CMAKE_CXX_FLAGS_RELEASE "${CMAKE_CXX_FLAGS_RELEASE} -fno-strict-aliasing -D_FORTIFY_SOURCE=2")
31+set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} ${CPP_STANDARD_OPTION} -fPIC -fpermissive")
32+set(CMAKE_CXX_FLAGS_RELEASE "${CMAKE_CXX_FLAGS_RELEASE} -fno-strict-aliasing")
33 set(CMAKE_CXX_FLAGS_DEBUG   "${CMAKE_CXX_FLAGS_DEBUG} -D_DEBUG -D__DEBUG -O0")
34-set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} ${CPP_STANDARD_OPTION} -fPIC -fpermissive -fstack-protector-all")
35-set(CMAKE_C_FLAGS_RELEASE "${CMAKE_C_FLAGS_RELEASE} -fno-strict-aliasing -D_FORTIFY_SOURCE=2")
36+set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} ${CPP_STANDARD_OPTION} -fPIC -fpermissive")
37+set(CMAKE_C_FLAGS_RELEASE "${CMAKE_C_FLAGS_RELEASE} -fno-strict-aliasing")
38 set(CMAKE_C_FLAGS_DEBUG   "${CMAKE_C_FLAGS_DEBUG} -D_DEBUG -D__DEBUG -O0")
39+if(MEDIA_BUILD_HARDENING)
40+    set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} ${CMAKE_CXX_FLAGS} -fstack-protector-all")
41+    set(CMAKE_CXX_FLAGS_RELEASE "${CMAKE_CXX_FLAGS_RELEASE} -D_FORTIFY_SOURCE=2")
42+    set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} ${CMAKE_C_FLAGS} -fstack-protector-all")
43+    set(CMAKE_C_FLAGS_RELEASE "${CMAKE_C_FLAGS_RELEASE} -D_FORTIFY_SOURCE=2")
44+endif()
45 if(MEDIA_BUILD_FATAL_WARNINGS)
46     set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} ${CMAKE_CXX_FLAGS} -Werror")
47     set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} ${CMAKE_C_FLAGS} -Werror")
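Review bot: `if(MEDIA_BUILD_HARDENING)` here tests a variable whose `option(... ON)` this patch declares only in media_driver/media_top_cmake.cmake, so if this file is processed before that call on a fresh configure (or cmrtlib is configured on its own) the variable is undefined and `-fstack-protector-all` and `-D_FORTIFY_SOURCE=2` are dropped without any message, despite the default being ON. The two `if(MEDIA_BUILD_HARDENING)` blocks added in media_compile_flags_linux.cmake depend on the same ordering, which is not visible from the patch. Declaring the option before its first use, for example `option(MEDIA_BUILD_HARDENING "Enable hardening (stack-protector, fortify source)" ON)` just above this `if`, makes the default hold everywhere. Separately, `"${CMAKE_CXX_FLAGS} ${CMAKE_CXX_FLAGS} -fstack-protector-all"` expands the existing flags twice; `set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} -fstack-protector-all")` is enough, and the same applies to the C line.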
48diff --git a/media_driver/cmake/linux/media_compile_flags_linux.cmake b/media_driver/cmake/linux/media_compile_flags_linux.cmake
49index 7a2bd64b6..98896b131 100755
50--- a/media_driver/cmake/linux/media_compile_flags_linux.cmake
51+++ b/media_driver/cmake/linux/media_compile_flags_linux.cmake
52@@ -47,7 +47,6 @@ set(MEDIA_COMPILER_FLAGS_COMMON
53     # Other common flags
54     -fmessage-length=0
55     -fvisibility=hidden
56-    -fstack-protector
57     -fdata-sections
58     -ffunction-sections
59     -Wl,--gc-sections
60@@ -64,6 +63,11 @@ set(MEDIA_COMPILER_FLAGS_COMMON
61     -g
62 )
63
64+if(MEDIA_BUILD_HARDENING)
65+    set(MEDIA_COMPILER_FLAGS_COMMON
66+        ${MEDIA_COMPILER_FLAGS_COMMON}
67+        -fstack-protector)
68+endif()
69
70 if(${UFO_MARCH} STREQUAL "slm")
71     set(MEDIA_COMPILER_FLAGS_COMMON
72@@ -119,9 +123,13 @@ if(${UFO_VARIANT} STREQUAL "default")
73     set(MEDIA_COMPILER_FLAGS_RELEASE
74         ${MEDIA_COMPILER_FLAGS_RELEASE}
75         -O2
76-        -D_FORTIFY_SOURCE=2
77         -fno-omit-frame-pointer
78     )
79+    if(MEDIA_BUILD_HARDENING)
80+        set(MEDIA_COMPILER_FLAGS_RELEASE
81+            ${MEDIA_COMPILER_FLAGS_RELEASE}
82+            -D_FORTIFY_SOURCE=2)
83+    endif()
84 endif()
85
86 if(NOT ${PLATFORM} STREQUAL "android")
87diff --git a/media_driver/media_top_cmake.cmake b/media_driver/media_top_cmake.cmake
88index f089ea45f..b0b428914 100755
89--- a/media_driver/media_top_cmake.cmake
90+++ b/media_driver/media_top_cmake.cmake
91@@ -111,7 +111,13 @@ if(MEDIA_BUILD_FATAL_WARNINGS)
92     set_target_properties(${LIB_NAME_OBJ} PROPERTIES COMPILE_FLAGS "-Werror")
93 endif()
94
95-set_target_properties(${LIB_NAME} PROPERTIES LINK_FLAGS "-Wl,--no-as-needed -Wl,--gc-sections -z relro -z now -fstack-protector -fPIC")
96+set(MEDIA_LINK_FLAGS "-Wl,--no-as-needed -Wl,--gc-sections -z relro -z now -fPIC")
97+option(MEDIA_BUILD_HARDENING "Enable hardening (stack-protector, fortify source)" ON)
98+if(MEDIA_BUILD_HARDENING)
99+    set(MEDIA_LINK_FLAGS "${MEDIA_LINK_FLAGS} -fstack-protector")
100+endif()
101+set_target_properties(${LIB_NAME} PROPERTIES LINK_FLAGS ${MEDIA_LINK_FLAGS})
102+
103 set_target_properties(${LIB_NAME}        PROPERTIES PREFIX "")
104 set_target_properties(${LIB_NAME_STATIC} PROPERTIES PREFIX "")
105
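Review bot: Configuring with `MEDIA_BUILD_HARDENING=OFF` removes the stack protector and `_FORTIFY_SOURCE` without leaving any trace in the configure output, so a binary built that way cannot be told apart from a hardened one by reading the build log. An `else()` branch with `message(STATUS "MEDIA_BUILD_HARDENING is OFF: building without stack protector and _FORTIFY_SOURCE")` would record it; `-z relro -z now` stay unconditional in `MEDIA_LINK_FLAGS`, which is worth keeping that way. The last added line should also quote the value, `set_target_properties(${LIB_NAME} PROPERTIES LINK_FLAGS "${MEDIA_LINK_FLAGS}")`, so the flag string is always passed as a single argument.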
106