xref: /OK3568_Linux_fs/buildroot/package/intel-mediadriver/0001-Add-MEDIA-BUILD-HARDENING-option.patch (revision 4882a59341e53eb6f0b4789bf948001014eff981)

From 103c00c8d74a1cd87686850212bd93c0e4d59fc9 Mon Sep 17 00:00:00 2001
From: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Date: Wed, 11 Aug 2021 21:34:59 +0200
Subject: [PATCH] Add MEDIA_BUILD_HARDENING option

Add MEDIA_BUILD_HARDENING option to allow the user to disable hardening
options such as stack-protector-all or FORTIFY SOURCE 2 which are not
always available (e.g. fortify source 2 is only available on glibc >= 6
and not musl/uclibc-ng)

Patch sent upstream: https://github.com/intel/media-driver/pull/1242

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
---
 cmrtlib/linux/CMakeLists.txt                       | 14 ++++++++++----
 .../cmake/linux/media_compile_flags_linux.cmake    | 12 ++++++++++--
 media_driver/media_top_cmake.cmake                 |  8 +++++++-
 3 files changed, 27 insertions(+), 7 deletions(-)

diff --git a/cmrtlib/linux/CMakeLists.txt b/cmrtlib/linux/CMakeLists.txt
index 65f71ceef..b066138d9 100644
--- a/cmrtlib/linux/CMakeLists.txt
+++ b/cmrtlib/linux/CMakeLists.txt
@@ -32,12 +32,18 @@ else()
 endif()

 # Set up compile options that will be used for the Linux build
-set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} ${CPP_STANDARD_OPTION} -fPIC -fpermissive -fstack-protector-all")
-set(CMAKE_CXX_FLAGS_RELEASE "${CMAKE_CXX_FLAGS_RELEASE} -fno-strict-aliasing -D_FORTIFY_SOURCE=2")
+set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} ${CPP_STANDARD_OPTION} -fPIC -fpermissive")
+set(CMAKE_CXX_FLAGS_RELEASE "${CMAKE_CXX_FLAGS_RELEASE} -fno-strict-aliasing")
 set(CMAKE_CXX_FLAGS_DEBUG   "${CMAKE_CXX_FLAGS_DEBUG} -D_DEBUG -D__DEBUG -O0")
-set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} ${CPP_STANDARD_OPTION} -fPIC -fpermissive -fstack-protector-all")
-set(CMAKE_C_FLAGS_RELEASE "${CMAKE_C_FLAGS_RELEASE} -fno-strict-aliasing -D_FORTIFY_SOURCE=2")
+set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} ${CPP_STANDARD_OPTION} -fPIC -fpermissive")
+set(CMAKE_C_FLAGS_RELEASE "${CMAKE_C_FLAGS_RELEASE} -fno-strict-aliasing")
 set(CMAKE_C_FLAGS_DEBUG   "${CMAKE_C_FLAGS_DEBUG} -D_DEBUG -D__DEBUG -O0")
+if(MEDIA_BUILD_HARDENING)
+    set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} ${CMAKE_CXX_FLAGS} -fstack-protector-all")
+    set(CMAKE_CXX_FLAGS_RELEASE "${CMAKE_CXX_FLAGS_RELEASE} -D_FORTIFY_SOURCE=2")
+    set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} ${CMAKE_C_FLAGS} -fstack-protector-all")
+    set(CMAKE_C_FLAGS_RELEASE "${CMAKE_C_FLAGS_RELEASE} -D_FORTIFY_SOURCE=2")
+endif()
 if(MEDIA_BUILD_FATAL_WARNINGS)
     set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} ${CMAKE_CXX_FLAGS} -Werror")
     set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} ${CMAKE_C_FLAGS} -Werror")
diff --git a/media_driver/cmake/linux/media_compile_flags_linux.cmake b/media_driver/cmake/linux/media_compile_flags_linux.cmake
index 7a2bd64b6..98896b131 100755
--- a/media_driver/cmake/linux/media_compile_flags_linux.cmake
+++ b/media_driver/cmake/linux/media_compile_flags_linux.cmake
@@ -47,7 +47,6 @@ set(MEDIA_COMPILER_FLAGS_COMMON
     # Other common flags
     -fmessage-length=0
     -fvisibility=hidden
-    -fstack-protector
     -fdata-sections
     -ffunction-sections
     -Wl,--gc-sections
@@ -64,6 +63,11 @@ set(MEDIA_COMPILER_FLAGS_COMMON
     -g
 )

+if(MEDIA_BUILD_HARDENING)
+    set(MEDIA_COMPILER_FLAGS_COMMON
+        ${MEDIA_COMPILER_FLAGS_COMMON}
+        -fstack-protector)
+endif()

 if(${UFO_MARCH} STREQUAL "slm")
     set(MEDIA_COMPILER_FLAGS_COMMON
@@ -119,9 +123,13 @@ if(${UFO_VARIANT} STREQUAL "default")
     set(MEDIA_COMPILER_FLAGS_RELEASE
         ${MEDIA_COMPILER_FLAGS_RELEASE}
         -O2
-        -D_FORTIFY_SOURCE=2
         -fno-omit-frame-pointer
     )
+    if(MEDIA_BUILD_HARDENING)
+        set(MEDIA_COMPILER_FLAGS_RELEASE
+            ${MEDIA_COMPILER_FLAGS_RELEASE}
+            -D_FORTIFY_SOURCE=2)
+    endif()
 endif()

 if(NOT ${PLATFORM} STREQUAL "android")
diff --git a/media_driver/media_top_cmake.cmake b/media_driver/media_top_cmake.cmake
index f089ea45f..b0b428914 100755
--- a/media_driver/media_top_cmake.cmake
+++ b/media_driver/media_top_cmake.cmake
@@ -111,7 +111,13 @@ if(MEDIA_BUILD_FATAL_WARNINGS)
     set_target_properties(${LIB_NAME_OBJ} PROPERTIES COMPILE_FLAGS "-Werror")
 endif()

-set_target_properties(${LIB_NAME} PROPERTIES LINK_FLAGS "-Wl,--no-as-needed -Wl,--gc-sections -z relro -z now -fstack-protector -fPIC")
+set(MEDIA_LINK_FLAGS "-Wl,--no-as-needed -Wl,--gc-sections -z relro -z now -fPIC")
+option(MEDIA_BUILD_HARDENING "Enable hardening (stack-protector, fortify source)" ON)
+if(MEDIA_BUILD_HARDENING)
+    set(MEDIA_LINK_FLAGS "${MEDIA_LINK_FLAGS} -fstack-protector")
+endif()
+set_target_properties(${LIB_NAME} PROPERTIES LINK_FLAGS ${MEDIA_LINK_FLAGS})
+
 set_target_properties(${LIB_NAME}        PROPERTIES PREFIX "")
 set_target_properties(${LIB_NAME_STATIC} PROPERTIES PREFIX "")