cmake/OpenCVCompilerDefenses.cmake

   1 # Enable build defense flags.
   2 # Performance may be affected.
   3 # More information:
   4 # - https://www.owasp.org/index.php/C-Based_Toolchain_Hardening
   5 # - https://wiki.debian.org/Hardening
   6 # - https://wiki.gentoo.org/wiki/Hardened/Toolchain
   7 # - https://docs.microsoft.com/en-us/cpp/build/reference/sdl-enable-additional-security-checks
   8
   9
  10 set(OPENCV_LINKER_DEFENSES_FLAGS_COMMON "")
  11
  12 macro(ocv_add_defense_compiler_flag option)
  13   ocv_check_flag_support(CXX "${option}" _varname "${ARGN}")
  14   if(${_varname})
  15     set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} ${option}")
  16   endif()
  17
  18   ocv_check_flag_support(C "${option}" _varname "${ARGN}")
  19   if(${_varname})
  20     set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} ${option}")
  21   endif()
  22 endmacro()
  23
  24 macro(ocv_add_defense_compiler_flag_release option)
  25   ocv_check_flag_support(CXX "${option}" _varname "${ARGN}")
  26   if(${_varname})
  27     set(CMAKE_CXX_FLAGS_RELEASE "${CMAKE_CXX_FLAGS_RELEASE} ${option}")
  28   endif()
  29
  30   ocv_check_flag_support(C "${option}" _varname "${ARGN}")
  31   if(${_varname})
  32     set(CMAKE_C_FLAGS_RELEASE "${CMAKE_C_FLAGS_RELEASE} ${option}")
  33   endif()
  34 endmacro()
  35
  36 # Define flags
  37
  38 if(MSVC)
  39   ocv_add_defense_compiler_flag("/GS")
  40   ocv_add_defense_compiler_flag("/DynamicBase")
  41   ocv_add_defense_compiler_flag("/SafeSEH")
  42   ocv_add_defense_compiler_flag("/sdl")
  43 elseif(CMAKE_COMPILER_IS_GNUCXX)
  44   if(CMAKE_CXX_COMPILER_VERSION VERSION_LESS "4.9")
  45     ocv_add_defense_compiler_flag("-fstack-protector")
  46   else()
  47     ocv_add_defense_compiler_flag("-fstack-protector-strong")
  48   endif()
  49
  50   # These flags is added by general options: -Wformat -Wformat-security
  51   if(NOT CMAKE_CXX_FLAGS MATCHES "-Wformat" OR NOT CMAKE_CXX_FLAGS MATCHES "format-security")
  52     message(FATAL_ERROR "Defense flags: uncompatible options")
  53   endif()
  54
  55   if(ANDROID)
  56     ocv_add_defense_compiler_flag_release("-D_FORTIFY_SOURCE=2")
  57     if(NOT CMAKE_CXX_FLAGS_RELEASE MATCHES "-D_FORTIFY_SOURCE=2") # TODO Check this
  58       ocv_add_defense_compiler_flag_release("-D_FORTIFY_SOURCE=1")
  59     endif()
  60   else()
  61     ocv_add_defense_compiler_flag_release("-D_FORTIFY_SOURCE=2")
  62   endif()
  63
  64   set(OPENCV_LINKER_DEFENSES_FLAGS_COMMON "${OPENCV_LINKER_DEFENSES_FLAGS_COMMON} -z noexecstack -z relro -z now" )
  65 else()
  66   # not supported
  67 endif()
  68
  69 set(CMAKE_POSITION_INDEPENDENT_CODE TRUE)
  70 if(NOT CMAKE_CXX_FLAGS MATCHES "-fPIC")
  71   ocv_add_defense_compiler_flag("-fPIC")
  72 endif()
  73 if(CMAKE_COMPILER_IS_GNUCXX)
  74   set(CMAKE_EXE_LINKER_FLAGS "${CMAKE_EXE_LINKER_FLAGS} -fPIE -pie")
  75 endif()
  76
  77 set( CMAKE_SHARED_LINKER_FLAGS "${CMAKE_SHARED_LINKER_FLAGS} ${OPENCV_LINKER_DEFENSES_FLAGS_COMMON}" )
  78 set( CMAKE_MODULE_LINKER_FLAGS "${CMAKE_MODULE_LINKER_FLAGS} ${OPENCV_LINKER_DEFENSES_FLAGS_COMMON}" )
  79 set( CMAKE_EXE_LINKER_FLAGS "${CMAKE_EXE_LINKER_FLAGS} ${OPENCV_LINKER_DEFENSES_FLAGS_COMMON}" )
  80
  81 if(CMAKE_COMPILER_IS_GNUCXX)
  82   foreach(flags
  83           CMAKE_CXX_FLAGS CMAKE_CXX_FLAGS_RELEASE CMAKE_CXX_FLAGS_DEBUG
  84           CMAKE_C_FLAGS CMAKE_C_FLAGS_RELEASE CMAKE_C_FLAGS_DEBUG)
  85     string(REPLACE "-O3" "-O2" ${flags} "${${flags}}")
  86   endforeach()
  87 endif()