From 2c41b8e4f390950e0d95d4fb9dcd831f17af5de0 Mon Sep 17 00:00:00 2001 From: Andrey Somsikov Date: Wed, 5 Aug 2020 22:37:16 +0300 Subject: [PATCH] Add support for /INTEGRITYCHECK flag on Windows (#1390) * Build dlls with INTEGRITYCHECK flag if ENABLE_INTEGRITYCHECK=ON INTEGRITYCHECK flag enforces digital signature before loading the binary in Windows. Also, refine /guard:cf flag enabling - MSCV, Intel, clang compilers does support /guard:cf. --- cmake/features.cmake | 2 ++ cmake/sdl.cmake | 21 +++++++++++++-------- 2 files changed, 15 insertions(+), 8 deletions(-) diff --git a/cmake/features.cmake b/cmake/features.cmake index 026d2518a..5eda5db81 100644 --- a/cmake/features.cmake +++ b/cmake/features.cmake @@ -28,6 +28,8 @@ ie_option (OS_FOLDER "create OS dedicated folder in output" OFF) # FIXME: ARM cross-compiler generates several "false positive" warnings regarding __builtin_memcpy buffer overflow ie_dependent_option (TREAT_WARNING_AS_ERROR "Treat build warnings as errors" ON "X86 OR X86_64" OFF) +ie_option (ENABLE_INTEGRITYCHECK "build DLLs with /INTEGRITYCHECK flag" OFF) + ie_option (ENABLE_SANITIZER "enable checking memory errors via AddressSanitizer" OFF) ie_option (ENABLE_THREAD_SANITIZER "enable checking data races via ThreadSanitizer" OFF) diff --git a/cmake/sdl.cmake b/cmake/sdl.cmake index ff88ccc28..7027a6971 100644 --- a/cmake/sdl.cmake +++ b/cmake/sdl.cmake @@ -14,9 +14,7 @@ if (CMAKE_BUILD_TYPE STREQUAL "Release") endif() if(CMAKE_CXX_COMPILER_ID STREQUAL "GNU") - set(CMAKE_SHARED_LINKER_FLAGS_RELEASE "${CMAKE_SHARED_LINKER_FLAGS_RELEASE} -z noexecstack -z relro -z now") - set(CMAKE_MODULE_LINKER_FLAGS_RELEASE "${CMAKE_MODULE_LINKER_FLAGS_RELEASE} -z noexecstack -z relro -z now") - set(CMAKE_EXE_LINKER_FLAGS_RELEASE "${CMAKE_EXE_LINKER_FLAGS_RELEASE} -z noexecstack -z relro -z now") + set(IE_LINKER_FLAGS "${IE_LINKER_FLAGS} -z noexecstack -z relro -z now") if(CMAKE_CXX_COMPILER_VERSION VERSION_LESS 4.9) set(IE_C_CXX_FLAGS "${IE_C_CXX_FLAGS} -fstack-protector-all") else() @@ -32,14 +30,21 @@ if (CMAKE_BUILD_TYPE STREQUAL "Release") set(IE_C_CXX_FLAGS "${IE_C_CXX_FLAGS} -Wl,--strip-all") endif() set(IE_C_CXX_FLAGS "${IE_C_CXX_FLAGS} -fstack-protector-strong") - set(CMAKE_SHARED_LINKER_FLAGS_RELEASE "${CMAKE_SHARED_LINKER_FLAGS_RELEASE} -z noexecstack -z relro -z now") - set(CMAKE_MODULE_LINKER_FLAGS_RELEASE "${CMAKE_MODULE_LINKER_FLAGS_RELEASE} -z noexecstack -z relro -z now") - set(CMAKE_EXE_LINKER_FLAGS_RELEASE "${CMAKE_EXE_LINKER_FLAGS_RELEASE} -z noexecstack -z relro -z now") + set(IE_LINKER_FLAGS "${IE_LINKER_FLAGS} -z noexecstack -z relro -z now") + endif() + else() + if(CMAKE_CXX_COMPILER_ID STREQUAL "MSVC") + set(IE_C_CXX_FLAGS "${IE_C_CXX_FLAGS} /sdl") + endif() + set(IE_C_CXX_FLAGS "${IE_C_CXX_FLAGS} /guard:cf") + if(ENABLE_INTEGRITYCHECK) + set(CMAKE_SHARED_LINKER_FLAGS_RELEASE "${CMAKE_SHARED_LINKER_FLAGS_RELEASE} /INTEGRITYCHECK") endif() - elseif(CMAKE_CXX_COMPILER_ID STREQUAL "MSVC") - set(IE_C_CXX_FLAGS "${IE_C_CXX_FLAGS} /sdl /guard:cf") endif() set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} ${IE_C_CXX_FLAGS}") set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} ${IE_C_CXX_FLAGS}") + set(CMAKE_SHARED_LINKER_FLAGS_RELEASE "${CMAKE_SHARED_LINKER_FLAGS_RELEASE} ${IE_LINKER_FLAGS}") + set(CMAKE_MODULE_LINKER_FLAGS_RELEASE "${CMAKE_MODULE_LINKER_FLAGS_RELEASE} ${IE_LINKER_FLAGS}") + set(CMAKE_EXE_LINKER_FLAGS_RELEASE "${CMAKE_EXE_LINKER_FLAGS_RELEASE} ${IE_LINKER_FLAGS}") endif() -- 2.34.1