Enable CFI by default but restrict CFI_INCLUDE_PATHS

This CL enables CFI on security sensitive components for product
configs that inherit core_64_bit.mk (and core_64_bit_only.mk). Note
that this only requests the build system to do so. Internal build
logic will dictate if this is actually enabled on the build or
not (CFI is currently disabled for ARM32 and MIPS for example).

In addition, this also restricts CFI_INCLUDE_PATHS and
PRODUCT_CFI_INCLUDE_PATHS to Arm64 architectures only. This helps
narrow which targets enable CFI out of the box.

Bug: 66301104
Test: CFI is enabled on aosp_* targets
Change-Id: I52af499dc34cd4b42fbfb1175f6a37aaf17b65dd
diff --git a/core/config_sanitizers.mk b/core/config_sanitizers.mk
index e0f8aca..d570ccd 100644
--- a/core/config_sanitizers.mk
+++ b/core/config_sanitizers.mk
@@ -96,15 +96,17 @@
   my_sanitize_diag :=
 endif
 
-# Enable CFI in included paths.
+# Enable CFI in included paths (for Arm64 only).
 ifeq ($(filter cfi, $(my_sanitize)),)
-  combined_include_paths := $(CFI_INCLUDE_PATHS) \
-                            $(PRODUCT_CFI_INCLUDE_PATHS)
+  ifneq ($(filter arm64,$(TARGET_$(LOCAL_2ND_ARCH_VAR_PREFIX)ARCH)),)
+    combined_include_paths := $(CFI_INCLUDE_PATHS) \
+                              $(PRODUCT_CFI_INCLUDE_PATHS)
 
-  ifneq ($(strip $(foreach dir,$(subst $(comma),$(space),$(combined_include_paths)),\
-         $(filter $(dir)%,$(LOCAL_PATH)))),)
-    my_sanitize := cfi $(my_sanitize)
-    my_sanitize_diag := cfi $(my_sanitize_diag)
+    ifneq ($(strip $(foreach dir,$(subst $(comma),$(space),$(combined_include_paths)),\
+           $(filter $(dir)%,$(LOCAL_PATH)))),)
+      my_sanitize := cfi $(my_sanitize)
+      my_sanitize_diag := cfi $(my_sanitize_diag)
+    endif
   endif
 endif
 
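Review bot: The new arm64 guard turns `CFI_INCLUDE_PATHS` and `PRODUCT_CFI_INCLUDE_PATHS` into a silent no-op on every other architecture, and the one-line comment does not say so. A product that lists paths for a non-arm64 target will build those modules without CFI from this block and get no diagnostic, so the comment should state the consequence, e.g. `# Enable CFI in included paths. Only arm64 is covered: on any other arch both lists are ignored by this block.` Separately, the reindented `$(filter $(dir)%,$(LOCAL_PATH))` is a plain prefix match, so an entry without a trailing slash also matches sibling directories sharing that prefix. That behaviour predates this change, but it is worth documenting in the same comment so path lists are written with the trailing slash.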
diff --git a/target/product/core_64_bit.mk b/target/product/core_64_bit.mk
index 76e2a36..e6fd97c 100644
--- a/target/product/core_64_bit.mk
+++ b/target/product/core_64_bit.mk
@@ -31,3 +31,7 @@
 
 TARGET_SUPPORTS_32_BIT_APPS := true
 TARGET_SUPPORTS_64_BIT_APPS := true
+
+# Enable CFI for security-sensitive components
+$(call inherit-product, $(SRC_TARGET_DIR)/product/cfi-common.mk)
+$(call inherit-product-if-exists, vendor/google/products/cfi-vendor.mk)
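Review bot: `inherit-product-if-exists` skips `vendor/google/products/cfi-vendor.mk` without any message when the file is absent, so the vendor CFI path list can drop out of a build (a moved or renamed file, or a tree without that directory) and nothing flags the lost coverage. A comment on that line should say the include is optional, e.g. `# Optional vendor list; when absent only cfi-common.mk applies.` The comment above it also overstates the effect: per the commit description this only requests CFI, and config_sanitizers.mk now honours the path lists on arm64 only, so `# Request CFI for security-sensitive components (applied only where the build enables it, currently arm64)` would be more accurate. The same lines are added to core_64_bit_only.mk and both points apply there as well. Neither cfi-common.mk nor cfi-vendor.mk is part of this diff, so their contents could not be checked here.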
diff --git a/target/product/core_64_bit_only.mk b/target/product/core_64_bit_only.mk
index 72d30f5..0690713 100644
--- a/target/product/core_64_bit_only.mk
+++ b/target/product/core_64_bit_only.mk
@@ -28,3 +28,7 @@
 
 TARGET_SUPPORTS_32_BIT_APPS := false
 TARGET_SUPPORTS_64_BIT_APPS := true
+
+# Enable CFI for security-sensitive components
+$(call inherit-product, $(SRC_TARGET_DIR)/product/cfi-common.mk)
+$(call inherit-product-if-exists, vendor/google/products/cfi-vendor.mk)