xref: /build/config/security/security_config.gni (revision 5f9996aa) 
15f9996aaSopenharmony_ci# Copyright (c) 2022 Huawei Device Co., Ltd.
25f9996aaSopenharmony_ci# Licensed under the Apache License, Version 2.0 (the "License");
35f9996aaSopenharmony_ci# you may not use this file except in compliance with the License.
45f9996aaSopenharmony_ci# You may obtain a copy of the License at
55f9996aaSopenharmony_ci#
65f9996aaSopenharmony_ci#     http://www.apache.org/licenses/LICENSE-2.0
75f9996aaSopenharmony_ci#
85f9996aaSopenharmony_ci# Unless required by applicable law or agreed to in writing, software
95f9996aaSopenharmony_ci# distributed under the License is distributed on an "AS IS" BASIS,
105f9996aaSopenharmony_ci# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
115f9996aaSopenharmony_ci# See the License for the specific language governing permissions and
125f9996aaSopenharmony_ci# limitations under the License.
135f9996aaSopenharmony_ciimport("//build/config/clang/clang.gni")
145f9996aaSopenharmony_ci
155f9996aaSopenharmony_cideclare_args() {
165f9996aaSopenharmony_ci  # Enable the config that variables are automatically initialized by default.
175f9996aaSopenharmony_ci  enable_auto_var_init = false
185f9996aaSopenharmony_ci  support_stack_protector_ret = false
195f9996aaSopenharmony_ci  support_branch_protector_pac_ret = false
205f9996aaSopenharmony_ci  use_pac_ret = true
215f9996aaSopenharmony_ci  support_branch_protector_bti = false
225f9996aaSopenharmony_ci}
235f9996aaSopenharmony_ci
245f9996aaSopenharmony_ciusing_security_flag = enable_auto_var_init
255f9996aaSopenharmony_ci
265f9996aaSopenharmony_ciif (!is_ohos) {
275f9996aaSopenharmony_ci  using_security_flag = false
285f9996aaSopenharmony_ci}
295f9996aaSopenharmony_ci
305f9996aaSopenharmony_ci# support_stack_protector_ret = true if clang support -fstack-protector-ret-all
315f9996aaSopenharmony_ciclang_bin = rebase_path("${default_clang_base_path}/bin/clang", root_build_dir)
325f9996aaSopenharmony_cicmd = "${clang_bin} --help | grep fstack-protector-ret-all | wc -l"
335f9996aaSopenharmony_ci
345f9996aaSopenharmony_ci# exec_script returns 1 if grep -fstack-protector-ret-all failed, indicating -fstack-protector-ret-all not supported
355f9996aaSopenharmony_cires = exec_script("//build/scripts/run_shell_cmd.py", [ cmd ], "value")
365f9996aaSopenharmony_ciif (target_cpu == "arm64" && res == 1 && is_ohos && is_standard_system &&
375f9996aaSopenharmony_ci    !is_mingw) {
385f9996aaSopenharmony_ci  support_stack_protector_ret = true
395f9996aaSopenharmony_ci} else {
405f9996aaSopenharmony_ci  support_stack_protector_ret = false
415f9996aaSopenharmony_ci}
425f9996aaSopenharmony_ci
435f9996aaSopenharmony_ci# pac_ret is supported in armv8.
445f9996aaSopenharmony_ci# bti is supported in armv8.5
455f9996aaSopenharmony_ciif (target_cpu == "arm64" && is_ohos && is_standard_system && !is_mingw) {
465f9996aaSopenharmony_ci  if (use_pac_ret) {
475f9996aaSopenharmony_ci    support_branch_protector_pac_ret = true
485f9996aaSopenharmony_ci  }
495f9996aaSopenharmony_ci  support_branch_protector_bti = true
505f9996aaSopenharmony_ci}
515f9996aaSopenharmony_ci
525f9996aaSopenharmony_ciassert(
535f9996aaSopenharmony_ci    !using_security_flag || is_clang,
545f9996aaSopenharmony_ci    "automatic variable initialization requires setting is_clang = true in 'gn args'")
555f9996aaSopenharmony_ci
565f9996aaSopenharmony_citemplate("ohos_auto_initialize_config") {
575f9996aaSopenharmony_ci  config(target_name) {
585f9996aaSopenharmony_ci    forward_variables_from(invoker, [ "auto_var_init" ])
595f9996aaSopenharmony_ci
605f9996aaSopenharmony_ci    configs = []
615f9996aaSopenharmony_ci
625f9996aaSopenharmony_ci    # Currently, only the clang compiler and standard system support automatic variable initialization.
635f9996aaSopenharmony_ci    if (is_clang && is_standard_system) {
645f9996aaSopenharmony_ci      if (defined(auto_var_init)) {
655f9996aaSopenharmony_ci        assert(
665f9996aaSopenharmony_ci            auto_var_init == "pattern" || auto_var_init == "zero" ||
675f9996aaSopenharmony_ci                auto_var_init == "uninit",
685f9996aaSopenharmony_ci            "auto_var_init can only be set to pattern, zero or uninit, for example, auto_var_init = \"pattern\"")
695f9996aaSopenharmony_ci
705f9996aaSopenharmony_ci        if (auto_var_init == "pattern") {
715f9996aaSopenharmony_ci          configs += [ "//build/config/security:auto_var_pattern_init_config" ]
725f9996aaSopenharmony_ci        } else if (auto_var_init == "zero") {
735f9996aaSopenharmony_ci          configs += [ "//build/config/security:auto_var_zero_init_config" ]
745f9996aaSopenharmony_ci        } else if (auto_var_init == "uninit") {
755f9996aaSopenharmony_ci          configs += [ "//build/config/security:auto_var_uninit_config" ]
765f9996aaSopenharmony_ci        }
775f9996aaSopenharmony_ci      } else {
785f9996aaSopenharmony_ci        configs += [ "//build/config/security:auto_var_zero_init_config" ]
795f9996aaSopenharmony_ci      }
805f9996aaSopenharmony_ci    }
815f9996aaSopenharmony_ci  }
825f9996aaSopenharmony_ci}
835f9996aaSopenharmony_ci
845f9996aaSopenharmony_citemplate("ohos_security_config") {
855f9996aaSopenharmony_ci  config(target_name) {
865f9996aaSopenharmony_ci    configs = []
875f9996aaSopenharmony_ci    _auto_initialize_config_target = "${target_name}__auto_initialize_config"
885f9996aaSopenharmony_ci    ohos_auto_initialize_config(_auto_initialize_config_target) {
895f9996aaSopenharmony_ci      forward_variables_from(invoker, [ "auto_var_init" ])
905f9996aaSopenharmony_ci    }
915f9996aaSopenharmony_ci
925f9996aaSopenharmony_ci    configs += [ ":$_auto_initialize_config_target" ]
935f9996aaSopenharmony_ci  }
945f9996aaSopenharmony_ci}
95