
Commit 6106a4ea authored by Vishwath Mohan's avatar Vishwath Mohan

Enable CFI by default but restrict CFI_INCLUDE_PATHS

This CL enables CFI on security-sensitive components for product
configs that inherit core_64_bit.mk (and core_64_bit_only.mk). Note
that this only requests the build system to do so. Internal build
logic will dictate if this is actually enabled on the build or
not (CFI is currently disabled for ARM32 and MIPS for example).

In addition, this also restricts CFI_INCLUDE_PATHS and
PRODUCT_CFI_INCLUDE_PATHS to Arm64 architectures only. This helps
narrow which targets enable CFI out of the box.

Bug: 66301104
Test: CFI is enabled on aosp_* targets
Change-Id: I52af499dc34cd4b42fbfb1175f6a37aaf17b65dd
parent 2dcba6fe
+10 −8
@@ -96,8 +96,9 @@ ifeq ($(LOCAL_SANITIZE),never)
  my_sanitize_diag :=
endif

# Enable CFI in included paths.
# Enable CFI in included paths (for Arm64 only).
ifeq ($(filter cfi, $(my_sanitize)),)
  ifneq ($(filter arm64,$(TARGET_$(LOCAL_2ND_ARCH_VAR_PREFIX)ARCH)),)
    combined_include_paths := $(CFI_INCLUDE_PATHS) \
                              $(PRODUCT_CFI_INCLUDE_PATHS)

@@ -107,6 +108,7 @@ ifeq ($(filter cfi, $(my_sanitize)),)
      my_sanitize_diag := cfi $(my_sanitize_diag)
    endif
  endif
endif

# If CFI is disabled globally, remove it from my_sanitize.
ifeq ($(strip $(ENABLE_CFI)),false)
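Review bot: The `ifneq ($(filter arm64,$(TARGET_$(LOCAL_2ND_ARCH_VAR_PREFIX)ARCH)),)` guard turns the `CFI_INCLUDE_PATHS`/`PRODUCT_CFI_INCLUDE_PATHS` opt-in into a silent no-op for every other architecture, x86_64 included, and the comment directly above it only says "for Arm64 only" without the reason. The rationale given in the commit message (CFI is currently disabled for ARM32 and MIPS, and the filter is what keeps the include-path opt-in from requesting it there) should live in the file, e.g. `# Enable CFI in included paths (Arm64 only: CFI is not yet supported on ARM32/MIPS, so the opt-in is ignored for other archs, including the 32-bit half of a 64-bit device).` Whether x86_64 is intentionally excluded cannot be told from the hunk; if it is, stating that in the comment will save the question being re-raised, and if not, the filter needs a second pattern. A path that matches still only requests CFI; the `ENABLE_CFI` check at the end of the second hunk can strip it again afterwards. The body of the guarded block between the two hunks is outside this page.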
+4 −0
@@ -31,3 +31,7 @@ PRODUCT_DEFAULT_PROPERTY_OVERRIDES += ro.zygote=zygote64_32

TARGET_SUPPORTS_32_BIT_APPS := true
TARGET_SUPPORTS_64_BIT_APPS := true

# Enable CFI for security-sensitive components
$(call inherit-product, $(SRC_TARGET_DIR)/product/cfi-common.mk)
$(call inherit-product-if-exists, vendor/google/products/cfi-vendor.mk)
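Review bot: The `inherit-product-if-exists` on the last added line makes the vendor CFI list optional, so a tree that lacks `vendor/google/products/cfi-vendor.mk` silently ends up with a smaller CFI-enabled set and nothing in the build output records which case applied; the comment above the two calls should say so rather than just "Enable CFI", e.g. `# Request CFI for security-sensitive components: cfi-common.mk is required, the vendor list is optional and silently skipped when absent; whether CFI is actually built in is still decided by ENABLE_CFI and per-arch support.` The word "Enable" also overstates what these lines do, since the commit message itself says the build logic may still leave CFI off for the target. The identical addition in the next file section (presumably core_64_bit_only.mk, judging from the `ro.zygote=zygote64` context) has the same issue.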
+4 −0
@@ -28,3 +28,7 @@ PRODUCT_DEFAULT_PROPERTY_OVERRIDES += ro.zygote=zygote64

TARGET_SUPPORTS_32_BIT_APPS := false
TARGET_SUPPORTS_64_BIT_APPS := true

# Enable CFI for security-sensitive components
$(call inherit-product, $(SRC_TARGET_DIR)/product/cfi-common.mk)
$(call inherit-product-if-exists, vendor/google/products/cfi-vendor.mk)