Commit 56556007 authored by Alvin Wong's avatar Alvin Wong

Enable MinGW Windows hardening flags for 3rdparty deps

Maniphest Tasks: T6505, T3917
parent 207791f3
......@@ -55,6 +55,33 @@ if (MINGW)
option(QT_ENABLE_DEBUG_INFO "Build Qt with debug info included" OFF)
endif (MINGW)
set(SECURITY_EXE_LINKER_FLAGS "")
set(SECURITY_SHARED_LINKER_FLAGS "")
set(SECURITY_MODULE_LINKER_FLAGS "")
if (MINGW)
option(USE_MINGW_HARDENING_LINKER "Enable DEP (NX), ASLR and high-entropy ASLR linker flags (mingw-w64)" ON)
if (USE_MINGW_HARDENING_LINKER)
set(SECURITY_EXE_LINKER_FLAGS "-Wl,--dynamicbase -Wl,--nxcompat -Wl,--disable-auto-image-base")
set(SECURITY_SHARED_LINKER_FLAGS "-Wl,--dynamicbase -Wl,--nxcompat -Wl,--disable-auto-image-base")
set(SECURITY_MODULE_LINKER_FLAGS "-Wl,--dynamicbase -Wl,--nxcompat -Wl,--disable-auto-image-base")
if ("${CMAKE_SIZEOF_VOID_P}" EQUAL "8")
# Enable high-entropy ASLR for 64-bit
# The image base has to be >4GB for HEASLR to be enabled.
# The values used here are kind of arbitrary.
set(SECURITY_EXE_LINKER_FLAGS "${SECURITY_EXE_LINKER_FLAGS} -Wl,--high-entropy-va -Wl,--image-base,0x140000000")
set(SECURITY_SHARED_LINKER_FLAGS "${SECURITY_SHARED_LINKER_FLAGS} -Wl,--high-entropy-va -Wl,--image-base,0x180000000")
set(SECURITY_MODULE_LINKER_FLAGS "${SECURITY_MODULE_LINKER_FLAGS} -Wl,--high-entropy-va -Wl,--image-base,0x180000000")
set(GLOBAL_PROFILE ${GLOBAL_PROFILE}
-DCMAKE_EXE_LINKER_FLAGS=${SECURITY_EXE_LINKER_FLAGS}
-DCMAKE_SHARED_LINKER_FLAGS=${SECURITY_SHARED_LINKER_FLAGS}
-DCMAKE_MODULE_LINKER_FLAGS=${SECURITY_MODULE_LINKER_FLAGS}
)
endif ("${CMAKE_SIZEOF_VOID_P}" EQUAL "8")
else (USE_MINGW_HARDENING_LINKER)
message(WARNING "Linker Security Flags not enabled!")
endif (USE_MINGW_HARDENING_LINKER)
endif (MINGW)
if (DEFINED EP_PREFIX)
set_directory_properties(PROPERTIES EP_PREFIX ${EP_PREFIX})
endif (DEFINED EP_PREFIX)
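Review bot: The `set(GLOBAL_PROFILE ${GLOBAL_PROFILE} -DCMAKE_EXE_LINKER_FLAGS=... )` call comes before `endif ("${CMAKE_SIZEOF_VOID_P}" EQUAL "8")`, so only 64-bit builds forward the hardening flags to the CMake-based dependencies. A 32-bit MinGW build still computes `--dynamicbase` and `--nxcompat` in the three SECURITY_* variables but never adds them to GLOBAL_PROFILE. Moving that `set(GLOBAL_PROFILE ...)` below the 64-bit `endif`, while keeping it inside `if (USE_MINGW_HARDENING_LINKER)`, would give both word sizes DEP and ASLR. Because each dependency's own build system applies the flags, it is also worth checking the produced EXEs and DLLs for the DYNAMIC_BASE, NX_COMPAT and HIGH_ENTROPY_VA DllCharacteristics bits rather than trusting that the option is ON.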
......
......@@ -56,7 +56,7 @@ elseif(MINGW)
URL_MD5 015ae4afa6f3e597232bfe1dab949ace
CONFIGURE_COMMAND <SOURCE_DIR>/bootstrap.bat gcc --prefix=${PREFIX_ext_boost}
BUILD_COMMAND <SOURCE_DIR>/b2.exe -j${SUBMAKE_JOBS} --with-system --build-dir=build-dir --prefix=${PREFIX_ext_boost} toolset=gcc variant=release link=shared threading=multi architecture=x86 variant=release install
BUILD_COMMAND <SOURCE_DIR>/b2.exe -j${SUBMAKE_JOBS} linkflags=${SECURITY_SHARED_LINKER_FLAGS} --with-system --build-dir=build-dir --prefix=${PREFIX_ext_boost} toolset=gcc variant=release link=shared threading=multi architecture=x86 variant=release install
INSTALL_COMMAND ""
INSTALL_DIR ${EXTPREFIX_boost}
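Review bot: When `USE_MINGW_HARDENING_LINKER` is OFF, `SECURITY_SHARED_LINKER_FLAGS` is the empty string, so the new BUILD_COMMAND passes a bare `linkflags=` to b2. How b2 treats an empty feature value is not visible here, so I would build the argument conditionally: `if (SECURITY_SHARED_LINKER_FLAGS)` / `set(_boost_linkflags "linkflags=${SECURITY_SHARED_LINKER_FLAGS}")` / `endif ()`, then use an unquoted `${_boost_linkflags}` in the command so it expands to nothing when hardening is disabled. The enclosing ExternalProject call starts and ends outside this hunk.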
......
......@@ -35,7 +35,7 @@ elseif(MINGW)
PATCH_COMMAND ${PATCH_COMMAND} -p1 -i ${CMAKE_CURRENT_SOURCE_DIR}/pyqt-configure-fix.patch
CONFIGURE_COMMAND python.exe <SOURCE_DIR>/configure.py ${_PYQT_conf}
BUILD_COMMAND mingw32-make -j${SUBMAKE_JOBS} CXXFLAGS=-D_hypot=hypot
BUILD_COMMAND mingw32-make -j${SUBMAKE_JOBS} CXXFLAGS=-D_hypot=hypot LDFLAGS=${SECURITY_SHARED_LINKER_FLAGS}
INSTALL_COMMAND mingw32-make -j${SUBMAKE_JOBS} install
BUILD_IN_SOURCE 1
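Review bot: `LDFLAGS=${SECURITY_SHARED_LINKER_FLAGS}` on the `mingw32-make` command line only hardens the modules if the Makefiles written by `configure.py` actually read `LDFLAGS`. Generated Makefiles often use a different variable for the link step, in which case this is a silent no-op, and that cannot be judged from the hunk. The same applies to the SIP hunk, which passes `LDFLAGS` the same way. A comment such as `# LDFLAGS is honoured by the generated Makefile; verified with <tool> on the built .pyd` next to the line, backed by an actual check of the DllCharacteristics of the built modules, would show that the hardening takes effect. The ExternalProject call continues outside the hunk.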
......
......@@ -16,6 +16,9 @@ if (WIN32)
-opensource -confirm-license
#
-release -platform win32-g++ -prefix ${EXTPREFIX_qt}
QMAKE_LFLAGS_APP+=${SECURITY_EXE_LINKER_FLAGS}
QMAKE_LFLAGS_SHLIB+=${SECURITY_SHARED_LINKER_FLAGS}
QMAKE_LFLAGS_SONAME+=${SECURITY_SHARED_LINKER_FLAGS}
)
if (QT_ENABLE_DEBUG_INFO)
# Set the option to build Qt with debugging info enabled
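Review bot: `QMAKE_LFLAGS_SONAME+=${SECURITY_SHARED_LINKER_FLAGS}` looks like the wrong variable. qmake documents QMAKE_LFLAGS_SONAME as the flag used to set a shared object's name, not as a general bucket for shared-library linker flags. If the intent is to cover plugins as well as ordinary DLLs, `QMAKE_LFLAGS_PLUGIN+=${SECURITY_SHARED_LINKER_FLAGS}` is the likelier match; whether the win32-g++ mkspec uses SONAME at all is not visible here. The hunk also sits under `if (WIN32)` rather than `if (MINGW)`, so a short comment saying the SECURITY_* variables are empty unless MinGW hardening is enabled would make the no-op case explicit. The configure argument list starts outside the hunk.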
......
......@@ -28,7 +28,7 @@ elseif (MINGW)
URL_MD5 1098da9ee1915354fedf38fd6fbe22ce
CONFIGURE_COMMAND python.exe <SOURCE_DIR>/configure.py ${_SIP_conf}
BUILD_COMMAND mingw32-make -j${SUBMAKE_JOBS}
BUILD_COMMAND mingw32-make -j${SUBMAKE_JOBS} LDFLAGS=${SECURITY_SHARED_LINKER_FLAGS}
INSTALL_COMMAND mingw32-make -j${SUBMAKE_JOBS} install
BUILD_IN_SOURCE 1
......