From f8d4dc57879f302b253268d61ec0e326d2d88a35 Mon Sep 17 00:00:00 2001 From: Vishwath Mohan Date: Mon, 28 May 2018 13:38:24 -0700 Subject: [PATCH] Apply CFI include paths to all product configs. The current VNDK ABI snapshot expects that CFI is disabled for components that either in the include paths (from cfi-common.mk) OR enabled directly in the makefile/blueprint. However, on non-arm64 architectures, the build system was only disabling CFI for vendor components in the include paths. This topic corrects it by (a) removing the include paths check to disable CFI for vendor variants, and (b) inheriting the CFI include paths in all product configs to ensure that when we update the ABI we're able to move to relying exclusively on (PRODUCT_)CFI_INCLUDE_PATHS. Bug: 66301104 Test: ABI matches for all architectures. Change-Id: I4d845cd9925354d565e06020c479cc3f7ab28f61 --- target/product/aosp_arm64_ab.mk | 4 ---- target/product/core_64_bit.mk | 4 ---- target/product/core_64_bit_only.mk | 4 ---- target/product/core_minimal.mk | 4 ++++ 4 files changed, 4 insertions(+), 12 deletions(-) diff --git a/target/product/aosp_arm64_ab.mk b/target/product/aosp_arm64_ab.mk index 63de7a222..c96cb9180 100644 --- a/target/product/aosp_arm64_ab.mk +++ b/target/product/aosp_arm64_ab.mk @@ -27,10 +27,6 @@ PRODUCT_PACKAGES += \ update_engine \ update_verifier -# Enable control-flow integrity (CFI) for security sensitive components -$(call inherit-product, $(SRC_TARGET_DIR)/product/cfi-common.mk) -$(call inherit-product-if-exists, vendor/google/products/cfi-vendor.mk) - PRODUCT_NAME := aosp_arm64_ab PRODUCT_DEVICE := generic_arm64_ab PRODUCT_BRAND := Android diff --git a/target/product/core_64_bit.mk b/target/product/core_64_bit.mk index e6fd97c24..76e2a36a3 100644 --- a/target/product/core_64_bit.mk +++ b/target/product/core_64_bit.mk @@ -31,7 +31,3 @@ PRODUCT_DEFAULT_PROPERTY_OVERRIDES += ro.zygote=zygote64_32 TARGET_SUPPORTS_32_BIT_APPS := true TARGET_SUPPORTS_64_BIT_APPS := true - -# Enable CFI for security-sensitive components -$(call inherit-product, $(SRC_TARGET_DIR)/product/cfi-common.mk) -$(call inherit-product-if-exists, vendor/google/products/cfi-vendor.mk) diff --git a/target/product/core_64_bit_only.mk b/target/product/core_64_bit_only.mk index 06907131d..72d30f52b 100644 --- a/target/product/core_64_bit_only.mk +++ b/target/product/core_64_bit_only.mk @@ -28,7 +28,3 @@ PRODUCT_DEFAULT_PROPERTY_OVERRIDES += ro.zygote=zygote64 TARGET_SUPPORTS_32_BIT_APPS := false TARGET_SUPPORTS_64_BIT_APPS := true - -# Enable CFI for security-sensitive components -$(call inherit-product, $(SRC_TARGET_DIR)/product/cfi-common.mk) -$(call inherit-product-if-exists, vendor/google/products/cfi-vendor.mk) diff --git a/target/product/core_minimal.mk b/target/product/core_minimal.mk index df4d56a12..85646c1af 100644 --- a/target/product/core_minimal.mk +++ b/target/product/core_minimal.mk @@ -178,3 +178,7 @@ PRODUCT_DEFAULT_PROPERTY_OVERRIDES += \ $(call inherit-product, $(SRC_TARGET_DIR)/product/runtime_libart.mk) $(call inherit-product, $(SRC_TARGET_DIR)/product/base.mk) + +# Enable CFI for security-sensitive components +$(call inherit-product, $(SRC_TARGET_DIR)/product/cfi-common.mk) +$(call inherit-product-if-exists, vendor/google/products/cfi-vendor.mk)