Merge pull request erlang#9441 from garazdawi/lukas/otp/ossf-compiler…

…-flags/OTP-19519 Enable OSSF compiler hardening flags by default
garazdawi · Mar 4, 2025 · 057cc09 · 057cc09
2 parents 9143386 + 9c916ab
commit 057cc09
Show file tree

Hide file tree

Showing 28 changed files with 12,809 additions and 5,292 deletions.
diff --git a/.github/actions/ossf-compiler-flags-scanner/action.yaml b/.github/actions/ossf-compiler-flags-scanner/action.yaml
@@ -0,0 +1,50 @@
+# %CopyrightBegin%
+#
+# SPDX-FileCopyrightText: Copyright Ericsson AB 2023-2025. All Rights Reserved.
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+# %CopyrightEnd%
+
+name: Open Source Security Foundation
+
+inputs:
+    upload:
+        description: 'Upload sarif results using codeql'
+        default: false
+
+runs:
+    using: composite
+    steps:
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # ratchet:actions/[email protected]
+        with:
+            repository: ossf/wg-best-practices-os-developers
+            sparse-checkout: docs/Compiler-Hardening-Guides/compiler-options-scraper
+            path: ossf
+
+      - name: Setup compiler options scraper
+        shell: bash -eo pipefail {0}
+        run: |
+          pip3 install -r ossf/docs/Compiler-Hardening-Guides/compiler-options-scraper/requirements.txt
+          python3 ossf/docs/Compiler-Hardening-Guides/compiler-options-scraper/main.py
+          cat compiler-options.json
+
+      - name: Run compiler flag comparison
+        shell: bash -eo pipefail {0}
+        run: |
+          docker run -v `pwd`/.github/scripts:/github --entrypoint "" otp \
+            bash -c "/github/ossf-sarif-generator.es '$(cat compiler-options.json)'" > results.sarif
+
+      - name: "Upload artifact"
+        if: ${{ !cancelled() }}
+        uses: actions/upload-artifact@4cec3d8aa04e39d1a68397de0c4cd6fb9dce8ec1 # ratchet:actions/[email protected]
+        with:
+            name: SARIF file
+            path: results.sarif
+
+      # Upload the results to GitHub's code scanning dashboard.
+      - name: "Upload to code-scanning"
+        if: ${{ !cancelled() && inputs.upload == 'true' }}
+        uses: github/codeql-action/upload-sarif@b56ba49b26e50535fa1e7f7db0f4f7b4bf65d80d # ratchet:github/codeql-action/[email protected]
+        with:
+            sarif_file: results.sarif
diff --git a/.github/dockerfiles/Dockerfile.64-bit b/.github/dockerfiles/Dockerfile.64-bit
@@ -14,10 +14,8 @@ WORKDIR /buildroot/otp/
 
 ENV CFLAGS="-O2 -g -Werror -DwxSTC_DISABLE_MACRO_DEPRECATIONS=1"
 ENV CFLAGS="${CFLAGS} -Wall -Wformat -Wformat=2 -Wno-conversion -Wimplicit-fallthrough \
-    -Werror=format-security -U_FORTIFY_SOURCE -D_FORTIFY_SOURCE=2 -D_GLIBCXX_ASSERTIONS \
-    -fstack-clash-protection -fstack-protector-strong -Wtrampolines \
-    -fcf-protection=full -fexceptions -fno-strict-overflow -fno-delete-null-pointer-checks \
-    -D_GLIBCXX_ASSERTIONS"
+    -Werror=format-security -Wtrampolines -fsanitize=signed-integer-overflow"
+ENV CXXFLAGS="-Wno-maybe-uninitialized"
 ## OpenSSF recommended CFLAGS, skipped are:
 ##  -Wconversion -Wextra -Wsign-conversion - As we have way too many of these warnings
 ##  -fstrict-flex-arrays=3 -Wbidi-chars=any - As gcc 11 does not support it
@@ -26,7 +24,7 @@ ENV CFLAGS="${CFLAGS} -Wall -Wformat -Wformat=2 -Wno-conversion -Wimplicit-fallt
 ENV SKIPPED_OSSF_CFLAGS="-Wconversion -mbranch-protection=standard \
     -Wextra  -Werror=implicit -Werror=incompatible-pointer-types -Werror=int-conversion \
     -Wsign-conversion"
-ENV LDFLAGS="-Wl,-z,noexecstack -Wl,-z,relro -Wl,-z,now -Wl,--as-needed -Wl,--no-copy-dt-needed-entries"
+ENV LDFLAGS=""
 ## OpenSSF recommended LDFLAGS, skipped are:
 ## -Wl,-z,nodlopen - as opening drivers/nifs needs this
 ## -fPIE - not needed with gcc 11
@@ -46,6 +44,7 @@ RUN if [ ! -f Makefile ]; then \
 ## Disable -Werror as testcases do not compile with it on
 ENV CFLAGS="-O2 -g"
 ENV LDFLAGS=""
+ENV CXXFLAGS=""
 
 ## Update init.sh with correct env vars
 RUN echo "export MAKEFLAGS=$MAKEFLAGS" > /buildroot/env.sh && \

diff --git a/.github/workflows/main.yaml b/.github/workflows/main.yaml
@@ -59,7 +59,6 @@ jobs:
     name: Build Erlang/OTP (64-bit)
     runs-on: ubuntu-latest
     outputs:
-        BASE_BUILD: ${{ steps.base-build.outputs.BASE_BUILD }}
         changes: ${{ steps.changes.outputs.changes }}
         c-code-changes: ${{ steps.c-code-changes.outputs.changes }}
         all: ${{ steps.apps.outputs.all }}
@@ -385,28 +384,53 @@ jobs:
     needs: pack
     if: needs.pack.outputs.c-code-changes
 
+    strategy:
+      matrix:
+        flavor: [jit, emu]
+      fail-fast: false
+
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # ratchet:actions/[email protected]
       - uses: ./.github/actions/build-base-image
         with:
             BASE_BRANCH: ${{ env.BASE_BRANCH }}
       - name: Build Erlang/OTP flavors and types
         run: |
-            TYPES="opt debug lcnt"
-            FLAVORS="emu jit"
+            TYPES="opt debug lcnt asan gcov valgrind"
+            FLAVORS="${{ matrix.flavor }}"
             for TYPE in ${TYPES}; do
               for FLAVOR in ${FLAVORS}; do
                 echo "::group::{TYPE=$TYPE FLAVOR=$FLAVOR}"
-                docker run otp "make TYPE=$TYPE FLAVOR=$FLAVOR"
+                docker run otp \
+                  "if [ ${TYPE} = \"valgrind\" ]; then sudo apt-get install -y valgrind bc; fi && \
+                   make TYPE=$TYPE FLAVOR=$FLAVOR && \
+                   cerl -$TYPE -emu_flavor $FLAVOR -noshell -s init stop"
                 echo "::endgroup::"
               done
             done
       - name: Build Erlang/OTP JIT Win32 ABI
+        if: ${{ matrix.flavor == 'jit' }}
         run: >
             docker run otp './configure CFLAGS="$CFLAGS -DERTS_JIT_ABI_WIN32=1" &&
                  make && make TYPE=debug &&
                  cerl -noshell -s init stop && cerl -debug -noshell -s init stop'
 
+      - name: Build Erlang/OTP with LTTNG
+        if: ${{ matrix.flavor == 'jit' }}
+        run: >
+            docker run otp 'sudo apt-get install -y lttng-tools &&
+                 ./configure --enable-dynamic-trace=lttng &&
+                 make && make TYPE=debug &&
+                 cerl -noshell -s init stop && cerl -debug -noshell -s init stop'
+
+      - name: Start Erlang with various start options
+        if: ${{ matrix.flavor == 'jit' }}
+        run: |
+            OPTIONS=("+JPperf true" "+JMsingle true" "+JDdump true")
+            for OPTION in "${OPTIONS[@]}"; do
+                docker run otp "erl ${OPTION} -noshell -s init stop"
+            done
+
   build:
     name: Build Erlang/OTP
     runs-on: ubuntu-latest
@@ -524,6 +548,8 @@ jobs:
         ## Run dialyzer
       - name: Run dialyzer
         run: docker run -v $PWD/:/github otp '/github/scripts/run-dialyzer'
+      - name: Check OSSF compiler flags
+        uses: ./.github/actions/ossf-compiler-flags-scanner
 
   test:
     name: Test Erlang/OTP

diff --git a/.github/workflows/ossf-compiler-flags-scanner.yaml b/.github/workflows/ossf-compiler-flags-scanner.yaml
@@ -45,39 +45,10 @@ jobs:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # ratchet:actions/[email protected]
       - name: Create initial pre-release tar
         run: .github/scripts/init-pre-release.sh otp_src.tar.gz
-      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # ratchet:actions/[email protected]
-        with:
-            repository: ossf/wg-best-practices-os-developers
-            sparse-checkout: docs/Compiler-Hardening-Guides/compiler-options-scraper
-            path: ossf
-
-      - name: Setup compiler options scraper
-        run: |
-          pip3 install -r ossf/docs/Compiler-Hardening-Guides/compiler-options-scraper/requirements.txt
-          python3 ossf/docs/Compiler-Hardening-Guides/compiler-options-scraper/main.py
-          cat compiler-options.json
-
       - uses: ./.github/actions/build-base-image
         with:
           BASE_BRANCH: master
-          BUILD_IMAGE: true
-
-      - name: Run compiler flag comparison
-        run: |
-          docker run -v `pwd`/.github/scripts:/github --entrypoint "" otp \
-            bash -c "/github/ossf-sarif-generator.es '$(cat compiler-options.json)'" > results.sarif
-
-      - name: "Upload artifact"
-        if: ${{ !cancelled() }}
-        uses: actions/upload-artifact@4cec3d8aa04e39d1a68397de0c4cd6fb9dce8ec1 # v4.4.3 ratchet:actions/upload-artifact@v4
-        with:
-            name: SARIF file
-            path: results.sarif
 
-      # Upload the results to GitHub's code scanning dashboard.
-      - name: "Upload to code-scanning"
-        if: ${{ !cancelled() }}
-        uses: github/codeql-action/upload-sarif@b56ba49b26e50535fa1e7f7db0f4f7b4bf65d80d # ratchet:github/codeql-action/upload-sarif@v3
+      - uses: ./.github/actions/ossf-compiler-flags-scanner
         with:
-            sarif_file: results.sarif
-
+            upload: true
diff --git a/HOWTO/INSTALL.md b/HOWTO/INSTALL.md
@@ -428,6 +428,10 @@ Some of the available `configure` options are:
     option which will enable `configure` to continue without support for
     timestamps after mid-January 2038. This is typically only an issue on 32-bit
     platforms.
+*   `--disable-security-hardening-flags` - Disable all security hardening
+    flags when compiling Erlang/OTP. This can be useful in some scenarios
+    when the flags either causes Erlang/OTP not to build, or unacceptable
+    performance degradations.
 
 If you or your system has special requirements please read the `Makefile` for
 additional configuration information.