From 7798bcacf0094ef3eaf4ee8fecf67e5c00d510f4 Mon Sep 17 00:00:00 2001 From: Avia Avraham <145359432+AviaAv@users.noreply.github.com> Date: Wed, 25 Sep 2024 14:16:25 +0300 Subject: [PATCH 01/22] add SDLE flags for windows build --- CMake/windows_config.cmake | 28 +++++++++++++++++++++++++ include/librealsense2/hpp/rs_export.hpp | 2 +- 2 files changed, 29 insertions(+), 1 deletion(-) diff --git a/CMake/windows_config.cmake b/CMake/windows_config.cmake index 3bd808b07a..f81775a913 100644 --- a/CMake/windows_config.cmake +++ b/CMake/windows_config.cmake 
@@ -40,6 +40,34 @@ macro(os_set_flags) set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} /MP") set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} /MP") + ############### + # According to SDLE we need to add the following flags for additional security: + # Debug & Release: + # /Gy: Enables function-level linking to reduce executable size. + # /DYNAMICBASE: Enables Address Space Layout Randomization (ASLR) to improve security. + # /GS: Enables buffer security checks to prevent buffer overflows. + + # Release only: + # /WX: Treats all warnings as errors. + # /LTCG (/GL): Enables Link Time Code Generation to improve performance. + # /sdl: Enables additional security checks. + # /NXCOMPAT: Enables Data Execution Prevention (DEP) to prevent code execution in data areas. + + set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} /Gy /DYNAMICBASE /GS") + set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} /Gy /DYNAMICBASE /GS") + + if(CMAKE_BUILD_TYPE STREQUAL "Debug") + message(STATUS "Configuring for Debug build") + set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS}") + else() # Release, RelWithDebInfo, or multi configuration generator is being used (aka not specifing build type, or building with VS) + message(STATUS "Configuring for Release build") + set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} /WX /sdl") + set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} /WX /sdl") + set(CMAKE_LINKER_FLAGS "${CMAKE_LINKER_FLAGS} /INCREMENTAL:NO /LTCG /NXCOMPAT") # ignoring '/INCREMENTAL' due to '/LTCG' specification + endif() + + ################# + set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} /bigobj /wd4819") set(LRS_TRY_USE_AVX true) add_definitions(-D_UNICODE) diff --git a/include/librealsense2/hpp/rs_export.hpp b/include/librealsense2/hpp/rs_export.hpp index 6e7d097791..337d34bc61 100644 --- a/include/librealsense2/hpp/rs_export.hpp +++ b/include/librealsense2/hpp/rs_export.hpp 
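Review bot: `CMAKE_LINKER_FLAGS` is not a variable CMake reads when it assembles link lines (it uses `CMAKE_EXE_LINKER_FLAGS`, `CMAKE_SHARED_LINKER_FLAGS` and `CMAKE_MODULE_LINKER_FLAGS`), so unless the project forwards it elsewhere, `/INCREMENTAL:NO /LTCG /NXCOMPAT` never reach link.exe. `/DYNAMICBASE` is also a linker switch, and putting it in `CMAKE_CXX_FLAGS`/`CMAKE_C_FLAGS` hands it to cl.exe instead. I would move both, e.g. `set(CMAKE_EXE_LINKER_FLAGS "${CMAKE_EXE_LINKER_FLAGS} /DYNAMICBASE /NXCOMPAT")` plus the same line for `CMAKE_SHARED_LINKER_FLAGS`, and apply them in Debug too, since neither is a release-only concern. The unix_config.cmake hunk in PATCH 04 uses the same variable for `-pie`. The os_set_flags macro continues outside this hunk.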
@@ -81,7 +81,7 @@ namespace rs2 bool use_normals = get_option(OPTION_PLY_NORMALS) != 0; const auto verts = p.get_vertices(); const auto texcoords = p.get_texture_coordinates(); - const uint8_t* texture_data; + const uint8_t* texture_data = nullptr; if (use_texcoords) // texture might be on the gpu, get pointer to data before for-loop to avoid repeated access texture_data = reinterpret_cast(color.get_data()); std::vector new_verts; From bdb030497b468f4b198756d81288f1ab87949ab8 Mon Sep 17 00:00:00 2001 From: Avia Avraham <145359432+AviaAv@users.noreply.github.com> Date: Wed, 25 Sep 2024 14:17:04 +0300 Subject: [PATCH 02/22] add SDLE flags for linux build --- CMake/unix_config.cmake | 38 ++++++++++++++++++++++++++++++++++++++ CMake/windows_config.cmake | 3 +++ 2 files changed, 41 insertions(+) diff --git a/CMake/unix_config.cmake b/CMake/unix_config.cmake index 711434c2ef..bf7155b908 100644 --- a/CMake/unix_config.cmake +++ b/CMake/unix_config.cmake 
@@ -47,6 +47,44 @@ macro(os_set_flags) set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} -pthread") endif() + ############### + # According to SDLE we need to add the following flags for additional security: + # Debug & Release: + # -Wformat: Checks for format string vulnerabilities. + # -Wformat-security: Ensures format strings are not vulnerable to attacks. + # -fPIC: Generates position-independent code (PIC) suitable for shared libraries. + # -fPIE: Generates position-independent executable (PIE) code. + # -pie: Links the output as a position-independent executable. + # -D_FORTIFY_SOURCE=2: Adds extra checks for buffer overflows. + # -mfunction-return=thunk: Mitigates return-oriented programming (ROP) attacks. (Added flag -fcf-protection=none to allow it) + # -mindirect-branch=thunk: Mitigates indirect branch attacks. + # -mindirect-branch-register: Uses registers for indirect branches to mitigate attacks. + # -fstack-protector: Adds stack protection to detect buffer overflows. + + # Release only + # -Werror: Treats all warnings as errors. + # -Werror=format-security: Treats format security warnings as errors. + # -z noexecstack: Marks the stack as non-executable to prevent certain types of attacks. + # -Wl,-z,relro,-z,now: Enables read-only relocations and immediate binding for security. + # -fstack-protector-strong: Provides stronger stack protection than -fstack-protector. 
+ + # see https://readthedocs.intel.com/SecureCodingStandards/2023.Q2.0/compiler/c-cpp/ for more details + + + set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} -Wformat -Wformat-security -fPIC -fPIE -pie -D_FORTIFY_SOURCE=2 -fcf-protection=none -mfunction-return=thunk -mindirect-branch=thunk -mindirect-branch-register -fstack-protector") + #‘-mfunction-return’ and ‘-fcf-protection’ are not compatible, so specifing -fcf-protection=none + set(CMAKE_C_FLAGS "${CMAKE_CXX_FLAGS} -Werror -Werror=format-security -z noexecstack -Wl,-z,relro,-z,now -fstack-protector-strong") + + if(CMAKE_BUILD_TYPE STREQUAL "Debug") + message(STATUS "Configuring for Debug build") + else() # Release, RelWithDebInfo, or multi configuration generator is being used (aka not specifing build type, or building with VS) + message(STATUS "Configuring for Release build") + set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} -Werror -Werror=format-security -z noexecstack -Wl,-z,relro,-z,now -fstack-protector-strong") + set(CMAKE_C_FLAGS "${CMAKE_CXX_FLAGS} -Werror -Werror=format-security -z noexecstack -Wl,-z,relro,-z,now -fstack-protector-strong") + endif() + + ################# + if(APPLE) set(FORCE_RSUSB_BACKEND ON) endif() diff --git a/CMake/windows_config.cmake b/CMake/windows_config.cmake index f81775a913..93762b8073 100644 --- a/CMake/windows_config.cmake +++ b/CMake/windows_config.cmake @@ -53,6 +53,9 @@ macro(os_set_flags) # /sdl: Enables additional security checks. # /NXCOMPAT: Enables Data Execution Prevention (DEP) to prevent code execution in data areas. + # see https://readthedocs.intel.com/SecureCodingStandards/2023.Q2.0/compiler/c-cpp/ for more details + + set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} /Gy /DYNAMICBASE /GS") set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} /Gy /DYNAMICBASE /GS") From 6035a790ab858fdd50aa32c16f6d115cb3af0dcc Mon Sep 17 00:00:00 2001 
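Review bot: `-fcf-protection=none` is added to every build to make room for the thunk options, which switches off the compiler's control-flow protection instrumentation. The comment block should state that trade-off, because one hardening feature is being given up to gain another. The description of `-mfunction-return=thunk` as a ROP mitigation is also misleading, since the thunk options are retpoline-style defences against speculative branch-target injection. I would reword that line to `# -mfunction-return=thunk: routes returns through a thunk (speculative-execution mitigation); needs -fcf-protection=none`. The os_set_flags macro starts and ends outside this hunk.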
From: Avia Avraham <145359432+AviaAv@users.noreply.github.com> Date: Wed, 25 Sep 2024 14:23:09 +0300 Subject: [PATCH 03/22] fix for C flags --- CMake/unix_config.cmake | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/CMake/unix_config.cmake b/CMake/unix_config.cmake index bf7155b908..71d846f478 100644 --- a/CMake/unix_config.cmake +++ b/CMake/unix_config.cmake @@ -73,14 +73,14 @@ macro(os_set_flags) set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} -Wformat -Wformat-security -fPIC -fPIE -pie -D_FORTIFY_SOURCE=2 -fcf-protection=none -mfunction-return=thunk -mindirect-branch=thunk -mindirect-branch-register -fstack-protector") #‘-mfunction-return’ and ‘-fcf-protection’ are not compatible, so specifing -fcf-protection=none - set(CMAKE_C_FLAGS "${CMAKE_CXX_FLAGS} -Werror -Werror=format-security -z noexecstack -Wl,-z,relro,-z,now -fstack-protector-strong") + set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -Wformat -Wformat-security -fPIC -fPIE -pie -D_FORTIFY_SOURCE=2 -fcf-protection=none -mfunction-return=thunk -mindirect-branch=thunk -mindirect-branch-register -fstack-protector") if(CMAKE_BUILD_TYPE STREQUAL "Debug") message(STATUS "Configuring for Debug build") else() # Release, RelWithDebInfo, or multi configuration generator is being used (aka not specifing build type, or building with VS) message(STATUS "Configuring for Release build") set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} -Werror -Werror=format-security -z noexecstack -Wl,-z,relro,-z,now -fstack-protector-strong") - set(CMAKE_C_FLAGS "${CMAKE_CXX_FLAGS} -Werror -Werror=format-security -z noexecstack -Wl,-z,relro,-z,now -fstack-protector-strong") + set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -Werror -Werror=format-security -z noexecstack -Wl,-z,relro,-z,now -fstack-protector-strong") endif() ################# From 86aafea15655a47580fbcb88ce99469d573e4db8 Mon Sep 17 00:00:00 2001 
From: Avia Avraham <145359432+AviaAv@users.noreply.github.com> Date: Wed, 25 Sep 2024 17:07:56 +0300 Subject: [PATCH 04/22] modify Jetson and fPIE flag --- CMake/unix_config.cmake | 12 +++++++++--- examples/CMakeLists.txt | 4 ++++ tools/CMakeLists.txt | 4 ++++ 3 files changed, 17 insertions(+), 3 deletions(-) diff --git a/CMake/unix_config.cmake b/CMake/unix_config.cmake index 71d846f478..9e8d9a63b4 100644 --- a/CMake/unix_config.cmake +++ b/CMake/unix_config.cmake 
@@ -70,10 +70,16 @@ macro(os_set_flags) # see https://readthedocs.intel.com/SecureCodingStandards/2023.Q2.0/compiler/c-cpp/ for more details + if (CMAKE_SYSTEM_PROCESSOR MATCHES "aarch64|armv7l") # Jetson system, some flags are not recognized + set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} -Wformat -Wformat-security -fPIC -D_FORTIFY_SOURCE=2 -fstack-protector") + set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -Wformat -Wformat-security -fPIC -D_FORTIFY_SOURCE=2 -fstack-protector") + else() + #‘-mfunction-return’ and ‘-fcf-protection’ are not compatible, so specifing -fcf-protection=none + set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} -Wformat -Wformat-security -fPIC -D_FORTIFY_SOURCE=2 -fcf-protection=none -mfunction-return=thunk -mindirect-branch=thunk -mindirect-branch-register -fstack-protector") + set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -Wformat -Wformat-security -fPIC -D_FORTIFY_SOURCE=2 -fcf-protection=none -mfunction-return=thunk -mindirect-branch=thunk -mindirect-branch-register -fstack-protector") + endif() + set(CMAKE_LINKER_FLAGS "${CMAKE_LINKER_FLAGS} -pie") - set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} -Wformat -Wformat-security -fPIC -fPIE -pie -D_FORTIFY_SOURCE=2 -fcf-protection=none -mfunction-return=thunk -mindirect-branch=thunk -mindirect-branch-register -fstack-protector") - #‘-mfunction-return’ and ‘-fcf-protection’ are not compatible, so specifing -fcf-protection=none - set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -Wformat -Wformat-security -fPIC -fPIE -pie -D_FORTIFY_SOURCE=2 -fcf-protection=none -mfunction-return=thunk -mindirect-branch=thunk -mindirect-branch-register -fstack-protector") if(CMAKE_BUILD_TYPE STREQUAL "Debug") message(STATUS "Configuring for Debug build") diff --git a/examples/CMakeLists.txt b/examples/CMakeLists.txt index 652656e589..b8ee580d08 100644 --- a/examples/CMakeLists.txt +++ b/examples/CMakeLists.txt 
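Review bot: Selecting the flag set with `CMAKE_SYSTEM_PROCESSOR MATCHES "aarch64|armv7l"` hard-codes one platform known to reject the flags. Any other toolchain without `-mindirect-branch=thunk` or `-mfunction-return=thunk` (x86 GCC options) then either fails to build or needs another special case, which is what the PATCH 07 and PATCH 09 hunks on this condition go on to add. Probing each flag, e.g. `include(CheckCXXCompilerFlag)` then `check_cxx_compiler_flag(-mindirect-branch=thunk HAVE_INDIRECT_BRANCH_THUNK)`, and appending only what passes would keep the hardening wherever it is supported and drop it visibly where it is not. The os_set_flags macro starts and ends outside this hunk.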
@@ -7,6 +7,8 @@ set(CMAKE_EXPORT_COMPILE_COMMANDS 1) # View the makefile commands during build #set(CMAKE_VERBOSE_MAKEFILE on) +string(REPLACE "-fPIC" "-fPIE" CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS}") # examples are exeutables so we want position indepandent exeutables and not libraries + set( DEPENDENCIES ${LRS_TARGET} ) if(BUILD_GRAPHICAL_EXAMPLES) include(${CMAKE_SOURCE_DIR}/CMake/opengl_config.cmake) @@ -40,3 +42,5 @@ add_subdirectory(record-playback) add_subdirectory(motion) add_subdirectory(gl) add_subdirectory(hdr) + +string(REPLACE "-fPIE" "-fPIC" CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS}") diff --git a/tools/CMakeLists.txt b/tools/CMakeLists.txt index 99807a4602..bca5cdf6f9 100644 --- a/tools/CMakeLists.txt +++ b/tools/CMakeLists.txt @@ -7,6 +7,8 @@ set(CMAKE_EXPORT_COMPILE_COMMANDS 1) # View the makefile commands during build #set(CMAKE_VERBOSE_MAKEFILE on) +string(REPLACE "-fPIC" "-fPIE" CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS}") # tools are exeutables so we want position indepandent exeutables and not libraries + list( APPEND DEPENDENCIES ${LRS_TARGET} tclap ) if(BUILD_TOOLS) @@ -45,3 +47,5 @@ if(BUILD_EXAMPLES) endif() endif() endif() + +string(REPLACE "-fPIE" "-fPIC" CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS}") From 8d8daa9deda9e83cd58f418516f70b38da69a59f Mon Sep 17 00:00:00 2001 From: Avia Avraham <145359432+AviaAv@users.noreply.github.com> Date: Thu, 26 Sep 2024 12:42:11 +0300 Subject: [PATCH 05/22] fix libcurl not compiling and other warnings --- CMake/external_libcurl.cmake | 5 +++++ CMake/unix_config.cmake | 4 ++-- CMake/windows_config.cmake | 4 ++-- src/hid/hid-device.cpp | 2 +- src/uvc/uvc-device.cpp | 6 +++--- src/uvc/uvc-streamer.cpp | 2 +- 6 files changed, 14 insertions(+), 9 deletions(-) diff --git a/CMake/external_libcurl.cmake b/CMake/external_libcurl.cmake index ac967e1cd2..2fce83548d 100644 --- a/CMake/external_libcurl.cmake +++ b/CMake/external_libcurl.cmake 
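Review bot: The closing `string(REPLACE "-fPIE" "-fPIC" CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS}")` in examples/CMakeLists.txt, and the same pair in tools/CMakeLists.txt, looks unnecessary and can undo the swap. A directory entered with add_subdirectory has its own variable scope, so the edit never reaches the parent. Any target defined directly in this file, though, is generated with the value `CMAKE_CXX_FLAGS` holds once the file has finished processing, which is `-fPIC` again. Only the C++ flags are rewritten, so C sources in these directories keep `-fPIC`. `set(CMAKE_POSITION_INDEPENDENT_CODE ON)` at the top level lets CMake pick `-fPIE` for executables and `-fPIC` for libraries per target without editing flag strings.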
@@ -1,4 +1,8 @@ if(CHECK_FOR_UPDATES) + + set(FLAGS_ORIGIN "${CMAKE_C_FLAGS}") + string(REPLACE "-Werror" "" CMAKE_C_FLAGS "${CMAKE_C_FLAGS}") # -Werror causes libcurl build to fail + include(ExternalProject) message(STATUS "Building libcurl enabled") @@ -60,4 +64,5 @@ if(CHECK_FOR_UPDATES) endif() endif() + set(CMAKE_C_FLAGS "${FLAGS_ORIGIN}") endif() #CHECK_FOR_UPDATES diff --git a/CMake/unix_config.cmake b/CMake/unix_config.cmake index 9e8d9a63b4..dbb4cc9a10 100644 --- a/CMake/unix_config.cmake +++ b/CMake/unix_config.cmake @@ -85,8 +85,8 @@ macro(os_set_flags) message(STATUS "Configuring for Debug build") else() # Release, RelWithDebInfo, or multi configuration generator is being used (aka not specifing build type, or building with VS) message(STATUS "Configuring for Release build") - set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} -Werror -Werror=format-security -z noexecstack -Wl,-z,relro,-z,now -fstack-protector-strong") - set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -Werror -Werror=format-security -z noexecstack -Wl,-z,relro,-z,now -fstack-protector-strong") + set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} -Werror -z noexecstack -Wl,-z,relro,-z,now -fstack-protector-strong") + set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -Werror -z noexecstack -Wl,-z,relro,-z,now -fstack-protector-strong") endif() ################# diff --git a/CMake/windows_config.cmake b/CMake/windows_config.cmake index 93762b8073..614c7e9f96 100644 --- a/CMake/windows_config.cmake +++ b/CMake/windows_config.cmake @@ -56,8 +56,8 @@ macro(os_set_flags) # see https://readthedocs.intel.com/SecureCodingStandards/2023.Q2.0/compiler/c-cpp/ for more details - set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} /Gy /DYNAMICBASE /GS") - set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} /Gy /DYNAMICBASE /GS") + set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} /Gy /DYNAMICBASE /GS /wd4101") + set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} /Gy /DYNAMICBASE /GS /wd4101") if(CMAKE_BUILD_TYPE STREQUAL "Debug") message(STATUS "Configuring for Debug build") 
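Review bot: `string(REPLACE "-Werror" "" CMAKE_C_FLAGS "${CMAKE_C_FLAGS}")` is a plain substring replace, so any `-Werror=<name>` flag in the variable would be left as a stray `=<name>` token. This commit also drops `-Werror=format-security` from unix_config.cmake, possibly for that reason, but the coupling is not documented anywhere. Only `CMAKE_C_FLAGS` is handled, and `/WX` on Windows is not stripped. Appending `-Wno-error` for the libcurl build, or passing the external project its own flag string, would avoid editing the global variable. How the flags reach the ExternalProject call lies between the two hunks and is not visible here.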
diff --git a/src/hid/hid-device.cpp b/src/hid/hid-device.cpp index aaa3a18a40..c903016967 100644 --- a/src/hid/hid-device.cpp +++ b/src/hid/hid-device.cpp @@ -334,7 +334,7 @@ namespace librealsense //we want to change the sensitivity values only in gyro, for FW version >= 5.16 if( featureReport.reportId == REPORT_ID_GYROMETER_3D && _realsense_hid_report_actual_size == sizeof( REALSENSE_HID_REPORT ) ) - featureReport.sensitivity = sensitivity; + featureReport.sensitivity = (unsigned short)sensitivity; res = dev->control_transfer(USB_REQUEST_CODE_SET, diff --git a/src/uvc/uvc-device.cpp b/src/uvc/uvc-device.cpp index 84897e0163..765d72210b 100644 --- a/src/uvc/uvc-device.cpp +++ b/src/uvc/uvc-device.cpp @@ -177,7 +177,7 @@ namespace librealsense switch(state) { case D0: - _messenger = _usb_device->open(_info.mi); + _messenger = _usb_device->open((uint8_t)_info.mi); if (_messenger) { try{ @@ -654,7 +654,7 @@ namespace librealsense void rs_uvc_device::listen_to_interrupts() { - auto ctrl_interface = _usb_device->get_interface(_info.mi); + auto ctrl_interface = _usb_device->get_interface((uint8_t)_info.mi); if (!ctrl_interface) return; auto iep = ctrl_interface->first_endpoint(RS2_USB_ENDPOINT_DIRECTION_READ, RS2_USB_ENDPOINT_INTERRUPT); @@ -856,7 +856,7 @@ namespace librealsense req, probe ? (UVC_VS_PROBE_CONTROL << 8) : (UVC_VS_COMMIT_CONTROL << 8), ctrl->bInterfaceNumber, // When requestType is directed to an interface, the driver automatically passes the interface number in the low byte of index - buf, len, transferred, 0); + buf, (uint32_t)len, transferred, 0); } while (sts != RS2_USB_STATUS_SUCCESS && retries++ < 5); } }, [this](){ return !_messenger; }); diff --git a/src/uvc/uvc-streamer.cpp b/src/uvc/uvc-streamer.cpp index 3e1c7aa487..974aff5c52 100644 --- a/src/uvc/uvc-streamer.cpp +++ b/src/uvc/uvc-streamer.cpp 
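Review bot: The casts added here, `(unsigned short)sensitivity`, `(uint8_t)_info.mi` (twice in uvc-device.cpp) and `(uint32_t)len`, silence the narrowing diagnostics that /WX and -Werror now turn into errors, but they leave the truncation itself in place. The source types are not visible in these hunks. If any of them is wider than the target and the value originates from a device descriptor or a caller-supplied length, an out-of-range value would wrap silently. I would check the range before narrowing (for example reject `_info.mi > UINT8_MAX`), or change the field type to match the API, so the cast documents a verified invariant. All four enclosing functions extend beyond their hunks.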
@@ -28,7 +28,7 @@ namespace librealsense _action_dispatcher.start(); - _watchdog_timeout = (1000.0 / _context.profile.fps) * 10; + _watchdog_timeout = (int64_t)((1000.0 / _context.profile.fps) * 10); init(); } From 97fb66589277b363763673cee3a213ec9b7a3e67 Mon Sep 17 00:00:00 2001 From: Avia Avraham <145359432+AviaAv@users.noreply.github.com> Date: Thu, 26 Sep 2024 13:23:45 +0300 Subject: [PATCH 06/22] remove additional flags from third party --- CMake/external_fastdds.cmake | 5 ++++- CMake/external_foonathan_memory.cmake | 6 ++++++ CMake/external_json.cmake | 5 +++++ CMake/external_libcurl.cmake | 7 ++++--- CMake/unix_config.cmake | 12 ++++++------ CMake/windows_config.cmake | 11 +++++------ third-party/CMakeLists.txt | 5 +++++ 7 files changed, 35 insertions(+), 16 deletions(-) diff --git a/CMake/external_fastdds.cmake b/CMake/external_fastdds.cmake index 856e0dbfc7..7cd817544a 100644 --- a/CMake/external_fastdds.cmake +++ b/CMake/external_fastdds.cmake @@ -67,7 +67,10 @@ function(get_fastdds) message(CHECK_PASS "Done") endfunction() +string(REPLACE "${ADDITIONAL_COMPILER_FLAGS}" "" CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS}") +string(REPLACE "${ADDITIONAL_COMPILER_FLAGS}" "" CMAKE_C_FLAGS "${CMAKE_C_FLAGS}") # Trigger the FastDDS build get_fastdds() - +set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} ${ADDITIONAL_COMPILER_FLAGS}") +set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} ${ADDITIONAL_COMPILER_FLAGS}") diff --git a/CMake/external_foonathan_memory.cmake b/CMake/external_foonathan_memory.cmake index f6c4938267..2bd26fe1c6 100644 --- a/CMake/external_foonathan_memory.cmake +++ b/CMake/external_foonathan_memory.cmake 
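Review bot: The new `(int64_t)` cast makes the conversion explicit, but `_context.profile.fps` is still used as a divisor without a visible check. If it can be 0, `1000.0 / fps` is infinite and converting that to `int64_t` is undefined behaviour. Whether fps is validated before this point cannot be told from the hunk, because the constructor begins above it. Rejecting a zero fps before the assignment, or falling back to a fixed timeout, would make the watchdog value well defined.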
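Review bot: Stripping the whole of `${ADDITIONAL_COMPILER_FLAGS}` around `get_fastdds()` removes the hardening flags (`-fstack-protector`, `-D_FORTIFY_SOURCE=2`, the relro/now options) together with `-Werror`, although only warnings-as-errors breaks third-party builds. The same pattern appears in external_foonathan_memory.cmake, external_json.cmake, external_libcurl.cmake and third-party/CMakeLists.txt in this commit, and around `wrappers` and `src/gl` in PATCH 08. libcurl and FastDDS handle network input, so they are where stack protection and fortify checks matter most. Keeping the warning switches in a separate variable and removing only that one here would preserve the rest. The replace also works only while the flag string appears verbatim and contiguous in `CMAKE_CXX_FLAGS`.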
@@ -41,4 +41,10 @@ function(get_foonathan_memory) endfunction() +string(REPLACE "${ADDITIONAL_COMPILER_FLAGS}" "" CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS}") +string(REPLACE "${ADDITIONAL_COMPILER_FLAGS}" "" CMAKE_C_FLAGS "${CMAKE_C_FLAGS}") + get_foonathan_memory() + +set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} ${ADDITIONAL_COMPILER_FLAGS}") +set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} ${ADDITIONAL_COMPILER_FLAGS}") diff --git a/CMake/external_json.cmake b/CMake/external_json.cmake index 69c84ffeec..5c55114e7a 100644 --- a/CMake/external_json.cmake +++ b/CMake/external_json.cmake @@ -46,5 +46,10 @@ function(get_nlohmann_json) endfunction() +string(REPLACE "${ADDITIONAL_COMPILER_FLAGS}" "" CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS}") +string(REPLACE "${ADDITIONAL_COMPILER_FLAGS}" "" CMAKE_C_FLAGS "${CMAKE_C_FLAGS}") # Trigger the build get_nlohmann_json() + +set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} ${ADDITIONAL_COMPILER_FLAGS}") +set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} ${ADDITIONAL_COMPILER_FLAGS}") diff --git a/CMake/external_libcurl.cmake b/CMake/external_libcurl.cmake index 2fce83548d..64f57b178a 100644 --- a/CMake/external_libcurl.cmake +++ b/CMake/external_libcurl.cmake @@ -1,7 +1,7 @@ if(CHECK_FOR_UPDATES) - set(FLAGS_ORIGIN "${CMAKE_C_FLAGS}") - string(REPLACE "-Werror" "" CMAKE_C_FLAGS "${CMAKE_C_FLAGS}") # -Werror causes libcurl build to fail + string(REPLACE "${ADDITIONAL_COMPILER_FLAGS}" "" CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS}") + string(REPLACE "${ADDITIONAL_COMPILER_FLAGS}" "" CMAKE_C_FLAGS "${CMAKE_C_FLAGS}") include(ExternalProject) message(STATUS "Building libcurl enabled") @@ -64,5 +64,6 @@ if(CHECK_FOR_UPDATES) endif() endif() - set(CMAKE_C_FLAGS "${FLAGS_ORIGIN}") + set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} ${ADDITIONAL_COMPILER_FLAGS}") + set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} ${ADDITIONAL_COMPILER_FLAGS}") endif() #CHECK_FOR_UPDATES diff --git a/CMake/unix_config.cmake b/CMake/unix_config.cmake index dbb4cc9a10..e05bfc59b7 100644 --- a/CMake/unix_config.cmake 
+++ b/CMake/unix_config.cmake @@ -71,12 +71,10 @@ macro(os_set_flags) # see https://readthedocs.intel.com/SecureCodingStandards/2023.Q2.0/compiler/c-cpp/ for more details if (CMAKE_SYSTEM_PROCESSOR MATCHES "aarch64|armv7l") # Jetson system, some flags are not recognized - set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} -Wformat -Wformat-security -fPIC -D_FORTIFY_SOURCE=2 -fstack-protector") - set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -Wformat -Wformat-security -fPIC -D_FORTIFY_SOURCE=2 -fstack-protector") + set(ADDITIONAL_COMPILER_FLAGS "-Wformat -Wformat-security -fPIC -D_FORTIFY_SOURCE=2 -fstack-protector") else() #‘-mfunction-return’ and ‘-fcf-protection’ are not compatible, so specifing -fcf-protection=none - set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} -Wformat -Wformat-security -fPIC -D_FORTIFY_SOURCE=2 -fcf-protection=none -mfunction-return=thunk -mindirect-branch=thunk -mindirect-branch-register -fstack-protector") - set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -Wformat -Wformat-security -fPIC -D_FORTIFY_SOURCE=2 -fcf-protection=none -mfunction-return=thunk -mindirect-branch=thunk -mindirect-branch-register -fstack-protector") + set(ADDITIONAL_COMPILER_FLAGS "-Wformat -Wformat-security -fPIC -D_FORTIFY_SOURCE=2 -fcf-protection=none -mfunction-return=thunk -mindirect-branch=thunk -mindirect-branch-register -fstack-protector") endif() set(CMAKE_LINKER_FLAGS "${CMAKE_LINKER_FLAGS} -pie") 
@@ -85,9 +83,11 @@ macro(os_set_flags) message(STATUS "Configuring for Debug build") else() # Release, RelWithDebInfo, or multi configuration generator is being used (aka not specifing build type, or building with VS) message(STATUS "Configuring for Release build") - set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} -Werror -z noexecstack -Wl,-z,relro,-z,now -fstack-protector-strong") - set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -Werror -z noexecstack -Wl,-z,relro,-z,now -fstack-protector-strong") + set(ADDITIONAL_COMPILER_FLAGS "${ADDITIONAL_COMPILER_FLAGS} -Werror -z noexecstack -Wl,-z,relro,-z,now -fstack-protector-strong") endif() + + set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} ${ADDITIONAL_COMPILER_FLAGS}") + set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} ${ADDITIONAL_COMPILER_FLAGS}") ################# diff --git a/CMake/windows_config.cmake b/CMake/windows_config.cmake index 614c7e9f96..97244907e2 100644 --- a/CMake/windows_config.cmake +++ b/CMake/windows_config.cmake 
@@ -55,20 +55,19 @@ macro(os_set_flags) # see https://readthedocs.intel.com/SecureCodingStandards/2023.Q2.0/compiler/c-cpp/ for more details - - set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} /Gy /DYNAMICBASE /GS /wd4101") - set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} /Gy /DYNAMICBASE /GS /wd4101") + set(ADDITIONAL_COMPILER_FLAGS "/Gy /DYNAMICBASE /GS /wd4101") if(CMAKE_BUILD_TYPE STREQUAL "Debug") message(STATUS "Configuring for Debug build") - set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS}") else() # Release, RelWithDebInfo, or multi configuration generator is being used (aka not specifing build type, or building with VS) message(STATUS "Configuring for Release build") - set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} /WX /sdl") - set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} /WX /sdl") + set(ADDITIONAL_COMPILER_FLAGS "${ADDITIONAL_COMPILER_FLAGS} /WX /sdl") set(CMAKE_LINKER_FLAGS "${CMAKE_LINKER_FLAGS} /INCREMENTAL:NO /LTCG /NXCOMPAT") # ignoring '/INCREMENTAL' due to '/LTCG' specification endif() + set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} ${ADDITIONAL_COMPILER_FLAGS}") + set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} ${ADDITIONAL_COMPILER_FLAGS}") + ################# set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} /bigobj /wd4819") diff --git a/third-party/CMakeLists.txt b/third-party/CMakeLists.txt index c70314062e..6bf02b578e 100644 --- a/third-party/CMakeLists.txt +++ b/third-party/CMakeLists.txt @@ -1,5 +1,8 @@ string(REPLACE ${PROJECT_SOURCE_DIR}/ "" _rel_path ${CMAKE_CURRENT_LIST_DIR}) +string(REPLACE "${ADDITIONAL_COMPILER_FLAGS}" "" CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS}") +string(REPLACE "${ADDITIONAL_COMPILER_FLAGS}" "" CMAKE_C_FLAGS "${CMAKE_C_FLAGS}") + include(CMake/external_json.cmake) add_subdirectory( "${CMAKE_CURRENT_LIST_DIR}/rsutils" ) @@ -18,3 +21,5 @@ if( BUILD_WITH_DDS ) add_subdirectory( "${CMAKE_CURRENT_LIST_DIR}/realdds" ) endif() +set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} ${ADDITIONAL_COMPILER_FLAGS}") +set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} ${ADDITIONAL_COMPILER_FLAGS}") 
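Review bot: `if(CMAKE_BUILD_TYPE STREQUAL "Debug")` is evaluated at configure time, and with the Visual Studio generators `CMAKE_BUILD_TYPE` is empty. The `else()` branch therefore runs and `/WX /sdl` (plus the `/LTCG` request) apply to Debug builds as well. The inline comment acknowledges this, but it contradicts the "Release only" list in the comment block above. Per-configuration options can be written as generator expressions, e.g. `add_compile_options("$<$<NOT:$<CONFIG:Debug>>:/WX;/sdl>")`, which behaves the same for single- and multi-config generators. The os_set_flags macro begins and ends outside this hunk.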
From dd66948a4fbf90c1377e9f136351de5fdd539edc Mon Sep 17 00:00:00 2001 From: Avia Avraham <145359432+AviaAv@users.noreply.github.com> Date: Thu, 26 Sep 2024 15:32:18 +0300 Subject: [PATCH 07/22] avoid using flags on old gcc --- CMake/unix_config.cmake | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/CMake/unix_config.cmake b/CMake/unix_config.cmake index e05bfc59b7..6b9c92eb9a 100644 --- a/CMake/unix_config.cmake +++ b/CMake/unix_config.cmake @@ -70,7 +70,8 @@ macro(os_set_flags) # see https://readthedocs.intel.com/SecureCodingStandards/2023.Q2.0/compiler/c-cpp/ for more details - if (CMAKE_SYSTEM_PROCESSOR MATCHES "aarch64|armv7l") # Jetson system, some flags are not recognized + if (CMAKE_SYSTEM_PROCESSOR MATCHES "aarch64|armv7l" OR # Some flags are not recognized or Jetson systems or on GCC version < 9 + (CMAKE_CXX_COMPILER_ID STREQUAL "GNU" AND CMAKE_CXX_COMPILER_VERSION VERSION_LESS "9.0")) # set(ADDITIONAL_COMPILER_FLAGS "-Wformat -Wformat-security -fPIC -D_FORTIFY_SOURCE=2 -fstack-protector") else() #‘-mfunction-return’ and ‘-fcf-protection’ are not compatible, so specifing -fcf-protection=none From 9cc5ad60ee1e18e80a63c31d702f552a4b2d72df Mon Sep 17 00:00:00 2001 From: Avia Avraham <145359432+AviaAv@users.noreply.github.com> Date: Thu, 26 Sep 2024 15:41:42 +0300 Subject: [PATCH 08/22] disable flags on glfw --- CMakeLists.txt | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/CMakeLists.txt b/CMakeLists.txt index 467c844b09..9e0a3f4283 100644 --- a/CMakeLists.txt +++ b/CMakeLists.txt @@ -83,6 +83,8 @@ global_target_config() include(CMake/install_config.cmake) +string(REPLACE "${ADDITIONAL_COMPILER_FLAGS}" "" CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS}") +string(REPLACE "${ADDITIONAL_COMPILER_FLAGS}" "" CMAKE_C_FLAGS "${CMAKE_C_FLAGS}") add_subdirectory(wrappers) if ( ( BUILD_EXAMPLES OR BUILD_PC_STITCHING ) AND BUILD_GLSL_EXTENSIONS ) find_package(glfw3 3.3 QUIET) 
@@ -93,6 +95,8 @@ if ( ( BUILD_EXAMPLES OR BUILD_PC_STITCHING ) AND BUILD_GLSL_EXTENSIONS ) endif() add_subdirectory(src/gl) endif() +set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} ${ADDITIONAL_COMPILER_FLAGS}") +set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} ${ADDITIONAL_COMPILER_FLAGS}") if(BUILD_EXAMPLES) add_subdirectory(examples) From 6cc2b954b122525e054ad0e5b1e8cc5dce08d9c7 Mon Sep 17 00:00:00 2001 From: Avia Avraham <145359432+AviaAv@users.noreply.github.com> Date: Thu, 26 Sep 2024 15:47:24 +0300 Subject: [PATCH 09/22] remove some flags unrecognized on mac --- CMake/unix_config.cmake | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/CMake/unix_config.cmake b/CMake/unix_config.cmake index 6b9c92eb9a..603adda0fc 100644 --- a/CMake/unix_config.cmake +++ b/CMake/unix_config.cmake @@ -70,7 +70,7 @@ macro(os_set_flags) # see https://readthedocs.intel.com/SecureCodingStandards/2023.Q2.0/compiler/c-cpp/ for more details - if (CMAKE_SYSTEM_PROCESSOR MATCHES "aarch64|armv7l" OR # Some flags are not recognized or Jetson systems or on GCC version < 9 + if (CMAKE_SYSTEM_PROCESSOR MATCHES "aarch64|armv7l" OR APPLE OR # Some flags are not recognized or some systems / gcc versions (CMAKE_CXX_COMPILER_ID STREQUAL "GNU" AND CMAKE_CXX_COMPILER_VERSION VERSION_LESS "9.0")) # set(ADDITIONAL_COMPILER_FLAGS "-Wformat -Wformat-security -fPIC -D_FORTIFY_SOURCE=2 -fstack-protector") else() From 04259b321d4a6cc0ea4951aa5cc03a9b54c57d12 Mon Sep 17 00:00:00 2001 From: Avia Avraham <145359432+AviaAv@users.noreply.github.com> Date: Thu, 26 Sep 2024 17:47:20 +0300 Subject: [PATCH 10/22] try replace resize with assign to avoid warning --- src/hid-sensor.cpp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/hid-sensor.cpp b/src/hid-sensor.cpp index 03f831aeeb..f62ba07a8f 100644 --- a/src/hid-sensor.cpp +++ b/src/hid-sensor.cpp 
@@ -145,7 +145,7 @@ void hid_sensor::close() std::lock_guard< std::mutex > lock( _configure_lock ); _configured_profiles.clear(); _is_configured_stream.clear(); - _is_configured_stream.resize( RS2_STREAM_COUNT ); + _is_configured_stream.assign(RS2_STREAM_COUNT, false); } _is_opened = false; if( Is< librealsense::global_time_interface >( _owner ) ) From b17297f39c04fd44a199931434cce90c2511c277 Mon Sep 17 00:00:00 2001 From: Avia Avraham <145359432+AviaAv@users.noreply.github.com> Date: Sun, 29 Sep 2024 09:44:14 +0300 Subject: [PATCH 11/22] conditionally add FORTIFY_SOURCE --- CMake/unix_config.cmake | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/CMake/unix_config.cmake b/CMake/unix_config.cmake index 603adda0fc..fdabb32a2d 100644 --- a/CMake/unix_config.cmake +++ b/CMake/unix_config.cmake 
@@ -72,13 +72,17 @@ macro(os_set_flags) if (CMAKE_SYSTEM_PROCESSOR MATCHES "aarch64|armv7l" OR APPLE OR # Some flags are not recognized or some systems / gcc versions (CMAKE_CXX_COMPILER_ID STREQUAL "GNU" AND CMAKE_CXX_COMPILER_VERSION VERSION_LESS "9.0")) # - set(ADDITIONAL_COMPILER_FLAGS "-Wformat -Wformat-security -fPIC -D_FORTIFY_SOURCE=2 -fstack-protector") + set(ADDITIONAL_COMPILER_FLAGS "-Wformat -Wformat-security -fPIC -fstack-protector") else() #‘-mfunction-return’ and ‘-fcf-protection’ are not compatible, so specifing -fcf-protection=none - set(ADDITIONAL_COMPILER_FLAGS "-Wformat -Wformat-security -fPIC -D_FORTIFY_SOURCE=2 -fcf-protection=none -mfunction-return=thunk -mindirect-branch=thunk -mindirect-branch-register -fstack-protector") + set(ADDITIONAL_COMPILER_FLAGS "-Wformat -Wformat-security -fPIC -fcf-protection=none -mfunction-return=thunk -mindirect-branch=thunk -mindirect-branch-register -fstack-protector") endif() set(CMAKE_LINKER_FLAGS "${CMAKE_LINKER_FLAGS} -pie") + string(FIND "${CMAKE_CXX_FLAGS}" "-D_FORTIFY_SOURCE" _index) + if (${_index} EQUAL -1) # Define D_FORTIFY_SOURCE is undefined + set(ADDITIONAL_COMPILER_FLAGS "${ADDITIONAL_COMPILER_FLAGS} -D_FORTIFY_SOURCE=2") + endif() if(CMAKE_BUILD_TYPE STREQUAL "Debug") message(STATUS "Configuring for Debug build") From e66f7a7fddcf1e721613771df16b79d9216e90ee Mon Sep 17 00:00:00 2001 From: Avia Avraham <145359432+AviaAv@users.noreply.github.com> Date: Sun, 29 Sep 2024 15:02:37 +0300 Subject: [PATCH 12/22] trying to ignore third party differently --- CMake/external_fastdds.cmake | 4 ---- CMake/external_foonathan_memory.cmake | 4 ---- CMake/external_json.cmake | 4 ---- CMake/external_libcurl.cmake | 5 ----- CMake/unix_config.cmake | 4 ++++ CMake/windows_config.cmake | 4 ++++ CMakeLists.txt | 4 ---- third-party/CMakeLists.txt | 5 ----- 8 files changed, 8 insertions(+), 26 deletions(-) diff --git a/CMake/external_fastdds.cmake b/CMake/external_fastdds.cmake index 7cd817544a..c3752ae41b 100644 
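Review bot: The `string(FIND "${CMAKE_CXX_FLAGS}" "-D_FORTIFY_SOURCE" _index)` test inspects only the C++ flags, yet the define goes into `ADDITIONAL_COMPILER_FLAGS`, which is appended to `CMAKE_C_FLAGS` too, so a toolchain that presets the macro for C alone would get a redefinition. The condition can be written `if(_index EQUAL -1)`, and the trailing comment presumably means `# define _FORTIFY_SOURCE only if it is not already set`. `_FORTIFY_SOURCE` also needs optimisation to have any effect, so the Debug configuration gains nothing from it. glibc warns when it is set without `-O`, which is worth checking against the `else()` branch that adds `-Werror` when no build type is given. The os_set_flags macro starts and ends outside this hunk.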
--- a/CMake/external_fastdds.cmake +++ b/CMake/external_fastdds.cmake @@ -67,10 +67,6 @@ function(get_fastdds) message(CHECK_PASS "Done") endfunction() -string(REPLACE "${ADDITIONAL_COMPILER_FLAGS}" "" CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS}") -string(REPLACE "${ADDITIONAL_COMPILER_FLAGS}" "" CMAKE_C_FLAGS "${CMAKE_C_FLAGS}") # Trigger the FastDDS build get_fastdds() -set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} ${ADDITIONAL_COMPILER_FLAGS}") -set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} ${ADDITIONAL_COMPILER_FLAGS}") diff --git a/CMake/external_foonathan_memory.cmake b/CMake/external_foonathan_memory.cmake index 2bd26fe1c6..41c56018f6 100644 --- a/CMake/external_foonathan_memory.cmake +++ b/CMake/external_foonathan_memory.cmake @@ -41,10 +41,6 @@ function(get_foonathan_memory) endfunction() -string(REPLACE "${ADDITIONAL_COMPILER_FLAGS}" "" CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS}") -string(REPLACE "${ADDITIONAL_COMPILER_FLAGS}" "" CMAKE_C_FLAGS "${CMAKE_C_FLAGS}") get_foonathan_memory() -set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} ${ADDITIONAL_COMPILER_FLAGS}") -set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} ${ADDITIONAL_COMPILER_FLAGS}") diff --git a/CMake/external_json.cmake b/CMake/external_json.cmake index 5c55114e7a..dc76ec96cb 100644 --- a/CMake/external_json.cmake +++ b/CMake/external_json.cmake @@ -46,10 +46,6 @@ function(get_nlohmann_json) endfunction() -string(REPLACE "${ADDITIONAL_COMPILER_FLAGS}" "" CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS}") -string(REPLACE "${ADDITIONAL_COMPILER_FLAGS}" "" CMAKE_C_FLAGS "${CMAKE_C_FLAGS}") # Trigger the build get_nlohmann_json() -set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} ${ADDITIONAL_COMPILER_FLAGS}") -set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} ${ADDITIONAL_COMPILER_FLAGS}") diff --git a/CMake/external_libcurl.cmake b/CMake/external_libcurl.cmake index 64f57b178a..0f8580d4f1 100644 --- a/CMake/external_libcurl.cmake +++ b/CMake/external_libcurl.cmake 
@@ -1,8 +1,5 @@ if(CHECK_FOR_UPDATES) - string(REPLACE "${ADDITIONAL_COMPILER_FLAGS}" "" CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS}") - string(REPLACE "${ADDITIONAL_COMPILER_FLAGS}" "" CMAKE_C_FLAGS "${CMAKE_C_FLAGS}") - include(ExternalProject) message(STATUS "Building libcurl enabled") @@ -64,6 +61,4 @@ if(CHECK_FOR_UPDATES) endif() endif() - set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} ${ADDITIONAL_COMPILER_FLAGS}") - set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} ${ADDITIONAL_COMPILER_FLAGS}") endif() #CHECK_FOR_UPDATES diff --git a/CMake/unix_config.cmake b/CMake/unix_config.cmake index fdabb32a2d..245781ab55 100644 --- a/CMake/unix_config.cmake +++ b/CMake/unix_config.cmake @@ -93,6 +93,10 @@ macro(os_set_flags) set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} ${ADDITIONAL_COMPILER_FLAGS}") set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} ${ADDITIONAL_COMPILER_FLAGS}") + + + set_directory_properties(PROPERTIES DIRECTORY third-party/ COMPILE_OPTIONS "-w") + set_source_files_properties(third-party/*.* PROPERTIES COMPILE_OPTIONS "-w") ################# diff --git a/CMake/windows_config.cmake b/CMake/windows_config.cmake index 97244907e2..37cffdf50f 100644 --- a/CMake/windows_config.cmake +++ b/CMake/windows_config.cmake @@ -68,6 +68,10 @@ macro(os_set_flags) set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} ${ADDITIONAL_COMPILER_FLAGS}") set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} ${ADDITIONAL_COMPILER_FLAGS}") + + set_directory_properties(PROPERTIES DIRECTORY third-party/ COMPILE_OPTIONS "/W0") + set_source_files_properties(third-party/*.* PROPERTIES COMPILE_OPTIONS "/W0") + ################# set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} /bigobj /wd4819") diff --git a/CMakeLists.txt b/CMakeLists.txt index 9e0a3f4283..467c844b09 100644 --- a/CMakeLists.txt +++ b/CMakeLists.txt 
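Review bot: `set_directory_properties(PROPERTIES DIRECTORY third-party/ COMPILE_OPTIONS "-w")` in the unix_config.cmake hunk does not target third-party/. The command has no DIRECTORY keyword, so as far as I can tell it sets a property literally named DIRECTORY and then sets COMPILE_OPTIONS to `-w` on whichever directory calls os_set_flags. That would silence warnings for the project's own sources too, which defeats the -Wformat-security and -Werror flags added just above. `set_source_files_properties(third-party/*.* ...)` does not expand globs either, so it matches no file. The windows_config.cmake hunk has the same two lines with `/W0`; a directory-scoped `add_compile_options(-w)` inside third-party/CMakeLists.txt would limit the suppression to that subtree.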
@@ -83,8 +83,6 @@ global_target_config() include(CMake/install_config.cmake) -string(REPLACE "${ADDITIONAL_COMPILER_FLAGS}" "" CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS}") -string(REPLACE "${ADDITIONAL_COMPILER_FLAGS}" "" CMAKE_C_FLAGS "${CMAKE_C_FLAGS}") add_subdirectory(wrappers) if ( ( BUILD_EXAMPLES OR BUILD_PC_STITCHING ) AND BUILD_GLSL_EXTENSIONS ) find_package(glfw3 3.3 QUIET) @@ -95,8 +93,6 @@ if ( ( BUILD_EXAMPLES OR BUILD_PC_STITCHING ) AND BUILD_GLSL_EXTENSIONS ) endif() add_subdirectory(src/gl) endif() -set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} ${ADDITIONAL_COMPILER_FLAGS}") -set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} ${ADDITIONAL_COMPILER_FLAGS}") if(BUILD_EXAMPLES) add_subdirectory(examples) diff --git a/third-party/CMakeLists.txt b/third-party/CMakeLists.txt index 6bf02b578e..c70314062e 100644 --- a/third-party/CMakeLists.txt +++ b/third-party/CMakeLists.txt @@ -1,8 +1,5 @@ string(REPLACE ${PROJECT_SOURCE_DIR}/ "" _rel_path ${CMAKE_CURRENT_LIST_DIR}) -string(REPLACE "${ADDITIONAL_COMPILER_FLAGS}" "" CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS}") -string(REPLACE "${ADDITIONAL_COMPILER_FLAGS}" "" CMAKE_C_FLAGS "${CMAKE_C_FLAGS}") - include(CMake/external_json.cmake) add_subdirectory( "${CMAKE_CURRENT_LIST_DIR}/rsutils" ) @@ -21,5 +18,3 @@ if( BUILD_WITH_DDS ) add_subdirectory( "${CMAKE_CURRENT_LIST_DIR}/realdds" ) endif() -set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} ${ADDITIONAL_COMPILER_FLAGS}") -set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} ${ADDITIONAL_COMPILER_FLAGS}") From 486594207299df4994b1cd6d70bdbc60d9412e34 Mon Sep 17 00:00:00 2001 From: Avia Avraham <145359432+AviaAv@users.noreply.github.com> Date: Mon, 30 Sep 2024 09:35:06 +0300 Subject: [PATCH 13/22] disable -Werror on libcurl build --- CMake/external_libcurl.cmake | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/CMake/external_libcurl.cmake b/CMake/external_libcurl.cmake index 0f8580d4f1..69a068ea1a 100644 --- a/CMake/external_libcurl.cmake +++ b/CMake/external_libcurl.cmake 
@@ -1,5 +1,7 @@ if(CHECK_FOR_UPDATES) + string(REPLACE "${ADDITIONAL_COMPILER_FLAGS}" "" CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS}") + string(REPLACE "${ADDITIONAL_COMPILER_FLAGS}" "" CMAKE_C_FLAGS "${CMAKE_C_FLAGS}") include(ExternalProject) message(STATUS "Building libcurl enabled") @@ -61,4 +63,6 @@ if(CHECK_FOR_UPDATES) endif() endif() + set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} ${ADDITIONAL_COMPILER_FLAGS}") + set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} ${ADDITIONAL_COMPILER_FLAGS}") endif() #CHECK_FOR_UPDATES From a39b5afd8cf9ebea43d1906a2e8831f95d9aedc1 Mon Sep 17 00:00:00 2001 From: Avia Avraham <145359432+AviaAv@users.noreply.github.com> Date: Mon, 30 Sep 2024 10:33:21 +0300 Subject: [PATCH 14/22] try ignore warning on release flow --- CMake/unix_config.cmake | 2 ++ 1 file changed, 2 insertions(+) diff --git a/CMake/unix_config.cmake b/CMake/unix_config.cmake index 245781ab55..ca923fd92d 100644 --- a/CMake/unix_config.cmake +++ b/CMake/unix_config.cmake @@ -78,6 +78,8 @@ macro(os_set_flags) set(ADDITIONAL_COMPILER_FLAGS "-Wformat -Wformat-security -fPIC -fcf-protection=none -mfunction-return=thunk -mindirect-branch=thunk -mindirect-branch-register -fstack-protector") endif() set(CMAKE_LINKER_FLAGS "${CMAKE_LINKER_FLAGS} -pie") + + set(ADDITIONAL_COMPILER_FLAGS "${ADDITIONAL_COMPILER_FLAGS} -Wno-error=stringop-overflow") string(FIND "${CMAKE_CXX_FLAGS}" "-D_FORTIFY_SOURCE" _index) if (${_index} EQUAL -1) # Define D_FORTIFY_SOURCE is undefined From 0acabd3711ac7b02e610f8e88063ecb6e48b0487 Mon Sep 17 00:00:00 2001 From: Avia Avraham <145359432+AviaAv@users.noreply.github.com> Date: Mon, 30 Sep 2024 11:04:01 +0300 Subject: [PATCH 15/22] fix C# warning --- CMake/external_fastdds.cmake | 1 + CMake/external_foonathan_memory.cmake | 2 -- CMake/external_json.cmake | 1 - CMake/windows_config.cmake | 1 - wrappers/csharp/Intel.RealSense/Devices/AutoCalibratedDevice.cs | 2 +- 5 files changed, 2 insertions(+), 5 deletions(-) 
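Review bot: The two `string(REPLACE "${ADDITIONAL_COMPILER_FLAGS}" "" ...)` lines remove every hardening flag for the libcurl build, not only -Werror as the commit title says, so a library that parses network responses would lose -fstack-protector and -D_FORTIFY_SOURCE=2. Whether the ExternalProject call actually receives CMAKE_C_FLAGS is not visible in this hunk, so this needs confirming. If it does, keep the hardening and relax only the warning policy, for example by appending `-Wno-error` for this block. The replace is also a whole-string match, so it silently does nothing if the flags variable was edited in between (the -fPIC to -fPIE rewrite in examples/ and tools/ is one such edit). PATCH 17 repeats the pattern around FastDDS in CMakeLists.txt and in third-party/CMakeLists.txt.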
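Review bot: `-Wno-error=stringop-overflow` in the unix_config.cmake hunk is appended to ADDITIONAL_COMPILER_FLAGS and so applies to every target, although -Wstringop-overflow is one of the diagnostics that can point at a real out-of-bounds write. The hunk gives no reason for it; I would add a comment naming the code that triggers the warning, e.g. `# -Wno-error=stringop-overflow: raised by <file or target>, remove once fixed`, and scope the flag to that target or source file. At this commit the line is not behind a compiler check, so a non-GCC compiler may reject or warn about the option.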
diff --git a/CMake/external_fastdds.cmake b/CMake/external_fastdds.cmake index c3752ae41b..856e0dbfc7 100644 --- a/CMake/external_fastdds.cmake +++ b/CMake/external_fastdds.cmake @@ -70,3 +70,4 @@ endfunction() # Trigger the FastDDS build get_fastdds() + diff --git a/CMake/external_foonathan_memory.cmake b/CMake/external_foonathan_memory.cmake index 41c56018f6..f6c4938267 100644 --- a/CMake/external_foonathan_memory.cmake +++ b/CMake/external_foonathan_memory.cmake @@ -41,6 +41,4 @@ function(get_foonathan_memory) endfunction() - get_foonathan_memory() - diff --git a/CMake/external_json.cmake b/CMake/external_json.cmake index dc76ec96cb..69c84ffeec 100644 --- a/CMake/external_json.cmake +++ b/CMake/external_json.cmake @@ -48,4 +48,3 @@ endfunction() # Trigger the build get_nlohmann_json() - diff --git a/CMake/windows_config.cmake b/CMake/windows_config.cmake index 37cffdf50f..4481173b45 100644 --- a/CMake/windows_config.cmake +++ b/CMake/windows_config.cmake @@ -68,7 +68,6 @@ macro(os_set_flags) set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} ${ADDITIONAL_COMPILER_FLAGS}") set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} ${ADDITIONAL_COMPILER_FLAGS}") - set_directory_properties(PROPERTIES DIRECTORY third-party/ COMPILE_OPTIONS "/W0") set_source_files_properties(third-party/*.* PROPERTIES COMPILE_OPTIONS "/W0") diff --git a/wrappers/csharp/Intel.RealSense/Devices/AutoCalibratedDevice.cs b/wrappers/csharp/Intel.RealSense/Devices/AutoCalibratedDevice.cs index 4233d36e75..4b198cda57 100644 --- a/wrappers/csharp/Intel.RealSense/Devices/AutoCalibratedDevice.cs +++ b/wrappers/csharp/Intel.RealSense/Devices/AutoCalibratedDevice.cs 
@@ -11,7 +11,7 @@ public class AutoCalibratedDevice : CalibratedDevice internal AutoCalibratedDevice(IntPtr dev) : base(dev) { } - public static AutoCalibratedDevice FromDevice(Device dev) + public static new AutoCalibratedDevice FromDevice(Device dev) { object error; if (NativeMethods.rs2_is_device_extendable_to(dev.Handle, Extension.AutoCalibratedDevice, out error) == 0) From dcba20817377139938e2d1f80d88399d39e6d98d Mon Sep 17 00:00:00 2001 From: Avia Avraham <145359432+AviaAv@users.noreply.github.com> Date: Thu, 10 Oct 2024 12:36:50 +0300 Subject: [PATCH 16/22] ignore rsutils on third-party folder, fix typo and static_cast --- CMake/external_libcurl.cmake | 8 +-- CMake/unix_config.cmake | 87 +++++++++++++----------------- CMake/windows_config.cmake | 22 ++++---- examples/CMakeLists.txt | 2 +- src/hid/hid-device.cpp | 2 +- src/uvc/uvc-device.cpp | 6 +-- src/uvc/uvc-streamer.cpp | 2 +- third-party/CMakeLists.txt | 7 +++ third-party/rsutils/CMakeLists.txt | 1 + tools/CMakeLists.txt | 2 +- 10 files changed, 69 insertions(+), 70 deletions(-) diff --git a/CMake/external_libcurl.cmake b/CMake/external_libcurl.cmake index 69a068ea1a..36750d47fb 100644 --- a/CMake/external_libcurl.cmake +++ b/CMake/external_libcurl.cmake @@ -1,7 +1,7 @@ if(CHECK_FOR_UPDATES) - string(REPLACE "${ADDITIONAL_COMPILER_FLAGS}" "" CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS}") - string(REPLACE "${ADDITIONAL_COMPILER_FLAGS}" "" CMAKE_C_FLAGS "${CMAKE_C_FLAGS}") + string(REPLACE "${SECURITY_COMPILER_FLAGS}" "" CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS}") # remove flags + string(REPLACE "${SECURITY_COMPILER_FLAGS}" "" CMAKE_C_FLAGS "${CMAKE_C_FLAGS}") include(ExternalProject) message(STATUS "Building libcurl enabled") 
@@ -63,6 +63,6 @@ if(CHECK_FOR_UPDATES) endif() endif() - set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} ${ADDITIONAL_COMPILER_FLAGS}") - set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} ${ADDITIONAL_COMPILER_FLAGS}") + set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} ${SECURITY_COMPILER_FLAGS}") + set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} ${SECURITY_COMPILER_FLAGS}") endif() #CHECK_FOR_UPDATES diff --git a/CMake/unix_config.cmake b/CMake/unix_config.cmake index ca923fd92d..bc88fcb408 100644 --- a/CMake/unix_config.cmake +++ b/CMake/unix_config.cmake 
@@ -47,60 +47,49 @@ macro(os_set_flags) set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} -pthread") endif() - ############### - # According to SDLE we need to add the following flags for additional security: - # Debug & Release: - # -Wformat: Checks for format string vulnerabilities. - # -Wformat-security: Ensures format strings are not vulnerable to attacks. - # -fPIC: Generates position-independent code (PIC) suitable for shared libraries. - # -fPIE: Generates position-independent executable (PIE) code. - # -pie: Links the output as a position-independent executable. - # -D_FORTIFY_SOURCE=2: Adds extra checks for buffer overflows. - # -mfunction-return=thunk: Mitigates return-oriented programming (ROP) attacks. (Added flag -fcf-protection=none to allow it) - # -mindirect-branch=thunk: Mitigates indirect branch attacks. - # -mindirect-branch-register: Uses registers for indirect branches to mitigate attacks. - # -fstack-protector: Adds stack protection to detect buffer overflows. + + if (CMAKE_CXX_COMPILER_ID STREQUAL "GNU") + # Due to security reasons we need to add the following flags for additional security: + # Debug & Release: + # -Wformat: Checks for format string vulnerabilities. + # -Wformat-security: Ensures format strings are not vulnerable to attacks. + # -fPIC: Generates position-independent code during the compilation phase. + # -fPIE: Generates position-independent executables during the compilation phase. + # -D_FORTIFY_SOURCE=2: Adds extra checks for buffer overflows. + # -fstack-protector: Adds stack protection to detect buffer overflows. - # Release only - # -Werror: Treats all warnings as errors. - # -Werror=format-security: Treats format security warnings as errors. - # -z noexecstack: Marks the stack as non-executable to prevent certain types of attacks. - # -Wl,-z,relro,-z,now: Enables read-only relocations and immediate binding for security. - # -fstack-protector-strong: Provides stronger stack protection than -fstack-protector. 
- - # see https://readthedocs.intel.com/SecureCodingStandards/2023.Q2.0/compiler/c-cpp/ for more details + # Release only + # -Werror: Treats all warnings as errors. + # -Werror=format-security: Treats format security warnings as errors. + # -z noexecstack: Marks the stack as non-executable to prevent certain types of attacks. + # -Wl,-z,relro,-z,now: Enables read-only relocations and immediate binding for security. + # -fstack-protector-strong: Provides stronger stack protection than -fstack-protector. + + # Linker flags + # -pie: Produces position-independent executables during the linking phase. + + # see https://readthedocs.intel.com/SecureCodingStandards/2023.Q2.0/compiler/c-cpp/ for more details - if (CMAKE_SYSTEM_PROCESSOR MATCHES "aarch64|armv7l" OR APPLE OR # Some flags are not recognized or some systems / gcc versions - (CMAKE_CXX_COMPILER_ID STREQUAL "GNU" AND CMAKE_CXX_COMPILER_VERSION VERSION_LESS "9.0")) # - set(ADDITIONAL_COMPILER_FLAGS "-Wformat -Wformat-security -fPIC -fstack-protector") - else() - #‘-mfunction-return’ and ‘-fcf-protection’ are not compatible, so specifing -fcf-protection=none - set(ADDITIONAL_COMPILER_FLAGS "-Wformat -Wformat-security -fPIC -fcf-protection=none -mfunction-return=thunk -mindirect-branch=thunk -mindirect-branch-register -fstack-protector") - endif() - set(CMAKE_LINKER_FLAGS "${CMAKE_LINKER_FLAGS} -pie") - - set(ADDITIONAL_COMPILER_FLAGS "${ADDITIONAL_COMPILER_FLAGS} -Wno-error=stringop-overflow") + set(SECURITY_COMPILER_FLAGS "-Wformat -Wformat-security -fPIC -fstack-protector -Wno-error=stringop-overflow") - string(FIND "${CMAKE_CXX_FLAGS}" "-D_FORTIFY_SOURCE" _index) - if (${_index} EQUAL -1) # Define D_FORTIFY_SOURCE is undefined - set(ADDITIONAL_COMPILER_FLAGS "${ADDITIONAL_COMPILER_FLAGS} -D_FORTIFY_SOURCE=2") - endif() + string(FIND "${CMAKE_CXX_FLAGS}" "-D_FORTIFY_SOURCE" _index) + if (${_index} EQUAL -1) # Define D_FORTIFY_SOURCE if undefined + set(SECURITY_COMPILER_FLAGS "${SECURITY_COMPILER_FLAGS} 
-D_FORTIFY_SOURCE=2") + endif() - if(CMAKE_BUILD_TYPE STREQUAL "Debug") - message(STATUS "Configuring for Debug build") - else() # Release, RelWithDebInfo, or multi configuration generator is being used (aka not specifing build type, or building with VS) - message(STATUS "Configuring for Release build") - set(ADDITIONAL_COMPILER_FLAGS "${ADDITIONAL_COMPILER_FLAGS} -Werror -z noexecstack -Wl,-z,relro,-z,now -fstack-protector-strong") - endif() - - set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} ${ADDITIONAL_COMPILER_FLAGS}") - set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} ${ADDITIONAL_COMPILER_FLAGS}") - - - set_directory_properties(PROPERTIES DIRECTORY third-party/ COMPILE_OPTIONS "-w") - set_source_files_properties(third-party/*.* PROPERTIES COMPILE_OPTIONS "-w") + if(CMAKE_BUILD_TYPE STREQUAL "Debug") + message(STATUS "Configuring for Debug build") + else() # Release, RelWithDebInfo, or multi configuration generator is being used (aka not specifing build type, or building with VS) + message(STATUS "Configuring for Release build") + set(SECURITY_COMPILER_FLAGS "${SECURITY_COMPILER_FLAGS} -Werror -z noexecstack -Wl,-z,relro,-z,now -fstack-protector-strong") + endif() + + set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} ${SECURITY_COMPILER_FLAGS}") + set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} ${SECURITY_COMPILER_FLAGS}") + + set(CMAKE_LINKER_FLAGS "${CMAKE_LINKER_FLAGS} -pie") - ################# + endif() if(APPLE) set(FORCE_RSUSB_BACKEND ON) diff --git a/CMake/windows_config.cmake b/CMake/windows_config.cmake index 4481173b45..4b94d06133 100644 --- a/CMake/windows_config.cmake +++ b/CMake/windows_config.cmake 
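Review bot: `set(CMAKE_LINKER_FLAGS "${CMAKE_LINKER_FLAGS} -pie")` near the end of the new GNU block writes to a variable that, as far as I know, CMake never reads. The link line is built from CMAKE_EXE_LINKER_FLAGS, CMAKE_SHARED_LINKER_FLAGS and CMAKE_MODULE_LINKER_FLAGS, so unless the project forwards this variable elsewhere, `-pie` does not reach the linker. I would write `set(CMAKE_EXE_LINKER_FLAGS "${CMAKE_EXE_LINKER_FLAGS} -pie")`; the windows_config.cmake hunk of this commit has the same issue with `/INCREMENTAL:NO /LTCG /NXCOMPAT`. The block is also now limited to `CMAKE_CXX_COMPILER_ID STREQUAL "GNU"`, so Clang builds get none of these flags, and the comment still lists -fPIE while the flag string sets -fPIC. os_set_flags starts and ends outside the hunk.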
@@ -41,7 +41,7 @@ macro(os_set_flags) set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} /MP") ############### - # According to SDLE we need to add the following flags for additional security: + # Due to security reasons we need to add the following flags for additional security: # Debug & Release: # /Gy: Enables function-level linking to reduce executable size. # /DYNAMICBASE: Enables Address Space Layout Randomization (ASLR) to improve security. 
@@ -49,27 +49,29 @@ macro(os_set_flags) # Release only: # /WX: Treats all warnings as errors. - # /LTCG (/GL): Enables Link Time Code Generation to improve performance. # /sdl: Enables additional security checks. + + # Release only linker flags: + # /LTCG (/GL): Enables Link Time Code Generation to improve performance. # /NXCOMPAT: Enables Data Execution Prevention (DEP) to prevent code execution in data areas. # see https://readthedocs.intel.com/SecureCodingStandards/2023.Q2.0/compiler/c-cpp/ for more details - set(ADDITIONAL_COMPILER_FLAGS "/Gy /DYNAMICBASE /GS /wd4101") + set(SECURITY_COMPILER_FLAGS "/Gy /DYNAMICBASE /GS /wd4101") if(CMAKE_BUILD_TYPE STREQUAL "Debug") message(STATUS "Configuring for Debug build") else() # Release, RelWithDebInfo, or multi configuration generator is being used (aka not specifing build type, or building with VS) message(STATUS "Configuring for Release build") - set(ADDITIONAL_COMPILER_FLAGS "${ADDITIONAL_COMPILER_FLAGS} /WX /sdl") - set(CMAKE_LINKER_FLAGS "${CMAKE_LINKER_FLAGS} /INCREMENTAL:NO /LTCG /NXCOMPAT") # ignoring '/INCREMENTAL' due to '/LTCG' specification + set(SECURITY_COMPILER_FLAGS "${SECURITY_COMPILER_FLAGS} /WX /sdl") endif() - set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} ${ADDITIONAL_COMPILER_FLAGS}") - set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} ${ADDITIONAL_COMPILER_FLAGS}") - - set_directory_properties(PROPERTIES DIRECTORY third-party/ COMPILE_OPTIONS "/W0") - set_source_files_properties(third-party/*.* PROPERTIES COMPILE_OPTIONS "/W0") + set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} ${SECURITY_COMPILER_FLAGS}") + set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} ${SECURITY_COMPILER_FLAGS}") + + if(NOT CMAKE_BUILD_TYPE STREQUAL "Debug") + set(CMAKE_LINKER_FLAGS "${CMAKE_LINKER_FLAGS} /INCREMENTAL:NO /LTCG /NXCOMPAT") # ignoring '/INCREMENTAL' due to '/LTCG' specification + endif() ################# diff --git a/examples/CMakeLists.txt b/examples/CMakeLists.txt index b8ee580d08..aaf3c1d369 100644 --- a/examples/CMakeLists.txt 
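Review bot: `/DYNAMICBASE` sits in `SECURITY_COMPILER_FLAGS`, which is passed to cl.exe through the C and C++ flags, but like `/NXCOMPAT` it is a link.exe option. To my knowledge the compiler driver ignores it with a command-line warning instead of forwarding it, so the ASLR setting then comes only from the linker default. I would keep `set(SECURITY_COMPILER_FLAGS "/Gy /GS /wd4101")` for the compiler and move `/DYNAMICBASE` to the linker flags next to `/NXCOMPAT`. The comment block also does not explain `/wd4101`; a line such as `# /wd4101: Disables warning C4101 (unreferenced local variable).` would document why a warning is switched off in a block that otherwise tightens checks.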
+++ b/examples/CMakeLists.txt @@ -7,7 +7,7 @@ set(CMAKE_EXPORT_COMPILE_COMMANDS 1) # View the makefile commands during build #set(CMAKE_VERBOSE_MAKEFILE on) -string(REPLACE "-fPIC" "-fPIE" CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS}") # examples are exeutables so we want position indepandent exeutables and not libraries +string(REPLACE "-fPIC" "-fPIE" CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS}") # examples are executables so we want position indepandent executables and not libraries set( DEPENDENCIES ${LRS_TARGET} ) if(BUILD_GRAPHICAL_EXAMPLES) diff --git a/src/hid/hid-device.cpp b/src/hid/hid-device.cpp index c903016967..01d79ad3fd 100644 --- a/src/hid/hid-device.cpp +++ b/src/hid/hid-device.cpp @@ -334,7 +334,7 @@ namespace librealsense //we want to change the sensitivity values only in gyro, for FW version >= 5.16 if( featureReport.reportId == REPORT_ID_GYROMETER_3D && _realsense_hid_report_actual_size == sizeof( REALSENSE_HID_REPORT ) ) - featureReport.sensitivity = (unsigned short)sensitivity; + featureReport.sensitivity = static_cast(sensitivity); res = dev->control_transfer(USB_REQUEST_CODE_SET, diff --git a/src/uvc/uvc-device.cpp b/src/uvc/uvc-device.cpp index 765d72210b..a23615ae74 100644 --- a/src/uvc/uvc-device.cpp +++ b/src/uvc/uvc-device.cpp @@ -177,7 +177,7 @@ namespace librealsense switch(state) { case D0: - _messenger = _usb_device->open((uint8_t)_info.mi); + _messenger = _usb_device->open(static_cast(_info.mi)); if (_messenger) { try{ @@ -654,7 +654,7 @@ namespace librealsense void rs_uvc_device::listen_to_interrupts() { - auto ctrl_interface = _usb_device->get_interface((uint8_t)_info.mi); + auto ctrl_interface = _usb_device->get_interface(static_cast(_info.mi)); if (!ctrl_interface) return; auto iep = ctrl_interface->first_endpoint(RS2_USB_ENDPOINT_DIRECTION_READ, RS2_USB_ENDPOINT_INTERRUPT); 
@@ -856,7 +856,7 @@ namespace librealsense req, probe ? (UVC_VS_PROBE_CONTROL << 8) : (UVC_VS_COMMIT_CONTROL << 8), ctrl->bInterfaceNumber, // When requestType is directed to an interface, the driver automatically passes the interface number in the low byte of index - buf, (uint32_t)len, transferred, 0); + buf, static_cast(len), transferred, 0); } while (sts != RS2_USB_STATUS_SUCCESS && retries++ < 5); } }, [this](){ return !_messenger; }); diff --git a/src/uvc/uvc-streamer.cpp b/src/uvc/uvc-streamer.cpp index 974aff5c52..01ccf9998e 100644 --- a/src/uvc/uvc-streamer.cpp +++ b/src/uvc/uvc-streamer.cpp @@ -28,7 +28,7 @@ namespace librealsense _action_dispatcher.start(); - _watchdog_timeout = (int64_t)((1000.0 / _context.profile.fps) * 10); + _watchdog_timeout = static_cast(((1000.0 / _context.profile.fps) * 10)); init(); } diff --git a/third-party/CMakeLists.txt b/third-party/CMakeLists.txt index c70314062e..9eb1a680b8 100644 --- a/third-party/CMakeLists.txt +++ b/third-party/CMakeLists.txt @@ -1,5 +1,12 @@ string(REPLACE ${PROJECT_SOURCE_DIR}/ "" _rel_path ${CMAKE_CURRENT_LIST_DIR}) +# ignore warnings on third party files +if (MSVC) + add_compile_options(/W0) +elseif (CMAKE_CXX_COMPILER_ID STREQUAL "GNU") + add_compile_options(-w) +endif() + include(CMake/external_json.cmake) add_subdirectory( "${CMAKE_CURRENT_LIST_DIR}/rsutils" ) diff --git a/third-party/rsutils/CMakeLists.txt b/third-party/rsutils/CMakeLists.txt index b0fc310497..386a8c1ba9 100644 --- a/third-party/rsutils/CMakeLists.txt +++ b/third-party/rsutils/CMakeLists.txt @@ -3,6 +3,7 @@ cmake_minimum_required(VERSION 3.8.0) # source_group(TREE) project( rsutils ) +set_directory_properties(PROPERTIES COMPILE_FLAGS "") # unignore warnings on rsutils - remove flag applied at third-party folder add_library( ${PROJECT_NAME} STATIC "" ) # We cannot directly interface with nlohmann_json (doesn't work on bionic) #target_link_libraries( ${PROJECT_NAME} PUBLIC nlohmann_json ) 
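Review bot: `set_directory_properties(PROPERTIES COMPILE_FLAGS "")` in third-party/rsutils/CMakeLists.txt does not undo the `add_compile_options(-w)` / `add_compile_options(/W0)` that this commit adds in third-party/CMakeLists.txt. add_compile_options appends to the directory's COMPILE_OPTIONS property, which subdirectories inherit, and COMPILE_FLAGS is a different property. As written, rsutils would still be compiled with all warnings suppressed, including -Wformat-security. I would use `set_directory_properties(PROPERTIES COMPILE_OPTIONS "")`, or call `add_subdirectory(rsutils)` before the add_compile_options block.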
diff --git a/tools/CMakeLists.txt b/tools/CMakeLists.txt index bca5cdf6f9..d758cd01c4 100644 --- a/tools/CMakeLists.txt +++ b/tools/CMakeLists.txt @@ -7,7 +7,7 @@ set(CMAKE_EXPORT_COMPILE_COMMANDS 1) # View the makefile commands during build #set(CMAKE_VERBOSE_MAKEFILE on) -string(REPLACE "-fPIC" "-fPIE" CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS}") # tools are exeutables so we want position indepandent exeutables and not libraries +string(REPLACE "-fPIC" "-fPIE" CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS}") # tools are executables so we want position indepandent executables and not libraries list( APPEND DEPENDENCIES ${LRS_TARGET} tclap ) From 24c4dcc135fdc7d1a1f098dd1b61b900856d6736 Mon Sep 17 00:00:00 2001 From: Avia Avraham <145359432+AviaAv@users.noreply.github.com> Date: Mon, 14 Oct 2024 10:47:34 +0300 Subject: [PATCH 17/22] fix compile options --- CMake/external_fastdds.cmake | 5 +++++ CMakeLists.txt | 6 ++++++ third-party/CMakeLists.txt | 15 +++++++-------- third-party/rsutils/CMakeLists.txt | 1 - third-party/rsutils/src/json.cpp | 4 ++-- 5 files changed, 20 insertions(+), 11 deletions(-) diff --git a/CMake/external_fastdds.cmake b/CMake/external_fastdds.cmake index 856e0dbfc7..00f8d7b8b9 100644 --- a/CMake/external_fastdds.cmake +++ b/CMake/external_fastdds.cmake @@ -60,6 +60,11 @@ function(get_fastdds) add_library(dds INTERFACE) target_link_libraries( dds INTERFACE fastcdr fastrtps ) + if (MSVC) + target_compile_options( dds INTERFACE "/W0" ) + elseif (CMAKE_CXX_COMPILER_ID STREQUAL "GNU") + target_compile_options( dds INTERFACE "-w" ) + endif() add_definitions(-DBUILD_WITH_DDS) diff --git a/CMakeLists.txt b/CMakeLists.txt index 467c844b09..3f9fd95030 100644 --- a/CMakeLists.txt +++ b/CMakeLists.txt 
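Review bot: `target_compile_options( dds INTERFACE "-w" )` (and `"/W0"` for MSVC) in the external_fastdds.cmake hunk does not quiet the FastDDS build itself. INTERFACE options are usage requirements, so they are added to every target that links `dds`. If realdds or the main library link it, their own sources are compiled with warnings off, which hides -Wformat-security findings in first-party code. To silence only third-party headers, marking their include directories as SYSTEM is the narrower tool. get_fastdds() starts outside the hunk.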
@@ -61,11 +61,17 @@ target_link_libraries( ${LRS_TARGET} PUBLIC rsutils ) if(BUILD_WITH_DDS) if (CMAKE_SYSTEM MATCHES "Windows" OR CMAKE_SYSTEM MATCHES "Linux") + string(REPLACE "${SECURITY_COMPILER_FLAGS}" "" CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS}") # remove security flags + string(REPLACE "${SECURITY_COMPILER_FLAGS}" "" CMAKE_C_FLAGS "${CMAKE_C_FLAGS}") + message(STATUS "Building with FastDDS") include(CMake/external_foonathan_memory.cmake) include(CMake/external_fastdds.cmake) target_link_libraries( ${LRS_TARGET} PRIVATE realdds ) + + set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} ${SECURITY_COMPILER_FLAGS}") + set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} ${SECURITY_COMPILER_FLAGS}") else() MESSAGE(STATUS "Turning off `BUILD_WITH_DDS` as it's only supported on Windows & Linux and not on ${CMAKE_SYSTEM}") diff --git a/third-party/CMakeLists.txt b/third-party/CMakeLists.txt index 9eb1a680b8..47164ed9a4 100644 --- a/third-party/CMakeLists.txt +++ b/third-party/CMakeLists.txt @@ -1,16 +1,12 @@ string(REPLACE ${PROJECT_SOURCE_DIR}/ "" _rel_path ${CMAKE_CURRENT_LIST_DIR}) -# ignore warnings on third party files -if (MSVC) - add_compile_options(/W0) -elseif (CMAKE_CXX_COMPILER_ID STREQUAL "GNU") - add_compile_options(-w) -endif() - -include(CMake/external_json.cmake) add_subdirectory( "${CMAKE_CURRENT_LIST_DIR}/rsutils" ) +string(REPLACE "${SECURITY_COMPILER_FLAGS}" "" CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS}") # remove security flags +string(REPLACE "${SECURITY_COMPILER_FLAGS}" "" CMAKE_C_FLAGS "${CMAKE_C_FLAGS}") + +include(CMake/external_json.cmake) # Add additional include directories to allow file to include rosbag headers include(${_rel_path}/realsense-file/config.cmake) @@ -25,3 +21,6 @@ if( BUILD_WITH_DDS ) add_subdirectory( "${CMAKE_CURRENT_LIST_DIR}/realdds" ) endif() +# restore flags +set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} ${SECURITY_COMPILER_FLAGS}") +set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} ${SECURITY_COMPILER_FLAGS}") 
diff --git a/third-party/rsutils/CMakeLists.txt b/third-party/rsutils/CMakeLists.txt index 386a8c1ba9..b0fc310497 100644 --- a/third-party/rsutils/CMakeLists.txt +++ b/third-party/rsutils/CMakeLists.txt @@ -3,7 +3,6 @@ cmake_minimum_required(VERSION 3.8.0) # source_group(TREE) project( rsutils ) -set_directory_properties(PROPERTIES COMPILE_FLAGS "") # unignore warnings on rsutils - remove flag applied at third-party folder add_library( ${PROJECT_NAME} STATIC "" ) # We cannot directly interface with nlohmann_json (doesn't work on bionic) #target_link_libraries( ${PROJECT_NAME} PUBLIC nlohmann_json ) diff --git a/third-party/rsutils/src/json.cpp b/third-party/rsutils/src/json.cpp index 81653ada1d..6428bc7003 100644 --- a/third-party/rsutils/src/json.cpp +++ b/third-party/rsutils/src/json.cpp @@ -411,7 +411,7 @@ class serializer { dump( *i, pretty_print_width, ensure_ascii, indent_step, new_indent ); _o.put( ',' ); - if( need_to_indent || pretty_print_width && _line_width > pretty_print_width ) + if( need_to_indent || (pretty_print_width && _line_width > pretty_print_width )) { newline(); _o.write( _indent_string.c_str(), new_indent ); @@ -1100,7 +1100,7 @@ class serializer } }; - JSON_ASSERT(byte < utf8d.size()); + JSON_ASSERT(static_cast(byte) < utf8d.size()); const std::uint8_t type = utf8d[byte]; codep = (state != UTF8_ACCEPT) From a64cc1f74af1fb599069d2f9dae361178737436b Mon Sep 17 00:00:00 2001 
From: Avia Avraham <145359432+AviaAv@users.noreply.github.com> Date: Sun, 27 Oct 2024 16:05:46 +0200 Subject: [PATCH 18/22] add helper function, unignore warnings on dds target --- CMake/external_fastdds.cmake | 5 ----- CMake/external_libcurl.cmake | 7 +++---- CMake/security_flags_helper_functions.cmake | 20 ++++++++++++++++++++ CMake/unix_config.cmake | 3 +-- CMake/windows_config.cmake | 3 +-- CMakeLists.txt | 9 +++++---- examples/CMakeLists.txt | 4 ++-- third-party/CMakeLists.txt | 8 +++----- tools/CMakeLists.txt | 4 ++-- 9 files changed, 37 insertions(+), 26 deletions(-) create mode 100644 CMake/security_flags_helper_functions.cmake diff --git a/CMake/external_fastdds.cmake b/CMake/external_fastdds.cmake index 00f8d7b8b9..856e0dbfc7 100644 --- a/CMake/external_fastdds.cmake +++ b/CMake/external_fastdds.cmake @@ -60,11 +60,6 @@ function(get_fastdds) add_library(dds INTERFACE) target_link_libraries( dds INTERFACE fastcdr fastrtps ) - if (MSVC) - target_compile_options( dds INTERFACE "/W0" ) - elseif (CMAKE_CXX_COMPILER_ID STREQUAL "GNU") - target_compile_options( dds INTERFACE "-w" ) - endif() add_definitions(-DBUILD_WITH_DDS) diff --git a/CMake/external_libcurl.cmake b/CMake/external_libcurl.cmake index 36750d47fb..61f804814b 100644 --- a/CMake/external_libcurl.cmake +++ b/CMake/external_libcurl.cmake @@ -1,7 +1,7 @@ if(CHECK_FOR_UPDATES) - string(REPLACE "${SECURITY_COMPILER_FLAGS}" "" CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS}") # remove flags - string(REPLACE "${SECURITY_COMPILER_FLAGS}" "" CMAKE_C_FLAGS "${CMAKE_C_FLAGS}") + pop_security_flags() # remove security flags + include(ExternalProject) message(STATUS "Building libcurl enabled") @@ -63,6 +63,5 @@ if(CHECK_FOR_UPDATES) endif() endif() - set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} ${SECURITY_COMPILER_FLAGS}") - set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} ${SECURITY_COMPILER_FLAGS}") + push_security_flags() endif() #CHECK_FOR_UPDATES 
diff --git a/CMake/security_flags_helper_functions.cmake b/CMake/security_flags_helper_functions.cmake new file mode 100644 index 0000000000..5dc52e16e2 --- /dev/null +++ b/CMake/security_flags_helper_functions.cmake @@ -0,0 +1,20 @@ +macro(push_security_flags) # remove security flags + set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} ${SECURITY_COMPILER_FLAGS}") + set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} ${SECURITY_COMPILER_FLAGS}") +endmacro() + +macro(pop_security_flags) # append security flags + string(REPLACE "${SECURITY_COMPILER_FLAGS}" "" CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS}") + string(REPLACE "${SECURITY_COMPILER_FLAGS}" "" CMAKE_C_FLAGS "${CMAKE_C_FLAGS}") +endmacro() + +macro(set_security_flags_for_executable) # replace flag fPIC (Position-Independent Code) with fPIE (Position-Independent Executable) + string(REPLACE "-fPIC" "-fPIE" CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS}") + string(REPLACE "-fPIC" "-fPIE" CMAKE_C_FLAGS "${CMAKE_C_FLAGS}") +endmacro() + +macro(unset_security_flags_for_executable) # replace flag fPIE (Position-Independent Executable) with fPIC (Position-Independent Code) + string(REPLACE "-fPIE" "-fPIC" CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS}") + string(REPLACE "-fPIE" "-fPIC" CMAKE_C_FLAGS "${CMAKE_C_FLAGS}") +endmacro() + diff --git a/CMake/unix_config.cmake b/CMake/unix_config.cmake index bc88fcb408..1e22852d0f 100644 --- a/CMake/unix_config.cmake +++ b/CMake/unix_config.cmake @@ -84,8 +84,7 @@ macro(os_set_flags) set(SECURITY_COMPILER_FLAGS "${SECURITY_COMPILER_FLAGS} -Werror -z noexecstack -Wl,-z,relro,-z,now -fstack-protector-strong") endif() - set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} ${SECURITY_COMPILER_FLAGS}") - set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} ${SECURITY_COMPILER_FLAGS}") + push_security_flags() set(CMAKE_LINKER_FLAGS "${CMAKE_LINKER_FLAGS} -pie") diff --git a/CMake/windows_config.cmake b/CMake/windows_config.cmake index 4b94d06133..dd2a9dfe80 100644 --- a/CMake/windows_config.cmake +++ b/CMake/windows_config.cmake 
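Review bot: The comments on the first two macros in security_flags_helper_functions.cmake are swapped: `push_security_flags` appends SECURITY_COMPILER_FLAGS while its comment says "remove security flags", and `pop_security_flags` strips them while its comment says "append security flags". I would write `macro(push_security_flags) # append SECURITY_COMPILER_FLAGS to the C and C++ flags` and `macro(pop_security_flags) # strip SECURITY_COMPILER_FLAGS from the C and C++ flags`. pop_security_flags also depends on the exact flag string still being present. Once `set_security_flags_for_executable()` has rewritten -fPIC to -fPIE it would match nothing and leave the flags in place, so a header comment saying the macros are not a stack and must not be combined with the PIE macros would help.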
@@ -66,8 +66,7 @@ macro(os_set_flags) set(SECURITY_COMPILER_FLAGS "${SECURITY_COMPILER_FLAGS} /WX /sdl") endif() - set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} ${SECURITY_COMPILER_FLAGS}") - set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} ${SECURITY_COMPILER_FLAGS}") + push_security_flags() if(NOT CMAKE_BUILD_TYPE STREQUAL "Debug") set(CMAKE_LINKER_FLAGS "${CMAKE_LINKER_FLAGS} /INCREMENTAL:NO /LTCG /NXCOMPAT") # ignoring '/INCREMENTAL' due to '/LTCG' specification diff --git a/CMakeLists.txt b/CMakeLists.txt index 3f9fd95030..8c4f51966c 100644 --- a/CMakeLists.txt +++ b/CMakeLists.txt @@ -29,6 +29,9 @@ endif() list(APPEND CMAKE_MODULE_PATH ${CMAKE_CURRENT_LIST_DIR}/CMake) +# include security flags helper functions +include(CMake/security_flags_helper_functions.cmake) + # include librealsense general configuration include(CMake/global_config.cmake) @@ -61,8 +64,7 @@ target_link_libraries( ${LRS_TARGET} PUBLIC rsutils ) if(BUILD_WITH_DDS) if (CMAKE_SYSTEM MATCHES "Windows" OR CMAKE_SYSTEM MATCHES "Linux") - string(REPLACE "${SECURITY_COMPILER_FLAGS}" "" CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS}") # remove security flags - string(REPLACE "${SECURITY_COMPILER_FLAGS}" "" CMAKE_C_FLAGS "${CMAKE_C_FLAGS}") + pop_security_flags() message(STATUS "Building with FastDDS") include(CMake/external_foonathan_memory.cmake) @@ -70,8 +72,7 @@ if(BUILD_WITH_DDS) target_link_libraries( ${LRS_TARGET} PRIVATE realdds ) - set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} ${SECURITY_COMPILER_FLAGS}") - set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} ${SECURITY_COMPILER_FLAGS}") + push_security_flags() else() MESSAGE(STATUS "Turning off `BUILD_WITH_DDS` as it's only supported on Windows & Linux and not on ${CMAKE_SYSTEM}") diff --git a/examples/CMakeLists.txt b/examples/CMakeLists.txt index aaf3c1d369..b43469404d 100644 --- a/examples/CMakeLists.txt +++ b/examples/CMakeLists.txt 
@@ -7,7 +7,7 @@ set(CMAKE_EXPORT_COMPILE_COMMANDS 1) # View the makefile commands during build #set(CMAKE_VERBOSE_MAKEFILE on) -string(REPLACE "-fPIC" "-fPIE" CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS}") # examples are executables so we want position indepandent executables and not libraries +set_security_flags_for_executable() # examples are executables so we want position indepandent executables and not libraries set( DEPENDENCIES ${LRS_TARGET} ) if(BUILD_GRAPHICAL_EXAMPLES) @@ -43,4 +43,4 @@ add_subdirectory(motion) add_subdirectory(gl) add_subdirectory(hdr) -string(REPLACE "-fPIE" "-fPIC" CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS}") +unset_security_flags_for_executable() diff --git a/third-party/CMakeLists.txt b/third-party/CMakeLists.txt index 47164ed9a4..708ffc8439 100644 --- a/third-party/CMakeLists.txt +++ b/third-party/CMakeLists.txt @@ -3,8 +3,7 @@ string(REPLACE ${PROJECT_SOURCE_DIR}/ "" _rel_path ${CMAKE_CURRENT_LIST_DIR}) add_subdirectory( "${CMAKE_CURRENT_LIST_DIR}/rsutils" ) -string(REPLACE "${SECURITY_COMPILER_FLAGS}" "" CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS}") # remove security flags -string(REPLACE "${SECURITY_COMPILER_FLAGS}" "" CMAKE_C_FLAGS "${CMAKE_C_FLAGS}") +pop_security_flags() include(CMake/external_json.cmake) # Add additional include directories to allow file to include rosbag headers @@ -21,6 +20,5 @@ if( BUILD_WITH_DDS ) add_subdirectory( "${CMAKE_CURRENT_LIST_DIR}/realdds" ) endif() -# restore flags -set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} ${SECURITY_COMPILER_FLAGS}") -set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} ${SECURITY_COMPILER_FLAGS}") +# restore security flags +push_security_flags() diff --git a/tools/CMakeLists.txt b/tools/CMakeLists.txt index d758cd01c4..7098757b98 100644 --- a/tools/CMakeLists.txt +++ b/tools/CMakeLists.txt 
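Review bot: `set_security_flags_for_executable()` in examples/CMakeLists.txt only rewrites a compile flag, and only if `-fPIC` is already present in `CMAKE_CXX_FLAGS`/`CMAKE_C_FLAGS`; when it is absent the call is a silent no-op and the examples are compiled without `-fPIE`. A position-independent executable also needs `-pie` at link time, which nothing in this hunk arranges. CMake can handle both halves: `include(CheckPIESupported)`, `check_pie_supported()` and `set(CMAKE_POSITION_INDEPENDENT_CODE ON)` before the `add_subdirectory` calls make it pass the PIE compile and link options for executables (CMake 3.14 or newer, with policy CMP0083 set to NEW). The same applies to the two tools/CMakeLists.txt hunks.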
@@ -7,7 +7,7 @@ set(CMAKE_EXPORT_COMPILE_COMMANDS 1) # View the makefile commands during build #set(CMAKE_VERBOSE_MAKEFILE on) -string(REPLACE "-fPIC" "-fPIE" CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS}") # tools are executables so we want position indepandent executables and not libraries +set_security_flags_for_executable() # tools are executables so we want position indepandent executables and not libraries list( APPEND DEPENDENCIES ${LRS_TARGET} tclap ) @@ -48,4 +48,4 @@ if(BUILD_EXAMPLES) endif() endif() -string(REPLACE "-fPIE" "-fPIC" CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS}") +unset_security_flags_for_executable() From 4ce2041cc043a9fcd01e16b2d608319a1cf65019 Mon Sep 17 00:00:00 2001 From: Avia Avraham <145359432+AviaAv@users.noreply.github.com> Date: Tue, 29 Oct 2024 11:22:20 +0200 Subject: [PATCH 19/22] add ENABLE_SECURITY_FLAGS option --- .github/workflows/buildsCI.yaml | 105 ++++++++++++++++++++++++++++++++ CMake/lrs_options.cmake | 1 + CMake/unix_config.cmake | 2 +- CMake/windows_config.cmake | 62 +++++++++---------- 4 files changed, 138 insertions(+), 32 deletions(-) diff --git a/.github/workflows/buildsCI.yaml b/.github/workflows/buildsCI.yaml index bc46e5bed6..515bd53196 100644 --- a/.github/workflows/buildsCI.yaml +++ b/.github/workflows/buildsCI.yaml 
@@ -215,6 +215,55 @@ jobs: run: | python3 unit-tests/run-unit-tests.py --no-color --debug --stdout --not-live --context "dds windows" ${{env.WIN_BUILD_DIR}}/Release +#-------------------------------------------------------------------------------- + Win_SH_Py_DDS_CI_SEC: # Windows, Shared, Python, Tools, DDS, libCI without executables, additional security checks + runs-on: windows-2019 + timeout-minutes: 60 + steps: + - uses: actions/checkout@v4 + - uses: actions/setup-python@v5 + with: + python-version: '3.8.1' + + - name: Enable Long Paths + shell: powershell + run: | + New-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\FileSystem" -Name "LongPathsEnabled" -Value 1 -PropertyType DWORD -Force + + - name: Check_API + shell: bash + run: | + cd scripts + ./api_check.sh + cd .. + + - name: PreBuild + shell: bash + run: | + mkdir ${{env.WIN_BUILD_DIR}} + python3 -m pip install numpy + + - name: Configure CMake + shell: bash + run: | + LRS_SRC_DIR=$(pwd) + cd ${{env.WIN_BUILD_DIR}} + cmake ${LRS_SRC_DIR} -G "Visual Studio 16 2019" -DBUILD_SHARED_LIBS=true -DBUILD_EXAMPLES=false -DBUILD_TOOLS=true -DBUILD_UNIT_TESTS=false -DCHECK_FOR_UPDATES=false -DBUILD_WITH_DDS=true -DPYTHON_EXECUTABLE=${{env.PYTHON_PATH}} -DBUILD_PYTHON_BINDINGS=true -DENABLE_SECURITY_FLAGS=true + + - name: Build + # Build your program with the given configuration + shell: bash + run: | + cd ${{env.WIN_BUILD_DIR}} + cmake --build . --config ${{env.LRS_RUN_CONFIG}} -- -m + + - name: LibCI + # Note: we specifically disable BUILD_UNIT_TESTS so the executable C++ unit-tests won't run + # This is to save time as DDS already lengthens the build... + shell: bash + run: | + python3 unit-tests/run-unit-tests.py --no-color --debug --stdout --not-live --context "dds windows" ${{env.WIN_BUILD_DIR}}/Release + #-------------------------------------------------------------------------------- Win_SH_Py_RSUSB_Csharp: # Windows, Shared, Python, RSUSB backend, C# bindings 
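Review bot: The new `Win_SH_Py_DDS_CI_SEC` job shows that the tree compiles with `-DENABLE_SECURITY_FLAGS=true`, but no step checks that the produced binaries actually carry the mitigations. A short step after `Build` that inspects the built DLLs (for example `dumpbin /headers` and a check for the "Dynamic base" and "NX compatible" characteristics) would turn the job into a regression test for the flags; the Ubuntu job `U20_ST_Py_DDS_RSUSB_CI_SEC` added in the next hunk could do the same with `readelf` for `GNU_RELRO`, `BIND_NOW` and a non-executable `GNU_STACK`. Separately, `python3 -m pip install numpy` installs whatever version is current, and pinning it would keep the security build reproducible.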
@@ -394,6 +443,62 @@ jobs: python3 unit-tests/run-unit-tests.py --no-color --debug --stdout --not-live --context "dds linux" --tag dds + #-------------------------------------------------------------------------------- + U20_ST_Py_DDS_RSUSB_CI_SEC: # Ubuntu 2020, Static, Python, DDS, RSUSB, LibCI without executables, additional security checks + runs-on: ubuntu-20.04 + timeout-minutes: 60 + steps: + - uses: actions/checkout@v4 + + - name: Prebuild + shell: bash + run: | + sudo apt-get update; + sudo apt-get install -qq build-essential xorg-dev libgl1-mesa-dev libglu1-mesa-dev libglew-dev libglm-dev; + sudo apt-get install -qq libusb-1.0-0-dev; + sudo apt-get install -qq libgtk-3-dev; + sudo apt-get install libglfw3-dev libglfw3; + # We force compiling with GCC 7 because the default installed GCC 9 compiled with LTO and gives an internal compiler error + sudo apt-get install gcc-7 g++-7; + sudo update-alternatives --install /usr/bin/gcc gcc /usr/bin/gcc-7 60 --slave /usr/bin/g++ g++ /usr/bin/g++-7; + python3 -m pip install numpy + + - name: Check_API + shell: bash + run: | + cd scripts + ./api_check.sh + ./pr_check.sh + cd .. + mkdir build + + - name: Build + # Note: we force RSUSB because, on Linux, the context creation will fail on GHA: + # (backend-v4l2.cpp:555) Cannot access /sys/class/video4linux) + # And, well, we don't need any specific platform for DDS! + shell: bash + run: | + cd build + cmake .. -DCMAKE_BUILD_TYPE=${{env.LRS_RUN_CONFIG}} -DBUILD_SHARED_LIBS=false -DBUILD_EXAMPLES=false -DBUILD_TOOLS=false -DBUILD_UNIT_TESTS=false -DCHECK_FOR_UPDATES=false -DBUILD_WITH_DDS=true -DBUILD_PYTHON_BINDINGS=true -DPYTHON_EXECUTABLE=$(which python3) -DFORCE_RSUSB_BACKEND=true -DENABLE_SECURITY_FLAGS=true + cmake --build . -- -j4 + + - name: Client for realsense2-all + shell: bash + run: | + mkdir build/rs-all-client + cd build/rs-all-client + cmake ../../.github/workflows/rs-all-client -DBUILD_WITH_DDS=ON -DFORCE_RSUSB_BACKEND=ON + cmake --build . 
-- -j4 + ./rs-all-client + + - name: LibCI + # Note: we specifically disable BUILD_UNIT_TESTS so the executable C++ unit-tests won't run + # This is to save time as DDS already lengthens the build... + shell: bash + run: | + python3 unit-tests/run-unit-tests.py --no-color --debug --stdout --not-live --context "dds linux" --tag dds + + #-------------------------------------------------------------------------------- U22_U24_SH_Py_DDS_CI: # Ubuntu, Shared, Python, DDS, LibCI without executables runs-on: ${{ matrix.os }} diff --git a/CMake/lrs_options.cmake b/CMake/lrs_options.cmake index cc2b21de13..02ca70796b 100644 --- a/CMake/lrs_options.cmake +++ b/CMake/lrs_options.cmake @@ -47,4 +47,5 @@ endif() option(BUILD_PC_STITCHING "Build pointcloud-stitching example" OFF) option(BUILD_WITH_DDS "Access camera devices through DDS topics (requires CMake 3.16.3)" OFF) option(BUILD_RS2_ALL "Build realsense2-all static bundle containing all realsense libraries (with BUILD_SHARED_LIBS=OFF)" ON) +option(ENABLE_SECURITY_FLAGS "Enable additional compiler security flags to enhance the build's security" OFF) diff --git a/CMake/unix_config.cmake b/CMake/unix_config.cmake index 1e22852d0f..e6d02574dd 100644 --- a/CMake/unix_config.cmake +++ b/CMake/unix_config.cmake @@ -48,7 +48,7 @@ macro(os_set_flags) endif() - if (CMAKE_CXX_COMPILER_ID STREQUAL "GNU") + if (CMAKE_CXX_COMPILER_ID STREQUAL "GNU" AND ENABLE_SECURITY_FLAGS) # Due to security reasons we need to add the following flags for additional security: # Debug & Release: # -Wformat: Checks for format string vulnerabilities. diff --git a/CMake/windows_config.cmake b/CMake/windows_config.cmake index dd2a9dfe80..c01189b729 100644 --- a/CMake/windows_config.cmake +++ b/CMake/windows_config.cmake 
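Review bot: With the new condition `CMAKE_CXX_COMPILER_ID STREQUAL "GNU" AND ENABLE_SECURITY_FLAGS` in CMake/unix_config.cmake, a Clang or AppleClang build configured with `-DENABLE_SECURITY_FLAGS=ON` gets no hardening flags and no hint that the option was ignored. An `elseif(ENABLE_SECURITY_FLAGS)` branch with `message(WARNING "ENABLE_SECURITY_FLAGS is ON but no security flags are defined for ${CMAKE_CXX_COMPILER_ID}")` would make that visible. The option is also declared `OFF` in CMake/lrs_options.cmake, whereas the removed condition applied the flags to every GNU build, so default builds lose the stack protector and RELRO settings with this patch; if that is deliberate because of `-Werror`, a comment next to the option saying so would help packagers. The `if` block and the enclosing `os_set_flags` macro continue outside the hunk.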
@@ -40,39 +40,39 @@ macro(os_set_flags) set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} /MP") set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} /MP") - ############### - # Due to security reasons we need to add the following flags for additional security: - # Debug & Release: - # /Gy: Enables function-level linking to reduce executable size. - # /DYNAMICBASE: Enables Address Space Layout Randomization (ASLR) to improve security. - # /GS: Enables buffer security checks to prevent buffer overflows. - - # Release only: - # /WX: Treats all warnings as errors. - # /sdl: Enables additional security checks. - - # Release only linker flags: - # /LTCG (/GL): Enables Link Time Code Generation to improve performance. - # /NXCOMPAT: Enables Data Execution Prevention (DEP) to prevent code execution in data areas. - - # see https://readthedocs.intel.com/SecureCodingStandards/2023.Q2.0/compiler/c-cpp/ for more details - - set(SECURITY_COMPILER_FLAGS "/Gy /DYNAMICBASE /GS /wd4101") + if (ENABLE_SECURITY_FLAGS) + # Due to security reasons we need to add the following flags for additional security: + # Debug & Release: + # /Gy: Enables function-level linking to reduce executable size. + # /DYNAMICBASE: Enables Address Space Layout Randomization (ASLR) to improve security. + # /GS: Enables buffer security checks to prevent buffer overflows. + + # Release only: + # /WX: Treats all warnings as errors. + # /sdl: Enables additional security checks. + + # Release only linker flags: + # /LTCG (/GL): Enables Link Time Code Generation to improve performance. + # /NXCOMPAT: Enables Data Execution Prevention (DEP) to prevent code execution in data areas. 
+ + # see https://readthedocs.intel.com/SecureCodingStandards/2023.Q2.0/compiler/c-cpp/ for more details + + set(SECURITY_COMPILER_FLAGS "/Gy /DYNAMICBASE /GS /wd4101") + + if(CMAKE_BUILD_TYPE STREQUAL "Debug") + message(STATUS "Configuring for Debug build") + else() # Release, RelWithDebInfo, or multi configuration generator is being used (aka not specifing build type, or building with VS) + message(STATUS "Configuring for Release build") + set(SECURITY_COMPILER_FLAGS "${SECURITY_COMPILER_FLAGS} /WX /sdl") + endif() + + push_security_flags() + + if(NOT CMAKE_BUILD_TYPE STREQUAL "Debug") + set(CMAKE_LINKER_FLAGS "${CMAKE_LINKER_FLAGS} /INCREMENTAL:NO /LTCG /NXCOMPAT") # ignoring '/INCREMENTAL' due to '/LTCG' specification + endif() - if(CMAKE_BUILD_TYPE STREQUAL "Debug") - message(STATUS "Configuring for Debug build") - else() # Release, RelWithDebInfo, or multi configuration generator is being used (aka not specifing build type, or building with VS) - message(STATUS "Configuring for Release build") - set(SECURITY_COMPILER_FLAGS "${SECURITY_COMPILER_FLAGS} /WX /sdl") endif() - - push_security_flags() - - if(NOT CMAKE_BUILD_TYPE STREQUAL "Debug") - set(CMAKE_LINKER_FLAGS "${CMAKE_LINKER_FLAGS} /INCREMENTAL:NO /LTCG /NXCOMPAT") # ignoring '/INCREMENTAL' due to '/LTCG' specification - endif() - - ################# set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} /bigobj /wd4819") set(LRS_TRY_USE_AVX true) From 6b0b06a4e42e50f515bec2115e7f9eb93d496c79 Mon Sep 17 00:00:00 2001 From: Avia Avraham <145359432+AviaAv@users.noreply.github.com> Date: Wed, 30 Oct 2024 12:47:08 +0200 Subject: [PATCH 20/22] move security flags change into projects' cmake --- CMake/external_fastdds.cmake | 5 ++++- CMake/external_foonathan_memory.cmake | 4 ++++ CMakeLists.txt | 4 ---- third-party/CMakeLists.txt | 2 +- 4 files changed, 9 insertions(+), 6 deletions(-) diff --git a/CMake/external_fastdds.cmake b/CMake/external_fastdds.cmake index 856e0dbfc7..59e16290b9 100644 
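Review bot: The Release-only line `set(CMAKE_LINKER_FLAGS "${CMAKE_LINKER_FLAGS} /INCREMENTAL:NO /LTCG /NXCOMPAT")` writes a variable that CMake does not read when it links; unless the project forwards it somewhere outside this hunk, `/NXCOMPAT` and `/LTCG` never reach the linker. The variables CMake consumes are per target type, e.g. `set(CMAKE_EXE_LINKER_FLAGS "${CMAKE_EXE_LINKER_FLAGS} /INCREMENTAL:NO /LTCG /NXCOMPAT")` and the same for `CMAKE_SHARED_LINKER_FLAGS` (the `-pie` line in CMake/unix_config.cmake has the same problem). `/DYNAMICBASE` is likewise a linker option, so it belongs there rather than in `SECURITY_COMPILER_FLAGS`. Both mitigations are linker defaults in current MSVC, so the output is probably unaffected today, but the build is not enforcing what the comment block promises. The `os_set_flags` macro starts and ends outside the hunk.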
--- a/CMake/external_fastdds.cmake +++ b/CMake/external_fastdds.cmake @@ -67,7 +67,10 @@ function(get_fastdds) message(CHECK_PASS "Done") endfunction() + +pop_security_flags() + # Trigger the FastDDS build get_fastdds() - +push_security_flags() diff --git a/CMake/external_foonathan_memory.cmake b/CMake/external_foonathan_memory.cmake index f6c4938267..de91069005 100644 --- a/CMake/external_foonathan_memory.cmake +++ b/CMake/external_foonathan_memory.cmake @@ -41,4 +41,8 @@ function(get_foonathan_memory) endfunction() +pop_security_flags() + get_foonathan_memory() + +push_security_flags() diff --git a/CMakeLists.txt b/CMakeLists.txt index 8c4f51966c..24cfb79587 100644 --- a/CMakeLists.txt +++ b/CMakeLists.txt @@ -63,16 +63,12 @@ target_link_libraries( ${LRS_TARGET} PUBLIC rsutils ) if(BUILD_WITH_DDS) if (CMAKE_SYSTEM MATCHES "Windows" OR CMAKE_SYSTEM MATCHES "Linux") - - pop_security_flags() message(STATUS "Building with FastDDS") include(CMake/external_foonathan_memory.cmake) include(CMake/external_fastdds.cmake) target_link_libraries( ${LRS_TARGET} PRIVATE realdds ) - - push_security_flags() else() MESSAGE(STATUS "Turning off `BUILD_WITH_DDS` as it's only supported on Windows & Linux and not on ${CMAKE_SYSTEM}") diff --git a/third-party/CMakeLists.txt b/third-party/CMakeLists.txt index 708ffc8439..c28e66c84d 100644 --- a/third-party/CMakeLists.txt +++ b/third-party/CMakeLists.txt @@ -3,7 +3,7 @@ string(REPLACE ${PROJECT_SOURCE_DIR}/ "" _rel_path ${CMAKE_CURRENT_LIST_DIR}) add_subdirectory( "${CMAKE_CURRENT_LIST_DIR}/rsutils" ) -pop_security_flags() +pop_security_flags() # remove security flags for third party, as we cannot guarantee their security enforcment include(CMake/external_json.cmake) # Add additional include directories to allow file to include rosbag headers From dcc624bb6fb5cdcf2db197f74e5d698767f7e085 Mon Sep 17 00:00:00 2001 
From: Avia Avraham <145359432+AviaAv@users.noreply.github.com> Date: Wed, 30 Oct 2024 12:52:25 +0200 Subject: [PATCH 21/22] remove libci from security builds --- .github/workflows/buildsCI.yaml | 18 ++---------------- 1 file changed, 2 insertions(+), 16 deletions(-) diff --git a/.github/workflows/buildsCI.yaml b/.github/workflows/buildsCI.yaml index 515bd53196..78d4f98436 100644 --- a/.github/workflows/buildsCI.yaml +++ b/.github/workflows/buildsCI.yaml @@ -216,7 +216,7 @@ jobs: python3 unit-tests/run-unit-tests.py --no-color --debug --stdout --not-live --context "dds windows" ${{env.WIN_BUILD_DIR}}/Release #-------------------------------------------------------------------------------- - Win_SH_Py_DDS_CI_SEC: # Windows, Shared, Python, Tools, DDS, libCI without executables, additional security checks + Win_SH_Py_DDS_SEC: # Windows, Shared, Python, Tools, DDS, additional security checks runs-on: windows-2019 timeout-minutes: 60 steps: @@ -257,13 +257,6 @@ jobs: cd ${{env.WIN_BUILD_DIR}} cmake --build . --config ${{env.LRS_RUN_CONFIG}} -- -m - - name: LibCI - # Note: we specifically disable BUILD_UNIT_TESTS so the executable C++ unit-tests won't run - # This is to save time as DDS already lengthens the build... - shell: bash - run: | - python3 unit-tests/run-unit-tests.py --no-color --debug --stdout --not-live --context "dds windows" ${{env.WIN_BUILD_DIR}}/Release - #-------------------------------------------------------------------------------- Win_SH_Py_RSUSB_Csharp: # Windows, Shared, Python, RSUSB backend, C# bindings @@ -444,7 +437,7 @@ jobs: #-------------------------------------------------------------------------------- - U20_ST_Py_DDS_RSUSB_CI_SEC: # Ubuntu 2020, Static, Python, DDS, RSUSB, LibCI without executables, additional security checks + U20_ST_Py_DDS_RSUSB_SEC: # Ubuntu 2020, Static, Python, DDS, RSUSB, additional security checks runs-on: ubuntu-20.04 timeout-minutes: 60 steps: 
@@ -490,13 +483,6 @@ jobs: cmake ../../.github/workflows/rs-all-client -DBUILD_WITH_DDS=ON -DFORCE_RSUSB_BACKEND=ON cmake --build . -- -j4 ./rs-all-client - - - name: LibCI - # Note: we specifically disable BUILD_UNIT_TESTS so the executable C++ unit-tests won't run - # This is to save time as DDS already lengthens the build... - shell: bash - run: | - python3 unit-tests/run-unit-tests.py --no-color --debug --stdout --not-live --context "dds linux" --tag dds #-------------------------------------------------------------------------------- From fcb9d0fa0ce320ab5450ef56eaaa0a0b5ff48345 Mon Sep 17 00:00:00 2001 From: Avia Avraham <145359432+AviaAv@users.noreply.github.com> Date: Wed, 30 Oct 2024 14:23:00 +0200 Subject: [PATCH 22/22] explicitly init SECURITY_COMPILER_FLAGS --- CMake/unix_config.cmake | 2 +- CMake/windows_config.cmake | 1 + 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/CMake/unix_config.cmake b/CMake/unix_config.cmake index e6d02574dd..c038809d51 100644 --- a/CMake/unix_config.cmake +++ b/CMake/unix_config.cmake @@ -47,7 +47,7 @@ macro(os_set_flags) set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} -pthread") endif() - + set(SECURITY_COMPILER_FLAGS "") if (CMAKE_CXX_COMPILER_ID STREQUAL "GNU" AND ENABLE_SECURITY_FLAGS) # Due to security reasons we need to add the following flags for additional security: # Debug & Release: diff --git a/CMake/windows_config.cmake b/CMake/windows_config.cmake index c01189b729..8f87a59942 100644 --- a/CMake/windows_config.cmake +++ b/CMake/windows_config.cmake @@ -40,6 +40,7 @@ macro(os_set_flags) set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} /MP") set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} /MP") + set(SECURITY_COMPILER_FLAGS "") if (ENABLE_SECURITY_FLAGS) # Due to security reasons we need to add the following flags for additional security: # Debug & Release: