From 8455a0f38d690bcf04c3fb6e53c02672bcb7a0f3 Mon Sep 17 00:00:00 2001 From: Donghee Na Date: Fri, 19 Jul 2024 10:22:41 +0900 Subject: [PATCH 1/5] gh-121996: Introduce --disable-safty and --enable-slower-safty --- Doc/using/configure.rst | 19 +++++++ ...-07-19-10-14-31.gh-issue-121996.IEb2sz.rst | 2 + configure | 49 +++++++++++++++++-- configure.ac | 25 ++++++++-- 4 files changed, 89 insertions(+), 6 deletions(-) create mode 100644 Misc/NEWS.d/next/Build/2024-07-19-10-14-31.gh-issue-121996.IEb2sz.rst diff --git a/Doc/using/configure.rst b/Doc/using/configure.rst index 8eaba84e159a40..576e1821f8d400 100644 --- a/Doc/using/configure.rst +++ b/Doc/using/configure.rst @@ -907,6 +907,25 @@ Security Options The settings ``python`` and *STRING* also set TLS 1.2 as minimum protocol version. +.. option:: --disable-safty + + Disable compiler options that are recommended by `OpenSSF`_ for security reasons with no performance overhead. + If this option is not enabled, CPython will be built based on safty compiler options with no slow down. + + .. _OpenSSF: https://openssf.org/ + + .. versionadded:: 3.14 + +.. option:: --enable-slower-safty + + Enable compiler options that are recommended by `OpenSSF`_ for security reasons which require overhead. + If this option is not enabled, CPython will not be built based on safty compiler options which performance impact. + + .. _OpenSSF: https://openssf.org/ + + .. versionadded:: 3.14 + + macOS Options ------------- diff --git a/Misc/NEWS.d/next/Build/2024-07-19-10-14-31.gh-issue-121996.IEb2sz.rst b/Misc/NEWS.d/next/Build/2024-07-19-10-14-31.gh-issue-121996.IEb2sz.rst new file mode 100644 index 00000000000000..6ef6cccda4ee18 --- /dev/null +++ b/Misc/NEWS.d/next/Build/2024-07-19-10-14-31.gh-issue-121996.IEb2sz.rst @@ -0,0 +1,2 @@ +Introduce ./configure --disable-safty and --enable-slower-safty options. +Patch by Donghee Na. diff --git a/configure b/configure index 36f4bf7c05f7f3..94a288fa0beb1f 100755 --- a/configure +++ b/configure @@ -1092,6 +1092,8 @@ enable_optimizations with_lto enable_bolt with_strict_overflow +enable_safty +enable_slower_safty with_dsymutil with_address_sanitizer with_memory_sanitizer @@ -1824,6 +1826,10 @@ Optional Features: (default is no) --enable-bolt enable usage of the llvm-bolt post-link optimizer (default is no) + --disable-safty disable usage of the security compiler options with + no performance overhead + --enable-slower-safty enable usage of the security compiler options with + performance overhead --enable-loadable-sqlite-extensions support loadable extensions in the sqlite3 module, see Doc/library/sqlite3.rst (default is no) @@ -9613,7 +9619,28 @@ fi # Enable flags that warn and protect for potential security vulnerabilities. # These flags should be enabled by default for all builds. -{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking whether C compiler accepts -fstack-protector-strong" >&5 + +{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for --disable-safty" >&5 +printf %s "checking for --disable-safty... " >&6; } +# Check whether --enable-safty was given. +if test ${enable_safty+y} +then : + enableval=$enable_safty; if test "x$enable_safty" = xyes +then : + disable_safty=no +else $as_nop + disable_safty=yes +fi +else $as_nop + disable_safty=no +fi + +{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $disable_safty" >&5 +printf "%s\n" "$disable_safty" >&6; } + +if test "$disable_safty" = "no" +then + { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking whether C compiler accepts -fstack-protector-strong" >&5 printf %s "checking whether C compiler accepts -fstack-protector-strong... " >&6; } if test ${ax_cv_check_cflags__Werror__fstack_protector_strong+y} then : @@ -9652,7 +9679,7 @@ else $as_nop printf "%s\n" "$as_me: WARNING: -fstack-protector-strong not supported" >&2;} fi -{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking whether C compiler accepts -Wtrampolines" >&5 + { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking whether C compiler accepts -Wtrampolines" >&5 printf %s "checking whether C compiler accepts -Wtrampolines... " >&6; } if test ${ax_cv_check_cflags__Werror__Wtrampolines+y} then : @@ -9691,7 +9718,22 @@ else $as_nop printf "%s\n" "$as_me: WARNING: -Wtrampolines not supported" >&2;} fi -{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking whether C compiler accepts -D_FORTIFY_SOURCE=3" >&5 +fi + +{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for --enable-slower-safty" >&5 +printf %s "checking for --enable-slower-safty... " >&6; } +# Check whether --enable-slower-safty was given. +if test ${enable_slower_safty+y} +then : + enableval=$enable_slower_safty; +fi + +{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $enable_slower_safty" >&5 +printf "%s\n" "$enable_slower_safty" >&6; } + +if test "$enable_slower_safty" = "yes" +then + { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking whether C compiler accepts -D_FORTIFY_SOURCE=3" >&5 printf %s "checking whether C compiler accepts -D_FORTIFY_SOURCE=3... " >&6; } if test ${ax_cv_check_cflags___D_FORTIFY_SOURCE_3+y} then : @@ -9730,6 +9772,7 @@ else $as_nop printf "%s\n" "$as_me: WARNING: -D_FORTIFY_SOURCE=3 not supported" >&2;} fi +fi case $GCC in yes) diff --git a/configure.ac b/configure.ac index 5873002039886a..4adb348d4ffdd2 100644 --- a/configure.ac +++ b/configure.ac @@ -2458,9 +2458,28 @@ AS_VAR_IF([with_strict_overflow], [yes], # Enable flags that warn and protect for potential security vulnerabilities. # These flags should be enabled by default for all builds. -AX_CHECK_COMPILE_FLAG([-fstack-protector-strong], [BASECFLAGS="$BASECFLAGS -fstack-protector-strong"], [AC_MSG_WARN([-fstack-protector-strong not supported])], [-Werror]) -AX_CHECK_COMPILE_FLAG([-Wtrampolines], [BASECFLAGS="$BASECFLAGS -Wtrampolines"], [AC_MSG_WARN([-Wtrampolines not supported])], [-Werror]) -AX_CHECK_COMPILE_FLAG([-D_FORTIFY_SOURCE=3], [BASECFLAGS="$BASECFLAGS -U_FORTIFY_SOURCE -D_FORTIFY_SOURCE=3"], [AC_MSG_WARN([-D_FORTIFY_SOURCE=3 not supported])]) + +AC_MSG_CHECKING([for --disable-safty]) +AC_ARG_ENABLE([safty], + [AS_HELP_STRING([--disable-safty], [disable usage of the security compiler options with no performance overhead])], + [AS_VAR_IF([enable_safty], [yes], [disable_safty=no], [disable_safty=yes])], [disable_safty=no]) +AC_MSG_RESULT([$disable_safty]) + +if test "$disable_safty" = "no" +then + AX_CHECK_COMPILE_FLAG([-fstack-protector-strong], [BASECFLAGS="$BASECFLAGS -fstack-protector-strong"], [AC_MSG_WARN([-fstack-protector-strong not supported])], [-Werror]) + AX_CHECK_COMPILE_FLAG([-Wtrampolines], [BASECFLAGS="$BASECFLAGS -Wtrampolines"], [AC_MSG_WARN([-Wtrampolines not supported])], [-Werror]) +fi + +AC_MSG_CHECKING([for --enable-slower-safty]) +AC_ARG_ENABLE([slower-safty], + [AS_HELP_STRING([--enable-slower-safty], [enable usage of the security compiler options with performance overhead])],[]) +AC_MSG_RESULT([$enable_slower_safty]) + +if test "$enable_slower_safty" = "yes" +then + AX_CHECK_COMPILE_FLAG([-D_FORTIFY_SOURCE=3], [BASECFLAGS="$BASECFLAGS -U_FORTIFY_SOURCE -D_FORTIFY_SOURCE=3"], [AC_MSG_WARN([-D_FORTIFY_SOURCE=3 not supported])]) +fi case $GCC in yes) From eefbcac92702b47a22ab6c47da07a9e90e7a5a91 Mon Sep 17 00:00:00 2001 From: Donghee Na Date: Sat, 20 Jul 2024 18:50:06 +0900 Subject: [PATCH 2/5] Update GA --- .github/workflows/build.yml | 5 ++++- .github/workflows/reusable-macos.yml | 1 + 2 files changed, 5 insertions(+), 1 deletion(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 0298d0467fe35f..14f5fb6636596b 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -252,6 +252,7 @@ jobs: ../cpython-ro-srcdir/configure \ --config-cache \ --with-pydebug \ + --enable-slower-safty \ --with-openssl=$OPENSSL_DIR build_ubuntu_free_threading: @@ -265,6 +266,7 @@ jobs: ../cpython-ro-srcdir/configure \ --config-cache \ --with-pydebug \ + --enable-slower-safty \ --with-openssl=$OPENSSL_DIR \ --disable-gil @@ -318,7 +320,7 @@ jobs: with: save: false - name: Configure CPython - run: ./configure --config-cache --with-pydebug --with-openssl=$OPENSSL_DIR + run: ./configure --config-cache --enable-slower-safty --with-pydebug --with-openssl=$OPENSSL_DIR - name: Build CPython run: make -j4 - name: Display build info @@ -391,6 +393,7 @@ jobs: ../cpython-ro-srcdir/configure \ --config-cache \ --with-pydebug \ + --enable-slower-safty \ --with-openssl=$OPENSSL_DIR - name: Build CPython out-of-tree working-directory: ${{ env.CPYTHON_BUILDDIR }} diff --git a/.github/workflows/reusable-macos.yml b/.github/workflows/reusable-macos.yml index f825d1a7b3f69a..c6f4e2f2943821 100644 --- a/.github/workflows/reusable-macos.yml +++ b/.github/workflows/reusable-macos.yml @@ -53,6 +53,7 @@ jobs: ./configure \ --config-cache \ --with-pydebug \ + --with-slower-safty \ ${{ inputs.free-threading && '--disable-gil' || '' }} \ --prefix=/opt/python-dev \ --with-openssl="$(brew --prefix openssl@3.0)" From 70bed1906449d622cbfb94fa4b776499922b6fbe Mon Sep 17 00:00:00 2001 From: Donghee Na Date: Sat, 20 Jul 2024 19:03:19 +0900 Subject: [PATCH 3/5] fix --- .github/workflows/reusable-macos.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/reusable-macos.yml b/.github/workflows/reusable-macos.yml index c6f4e2f2943821..10eee877d3ea35 100644 --- a/.github/workflows/reusable-macos.yml +++ b/.github/workflows/reusable-macos.yml @@ -53,7 +53,7 @@ jobs: ./configure \ --config-cache \ --with-pydebug \ - --with-slower-safty \ + --enable-slower-safty \ ${{ inputs.free-threading && '--disable-gil' || '' }} \ --prefix=/opt/python-dev \ --with-openssl="$(brew --prefix openssl@3.0)" From 558813e2df6ade3e978acf986b9fe9f77e319726 Mon Sep 17 00:00:00 2001 From: Donghee Na Date: Mon, 22 Jul 2024 19:56:24 +0900 Subject: [PATCH 4/5] Address code review --- .github/workflows/build.yml | 8 ++-- .github/workflows/reusable-macos.yml | 2 +- Doc/using/configure.rst | 8 ++-- ...-07-19-10-14-31.gh-issue-121996.IEb2sz.rst | 2 +- configure | 46 +++++++++---------- configure.ac | 22 ++++----- 6 files changed, 44 insertions(+), 44 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 14f5fb6636596b..95141a95151a39 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -252,7 +252,7 @@ jobs: ../cpython-ro-srcdir/configure \ --config-cache \ --with-pydebug \ - --enable-slower-safty \ + --enable-slower-safety \ --with-openssl=$OPENSSL_DIR build_ubuntu_free_threading: @@ -266,7 +266,7 @@ jobs: ../cpython-ro-srcdir/configure \ --config-cache \ --with-pydebug \ - --enable-slower-safty \ + --enable-slower-safety \ --with-openssl=$OPENSSL_DIR \ --disable-gil @@ -320,7 +320,7 @@ jobs: with: save: false - name: Configure CPython - run: ./configure --config-cache --enable-slower-safty --with-pydebug --with-openssl=$OPENSSL_DIR + run: ./configure --config-cache --enable-slower-safety --with-pydebug --with-openssl=$OPENSSL_DIR - name: Build CPython run: make -j4 - name: Display build info @@ -393,7 +393,7 @@ jobs: ../cpython-ro-srcdir/configure \ --config-cache \ --with-pydebug \ - --enable-slower-safty \ + --enable-slower-safety \ --with-openssl=$OPENSSL_DIR - name: Build CPython out-of-tree working-directory: ${{ env.CPYTHON_BUILDDIR }} diff --git a/.github/workflows/reusable-macos.yml b/.github/workflows/reusable-macos.yml index 10eee877d3ea35..0f189960dbea61 100644 --- a/.github/workflows/reusable-macos.yml +++ b/.github/workflows/reusable-macos.yml @@ -53,7 +53,7 @@ jobs: ./configure \ --config-cache \ --with-pydebug \ - --enable-slower-safty \ + --enable-slower-safety \ ${{ inputs.free-threading && '--disable-gil' || '' }} \ --prefix=/opt/python-dev \ --with-openssl="$(brew --prefix openssl@3.0)" diff --git a/Doc/using/configure.rst b/Doc/using/configure.rst index 576e1821f8d400..a001ace9aa6b14 100644 --- a/Doc/using/configure.rst +++ b/Doc/using/configure.rst @@ -907,19 +907,19 @@ Security Options The settings ``python`` and *STRING* also set TLS 1.2 as minimum protocol version. -.. option:: --disable-safty +.. option:: --disable-safety Disable compiler options that are recommended by `OpenSSF`_ for security reasons with no performance overhead. - If this option is not enabled, CPython will be built based on safty compiler options with no slow down. + If this option is not enabled, CPython will be built based on safety compiler options with no slow down. .. _OpenSSF: https://openssf.org/ .. versionadded:: 3.14 -.. option:: --enable-slower-safty +.. option:: --enable-slower-safety Enable compiler options that are recommended by `OpenSSF`_ for security reasons which require overhead. - If this option is not enabled, CPython will not be built based on safty compiler options which performance impact. + If this option is not enabled, CPython will not be built based on safety compiler options which performance impact. .. _OpenSSF: https://openssf.org/ diff --git a/Misc/NEWS.d/next/Build/2024-07-19-10-14-31.gh-issue-121996.IEb2sz.rst b/Misc/NEWS.d/next/Build/2024-07-19-10-14-31.gh-issue-121996.IEb2sz.rst index 6ef6cccda4ee18..171efe8388bc0d 100644 --- a/Misc/NEWS.d/next/Build/2024-07-19-10-14-31.gh-issue-121996.IEb2sz.rst +++ b/Misc/NEWS.d/next/Build/2024-07-19-10-14-31.gh-issue-121996.IEb2sz.rst @@ -1,2 +1,2 @@ -Introduce ./configure --disable-safty and --enable-slower-safty options. +Introduce ./configure --disable-safety and --enable-slower-safety options. Patch by Donghee Na. diff --git a/configure b/configure index 94a288fa0beb1f..7a6ce51e2ef035 100755 --- a/configure +++ b/configure @@ -1092,8 +1092,8 @@ enable_optimizations with_lto enable_bolt with_strict_overflow -enable_safty -enable_slower_safty +enable_safety +enable_slower_safety with_dsymutil with_address_sanitizer with_memory_sanitizer @@ -1826,9 +1826,9 @@ Optional Features: (default is no) --enable-bolt enable usage of the llvm-bolt post-link optimizer (default is no) - --disable-safty disable usage of the security compiler options with + --disable-safety disable usage of the security compiler options with no performance overhead - --enable-slower-safty enable usage of the security compiler options with + --enable-slower-safety enable usage of the security compiler options with performance overhead --enable-loadable-sqlite-extensions support loadable extensions in the sqlite3 module, @@ -9620,25 +9620,25 @@ fi # Enable flags that warn and protect for potential security vulnerabilities. # These flags should be enabled by default for all builds. -{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for --disable-safty" >&5 -printf %s "checking for --disable-safty... " >&6; } -# Check whether --enable-safty was given. -if test ${enable_safty+y} +{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for --disable-safety" >&5 +printf %s "checking for --disable-safety... " >&6; } +# Check whether --enable-safety was given. +if test ${enable_safety+y} then : - enableval=$enable_safty; if test "x$enable_safty" = xyes + enableval=$enable_safety; if test "x$enable_safety" = xyes then : - disable_safty=no + disable_safety=no else $as_nop - disable_safty=yes + disable_saftey=yes fi else $as_nop - disable_safty=no + disable_saftey=no fi -{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $disable_safty" >&5 -printf "%s\n" "$disable_safty" >&6; } +{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $disable_safety" >&5 +printf "%s\n" "$disable_safety" >&6; } -if test "$disable_safty" = "no" +if test "$disable_safety" = "no" then { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking whether C compiler accepts -fstack-protector-strong" >&5 printf %s "checking whether C compiler accepts -fstack-protector-strong... " >&6; } @@ -9720,18 +9720,18 @@ fi fi -{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for --enable-slower-safty" >&5 -printf %s "checking for --enable-slower-safty... " >&6; } -# Check whether --enable-slower-safty was given. -if test ${enable_slower_safty+y} +{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for --enable-slower-safety" >&5 +printf %s "checking for --enable-slower-safety... " >&6; } +# Check whether --enable-slower-safety was given. +if test ${enable_slower_safety+y} then : - enableval=$enable_slower_safty; + enableval=$enable_slower_safety; fi -{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $enable_slower_safty" >&5 -printf "%s\n" "$enable_slower_safty" >&6; } +{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $enable_slower_safety" >&5 +printf "%s\n" "$enable_slower_safety" >&6; } -if test "$enable_slower_safty" = "yes" +if test "$enable_slower_safety" = "yes" then { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking whether C compiler accepts -D_FORTIFY_SOURCE=3" >&5 printf %s "checking whether C compiler accepts -D_FORTIFY_SOURCE=3... " >&6; } diff --git a/configure.ac b/configure.ac index 4adb348d4ffdd2..724f573d8c388a 100644 --- a/configure.ac +++ b/configure.ac @@ -2459,24 +2459,24 @@ AS_VAR_IF([with_strict_overflow], [yes], # Enable flags that warn and protect for potential security vulnerabilities. # These flags should be enabled by default for all builds. -AC_MSG_CHECKING([for --disable-safty]) -AC_ARG_ENABLE([safty], - [AS_HELP_STRING([--disable-safty], [disable usage of the security compiler options with no performance overhead])], - [AS_VAR_IF([enable_safty], [yes], [disable_safty=no], [disable_safty=yes])], [disable_safty=no]) -AC_MSG_RESULT([$disable_safty]) +AC_MSG_CHECKING([for --disable-safety]) +AC_ARG_ENABLE([safety], + [AS_HELP_STRING([--disable-safety], [disable usage of the security compiler options with no performance overhead])], + [AS_VAR_IF([enable_safety], [yes], [disable_safety=no], [disable_saftey=yes])], [disable_saftey=no]) +AC_MSG_RESULT([$disable_safety]) -if test "$disable_safty" = "no" +if test "$disable_safety" = "no" then AX_CHECK_COMPILE_FLAG([-fstack-protector-strong], [BASECFLAGS="$BASECFLAGS -fstack-protector-strong"], [AC_MSG_WARN([-fstack-protector-strong not supported])], [-Werror]) AX_CHECK_COMPILE_FLAG([-Wtrampolines], [BASECFLAGS="$BASECFLAGS -Wtrampolines"], [AC_MSG_WARN([-Wtrampolines not supported])], [-Werror]) fi -AC_MSG_CHECKING([for --enable-slower-safty]) -AC_ARG_ENABLE([slower-safty], - [AS_HELP_STRING([--enable-slower-safty], [enable usage of the security compiler options with performance overhead])],[]) -AC_MSG_RESULT([$enable_slower_safty]) +AC_MSG_CHECKING([for --enable-slower-safety]) +AC_ARG_ENABLE([slower-safety], + [AS_HELP_STRING([--enable-slower-safety], [enable usage of the security compiler options with performance overhead])],[]) +AC_MSG_RESULT([$enable_slower_safety]) -if test "$enable_slower_safty" = "yes" +if test "$enable_slower_safety" = "yes" then AX_CHECK_COMPILE_FLAG([-D_FORTIFY_SOURCE=3], [BASECFLAGS="$BASECFLAGS -U_FORTIFY_SOURCE -D_FORTIFY_SOURCE=3"], [AC_MSG_WARN([-D_FORTIFY_SOURCE=3 not supported])]) fi From b1ae877650d1fc5a111c20fa5a99904e7bd7efb3 Mon Sep 17 00:00:00 2001 From: Donghee Na Date: Mon, 22 Jul 2024 20:03:54 +0900 Subject: [PATCH 5/5] Update CI --- .github/workflows/reusable-ubuntu.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/reusable-ubuntu.yml b/.github/workflows/reusable-ubuntu.yml index 018a1d80497659..54d7765d159d49 100644 --- a/.github/workflows/reusable-ubuntu.yml +++ b/.github/workflows/reusable-ubuntu.yml @@ -69,6 +69,7 @@ jobs: ../cpython-ro-srcdir/configure --config-cache --with-pydebug + --enable-slower-safety --with-openssl=$OPENSSL_DIR ${{ fromJSON(inputs.free-threading) && '--disable-gil' || '' }} - name: Build CPython out-of-tree