More secure_features work:

- Add initial support for secure_features on SDK artifacts; validation will follow in subsequent CLs.
- Suppress applying the "pointer_authentication" feature to Apple builds that aren't specifically requesting the arm64e architecture. All splits off of "deps" besides the arm64e ones will have the feature removed if it is set.
- Add a separate starlark build config to handle the act of dropping arm64e architectures when "pointer_authentication" isn't requested, allowing for onboarding of users that are using arm64e without "pointer_authentication".

Cherry-pick: 917dc39

Author: nglevin

apple/apple_binary.bzl

@@ -78,6 +78,11 @@ Resolved Xcode is version {xcode_version}.
     bundle_loader = ctx.attr.bundle_loader
     cc_toolchain_forwarder = ctx.split_attr._cc_toolchain_forwarder
 
+    secure_features = ctx.attr.secure_features
+    if secure_features:
+        if not apple_xplat_toolchain_info.build_settings.enable_wip_features:
+            fail("secure_features are still a work in progress and not yet supported in the rules.")
+
     extra_linkopts = []
 
     if binary_type == "dylib":
@@ -197,6 +202,12 @@ linking as if it were one of the dynamic libraries the bundle was linked with.
                 providers = [AppleExecutableBinaryInfo],
             ),
             "data": attr.label_list(allow_files = True),
+            "secure_features": attr.string_list(
+                doc = """
+A list of strings representing Apple Enhanced Security crosstool features that should be enabled for
+this target.
+""",
+            ),
             "sdk_dylibs": attr.string_list(
                 allow_empty = True,
                 doc = """

apple/apple_static_library.bzl

@@ -19,6 +19,10 @@ load(
     "//apple:providers.bzl",
     "ApplePlatformInfo",
 )
+load(
+    "//apple/internal:apple_toolchains.bzl",
+    "AppleXPlatToolsToolchainInfo",
+)
 load(
     "//apple/internal:linking_support.bzl",
     "linking_support",
@@ -41,6 +45,8 @@ load(
 )
 
 def _apple_static_library_impl(ctx):
+    apple_xplat_toolchain_info = ctx.attr._xplat_toolchain[AppleXPlatToolsToolchainInfo]
+
     if ctx.attr.platform_type == "visionos":
         xcode_version_config = ctx.attr._xcode_config[apple_common.XcodeVersionConfig]
         if xcode_version_config.xcode_version() < apple_common.dotted_version("15.1"):
@@ -54,6 +60,11 @@ Resolved Xcode is version {xcode_version}.
     # `transition_support.apple_platform_split_transition`, either implicitly through native
     # `dotted_version` or explicitly through `fail` on an unrecognized platform type value.
 
+    secure_features = ctx.attr.secure_features
+    if secure_features:
+        if not apple_xplat_toolchain_info.build_settings.enable_wip_features:
+            fail("secure_features are still a work in progress and not yet supported in the rules.")
+
     # Validate that the resolved platform matches the platform_type attr.
     for toolchain_key, resolved_toolchain in ctx.split_attr._cc_toolchain_forwarder.items():
         if resolved_toolchain[ApplePlatformInfo].target_os != ctx.attr.platform_type:
@@ -94,7 +105,7 @@ Expected Apple platform type of "{platform_type}", but that was not found in {to
     return providers
 
 apple_static_library = rule_factory.create_apple_rule(
-    cfg = None,
+    cfg = transition_support.apple_rule_transition,
     doc = """
 This rule produces single- or multi-architecture ("fat") static libraries targeting
 Apple platforms.
@@ -175,6 +186,12 @@ binaries/libraries will be created combining all architectures specified by
 *   `tvos`: architectures gathered from `--tvos_cpus`.
 *   `visionos`: architectures gathered from `--visionos_cpus`.
 *   `watchos`: architectures gathered from `--watchos_cpus`.
+""",
+            ),
+            "secure_features": attr.string_list(
+                doc = """
+A list of strings representing Apple Enhanced Security crosstool features that should be enabled for
+this target.
 """,
             ),
             "sdk_frameworks": attr.string_list(

apple/build_settings/build_settings.bzl

@@ -89,6 +89,14 @@ at any time, that is only ready for automated testing now.
 
 This could indicate functionality intended for a future release of the Apple BUILD rules, or
 functionality that is never intended to be production-ready but is required of automated testing.
+""",
+        default = False,
+    ),
+    "require_pointer_authentication_attribute": struct(
+        doc = """
+Enables functionality that requires pointer authentication, where any reference to arm64e will be
+dropped by top level Apple BUILD rules if the "pointer_authentication" is not requested via the
+"secure_features" attribute.
 """,
         default = False,
     ),

apple/internal/BUILD

@@ -223,6 +223,7 @@ bzl_library(
         "//apple:common",
         "//apple/internal/utils:defines",
         "@build_bazel_apple_support//lib:apple_support",
+        "@rules_cc//cc/common",
     ],
 )
 

apple/internal/entitlements_support.bzl

@@ -18,6 +18,7 @@ load(
     "@build_bazel_apple_support//lib:apple_support.bzl",
     "apple_support",
 )
+load("@rules_cc//cc/common:cc_common.bzl", "cc_common")
 load(
     "//apple:common.bzl",
     "entitlements_validation_mode",
@@ -30,6 +31,10 @@ load(
     "//apple/internal:bundling_support.bzl",
     "bundling_support",
 )
+load(
+    "//apple/internal:providers.bzl",
+    "ApplePlatformInfo",
+)
 load(
     "//apple/internal:resource_actions.bzl",
     "resource_actions",
@@ -201,9 +206,7 @@ def _process_entitlements(
         apple_xplat_toolchain_info,
         bundle_id,
         cc_configured_features_init,
-        cc_toolchain,
-        disabled_features,
-        enabled_features,
+        cc_toolchains,
         entitlements_file,
         platform_prerequisites,
         product_type,
@@ -238,9 +241,7 @@ def _process_entitlements(
         bundle_id: The bundle identifier.
         cc_configured_features_init: The function to initialize the feature configuration for a
             given cc_toolchain.
-        cc_toolchain: A cc_toolchain as found from the rule context's toolchains.
-        disabled_features: The features requested to be disabled for the target.
-        enabled_features: The features requested for the target.
+        cc_toolchains: The cc_toolchain_forwarder target with its providers.
         entitlements_file: The `File` containing the unprocessed entitlements
             (or `None` if none were provided).
         platform_prerequisites: The platform prerequisites.
@@ -283,25 +284,36 @@ def _process_entitlements(
         app_clip = {"com.apple.developer.on-demand-install-capable": True}
         forced_plists.append(struct(**app_clip))
     if secure_features:
-        if not apple_xplat_toolchain_info.build_settings.enable_wip_features:
-            fail("secure_features are still a work in progress and not yet supported in the rules.")
-
-        # Calculate the effective set of Crosstool features for this target, as we do want to double
-        # check that the secure features are supported and enabled.
-        feature_configuration = cc_configured_features_init(
-            cc_toolchain = cc_toolchain,
-            requested_features = enabled_features,
-            unsupported_features = disabled_features,
-        )
+        all_secure_features_entitlements = dict()
+        for cc_toolchain in cc_toolchains.values():
+            cc_toolchain_info = cc_toolchain[cc_common.CcToolchainInfo]
+
+            # Calculate the effective set of Crosstool features for this toolchain, as we do want to
+            # double check that the secure features are supported and enabled.
+            feature_configuration = cc_configured_features_init(
+                cc_toolchain = cc_toolchain_info,
+                language = "objc",
+            )
 
-        # Retrieve the entitlements required by the requested secure features, if there are any.
-        secure_features_entitlements = secure_features_support.entitlements_from_secure_features(
-            feature_configuration = feature_configuration,
-            rule_label = rule_label,
-            secure_features = secure_features,
-            xcode_version = platform_prerequisites.xcode_version_config.xcode_version(),
-        )
-        forced_plists.append(struct(**secure_features_entitlements))
+            # Check that the requested secure features are supported and enabled for the toolchain.
+            secure_features_support.validate_secure_features_support(
+                cc_toolchain_info = cc_toolchain_info,
+                feature_configuration = feature_configuration,
+                platform_info = cc_toolchain[ApplePlatformInfo],
+                rule_label = rule_label,
+                secure_features = secure_features,
+            )
+
+            # Retrieve the entitlements required by the requested secure features, if there are any.
+            secure_features_entitlements = (
+                secure_features_support.entitlements_from_secure_features(
+                    secure_features = secure_features,
+                    xcode_version = platform_prerequisites.xcode_version_config.xcode_version(),
+                )
+            )
+            all_secure_features_entitlements.update(secure_features_entitlements)
+        if all_secure_features_entitlements:
+            forced_plists.append(struct(**all_secure_features_entitlements))
 
     inputs = list(plists)
 

apple/internal/features_support.bzl

@@ -46,7 +46,13 @@ def _make_cc_configured_features_init(ctx):
         context as the `ctx` argument of `cc_common.configure_features(...)` and will forward any
         arguments it is given to `cc_common.configure_features(...)`.
     """
-    return lambda *args, **kwargs: cc_common.configure_features(ctx = ctx, *args, **kwargs)
+    return lambda *args, **kwargs: cc_common.configure_features(
+        ctx = ctx,
+        requested_features = ctx.features,
+        unsupported_features = ctx.disabled_features,
+        *args,
+        **kwargs
+    )
 
 features_support = struct(
     compute_enabled_features = _compute_enabled_features,

apple/internal/ios_rules.bzl

@@ -180,7 +180,6 @@ def _ios_application_impl(ctx):
         shared_capabilities = ctx.attr.shared_capabilities,
     )
     bundle_verification_targets = [struct(target = ext) for ext in ctx.attr.extensions]
-    cc_toolchain = find_cpp_toolchain(ctx)
     cc_toolchain_forwarder = ctx.split_attr._cc_toolchain_forwarder
     embeddable_targets = (
         ctx.attr.frameworks +
@@ -236,9 +235,7 @@ def _ios_application_impl(ctx):
         apple_xplat_toolchain_info = apple_xplat_toolchain_info,
         bundle_id = bundle_id,
         cc_configured_features_init = features_support.make_cc_configured_features_init(ctx),
-        cc_toolchain = cc_toolchain,
-        disabled_features = ctx.disabled_features,
-        enabled_features = ctx.features,
+        cc_toolchains = cc_toolchain_forwarder,
         entitlements_file = ctx.file.entitlements,
         platform_prerequisites = platform_prerequisites,
         product_type = rule_descriptor.product_type,
@@ -583,7 +580,6 @@ def _ios_app_clip_impl(ctx):
         suffix_default = ctx.attr._bundle_id_suffix_default,
         shared_capabilities = ctx.attr.shared_capabilities,
     )
-    cc_toolchain = find_cpp_toolchain(ctx)
     cc_toolchain_forwarder = ctx.split_attr._cc_toolchain_forwarder
     bundle_verification_targets = [struct(target = ext) for ext in ctx.attr.extensions]
     embeddable_targets = (
@@ -635,9 +631,7 @@ def _ios_app_clip_impl(ctx):
         apple_xplat_toolchain_info = apple_xplat_toolchain_info,
         bundle_id = bundle_id,
         cc_configured_features_init = features_support.make_cc_configured_features_init(ctx),
-        cc_toolchain = cc_toolchain,
-        disabled_features = ctx.disabled_features,
-        enabled_features = ctx.features,
+        cc_toolchains = cc_toolchain_forwarder,
         entitlements_file = ctx.file.entitlements,
         platform_prerequisites = platform_prerequisites,
         product_type = rule_descriptor.product_type,
@@ -913,7 +907,6 @@ def _ios_framework_impl(ctx):
         bundle_name = bundle_name,
         suffix_default = ctx.attr._bundle_id_suffix_default,
     )
-    cc_toolchain = find_cpp_toolchain(ctx)
     cc_toolchain_forwarder = ctx.split_attr._cc_toolchain_forwarder
     executable_name = ctx.attr.executable_name
     features = features_support.compute_enabled_features(
@@ -1067,9 +1060,7 @@ def _ios_framework_impl(ctx):
             bundle_only = ctx.attr.bundle_only,
             cc_configured_features_init = features_support.make_cc_configured_features_init(ctx),
             cc_linking_contexts = linking_contexts,
-            cc_toolchain = cc_toolchain,
-            features = features,
-            disabled_features = ctx.disabled_features,
+            cc_toolchain = find_cpp_toolchain(ctx),
             rule_label = label,
         ),
         partials.resources_partial(
@@ -1168,7 +1159,6 @@ def _ios_extension_impl(ctx):
         suffix_default = ctx.attr._bundle_id_suffix_default,
         shared_capabilities = ctx.attr.shared_capabilities,
     )
-    cc_toolchain = find_cpp_toolchain(ctx)
     cc_toolchain_forwarder = ctx.split_attr._cc_toolchain_forwarder
     features = features_support.compute_enabled_features(
         requested_features = ctx.features,
@@ -1215,9 +1205,7 @@ def _ios_extension_impl(ctx):
         apple_xplat_toolchain_info = apple_xplat_toolchain_info,
         bundle_id = bundle_id,
         cc_configured_features_init = features_support.make_cc_configured_features_init(ctx),
-        cc_toolchain = cc_toolchain,
-        disabled_features = ctx.disabled_features,
-        enabled_features = ctx.features,
+        cc_toolchains = cc_toolchain_forwarder,
         entitlements_file = ctx.file.entitlements,
         platform_prerequisites = platform_prerequisites,
         product_type = rule_descriptor.product_type,
@@ -1654,8 +1642,6 @@ def _ios_dynamic_framework_impl(ctx):
             cc_configured_features_init = features_support.make_cc_configured_features_init(ctx),
             cc_linking_contexts = linking_contexts,
             cc_toolchain = cc_toolchain,
-            features = features,
-            disabled_features = ctx.disabled_features,
             rule_label = label,
         ),
         partials.resources_partial(
@@ -1896,6 +1882,22 @@ def _ios_static_framework_impl(ctx):
 
 def _ios_imessage_application_impl(ctx):
     """Experimental implementation of ios_imessage_application."""
+
+    # Using "deps" to compute binary architectures, entitlements and features, but we're using a
+    # stub binary to handle the actual binary, just like a rule for a watchOS 2 app bundle.
+    if ctx.attr.deps:
+        fail("""
+ios_imessage_application does not support `deps`.
+
+This rule is merely a container for an iMessage extension with limited functionality. If this \
+iMessage extension requires a hosting binary, it should be assigned as one of the `extensions` \
+of an `ios_application` rather than an `ios_imessage_application`.
+
+If you mean to use this for packaging an iMessage extension and nothing more, please assign a \
+reference to an ios_imessage_extension target to the `extension` attribute instead, to give this \
+app an implementation.
+""")
+
     rule_descriptor = rule_support.rule_descriptor(
         platform_type = ctx.attr.platform_type,
         product_type = apple_product_type.messages_application,
@@ -1922,7 +1924,7 @@ def _ios_imessage_application_impl(ctx):
         unsupported_features = ctx.disabled_features,
     )
     bundle_verification_targets = [struct(target = ctx.attr.extension)]
-    cc_toolchain = find_cpp_toolchain(ctx)
+    cc_toolchain_forwarder = ctx.split_attr._cc_toolchain_forwarder
     embeddable_targets = [ctx.attr.extension]
     label = ctx.label
     platform_prerequisites = platform_support.platform_prerequisites(
@@ -1963,9 +1965,7 @@ def _ios_imessage_application_impl(ctx):
         apple_xplat_toolchain_info = apple_xplat_toolchain_info,
         bundle_id = bundle_id,
         cc_configured_features_init = features_support.make_cc_configured_features_init(ctx),
-        cc_toolchain = cc_toolchain,
-        disabled_features = ctx.disabled_features,
-        enabled_features = ctx.features,
+        cc_toolchains = cc_toolchain_forwarder,
         entitlements_file = ctx.file.entitlements,
         platform_prerequisites = platform_prerequisites,
         product_type = rule_descriptor.product_type,
@@ -2133,7 +2133,6 @@ def _ios_imessage_extension_impl(ctx):
         shared_capabilities = ctx.attr.shared_capabilities,
     )
     executable_name = ctx.attr.executable_name
-    cc_toolchain = find_cpp_toolchain(ctx)
     cc_toolchain_forwarder = ctx.split_attr._cc_toolchain_forwarder
     features = features_support.compute_enabled_features(
         requested_features = ctx.features,
@@ -2178,9 +2177,7 @@ def _ios_imessage_extension_impl(ctx):
         apple_xplat_toolchain_info = apple_xplat_toolchain_info,
         bundle_id = bundle_id,
         cc_configured_features_init = features_support.make_cc_configured_features_init(ctx),
-        cc_toolchain = cc_toolchain,
-        disabled_features = ctx.disabled_features,
-        enabled_features = ctx.features,
+        cc_toolchains = cc_toolchain_forwarder,
         entitlements_file = ctx.file.entitlements,
         platform_prerequisites = platform_prerequisites,
         product_type = rule_descriptor.product_type,
@@ -2412,7 +2409,7 @@ def _ios_sticker_pack_extension_impl(ctx):
         suffix_default = ctx.attr._bundle_id_suffix_default,
         shared_capabilities = ctx.attr.shared_capabilities,
     )
-    cc_toolchain = find_cpp_toolchain(ctx)
+    cc_toolchain_forwarder = ctx.split_attr._cc_toolchain_forwarder
     executable_name = ctx.attr.executable_name
     features = features_support.compute_enabled_features(
         requested_features = ctx.features,
@@ -2457,9 +2454,7 @@ def _ios_sticker_pack_extension_impl(ctx):
         apple_xplat_toolchain_info = apple_xplat_toolchain_info,
         bundle_id = bundle_id,
         cc_configured_features_init = features_support.make_cc_configured_features_init(ctx),
-        cc_toolchain = cc_toolchain,
-        disabled_features = ctx.disabled_features,
-        enabled_features = ctx.features,
+        cc_toolchains = cc_toolchain_forwarder,
         entitlements_file = ctx.file.entitlements,
         platform_prerequisites = platform_prerequisites,
         product_type = rule_descriptor.product_type,
@@ -3105,6 +3100,15 @@ for either an iOS iMessage extension or a Sticker Pack extension.""",
             icon_extension = ".appiconset",
             icon_parent_extension = ".xcassets",
         ),
+        rule_attrs.binary_linking_attrs(
+            deps_cfg = transition_support.apple_platform_split_transition,
+            extra_deps_aspects = [
+                apple_resource_aspect,
+                framework_provider_aspect,
+            ],
+            is_test_supporting_rule = False,
+            requires_legacy_cc_toolchain = True,
+        ),
         rule_attrs.common_bundle_attrs(deps_cfg = transition_support.apple_platform_split_transition),
         rule_attrs.common_tool_attrs(),
         rule_attrs.device_family_attrs(