
Commit 6e8e8b8

nglevinluispadron
authored andcommitted
More secure_features work:
- Add initial support for secure_features on SDK artifacts; validation will follow in subsequent CLs. - Suppress applying the "pointer_authentication" feature to Apple builds that aren't specifically requesting the arm64e architecture. All splits off of "deps" besides the arm64e ones will have the feature removed if it is set. - Add a separate starlark build config to handle the act of dropping arm64e architectures when "pointer_authentication" isn't requested, allowing for onboarding of users that are using arm64e without "pointer_authentication". Cherry-pick: 917dc39
1 parent 6f8a9cc commit 6e8e8b8

32 files changed

Lines changed: 444 additions & 321 deletions

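--- a/apple/apple_binary.bzl
+++ b/apple/apple_binary.bzl
@@ -78,6 +78,11 @@ Resolved Xcode is version {xcode_version}.
 bundle_loader = ctx.attr.bundle_loader
 cc_toolchain_forwarder = ctx.split_attr._cc_toolchain_forwarder
 
+secure_features = ctx.attr.secure_features
+if secure_features:
+if not apple_xplat_toolchain_info.build_settings.enable_wip_features:
+fail("secure_features are still a work in progress and not yet supported in the rules.")
+
 extra_linkopts = []
 
 if binary_type == "dylib":
@@ -197,6 +202,12 @@ linking as if it were one of the dynamic libraries the bundle was linked with.
 providers = [AppleExecutableBinaryInfo],
 ),
 "data": attr.label_list(allow_files = True),
+"secure_features": attr.string_list(
+doc = """
+A list of strings representing Apple Enhanced Security crosstool features that should be enabled for
+this target.
+""",
+),
 "sdk_dylibs": attr.string_list(
 allow_empty = True,
 doc = """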
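Review bot: `apple_binary` accepts the new `secure_features` list, but nothing in these hunks validates the strings against the resolved toolchains or forwards them to the link; the only check is the `enable_wip_features` gate, so a target can request `pointer_authentication` and, as far as this commit shows, get an unhardened binary while its BUILD file suggests otherwise. The commit message defers validation to later CLs, so the attribute doc should say so now, e.g. append `This attribute is experimental: the requested features are not yet validated against the toolchain, and a build will not fail on an unsupported entry.` The `if secure_features:` gate also accepts any non-empty list; once the supported feature names are fixed, a `values`-style whitelist would reject typos rather than silently ignore them. `_apple_binary_impl` starts before the first hunk and continues past it.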

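--- a/apple/apple_static_library.bzl
+++ b/apple/apple_static_library.bzl
@@ -19,6 +19,10 @@ load(
 "//apple:providers.bzl",
 "ApplePlatformInfo",
 )
+load(
+"//apple/internal:apple_toolchains.bzl",
+"AppleXPlatToolsToolchainInfo",
+)
 load(
 "//apple/internal:linking_support.bzl",
 "linking_support",
@@ -41,6 +45,8 @@ load(
 )
 
 def _apple_static_library_impl(ctx):
+apple_xplat_toolchain_info = ctx.attr._xplat_toolchain[AppleXPlatToolsToolchainInfo]
+
 if ctx.attr.platform_type == "visionos":
 xcode_version_config = ctx.attr._xcode_config[apple_common.XcodeVersionConfig]
 if xcode_version_config.xcode_version() < apple_common.dotted_version("15.1"):
@@ -54,6 +60,11 @@ Resolved Xcode is version {xcode_version}.
 # `transition_support.apple_platform_split_transition`, either implicitly through native
 # `dotted_version` or explicitly through `fail` on an unrecognized platform type value.
 
+secure_features = ctx.attr.secure_features
+if secure_features:
+if not apple_xplat_toolchain_info.build_settings.enable_wip_features:
+fail("secure_features are still a work in progress and not yet supported in the rules.")
+
 # Validate that the resolved platform matches the platform_type attr.
 for toolchain_key, resolved_toolchain in ctx.split_attr._cc_toolchain_forwarder.items():
 if resolved_toolchain[ApplePlatformInfo].target_os != ctx.attr.platform_type:
@@ -94,7 +105,7 @@ Expected Apple platform type of "{platform_type}", but that was not found in {to
 return providers
 
 apple_static_library = rule_factory.create_apple_rule(
-cfg = None,
+cfg = transition_support.apple_rule_transition,
 doc = """
 This rule produces single- or multi-architecture ("fat") static libraries targeting
 Apple platforms.
@@ -175,6 +186,12 @@ binaries/libraries will be created combining all architectures specified by
 * `tvos`: architectures gathered from `--tvos_cpus`.
 * `visionos`: architectures gathered from `--visionos_cpus`.
 * `watchos`: architectures gathered from `--watchos_cpus`.
+""",
+),
+"secure_features": attr.string_list(
+doc = """
+A list of strings representing Apple Enhanced Security crosstool features that should be enabled for
+this target.
 """,
 ),
 "sdk_frameworks": attr.string_list(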
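Review bot: The `cfg = None` to `cfg = transition_support.apple_rule_transition` change on the `apple_static_library` rule definition applies the rule transition to every `apple_static_library` target, not only those that set `secure_features`, and the commit message does not mention it; the rule doc should state that the target is now configured through `apple_rule_transition`, and the change deserves its own line in the description. The `secure_features` gate added to `_apple_static_library_impl` duplicates the one added to `apple_binary.bzl` verbatim; a single helper in `secure_features_support` taking `apple_xplat_toolchain_info` and `secure_features` would keep the condition and the error text from drifting. `ctx.attr._xplat_toolchain` is read on the first line of the impl, which presumes `rule_factory.create_apple_rule` declares that implicit attribute (outside this view). `_apple_static_library_impl` continues past its hunks.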

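--- a/apple/build_settings/build_settings.bzl
+++ b/apple/build_settings/build_settings.bzl
@@ -89,6 +89,14 @@ at any time, that is only ready for automated testing now.
 
 This could indicate functionality intended for a future release of the Apple BUILD rules, or
 functionality that is never intended to be production-ready but is required of automated testing.
+""",
+default = False,
+),
+"require_pointer_authentication_attribute": struct(
+doc = """
+Enables functionality that requires pointer authentication, where any reference to arm64e will be
+dropped by top level Apple BUILD rules if the "pointer_authentication" is not requested via the
+"secure_features" attribute.
 """,
 default = False,
 ),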
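Review bot: The doc string for `require_pointer_authentication_attribute` is missing a noun (`if the "pointer_authentication" is not requested`) and describes a behavior, silently dropping every arm64e architecture, that decides which slices end up in a shipped binary, so it should say that plainly and say whether the drop is diagnosed. Suggested text: `When enabled, the top level Apple BUILD rules drop every arm64e architecture from a target unless the "pointer_authentication" feature is requested via its "secure_features" attribute; such targets are built without an arm64e slice rather than with an unauthenticated one.` A warning at the point where the architecture is dropped (in a file outside this view) would keep the loss visible to the users the commit message says this is meant to onboard. The enclosing build-settings dict starts and ends outside the hunk.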

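--- a/apple/internal/BUILD
+++ b/apple/internal/BUILD
@@ -223,6 +223,7 @@ bzl_library(
 "//apple:common",
 "//apple/internal/utils:defines",
 "@build_bazel_apple_support//lib:apple_support",
+"@rules_cc//cc/common",
 ],
 )
 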
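--- a/apple/internal/entitlements_support.bzl
+++ b/apple/internal/entitlements_support.bzl
@@ -18,6 +18,7 @@ load(
 "@build_bazel_apple_support//lib:apple_support.bzl",
 "apple_support",
 )
+load("@rules_cc//cc/common:cc_common.bzl", "cc_common")
 load(
 "//apple:common.bzl",
 "entitlements_validation_mode",
@@ -30,6 +31,10 @@ load(
 "//apple/internal:bundling_support.bzl",
 "bundling_support",
 )
+load(
+"//apple/internal:providers.bzl",
+"ApplePlatformInfo",
+)
 load(
 "//apple/internal:resource_actions.bzl",
 "resource_actions",
@@ -201,9 +206,7 @@ def _process_entitlements(
 apple_xplat_toolchain_info,
 bundle_id,
 cc_configured_features_init,
-cc_toolchain,
-disabled_features,
-enabled_features,
+cc_toolchains,
 entitlements_file,
 platform_prerequisites,
 product_type,
@@ -238,9 +241,7 @@ def _process_entitlements(
 bundle_id: The bundle identifier.
 cc_configured_features_init: The function to initialize the feature configuration for a
 given cc_toolchain.
-cc_toolchain: A cc_toolchain as found from the rule context's toolchains.
-disabled_features: The features requested to be disabled for the target.
-enabled_features: The features requested for the target.
+cc_toolchains: The cc_toolchain_forwarder target with its providers.
 entitlements_file: The `File` containing the unprocessed entitlements
 (or `None` if none were provided).
 platform_prerequisites: The platform prerequisites.
@@ -283,25 +284,36 @@ def _process_entitlements(
 app_clip = {"com.apple.developer.on-demand-install-capable": True}
 forced_plists.append(struct(**app_clip))
 if secure_features:
-if not apple_xplat_toolchain_info.build_settings.enable_wip_features:
-fail("secure_features are still a work in progress and not yet supported in the rules.")
-
-# Calculate the effective set of Crosstool features for this target, as we do want to double
-# check that the secure features are supported and enabled.
-feature_configuration = cc_configured_features_init(
-cc_toolchain = cc_toolchain,
-requested_features = enabled_features,
-unsupported_features = disabled_features,
-)
+all_secure_features_entitlements = dict()
+for cc_toolchain in cc_toolchains.values():
+cc_toolchain_info = cc_toolchain[cc_common.CcToolchainInfo]
+
+# Calculate the effective set of Crosstool features for this toolchain, as we do want to
+# double check that the secure features are supported and enabled.
+feature_configuration = cc_configured_features_init(
+cc_toolchain = cc_toolchain_info,
+language = "objc",
+)
 
-# Retrieve the entitlements required by the requested secure features, if there are any.
-secure_features_entitlements = secure_features_support.entitlements_from_secure_features(
-feature_configuration = feature_configuration,
-rule_label = rule_label,
-secure_features = secure_features,
-xcode_version = platform_prerequisites.xcode_version_config.xcode_version(),
-)
-forced_plists.append(struct(**secure_features_entitlements))
+# Check that the requested secure features are supported and enabled for the toolchain.
+secure_features_support.validate_secure_features_support(
+cc_toolchain_info = cc_toolchain_info,
+feature_configuration = feature_configuration,
+platform_info = cc_toolchain[ApplePlatformInfo],
+rule_label = rule_label,
+secure_features = secure_features,
+)
+
+# Retrieve the entitlements required by the requested secure features, if there are any.
+secure_features_entitlements = (
+secure_features_support.entitlements_from_secure_features(
+secure_features = secure_features,
+xcode_version = platform_prerequisites.xcode_version_config.xcode_version(),
+)
+)
+all_secure_features_entitlements.update(secure_features_entitlements)
+if all_secure_features_entitlements:
+forced_plists.append(struct(**all_secure_features_entitlements))
 
 inputs = list(plists)
 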
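Review bot: `entitlements_from_secure_features` is now called with only `secure_features` and the Xcode version, both invariant across the `for cc_toolchain in cc_toolchains.values()` loop, so the per-toolchain call and the `dict.update` merge into `all_secure_features_entitlements` recompute the same dict each iteration and, should a later CL make the result toolchain-dependent (the commit message plans per-split feature removal), will let the last toolchain silently win on any conflicting entitlement key. Keep `validate_secure_features_support` per toolchain, compute the entitlements once after the loop, and only reintroduce a merge with an explicit conflict check if the result ever becomes toolchain-specific. Separately, this hunk drops the `enable_wip_features` `fail` from `_process_entitlements`; the commit re-adds it in `apple_binary` and `apple_static_library`, but none of the visible `ios_rules.bzl` hunks do, so unless the gate moved to a file outside this view the bundling rules no longer fail closed when `secure_features` is set. An empty forwarder dict also skips validation entirely without any diagnostic. `_process_entitlements` starts before this hunk and continues after it.
```starlark
if secure_features:
    for cc_toolchain in cc_toolchains.values():
        # … unchanged: cc_toolchain_info, feature_configuration and validate_secure_features_support(...) …

    # The entitlements depend only on the feature list and the Xcode version, so compute them once
    # rather than once per resolved toolchain. If this ever becomes toolchain-dependent, merge
    # per-toolchain results with a conflict check instead of dict.update().
    secure_features_entitlements = secure_features_support.entitlements_from_secure_features(
        secure_features = secure_features,
        xcode_version = platform_prerequisites.xcode_version_config.xcode_version(),
    )
    if secure_features_entitlements:
        forced_plists.append(struct(**secure_features_entitlements))
```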
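--- a/apple/internal/features_support.bzl
+++ b/apple/internal/features_support.bzl
@@ -46,7 +46,13 @@ def _make_cc_configured_features_init(ctx):
 context as the `ctx` argument of `cc_common.configure_features(...)` and will forward any
 arguments it is given to `cc_common.configure_features(...)`.
 """
-return lambda *args, **kwargs: cc_common.configure_features(ctx = ctx, *args, **kwargs)
+return lambda *args, **kwargs: cc_common.configure_features(
+ctx = ctx,
+requested_features = ctx.features,
+unsupported_features = ctx.disabled_features,
+*args,
+**kwargs
+)
 
 features_support = struct(
 compute_enabled_features = _compute_enabled_features,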
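Review bot: The closure now always binds `requested_features = ctx.features` and `unsupported_features = ctx.disabled_features`, so any caller that still passes either keyword (as the pre-change `_process_entitlements` did) will fail with a duplicate keyword argument error rather than override them, yet the docstring kept as context above still promises the closure "will forward any arguments it is given". Update the docstring to state the contract: `Returns a closure that calls cc_common.configure_features with the rule's ctx, ctx.features and ctx.disabled_features pre-bound; callers may pass any other arguments (e.g. cc_toolchain, language) but must not pass requested_features or unsupported_features.` `_make_cc_configured_features_init` begins outside the hunk.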

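--- a/apple/internal/ios_rules.bzl
+++ b/apple/internal/ios_rules.bzl
@@ -180,7 +180,6 @@ def _ios_application_impl(ctx):
 shared_capabilities = ctx.attr.shared_capabilities,
 )
 bundle_verification_targets = [struct(target = ext) for ext in ctx.attr.extensions]
-cc_toolchain = find_cpp_toolchain(ctx)
 cc_toolchain_forwarder = ctx.split_attr._cc_toolchain_forwarder
 embeddable_targets = (
 ctx.attr.frameworks +
@@ -236,9 +235,7 @@ def _ios_application_impl(ctx):
 apple_xplat_toolchain_info = apple_xplat_toolchain_info,
 bundle_id = bundle_id,
 cc_configured_features_init = features_support.make_cc_configured_features_init(ctx),
-cc_toolchain = cc_toolchain,
-disabled_features = ctx.disabled_features,
-enabled_features = ctx.features,
+cc_toolchains = cc_toolchain_forwarder,
 entitlements_file = ctx.file.entitlements,
 platform_prerequisites = platform_prerequisites,
 product_type = rule_descriptor.product_type,
@@ -583,7 +580,6 @@ def _ios_app_clip_impl(ctx):
 suffix_default = ctx.attr._bundle_id_suffix_default,
 shared_capabilities = ctx.attr.shared_capabilities,
 )
-cc_toolchain = find_cpp_toolchain(ctx)
 cc_toolchain_forwarder = ctx.split_attr._cc_toolchain_forwarder
 bundle_verification_targets = [struct(target = ext) for ext in ctx.attr.extensions]
 embeddable_targets = (
@@ -635,9 +631,7 @@ def _ios_app_clip_impl(ctx):
 apple_xplat_toolchain_info = apple_xplat_toolchain_info,
 bundle_id = bundle_id,
 cc_configured_features_init = features_support.make_cc_configured_features_init(ctx),
-cc_toolchain = cc_toolchain,
-disabled_features = ctx.disabled_features,
-enabled_features = ctx.features,
+cc_toolchains = cc_toolchain_forwarder,
 entitlements_file = ctx.file.entitlements,
 platform_prerequisites = platform_prerequisites,
 product_type = rule_descriptor.product_type,
@@ -913,7 +907,6 @@ def _ios_framework_impl(ctx):
 bundle_name = bundle_name,
 suffix_default = ctx.attr._bundle_id_suffix_default,
 )
-cc_toolchain = find_cpp_toolchain(ctx)
 cc_toolchain_forwarder = ctx.split_attr._cc_toolchain_forwarder
 executable_name = ctx.attr.executable_name
 features = features_support.compute_enabled_features(
@@ -1067,9 +1060,7 @@ def _ios_framework_impl(ctx):
 bundle_only = ctx.attr.bundle_only,
 cc_configured_features_init = features_support.make_cc_configured_features_init(ctx),
 cc_linking_contexts = linking_contexts,
-cc_toolchain = cc_toolchain,
-features = features,
-disabled_features = ctx.disabled_features,
+cc_toolchain = find_cpp_toolchain(ctx),
 rule_label = label,
 ),
 partials.resources_partial(
@@ -1168,7 +1159,6 @@ def _ios_extension_impl(ctx):
 suffix_default = ctx.attr._bundle_id_suffix_default,
 shared_capabilities = ctx.attr.shared_capabilities,
 )
-cc_toolchain = find_cpp_toolchain(ctx)
 cc_toolchain_forwarder = ctx.split_attr._cc_toolchain_forwarder
 features = features_support.compute_enabled_features(
 requested_features = ctx.features,
@@ -1215,9 +1205,7 @@ def _ios_extension_impl(ctx):
 apple_xplat_toolchain_info = apple_xplat_toolchain_info,
 bundle_id = bundle_id,
 cc_configured_features_init = features_support.make_cc_configured_features_init(ctx),
-cc_toolchain = cc_toolchain,
-disabled_features = ctx.disabled_features,
-enabled_features = ctx.features,
+cc_toolchains = cc_toolchain_forwarder,
 entitlements_file = ctx.file.entitlements,
 platform_prerequisites = platform_prerequisites,
 product_type = rule_descriptor.product_type,
@@ -1654,8 +1642,6 @@ def _ios_dynamic_framework_impl(ctx):
 cc_configured_features_init = features_support.make_cc_configured_features_init(ctx),
 cc_linking_contexts = linking_contexts,
 cc_toolchain = cc_toolchain,
-features = features,
-disabled_features = ctx.disabled_features,
 rule_label = label,
 ),
 partials.resources_partial(
@@ -1896,6 +1882,22 @@ def _ios_static_framework_impl(ctx):
 
 def _ios_imessage_application_impl(ctx):
 """Experimental implementation of ios_imessage_application."""
+
+# Using "deps" to compute binary architectures, entitlements and features, but we're using a
+# stub binary to handle the actual binary, just like a rule for a watchOS 2 app bundle.
+if ctx.attr.deps:
+fail("""
+ios_imessage_application does not support `deps`.
+
+This rule is merely a container for an iMessage extension with limited functionality. If this \
+iMessage extension requires a hosting binary, it should be assigned as one of the `extensions` \
+of an `ios_application` rather than an `ios_imessage_application`.
+
+If you mean to use this for packaging an iMessage extension and nothing more, please assign a \
+reference to an ios_imessage_extension target to the `extension` attribute instead, to give this \
+app an implementation.
+""")
+
 rule_descriptor = rule_support.rule_descriptor(
 platform_type = ctx.attr.platform_type,
 product_type = apple_product_type.messages_application,
@@ -1922,7 +1924,7 @@ def _ios_imessage_application_impl(ctx):
 unsupported_features = ctx.disabled_features,
 )
 bundle_verification_targets = [struct(target = ctx.attr.extension)]
-cc_toolchain = find_cpp_toolchain(ctx)
+cc_toolchain_forwarder = ctx.split_attr._cc_toolchain_forwarder
 embeddable_targets = [ctx.attr.extension]
 label = ctx.label
 platform_prerequisites = platform_support.platform_prerequisites(
@@ -1963,9 +1965,7 @@ def _ios_imessage_application_impl(ctx):
 apple_xplat_toolchain_info = apple_xplat_toolchain_info,
 bundle_id = bundle_id,
 cc_configured_features_init = features_support.make_cc_configured_features_init(ctx),
-cc_toolchain = cc_toolchain,
-disabled_features = ctx.disabled_features,
-enabled_features = ctx.features,
+cc_toolchains = cc_toolchain_forwarder,
 entitlements_file = ctx.file.entitlements,
 platform_prerequisites = platform_prerequisites,
 product_type = rule_descriptor.product_type,
@@ -2133,7 +2133,6 @@ def _ios_imessage_extension_impl(ctx):
 shared_capabilities = ctx.attr.shared_capabilities,
 )
 executable_name = ctx.attr.executable_name
-cc_toolchain = find_cpp_toolchain(ctx)
 cc_toolchain_forwarder = ctx.split_attr._cc_toolchain_forwarder
 features = features_support.compute_enabled_features(
 requested_features = ctx.features,
@@ -2178,9 +2177,7 @@ def _ios_imessage_extension_impl(ctx):
 apple_xplat_toolchain_info = apple_xplat_toolchain_info,
 bundle_id = bundle_id,
 cc_configured_features_init = features_support.make_cc_configured_features_init(ctx),
-cc_toolchain = cc_toolchain,
-disabled_features = ctx.disabled_features,
-enabled_features = ctx.features,
+cc_toolchains = cc_toolchain_forwarder,
 entitlements_file = ctx.file.entitlements,
 platform_prerequisites = platform_prerequisites,
 product_type = rule_descriptor.product_type,
@@ -2412,7 +2409,7 @@ def _ios_sticker_pack_extension_impl(ctx):
 suffix_default = ctx.attr._bundle_id_suffix_default,
 shared_capabilities = ctx.attr.shared_capabilities,
 )
-cc_toolchain = find_cpp_toolchain(ctx)
+cc_toolchain_forwarder = ctx.split_attr._cc_toolchain_forwarder
 executable_name = ctx.attr.executable_name
 features = features_support.compute_enabled_features(
 requested_features = ctx.features,
@@ -2457,9 +2454,7 @@ def _ios_sticker_pack_extension_impl(ctx):
 apple_xplat_toolchain_info = apple_xplat_toolchain_info,
 bundle_id = bundle_id,
 cc_configured_features_init = features_support.make_cc_configured_features_init(ctx),
-cc_toolchain = cc_toolchain,
-disabled_features = ctx.disabled_features,
-enabled_features = ctx.features,
+cc_toolchains = cc_toolchain_forwarder,
 entitlements_file = ctx.file.entitlements,
 platform_prerequisites = platform_prerequisites,
 product_type = rule_descriptor.product_type,
@@ -3105,6 +3100,15 @@ for either an iOS iMessage extension or a Sticker Pack extension.""",
 icon_extension = ".appiconset",
 icon_parent_extension = ".xcassets",
 ),
+rule_attrs.binary_linking_attrs(
+deps_cfg = transition_support.apple_platform_split_transition,
+extra_deps_aspects = [
+apple_resource_aspect,
+framework_provider_aspect,
+],
+is_test_supporting_rule = False,
+requires_legacy_cc_toolchain = True,
+),
 rule_attrs.common_bundle_attrs(deps_cfg = transition_support.apple_platform_split_transition),
 rule_attrs.common_tool_attrs(),
 rule_attrs.device_family_attrs(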
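Review bot: `ios_imessage_application` now exposes a `deps` attribute through `rule_attrs.binary_linking_attrs(...)` in the last hunk, while `_ios_imessage_application_impl` rejects any value of it with `fail(...)`, so the attribute is visible to BUILD authors but can never be non-empty, and the comment above the check (`# Using "deps" to compute binary architectures, entitlements and features`) reads as if deps were consumed. Make the comment state the actual contract: `# "deps" is declared only so the shared linking attrs (cc toolchain forwarder, split transition, entitlements and feature plumbing) resolve for this rule; the app binary is a stub, so any real deps are rejected below.` The `deps` doc produced inside `binary_linking_attrs` (outside this view) should likewise say the list must be empty for this rule, and `requires_legacy_cc_toolchain = True` should be confirmed as necessary for a rule that links nothing of its own. Each `_ios_*_impl` function touched here starts and ends outside its hunk.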
