Add secure_features support to SDK rules, backed by tests to validate arm64e support and disabled features.

Cherry-pick: 4012850

Author: nglevin

apple/BUILD

@@ -74,10 +74,12 @@ bzl_library(
     srcs = ["apple_binary.bzl"],
     deps = [
         "//apple/internal:apple_toolchains",
+        "//apple/internal:features_support",
         "//apple/internal:linking_support",
         "//apple/internal:providers",
         "//apple/internal:rule_attrs",
         "//apple/internal:rule_factory",
+        "//apple/internal:secure_features_support",
         "//apple/internal:transition_support",
         "@build_bazel_apple_support//lib:apple_support",
         "@rules_cc//cc/common",
@@ -88,11 +90,12 @@ bzl_library(
     name = "apple_static_library",
     srcs = ["apple_static_library.bzl"],
     deps = [
-        ":providers",
+        "//apple/internal:features_support",
         "//apple/internal:linking_support",
         "//apple/internal:providers",
         "//apple/internal:rule_attrs",
         "//apple/internal:rule_factory",
+        "//apple/internal:secure_features_support",
         "//apple/internal:transition_support",
         "@rules_cc//cc/common",
     ],

apple/apple_binary.bzl

@@ -24,6 +24,10 @@ load(
     "AppleXPlatToolsToolchainInfo",
     "apple_toolchain_utils",
 )
+load(
+    "//apple/internal:features_support.bzl",
+    "features_support",
+)
 load(
     "//apple/internal:linking_support.bzl",
     "linking_support",
@@ -41,6 +45,10 @@ load(
     "//apple/internal:rule_factory.bzl",
     "rule_factory",
 )
+load(
+    "//apple/internal:secure_features_support.bzl",
+    "secure_features_support",
+)
 load(
     "//apple/internal:transition_support.bzl",
     "transition_support",
@@ -76,12 +84,19 @@ Resolved Xcode is version {xcode_version}.
     apple_xplat_toolchain_info = ctx.attr._xplat_toolchain[AppleXPlatToolsToolchainInfo]
     binary_type = ctx.attr.binary_type
     bundle_loader = ctx.attr.bundle_loader
+    cc_configured_features_init = features_support.make_cc_configured_features_init(ctx)
     cc_toolchain_forwarder = ctx.split_attr._cc_toolchain_forwarder
 
+    rule_label = ctx.label
     secure_features = ctx.attr.secure_features
-    if secure_features:
-        if not apple_xplat_toolchain_info.build_settings.enable_wip_features:
-            fail("secure_features are still a work in progress and not yet supported in the rules.")
+
+    # Check that the requested secure features are supported and enabled for the toolchain.
+    secure_features_support.validate_secure_features_support(
+        cc_configured_features_init = cc_configured_features_init,
+        cc_toolchain_forwarder = cc_toolchain_forwarder,
+        rule_label = rule_label,
+        secure_features = secure_features,
+    )
 
     extra_linkopts = []
 
@@ -111,7 +126,7 @@ Resolved Xcode is version {xcode_version}.
         cc_toolchains = cc_toolchain_forwarder,
         build_settings = apple_xplat_toolchain_info.build_settings,
         bundle_loader = bundle_loader,
-        bundle_name = ctx.label.name,
+        bundle_name = rule_label.name,
         exported_symbols_lists = ctx.files.exported_symbols_lists,
         extra_linkopts = extra_linkopts,
         platform_prerequisites = None,

apple/apple_static_library.bzl

@@ -20,8 +20,8 @@ load(
     "ApplePlatformInfo",
 )
 load(
-    "//apple/internal:apple_toolchains.bzl",
-    "AppleXPlatToolsToolchainInfo",
+    "//apple/internal:features_support.bzl",
+    "features_support",
 )
 load(
     "//apple/internal:linking_support.bzl",
@@ -39,13 +39,19 @@ load(
     "//apple/internal:rule_factory.bzl",
     "rule_factory",
 )
+load(
+    "//apple/internal:secure_features_support.bzl",
+    "secure_features_support",
+)
 load(
     "//apple/internal:transition_support.bzl",
     "transition_support",
 )
 
 def _apple_static_library_impl(ctx):
-    apple_xplat_toolchain_info = ctx.attr._xplat_toolchain[AppleXPlatToolsToolchainInfo]
+    cc_configured_features_init = features_support.make_cc_configured_features_init(ctx)
+    cc_toolchain_forwarder = ctx.split_attr._cc_toolchain_forwarder
+    rule_label = ctx.label
 
     if ctx.attr.platform_type == "visionos":
         xcode_version_config = ctx.attr._xcode_config[apple_common.XcodeVersionConfig]
@@ -61,13 +67,10 @@ Resolved Xcode is version {xcode_version}.
     # `dotted_version` or explicitly through `fail` on an unrecognized platform type value.
 
     secure_features = ctx.attr.secure_features
-    if secure_features:
-        if not apple_xplat_toolchain_info.build_settings.enable_wip_features:
-            fail("secure_features are still a work in progress and not yet supported in the rules.")
 
-    # Validate that the resolved platform matches the platform_type attr.
-    for toolchain_key, resolved_toolchain in ctx.split_attr._cc_toolchain_forwarder.items():
-        if resolved_toolchain[ApplePlatformInfo].target_os != ctx.attr.platform_type:
+    for toolchain_key, cc_toolchain in cc_toolchain_forwarder.items():
+        # Validate that the resolved platform matches the platform_type attr.
+        if cc_toolchain[ApplePlatformInfo].target_os != ctx.attr.platform_type:
             fail("""
 ERROR: Unexpected resolved platform:
 Expected Apple platform type of "{platform_type}", but that was not found in {toolchain_key}.
@@ -76,7 +79,14 @@ Expected Apple platform type of "{platform_type}", but that was not found in {to
                 toolchain_key = toolchain_key,
             ))
 
-    cc_toolchain_forwarder = ctx.split_attr._cc_toolchain_forwarder
+    # Check that the requested secure features are supported and enabled for the toolchain.
+    secure_features_support.validate_secure_features_support(
+        cc_configured_features_init = cc_configured_features_init,
+        cc_toolchain_forwarder = cc_toolchain_forwarder,
+        rule_label = rule_label,
+        secure_features = secure_features,
+    )
+
     archive_result = linking_support.register_static_library_archive_action(
         ctx = ctx,
         cc_toolchains = cc_toolchain_forwarder,

apple/internal/BUILD

@@ -224,7 +224,6 @@ bzl_library(
         "//apple:common",
         "//apple/internal/utils:defines",
         "@build_bazel_apple_support//lib:apple_support",
-        "@rules_cc//cc/common",
     ],
 )
 
@@ -326,6 +325,7 @@ bzl_library(
         ":rule_factory",
         ":rule_support",
         ":run_support",
+        ":secure_features_support",
         ":stub_support",
         ":swift_support",
         ":transition_support",
@@ -413,6 +413,7 @@ bzl_library(
         ":rule_factory",
         ":rule_support",
         ":run_support",
+        ":secure_features_support",
         ":swift_support",
         ":transition_support",
         "//apple:providers",
@@ -640,9 +641,10 @@ bzl_library(
     name = "secure_features_support",
     srcs = ["secure_features_support.bzl"],
     visibility = [
-        "//apple/internal:__subpackages__",
+        "//apple:__subpackages__",
     ],
     deps = [
+        ":providers",
         "@rules_cc//cc/common",
     ],
 )
@@ -729,6 +731,7 @@ bzl_library(
         ":rule_factory",
         ":rule_support",
         ":run_support",
+        ":secure_features_support",
         ":swift_support",
         ":transition_support",
         "//apple:providers",
@@ -843,6 +846,7 @@ bzl_library(
         ":rule_attrs",
         ":rule_factory",
         ":rule_support",
+        ":secure_features_support",
         ":swift_support",
         ":transition_support",
         "//apple:providers",

apple/internal/entitlements_support.bzl

@@ -18,7 +18,6 @@ load(
     "@build_bazel_apple_support//lib:apple_support.bzl",
     "apple_support",
 )
-load("@rules_cc//cc/common:cc_common.bzl", "cc_common")
 load(
     "//apple:common.bzl",
     "entitlements_validation_mode",
@@ -31,10 +30,6 @@ load(
     "//apple/internal:bundling_support.bzl",
     "bundling_support",
 )
-load(
-    "//apple/internal:providers.bzl",
-    "ApplePlatformInfo",
-)
 load(
     "//apple/internal:resource_actions.bzl",
     "resource_actions",
@@ -203,7 +198,6 @@ def _extract_signing_info(
 def _process_entitlements(
         actions,
         apple_mac_toolchain_info,
-        apple_xplat_toolchain_info,
         bundle_id,
         cc_configured_features_init,
         cc_toolchains,
@@ -236,8 +230,6 @@ def _process_entitlements(
         actions: The object used to register actions.
         apple_mac_toolchain_info: The `struct` of tools from the shared Apple
             toolchain.
-        apple_xplat_toolchain_info: The `struct` of tools from the shared Apple
-            cross platform toolchain.
         bundle_id: The bundle identifier.
         cc_configured_features_init: The function to initialize the feature configuration for a
             given cc_toolchain.
@@ -284,36 +276,23 @@ def _process_entitlements(
         app_clip = {"com.apple.developer.on-demand-install-capable": True}
         forced_plists.append(struct(**app_clip))
     if secure_features:
-        all_secure_features_entitlements = dict()
-        for cc_toolchain in cc_toolchains.values():
-            cc_toolchain_info = cc_toolchain[cc_common.CcToolchainInfo]
-
-            # Calculate the effective set of Crosstool features for this toolchain, as we do want to
-            # double check that the secure features are supported and enabled.
-            feature_configuration = cc_configured_features_init(
-                cc_toolchain = cc_toolchain_info,
-                language = "objc",
-            )
+        # Check that the requested secure features are supported and enabled for the toolchain.
+        secure_features_support.validate_secure_features_support(
+            cc_configured_features_init = cc_configured_features_init,
+            cc_toolchain_forwarder = cc_toolchains,
+            rule_label = rule_label,
+            secure_features = secure_features,
+        )
 
-            # Check that the requested secure features are supported and enabled for the toolchain.
-            secure_features_support.validate_secure_features_support(
-                cc_toolchain_info = cc_toolchain_info,
-                feature_configuration = feature_configuration,
-                platform_info = cc_toolchain[ApplePlatformInfo],
-                rule_label = rule_label,
+        # Retrieve the entitlements required by the requested secure features, if there are any.
+        secure_features_entitlements = (
+            secure_features_support.entitlements_from_secure_features(
                 secure_features = secure_features,
+                xcode_version = platform_prerequisites.xcode_version_config.xcode_version(),
             )
-
-            # Retrieve the entitlements required by the requested secure features, if there are any.
-            secure_features_entitlements = (
-                secure_features_support.entitlements_from_secure_features(
-                    secure_features = secure_features,
-                    xcode_version = platform_prerequisites.xcode_version_config.xcode_version(),
-                )
-            )
-            all_secure_features_entitlements.update(secure_features_entitlements)
-        if all_secure_features_entitlements:
-            forced_plists.append(struct(**all_secure_features_entitlements))
+        )
+        if secure_features_entitlements:
+            forced_plists.append(struct(**secure_features_entitlements))
 
     inputs = list(plists)
 

apple/internal/ios_rules.bzl

@@ -122,6 +122,10 @@ load(
     "//apple/internal:run_support.bzl",
     "run_support",
 )
+load(
+    "//apple/internal:secure_features_support.bzl",
+    "secure_features_support",
+)
 load(
     "//apple/internal:stub_support.bzl",
     "stub_support",
@@ -232,7 +236,6 @@ def _ios_application_impl(ctx):
     entitlements = entitlements_support.process_entitlements(
         actions = actions,
         apple_mac_toolchain_info = apple_mac_toolchain_info,
-        apple_xplat_toolchain_info = apple_xplat_toolchain_info,
         bundle_id = bundle_id,
         cc_configured_features_init = features_support.make_cc_configured_features_init(ctx),
         cc_toolchains = cc_toolchain_forwarder,
@@ -625,7 +628,6 @@ def _ios_app_clip_impl(ctx):
     entitlements = entitlements_support.process_entitlements(
         actions = actions,
         apple_mac_toolchain_info = apple_mac_toolchain_info,
-        apple_xplat_toolchain_info = apple_xplat_toolchain_info,
         bundle_id = bundle_id,
         cc_configured_features_init = features_support.make_cc_configured_features_init(ctx),
         cc_toolchains = cc_toolchain_forwarder,
@@ -1208,7 +1210,6 @@ def _ios_extension_impl(ctx):
     entitlements = entitlements_support.process_entitlements(
         actions = actions,
         apple_mac_toolchain_info = apple_mac_toolchain_info,
-        apple_xplat_toolchain_info = apple_xplat_toolchain_info,
         bundle_id = bundle_id,
         cc_configured_features_init = features_support.make_cc_configured_features_init(ctx),
         cc_toolchains = cc_toolchain_forwarder,
@@ -1752,6 +1753,7 @@ def _ios_static_framework_impl(ctx):
     apple_mac_toolchain_info = ctx.attr._mac_toolchain[AppleMacToolsToolchainInfo]
     apple_xplat_toolchain_info = ctx.attr._xplat_toolchain[AppleXPlatToolsToolchainInfo]
     avoid_deps = ctx.attr.avoid_deps
+    cc_configured_features_init = features_support.make_cc_configured_features_init(ctx)
     cc_toolchain_forwarder = ctx.split_attr._cc_toolchain_forwarder
     deps = ctx.attr.deps
     label = ctx.label
@@ -1782,6 +1784,15 @@ def _ios_static_framework_impl(ctx):
         xcode_version_config = ctx.attr._xcode_config[apple_common.XcodeVersionConfig],
     )
     resource_deps = ctx.attr.deps + ctx.attr.resources
+    secure_features = ctx.attr.secure_features
+
+    # Check that the requested secure features are supported and enabled for the toolchain.
+    secure_features_support.validate_secure_features_support(
+        cc_configured_features_init = cc_configured_features_init,
+        cc_toolchain_forwarder = cc_toolchain_forwarder,
+        rule_label = label,
+        secure_features = secure_features,
+    )
 
     archive_result = linking_support.register_static_library_archive_action(
         ctx = ctx,
@@ -1965,7 +1976,6 @@ app an implementation.
     entitlements = entitlements_support.process_entitlements(
         actions = actions,
         apple_mac_toolchain_info = apple_mac_toolchain_info,
-        apple_xplat_toolchain_info = apple_xplat_toolchain_info,
         bundle_id = bundle_id,
         cc_configured_features_init = features_support.make_cc_configured_features_init(ctx),
         cc_toolchains = cc_toolchain_forwarder,
@@ -2177,7 +2187,6 @@ def _ios_imessage_extension_impl(ctx):
     entitlements = entitlements_support.process_entitlements(
         actions = actions,
         apple_mac_toolchain_info = apple_mac_toolchain_info,
-        apple_xplat_toolchain_info = apple_xplat_toolchain_info,
         bundle_id = bundle_id,
         cc_configured_features_init = features_support.make_cc_configured_features_init(ctx),
         cc_toolchains = cc_toolchain_forwarder,
@@ -2454,7 +2463,6 @@ def _ios_sticker_pack_extension_impl(ctx):
     entitlements = entitlements_support.process_entitlements(
         actions = actions,
         apple_mac_toolchain_info = apple_mac_toolchain_info,
-        apple_xplat_toolchain_info = apple_xplat_toolchain_info,
         bundle_id = bundle_id,
         cc_configured_features_init = features_support.make_cc_configured_features_init(ctx),
         cc_toolchains = cc_toolchain_forwarder,
@@ -3075,6 +3083,12 @@ fashion, such as a Cocoapod.
 A list of `.h` files that will be publicly exposed by this framework. These headers should have
 framework-relative imports, and if non-empty, an umbrella header named `%{bundle_name}.h` will also
 be generated that imports all of the headers listed here.
+""",
+            ),
+            "secure_features": attr.string_list(
+                doc = """
+A list of strings representing Apple Enhanced Security crosstool features that should be enabled for
+this target.
 """,
             ),
             "umbrella_header": attr.label(