
Commit a2fc3d5

nglevinluispadron
authored andcommitted
Add secure_features support to SDK rules, backed by tests to validate arm64e support and disabled features.
Cherry-pick: 4012850
1 parent 6e8e8b8 commit a2fc3d5

25 files changed

Lines changed: 701 additions & 140 deletions

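--- a/apple/BUILD
+++ b/apple/BUILD
@@ -53,10 +53,12 @@ bzl_library(
 srcs = ["apple_binary.bzl"],
 deps = [
 "//apple/internal:apple_toolchains",
+"//apple/internal:features_support",
 "//apple/internal:linking_support",
 "//apple/internal:providers",
 "//apple/internal:rule_attrs",
 "//apple/internal:rule_factory",
+"//apple/internal:secure_features_support",
 "//apple/internal:transition_support",
 "@build_bazel_apple_support//lib:apple_support",
 "@rules_cc//cc/common",
@@ -67,11 +69,12 @@ bzl_library(
 name = "apple_static_library",
 srcs = ["apple_static_library.bzl"],
 deps = [
-":providers",
+"//apple/internal:features_support",
 "//apple/internal:linking_support",
 "//apple/internal:providers",
 "//apple/internal:rule_attrs",
 "//apple/internal:rule_factory",
+"//apple/internal:secure_features_support",
 "//apple/internal:transition_support",
 "@rules_cc//cc/common",
 ],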

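--- a/apple/apple_binary.bzl
+++ b/apple/apple_binary.bzl
@@ -24,6 +24,10 @@ load(
 "AppleXPlatToolsToolchainInfo",
 "apple_toolchain_utils",
 )
+load(
+"//apple/internal:features_support.bzl",
+"features_support",
+)
 load(
 "//apple/internal:linking_support.bzl",
 "linking_support",
@@ -41,6 +45,10 @@ load(
 "//apple/internal:rule_factory.bzl",
 "rule_factory",
 )
+load(
+"//apple/internal:secure_features_support.bzl",
+"secure_features_support",
+)
 load(
 "//apple/internal:transition_support.bzl",
 "transition_support",
@@ -76,12 +84,19 @@ Resolved Xcode is version {xcode_version}.
 apple_xplat_toolchain_info = ctx.attr._xplat_toolchain[AppleXPlatToolsToolchainInfo]
 binary_type = ctx.attr.binary_type
 bundle_loader = ctx.attr.bundle_loader
+cc_configured_features_init = features_support.make_cc_configured_features_init(ctx)
 cc_toolchain_forwarder = ctx.split_attr._cc_toolchain_forwarder
 
+rule_label = ctx.label
 secure_features = ctx.attr.secure_features
-if secure_features:
-if not apple_xplat_toolchain_info.build_settings.enable_wip_features:
-fail("secure_features are still a work in progress and not yet supported in the rules.")
+
+# Check that the requested secure features are supported and enabled for the toolchain.
+secure_features_support.validate_secure_features_support(
+cc_configured_features_init = cc_configured_features_init,
+cc_toolchain_forwarder = cc_toolchain_forwarder,
+rule_label = rule_label,
+secure_features = secure_features,
+)
 
 extra_linkopts = []
 
@@ -111,7 +126,7 @@ Resolved Xcode is version {xcode_version}.
 cc_toolchains = cc_toolchain_forwarder,
 build_settings = apple_xplat_toolchain_info.build_settings,
 bundle_loader = bundle_loader,
-bundle_name = ctx.label.name,
+bundle_name = rule_label.name,
 exported_symbols_lists = ctx.files.exported_symbols_lists,
 extra_linkopts = extra_linkopts,
 platform_prerequisites = None,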
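Review bot: The call to `secure_features_support.validate_secure_features_support` at new lines 94-99 runs even when `secure_features` is empty, while the call in `apple/internal/entitlements_support.bzl` still sits under `if secure_features:`; the same unconditional form is used in `apple_static_library.bzl` and in `_ios_static_framework_impl` in `ios_rules.bzl`. With the `enable_wip_features` gate removed, this call is the only guard left on the attribute in this rule, and the helper's body is not in this view, so it cannot be confirmed from here whether an empty list is a no-op or whether the helper also checks toolchain features that were enabled without being requested. If it does the latter, the bundle path skips that check; if it does not, the call sites should still agree. I would state the contract at the call, for example `# Called unconditionally: validate_secure_features_support must accept an empty secure_features list.` The rule implementation function starts and ends outside these hunks.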

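--- a/apple/apple_static_library.bzl
+++ b/apple/apple_static_library.bzl
@@ -20,8 +20,8 @@ load(
 "ApplePlatformInfo",
 )
 load(
-"//apple/internal:apple_toolchains.bzl",
-"AppleXPlatToolsToolchainInfo",
+"//apple/internal:features_support.bzl",
+"features_support",
 )
 load(
 "//apple/internal:linking_support.bzl",
@@ -39,13 +39,19 @@ load(
 "//apple/internal:rule_factory.bzl",
 "rule_factory",
 )
+load(
+"//apple/internal:secure_features_support.bzl",
+"secure_features_support",
+)
 load(
 "//apple/internal:transition_support.bzl",
 "transition_support",
 )
 
 def _apple_static_library_impl(ctx):
-apple_xplat_toolchain_info = ctx.attr._xplat_toolchain[AppleXPlatToolsToolchainInfo]
+cc_configured_features_init = features_support.make_cc_configured_features_init(ctx)
+cc_toolchain_forwarder = ctx.split_attr._cc_toolchain_forwarder
+rule_label = ctx.label
 
 if ctx.attr.platform_type == "visionos":
 xcode_version_config = ctx.attr._xcode_config[apple_common.XcodeVersionConfig]
@@ -61,13 +67,10 @@ Resolved Xcode is version {xcode_version}.
 # `dotted_version` or explicitly through `fail` on an unrecognized platform type value.
 
 secure_features = ctx.attr.secure_features
-if secure_features:
-if not apple_xplat_toolchain_info.build_settings.enable_wip_features:
-fail("secure_features are still a work in progress and not yet supported in the rules.")
 
-# Validate that the resolved platform matches the platform_type attr.
-for toolchain_key, resolved_toolchain in ctx.split_attr._cc_toolchain_forwarder.items():
-if resolved_toolchain[ApplePlatformInfo].target_os != ctx.attr.platform_type:
+for toolchain_key, cc_toolchain in cc_toolchain_forwarder.items():
+# Validate that the resolved platform matches the platform_type attr.
+if cc_toolchain[ApplePlatformInfo].target_os != ctx.attr.platform_type:
 fail("""
 ERROR: Unexpected resolved platform:
 Expected Apple platform type of "{platform_type}", but that was not found in {toolchain_key}.
@@ -76,7 +79,14 @@ Expected Apple platform type of "{platform_type}", but that was not found in {to
 toolchain_key = toolchain_key,
 ))
 
-cc_toolchain_forwarder = ctx.split_attr._cc_toolchain_forwarder
+# Check that the requested secure features are supported and enabled for the toolchain.
+secure_features_support.validate_secure_features_support(
+cc_configured_features_init = cc_configured_features_init,
+cc_toolchain_forwarder = cc_toolchain_forwarder,
+rule_label = rule_label,
+secure_features = secure_features,
+)
+
 archive_result = linking_support.register_static_library_archive_action(
 ctx = ctx,
 cc_toolchains = cc_toolchain_forwarder,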
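Review bot: `secure_features` is still read at new line 69, ahead of the platform-type loop, but the only use visible in these hunks is the validation call at new lines 83-88. Moving `secure_features = ctx.attr.secure_features` down next to that call keeps the read and the check together, which matters now that the old `if secure_features:` block that sat directly under the assignment is gone. `rule_label` at new line 54 is likewise an alias for `ctx.label` whose only visible use is that call, so it could be passed as `rule_label = ctx.label`. `_apple_static_library_impl` continues past the end of the last hunk.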

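--- a/apple/internal/BUILD
+++ b/apple/internal/BUILD
@@ -223,7 +223,6 @@ bzl_library(
 "//apple:common",
 "//apple/internal/utils:defines",
 "@build_bazel_apple_support//lib:apple_support",
-"@rules_cc//cc/common",
 ],
 )
 
@@ -325,6 +324,7 @@ bzl_library(
 ":rule_factory",
 ":rule_support",
 ":run_support",
+":secure_features_support",
 ":stub_support",
 ":swift_support",
 ":transition_support",
@@ -412,6 +412,7 @@ bzl_library(
 ":rule_factory",
 ":rule_support",
 ":run_support",
+":secure_features_support",
 ":swift_support",
 ":transition_support",
 "//apple:providers",
@@ -638,9 +639,10 @@ bzl_library(
 name = "secure_features_support",
 srcs = ["secure_features_support.bzl"],
 visibility = [
-"//apple/internal:__subpackages__",
+"//apple:__subpackages__",
 ],
 deps = [
+":providers",
 "@rules_cc//cc/common",
 ],
 )
@@ -727,6 +729,7 @@ bzl_library(
 ":rule_factory",
 ":rule_support",
 ":run_support",
+":secure_features_support",
 ":swift_support",
 ":transition_support",
 "//apple:providers",
@@ -838,6 +841,7 @@ bzl_library(
 ":rule_attrs",
 ":rule_factory",
 ":rule_support",
+":secure_features_support",
 ":swift_support",
 ":transition_support",
 "//apple:providers",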

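--- a/apple/internal/entitlements_support.bzl
+++ b/apple/internal/entitlements_support.bzl
@@ -18,7 +18,6 @@ load(
 "@build_bazel_apple_support//lib:apple_support.bzl",
 "apple_support",
 )
-load("@rules_cc//cc/common:cc_common.bzl", "cc_common")
 load(
 "//apple:common.bzl",
 "entitlements_validation_mode",
@@ -31,10 +30,6 @@ load(
 "//apple/internal:bundling_support.bzl",
 "bundling_support",
 )
-load(
-"//apple/internal:providers.bzl",
-"ApplePlatformInfo",
-)
 load(
 "//apple/internal:resource_actions.bzl",
 "resource_actions",
@@ -203,7 +198,6 @@ def _extract_signing_info(
 def _process_entitlements(
 actions,
 apple_mac_toolchain_info,
-apple_xplat_toolchain_info,
 bundle_id,
 cc_configured_features_init,
 cc_toolchains,
@@ -236,8 +230,6 @@ def _process_entitlements(
 actions: The object used to register actions.
 apple_mac_toolchain_info: The `struct` of tools from the shared Apple
 toolchain.
-apple_xplat_toolchain_info: The `struct` of tools from the shared Apple
-cross platform toolchain.
 bundle_id: The bundle identifier.
 cc_configured_features_init: The function to initialize the feature configuration for a
 given cc_toolchain.
@@ -284,36 +276,23 @@ def _process_entitlements(
 app_clip = {"com.apple.developer.on-demand-install-capable": True}
 forced_plists.append(struct(**app_clip))
 if secure_features:
-all_secure_features_entitlements = dict()
-for cc_toolchain in cc_toolchains.values():
-cc_toolchain_info = cc_toolchain[cc_common.CcToolchainInfo]
-
-# Calculate the effective set of Crosstool features for this toolchain, as we do want to
-# double check that the secure features are supported and enabled.
-feature_configuration = cc_configured_features_init(
-cc_toolchain = cc_toolchain_info,
-language = "objc",
-)
+# Check that the requested secure features are supported and enabled for the toolchain.
+secure_features_support.validate_secure_features_support(
+cc_configured_features_init = cc_configured_features_init,
+cc_toolchain_forwarder = cc_toolchains,
+rule_label = rule_label,
+secure_features = secure_features,
+)
 
-# Check that the requested secure features are supported and enabled for the toolchain.
-secure_features_support.validate_secure_features_support(
-cc_toolchain_info = cc_toolchain_info,
-feature_configuration = feature_configuration,
-platform_info = cc_toolchain[ApplePlatformInfo],
-rule_label = rule_label,
+# Retrieve the entitlements required by the requested secure features, if there are any.
+secure_features_entitlements = (
+secure_features_support.entitlements_from_secure_features(
 secure_features = secure_features,
+xcode_version = platform_prerequisites.xcode_version_config.xcode_version(),
 )
-
-# Retrieve the entitlements required by the requested secure features, if there are any.
-secure_features_entitlements = (
-secure_features_support.entitlements_from_secure_features(
-secure_features = secure_features,
-xcode_version = platform_prerequisites.xcode_version_config.xcode_version(),
-)
-)
-all_secure_features_entitlements.update(secure_features_entitlements)
-if all_secure_features_entitlements:
-forced_plists.append(struct(**all_secure_features_entitlements))
+)
+if secure_features_entitlements:
+forced_plists.append(struct(**secure_features_entitlements))
 
 inputs = list(plists)
 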
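Review bot: Dropping `apple_xplat_toolchain_info` from the `_process_entitlements` signature (old line 206) will break any caller that still passes it by keyword, because Starlark rejects an unexpected keyword argument at analysis time. The six `process_entitlements` call sites in `ios_rules.bzl` are updated in this commit, but the call sites in the other platform rule files are not in this view and should be confirmed to drop the argument in the same change. The body of `_process_entitlements` starts before and continues after the last hunk.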

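--- a/apple/internal/ios_rules.bzl
+++ b/apple/internal/ios_rules.bzl
@@ -122,6 +122,10 @@ load(
 "//apple/internal:run_support.bzl",
 "run_support",
 )
+load(
+"//apple/internal:secure_features_support.bzl",
+"secure_features_support",
+)
 load(
 "//apple/internal:stub_support.bzl",
 "stub_support",
@@ -232,7 +236,6 @@ def _ios_application_impl(ctx):
 entitlements = entitlements_support.process_entitlements(
 actions = actions,
 apple_mac_toolchain_info = apple_mac_toolchain_info,
-apple_xplat_toolchain_info = apple_xplat_toolchain_info,
 bundle_id = bundle_id,
 cc_configured_features_init = features_support.make_cc_configured_features_init(ctx),
 cc_toolchains = cc_toolchain_forwarder,
@@ -628,7 +631,6 @@ def _ios_app_clip_impl(ctx):
 entitlements = entitlements_support.process_entitlements(
 actions = actions,
 apple_mac_toolchain_info = apple_mac_toolchain_info,
-apple_xplat_toolchain_info = apple_xplat_toolchain_info,
 bundle_id = bundle_id,
 cc_configured_features_init = features_support.make_cc_configured_features_init(ctx),
 cc_toolchains = cc_toolchain_forwarder,
@@ -1202,7 +1204,6 @@ def _ios_extension_impl(ctx):
 entitlements = entitlements_support.process_entitlements(
 actions = actions,
 apple_mac_toolchain_info = apple_mac_toolchain_info,
-apple_xplat_toolchain_info = apple_xplat_toolchain_info,
 bundle_id = bundle_id,
 cc_configured_features_init = features_support.make_cc_configured_features_init(ctx),
 cc_toolchains = cc_toolchain_forwarder,
@@ -1749,6 +1750,7 @@ def _ios_static_framework_impl(ctx):
 apple_mac_toolchain_info = ctx.attr._mac_toolchain[AppleMacToolsToolchainInfo]
 apple_xplat_toolchain_info = ctx.attr._xplat_toolchain[AppleXPlatToolsToolchainInfo]
 avoid_deps = ctx.attr.avoid_deps
+cc_configured_features_init = features_support.make_cc_configured_features_init(ctx)
 cc_toolchain_forwarder = ctx.split_attr._cc_toolchain_forwarder
 deps = ctx.attr.deps
 label = ctx.label
@@ -1779,6 +1781,15 @@ def _ios_static_framework_impl(ctx):
 xcode_version_config = ctx.attr._xcode_config[apple_common.XcodeVersionConfig],
 )
 resource_deps = ctx.attr.deps + ctx.attr.resources
+secure_features = ctx.attr.secure_features
+
+# Check that the requested secure features are supported and enabled for the toolchain.
+secure_features_support.validate_secure_features_support(
+cc_configured_features_init = cc_configured_features_init,
+cc_toolchain_forwarder = cc_toolchain_forwarder,
+rule_label = label,
+secure_features = secure_features,
+)
 
 archive_result = linking_support.register_static_library_archive_action(
 ctx = ctx,
@@ -1962,7 +1973,6 @@ app an implementation.
 entitlements = entitlements_support.process_entitlements(
 actions = actions,
 apple_mac_toolchain_info = apple_mac_toolchain_info,
-apple_xplat_toolchain_info = apple_xplat_toolchain_info,
 bundle_id = bundle_id,
 cc_configured_features_init = features_support.make_cc_configured_features_init(ctx),
 cc_toolchains = cc_toolchain_forwarder,
@@ -2174,7 +2184,6 @@ def _ios_imessage_extension_impl(ctx):
 entitlements = entitlements_support.process_entitlements(
 actions = actions,
 apple_mac_toolchain_info = apple_mac_toolchain_info,
-apple_xplat_toolchain_info = apple_xplat_toolchain_info,
 bundle_id = bundle_id,
 cc_configured_features_init = features_support.make_cc_configured_features_init(ctx),
 cc_toolchains = cc_toolchain_forwarder,
@@ -2451,7 +2460,6 @@ def _ios_sticker_pack_extension_impl(ctx):
 entitlements = entitlements_support.process_entitlements(
 actions = actions,
 apple_mac_toolchain_info = apple_mac_toolchain_info,
-apple_xplat_toolchain_info = apple_xplat_toolchain_info,
 bundle_id = bundle_id,
 cc_configured_features_init = features_support.make_cc_configured_features_init(ctx),
 cc_toolchains = cc_toolchain_forwarder,
@@ -3072,6 +3080,12 @@ fashion, such as a Cocoapod.
 A list of `.h` files that will be publicly exposed by this framework. These headers should have
 framework-relative imports, and if non-empty, an umbrella header named `%{bundle_name}.h` will also
 be generated that imports all of the headers listed here.
+""",
+),
+"secure_features": attr.string_list(
+doc = """
+A list of strings representing Apple Enhanced Security crosstool features that should be enabled for
+this target.
 """,
 ),
 "umbrella_header": attr.label(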
