Harden DLL loading, enable SSL for pcm-sensor-server on Windows CI

Security:
- Add SetDefaultDllDirectories(LOAD_LIBRARY_SEARCH_SYSTEM32) to PCM_SET_DLL_DIR
  macro in utils.h to prevent DLL planting attacks (CWE-427)
- Update WINDOWS_HOWTO.md with DLL planting prevention guidance

SSL enablement:
- Set OPENSSL_ROOT_DIR and pass LIB_EAY_RELEASE/SSL_EAY_RELEASE to CMake so
  FindOpenSSL locates the static libraries in lib/VC/x64/MT/
- Remove premature include(FindOpenSSL) from src/CMakeLists.txt
- Link crypt32 and ws2_32 on MSVC for static OpenSSL dependencies

Author: markovamaria

.github/workflows/ci-windows.yml

@@ -8,6 +8,7 @@ on:
 
 env:
   BUILD_TYPE: Release
+  OPENSSL_ROOT_DIR: "C:\\Program Files\\OpenSSL-Win64"
 
 permissions:
   contents: read
@@ -30,7 +31,11 @@ jobs:
     - name: Configure CMake
       run: |
         if (Test-Path ${{github.workspace}}\build){ Remove-Item ${{github.workspace}}\build -Recurse }
-        cmake -B ${{github.workspace}}\build
+        $cryptoLib = "$env:OPENSSL_ROOT_DIR\lib\VC\x64\MT\libcrypto_static.lib"
+        $sslLib = "$env:OPENSSL_ROOT_DIR\lib\VC\x64\MT\libssl_static.lib"
+        cmake -B ${{github.workspace}}\build `
+          -DLIB_EAY_RELEASE:FILEPATH="$cryptoLib" `
+          -DSSL_EAY_RELEASE:FILEPATH="$sslLib"
     - name: Build
       run: |
         cmake --build ${{github.workspace}}\build --config ${{env.BUILD_TYPE}} --parallel

doc/WINDOWS_HOWTO.md

@@ -122,7 +122,7 @@ Starting from this release, **pcm-sensor-server** is now supported on Windows. T
 
 ### Running pcm-sensor-server on Windows
 
-1. Choose or create a directory for PCM (e.g., `C:\Program Files\PCM\` or `C:\Program Files (x86)\PCM\`). Copy `msr.sys` and `pcm-sensor-server.exe` to this directory.
+1. Create a directory for PCM in a protected location (e.g., `C:\Program Files\PCM\` or `C:\Program Files (x86)\PCM\`). Copy `msr.sys` and `pcm-sensor-server.exe` to this directory. **Important:** Do not place PCM binaries in user-writable directories (e.g., Downloads, Desktop, `C:\Users\Public\`) to prevent DLL planting attacks.
 
 2. Run as Administrator (required for MSR access):
    ```

src/CMakeLists.txt

@@ -1,8 +1,6 @@
 # SPDX-License-Identifier: BSD-3-Clause
 # Copyright (c) 2022-2025, Intel Corporation
 
-include(FindOpenSSL)
-
 # All pcm-* executables
 set(PROJECT_NAMES pcm pcm-numa pcm-latency pcm-power pcm-msr pcm-memory pcm-tsx pcm-pcie pcm-core pcm-iio pcm-pcicfg pcm-mmio pcm-tpmi pcm-raw pcm-accel pcm-sensor-server)
 
@@ -220,6 +218,10 @@ if(PCM_BUILD_EXECUTABLES)
               message(STATUS "OpenSSL version ${OPENSSL_VERSION} >= ${MINIMUM_OPENSSL_VERSION}, OpenSSL support enabled")
               target_compile_options(${PROJECT_NAME} PRIVATE "-DUSE_SSL")
               set(LIBS ${LIBS} OpenSSL::SSL OpenSSL::Crypto)
+              if(MSVC)
+                # Static OpenSSL on Windows depends on these system libraries
+                set(LIBS ${LIBS} crypt32 ws2_32)
+              endif()
             else()
               message(STATUS "OpenSSL support has been disabled, the version is less than ${MINIMUM_OPENSSL_VERSION}")
             endif()

src/utils.h

@@ -87,7 +87,10 @@ namespace pcm {
 }
 
 #ifdef _MSC_VER
-#define PCM_SET_DLL_DIR SetDllDirectory(_T(""));
+// Security hardening: remove the current working directory from the DLL search
+// order to prevent DLL planting attacks (CWE-427). This ensures DLLs are only
+// loaded from trusted system directories.
+#define PCM_SET_DLL_DIR SetDllDirectory(_T("")); SetDefaultDllDirectories(LOAD_LIBRARY_SEARCH_SYSTEM32);
 #else
 #define PCM_SET_DLL_DIR
 #endif