Merged PR 7833797: Fix broken 32-bit Linux pipeline. Refactor toolchain files.

!7775773 added a CI build for 32-bit Linux, but the unit tests didn't run correctly due to a mismatch in architecture names. This PR fixes that issue and refactors a number of other things in our CMakeLists and ADO template to make it more flexible and separate out different parameters that were being used as proxies for each other.

- Removed platform and architecture from output paths. CMake requires separate top-level build directories for each platform and architecture, so including the platform and architecture as subdirectories of the build directory provides no benefit and complicates the process of invoking the unit test.
- Separated whether to use ASM optimizations from environment definition. Previously we were assuming that the Generic environment implied no ASM optimizations and vice versa, so e.g. building with the `LinuxUserMode` environment but no ASM optimizations was not well-supported. Added a new CMake variable `SYMCRYPT_USE_ASM` for this (defaults to enabled).
- Added `SYMCRYPT_FIPS_BUILD` CMake variable which can be used to specify whether or not FIPS integrity verification and self-tests will be run in the Linux modules (defaults to enabled).
- No longer running perf tests in CI builds since they take a long time and we don't use CI builds for perf comparisons.

Author: mlindgren

CMakeLists.txt

@@ -2,6 +2,7 @@ cmake_minimum_required(VERSION 3.13.0)
 
 if(WIN32)
     # Require Windows 10 SDK version 18362 for BCRYPT_TLS_CBC_HMAC_VERIFY_FLAG
+    # Must be done before the "project" directive
     set(CMAKE_SYSTEM_VERSION 10.0.18362)
 endif()
 
@@ -24,140 +25,46 @@ project(SymCrypt
     DESCRIPTION "Cryptographic library"
     HOMEPAGE_URL "https://github.com/microsoft/SymCrypt")
 
-if(NOT CMAKE_BUILD_TYPE)
-  set(CMAKE_BUILD_TYPE Debug)
+option(
+    SYMCRYPT_USE_ASM
+    "When enabled, SymCrypt will use ASM implementations of performance-critical functions where available.
+    Not supported on all platforms/architectures."
+    ON)
+
+if(NOT SYMCRYPT_USE_ASM)
+    add_compile_options("-DSYMCRYPT_IGNORE_PLATFORM")
 endif()
 
-# SYMCRYPT_TARGET_ENV should be set by the toolchain file. If no toolchain file is specified, we will build
-# with no CPU-specific optimizations. Some toolchain files may require additional arguments; see the files
-# under cmake-toolchain for more information.
-if(NOT SYMCRYPT_TARGET_ENV)
-    message(STATUS "No toolchain file specified (or toolchain file did not set SYMCRYPT_TARGET_ENV).")
-    message(STATUS "Building for generic environment with SYMCRYPT_IGNORE_PLATFORM.")
-    set(SYMCRYPT_TARGET_ENV Generic)
-    add_compile_options(-DSYMCRYPT_IGNORE_PLATFORM)
-else()
-    # Just to avoid an unused variable warning
-    message(STATUS "Using toolchain file: ${CMAKE_TOOLCHAIN_FILE}.")
+option(
+    SYMCRYPT_FIPS_BUILD
+    "When enabled, SymCrypt will build FIPS-compliant modules with self-tests enabled. Not supported on all platforms/architectures.
+    On Windows, this option is ignored, as self-tests are performed at a higher layer."
+    ON)
+
+if(SYMCRYPT_FIPS_BUILD)
+    add_compile_options(-DSYMCRYPT_DO_FIPS_SELFTESTS=1)
+endif()
+
+include(${CMAKE_SOURCE_DIR}/cmake-configs/SymCrypt-Platforms.cmake)
+
+if(NOT DEFINED CMAKE_BUILD_TYPE)
+  set(CMAKE_BUILD_TYPE Debug)
 endif()
 
 message(STATUS "Host: ${CMAKE_HOST_SYSTEM_NAME} ${CMAKE_HOST_SYSTEM_PROCESSOR}")
-message(STATUS "Target: ${CMAKE_SYSTEM_NAME} ${CMAKE_SYSTEM_PROCESSOR} ${SYMCRYPT_TARGET_ENV}")
+message(STATUS "Target: ${CMAKE_SYSTEM_NAME} ${SYMCRYPT_TARGET_ARCH} ${SYMCRYPT_TARGET_ENV}")
+message(STATUS "ASM optimizations: ${SYMCRYPT_USE_ASM}")
+message(STATUS "FIPS build: ${SYMCRYPT_FIPS_BUILD}")
 
 # Set output directories binaries
-set(CMAKE_ARCHIVE_OUTPUT_DIRECTORY ${CMAKE_BINARY_DIR}/lib/${CMAKE_SYSTEM_PROCESSOR}/${SYMCRYPT_TARGET_ENV})
-set(CMAKE_LIBRARY_OUTPUT_DIRECTORY ${CMAKE_BINARY_DIR}/module/${CMAKE_SYSTEM_PROCESSOR}/${SYMCRYPT_TARGET_ENV})
-set(CMAKE_RUNTIME_OUTPUT_DIRECTORY ${CMAKE_BINARY_DIR}/exe/${CMAKE_SYSTEM_PROCESSOR}/${SYMCRYPT_TARGET_ENV})
-
-if(WIN32)
-    if(NOT SYMCRYPT_TARGET_ENV MATCHES "Generic")
-        # Enable ASM_MASM. Annoyingly, this has to be done in the main CMake file rather than in the
-        # toolchain file
-        enable_language(ASM_MASM)
-    endif()
-    add_compile_options(/MP)
-    add_compile_options(/Zp8)
-    # Remove /RTC1, incompatible of /Ox
-    string( REPLACE "/RTC1" "" CMAKE_CXX_FLAGS_DEBUG ${CMAKE_CXX_FLAGS_DEBUG})
-    string( REPLACE "/RTC1" "" CMAKE_C_FLAGS_DEBUG ${CMAKE_C_FLAGS_DEBUG})
-    string( REPLACE "/RTC1" "" CMAKE_CXX_FLAGS_RELEASE ${CMAKE_CXX_FLAGS_RELEASE})
-    string( REPLACE "/RTC1" "" CMAKE_C_FLAGS_RELEASE ${CMAKE_C_FLAGS_RELEASE})
-    # /Od incompatible with /Ox
-    string( REPLACE "/Od" "" CMAKE_CXX_FLAGS_DEBUG ${CMAKE_CXX_FLAGS_DEBUG})
-    string( REPLACE "/Od" "" CMAKE_C_FLAGS_DEBUG ${CMAKE_C_FLAGS_DEBUG})
-    string( REPLACE "/Od" "" CMAKE_CXX_FLAGS_RELEASE ${CMAKE_CXX_FLAGS_RELEASE})
-    string( REPLACE "/Od" "" CMAKE_C_FLAGS_RELEASE ${CMAKE_C_FLAGS_RELEASE})
-
-    if(CMAKE_BUILD_TYPE MATCHES Release)
-        add_compile_options(/Oxs)
-        add_compile_options(/GL)
-        add_compile_options(/GF)
-        add_compile_options(/Gy)
-        add_compile_options(/Gw)
-    endif()
-else()
-    if(NOT SYMCRYPT_TARGET_ENV MATCHES "Generic")
-        enable_language(ASM)
-        # Suppress noisy warnings about compile options which are ignored for ASM
-        # Less messy than restricting most of the below options to only C/CXX!
-        add_compile_options($<$<COMPILE_LANGUAGE:ASM>:-Wno-unused-command-line-argument>)
-    endif()
-    # add_compile_options(-Wall)
-    # add_compile_options(-Wno-unknown-pragmas)
-    add_compile_options(-Wno-deprecated-declarations -Wno-deprecated)
-    add_compile_options(-g)
-    add_compile_options(-Wno-multichar)
-    add_compile_options(-fPIC)
-    add_compile_options(-fno-plt)
-    add_compile_options(-fno-builtin-bcmp)
-
-    # Required for cross-compiling from AMD64 to ARM64
-    # Avoids error: cast from pointer to smaller type 'uintptr_t' when including <memory> from aarch64-linux-gnu
-    add_compile_options(-fms-extensions)
-
-    # GCC and clang unroll more aggressively than they should for best performance
-    # When we want to unroll loops, we unroll in the source code, so tell the compiler not to unroll
-    # (clang seems to respect this option globally, but I could only make GCC behave in AES-GCM by
-    # using GCC-specific pragmas for the loops of interest)
-    add_compile_options(-fno-unroll-loops)
-
-    # Do not optimize Debug builds
-    if (CMAKE_BUILD_TYPE MATCHES Debug)
-        add_compile_options(-O0)
-    else()
-        add_compile_options(-O3)
-    endif()
-
-    # In Sanitize version, enable sanitizers
-    if (CMAKE_BUILD_TYPE MATCHES Sanitize)
-        add_compile_options(-fsanitize=address)
-        add_compile_options(-fsanitize=leak)
-
-        # add_compile_options(-fsanitize=undefined)
-        # Not using undefined as we do not want to include alignment sanitizer
-        add_compile_options(-fsanitize=bool)
-        add_compile_options(-fsanitize=builtin)
-        add_compile_options(-fsanitize=bounds)
-        add_compile_options(-fsanitize=enum)
-        add_compile_options(-fsanitize=float-cast-overflow)
-        add_compile_options(-fsanitize=float-divide-by-zero)
-        add_compile_options(-fsanitize=integer-divide-by-zero)
-        add_compile_options(-fsanitize=nonnull-attribute)
-        add_compile_options(-fsanitize=pointer-overflow)
-        add_compile_options(-fsanitize=return)
-        add_compile_options(-fsanitize=returns-nonnull-attribute)
-        add_compile_options(-fsanitize=shift)
-        add_compile_options(-fsanitize=signed-integer-overflow)
-        add_compile_options(-fsanitize=unreachable)
-        add_compile_options(-fsanitize=vla-bound)
-        add_compile_options(-fsanitize=vptr)
-        add_compile_options(-fno-sanitize-recover=all)
-        add_link_options(-fsanitize=address)
-        add_link_options(-fsanitize=leak)
-        add_link_options(-fsanitize=bool)
-        add_link_options(-fsanitize=builtin)
-        add_link_options(-fsanitize=bounds)
-        add_link_options(-fsanitize=enum)
-        add_link_options(-fsanitize=float-cast-overflow)
-        add_link_options(-fsanitize=float-divide-by-zero)
-        add_link_options(-fsanitize=integer-divide-by-zero)
-        add_link_options(-fsanitize=nonnull-attribute)
-        add_link_options(-fsanitize=pointer-overflow)
-        add_link_options(-fsanitize=return)
-        add_link_options(-fsanitize=returns-nonnull-attribute)
-        add_link_options(-fsanitize=shift)
-        add_link_options(-fsanitize=signed-integer-overflow)
-        add_link_options(-fsanitize=unreachable)
-        add_link_options(-fsanitize=vla-bound)
-        add_link_options(-fsanitize=vptr)
-        add_link_options(-fno-sanitize-recover=all)
-    endif()
-endif()
+set(CMAKE_ARCHIVE_OUTPUT_DIRECTORY ${CMAKE_BINARY_DIR}/lib)
+set(CMAKE_LIBRARY_OUTPUT_DIRECTORY ${CMAKE_BINARY_DIR}/module)
+set(CMAKE_RUNTIME_OUTPUT_DIRECTORY ${CMAKE_BINARY_DIR}/exe)
 
 if(CMAKE_BUILD_TYPE MATCHES Release)
-    message("Release mode")
+    message(STATUS "Release mode")
 else()
-    message("Debug mode")
+    message(STATUS "Debug mode")
     add_compile_options(-DDBG=1)
 endif()
 

README.md

@@ -45,9 +45,9 @@ be portable to various architectures. However, they do not offer optimal perform
 advantage of CPU-specific optimizations. To that end, we also have hand-written assembly implementations of
 performance-critical internal functions. Our CMake build scripts do not currently support ASM optimizations on all
 combinations of architectures and platforms; the Build Instructions section below lists some of the currently supported
-combinations, and we're working on adding support for more.
+combinations, and we're working on adding support for more. 
 
-The ability to build SymCrypt on any particular platform or architecture, with or without CPU optimizations, does not
+The ability to build SymCrypt on any particular platform or architecture, with or without ASM optimizations, does not
 imply that it has been tested for or is actively supported by Microsoft on that platform/architecture. While we make
 every effort to ensure that SymCrypt is reliable, stable and bug-free on every platform we run on, the code in this
 repository is provided *as is*, without warranty of any kind, express or implied, including but not limited to the
@@ -57,24 +57,22 @@ warranties of merchantability, fitness for a particular purpose and noninfringem
 1. For Microsoft employees building the library internally, to include msbignum and RSA32 implementation benchmarks in the unit tests:
     1. Make sure the SymCryptDependencies submodule is initialized by following the steps above (`git submodule update --init`)
     1. In step 4 below, add the additional cmake argument `-DSYMCRYPT_INTERNAL_BUILD=1`
-1. `mkdir bin; cd bin`
-1. Use the appropriate CMake arguments to specify which architecture you want to compile for:
-    * For x86-64 Windows targets: `cmake .. -DCMAKE_TOOLCHAIN_FILE="../cmake-toolchain/WindowsUserMode-AMD64.cmake"`
-    * For x86 Windows targets: `cmake .. -DCMAKE_TOOLCHAIN_FILE="../cmake-toolchain/WindowsUserMode-X86.cmake" -A Win32`
-    * For x86-64 Linux targets: `cmake .. -DCMAKE_TOOLCHAIN_FILE="../cmake-toolchain/LinuxUserMode-AMD64.cmake"`
-    * For x86 Linux targets **no ASM optimizations**: `cmake .. -DCMAKE_TOOLCHAIN_FILE="../cmake-toolchain/LinuxUserMode-X86.cmake"`
-    * For ARM64 Linux targets: `cmake .. -DCMAKE_TOOLCHAIN_FILE="../cmake-toolchain/LinuxUserMode-ARM64.cmake"`
-    * To use the host system architecture **with no ASM optimizations**: `cmake ..`
-    * Optionally, for a release build, specify `-DCMAKE_BUILD_TYPE=Release`
-1. `cmake --build .`
+1. Run `cmake -S . -B bin` to configure your build. You can add the following optional CMake arguments to change build options:
+    * `-DSYMCRYPT_TARGET_ARCH=<AMD64|X86|ARM64>` to choose a target architecture. If not specified, it will default to the host system architecture.
+      * To cross-compile for Windows X86 from Windows AMD64, you must also use `-A Win32`
+      * To cross-compile for Linux ARM64, you must also use `--toolchain=cmake-configs/Toolchain-Clang-ARM64.cmake`
+    * `-DSYMCRYPT_USE_ASM=<ON|OFF>` to choose whether to use assembly optimizations. Defaults to `ON`. 
+    * `-DSYMCRYPT_FIPS_BUILD=<ON|OFF>` to choose whether to enable FIPS self-tests in the SymCrypt shared object module. Defaults to `ON`. Currently only affects Linux builds.
+    * For a release build, specify `-DCMAKE_BUILD_TYPE=Release`
+1. `cmake --build bin`
     * Optionally, for a release build on Windows, specify `--config Release`
     * Optionally specify `-jN` where N is the number of processes you wish to spawn for the build
 
 After successful compilation, the generated binaries will be placed in the following directories relative
 to your build directory:
-* `lib/\<arch\>/\<environment\>/` - static libraries
-* `module\<arch\>/\<environment\>/` - shared object libraries (currently only on Linux)
-* `exe/\<arch\>/\<environment\>/` - unit tests
+* `lib` - static libraries
+* `module` - shared object libraries (currently only on Linux)
+* `exe` - unit tests
 
 # Testing
 The SymCrypt unit test runs extensive functional tests on the SymCrypt library. On Windows it also compares results