Rework Buildtime Random Stack Cookie Values to Improve Incremental Build Times and Ensure Binary Reproducibility

BaseTools/Source/Python/AutoGen/GenC.py

@@ -21,7 +21,10 @@
 from .GenPcdDb import CreatePcdDatabaseCode
 from .IdfClassObject import *
 
-import secrets # MU_CHANGE: Add Stack Cookie Support
+# MU_CHANGE [BEGIN]: Add build-time random stack cookie support
+import json
+import secrets
+# MU_CHANGE [END]
 
 ## PCD type string
 gItemTypeStringDatabase  = {
@@ -2047,21 +2050,38 @@ def CreateFooterCode(Info, AutoGenC, AutoGenH):
 def CreateCode(Info, AutoGenC, AutoGenH, StringH, UniGenCFlag, UniGenBinBuffer, StringIdf, IdfGenCFlag, IdfGenBinBuffer):
     CreateHeaderCode(Info, AutoGenC, AutoGenH)
 
-    # MU_CHANGE [START]: Add Stack Cookie Support
+    # MU_CHANGE [BEGIN]: Add build-time random stack cookie support
     if Info.ModuleType != SUP_MODULE_HOST_APPLICATION:
         if Info.Arch not in ['X64', 'IA32', 'ARM', 'AARCH64']:
             EdkLogger.error("build", AUTOGEN_ERROR, "Unsupported Arch %s" % Info.Arch, ExtraData="[%s]" % str(Info))
         else:
             Bitwidth = 64 if Info.Arch == 'X64' or Info.Arch == 'AARCH64' else 32
 
-        CookieValue = secrets.randbelow(0xFFFFFFFFFFFFFFFF if Bitwidth == 64 else 0xFFFFFFFF)
+        if GlobalData.gStackCookieValues64 == [] and os.path.exists(os.path.join(Info.PlatformInfo.BuildDir, "StackCookieValues64.json")):
+            with open (os.path.join(Info.PlatformInfo.BuildDir, "StackCookieValues64.json"), "r") as file:
+                GlobalData.gStackCookieValues64 = json.load(file)
+        if GlobalData.gStackCookieValues32 == [] and os.path.exists(os.path.join(Info.PlatformInfo.BuildDir, "StackCookieValues32.json")):
+            with open (os.path.join(Info.PlatformInfo.BuildDir, "StackCookieValues32.json"), "r") as file:
+                GlobalData.gStackCookieValues32 = json.load(file)
+
+        try:
+            if Bitwidth == 32:
+                CookieValue = int(GlobalData.gStackCookieValues32[hash(Info.Guid) % len(GlobalData.gStackCookieValues32)])
+            else:
+                CookieValue = int(GlobalData.gStackCookieValues64[hash(Info.Guid) % len(GlobalData.gStackCookieValues64)])
+        except:
+            EdkLogger.error("build", AUTOGEN_ERROR, "Failed to get Stack Cookie Value List! Generating random value.", ExtraData="[%s]" % str(Info))
+            if Bitwidth == 32:
+                CookieValue = secrets.randbelow (0xFFFFFFFF)
+            else:
+                CookieValue = secrets.randbelow (0xFFFFFFFFFFFFFFFF)
 
         AutoGenH.Append((
             '#define STACK_COOKIE_VALUE 0x%XULL\n' % CookieValue
             if Bitwidth == 64 else
             '#define STACK_COOKIE_VALUE 0x%X\n' % CookieValue
         ))
-    # MU_CHANGE [END]: Add Stack Cookie Support
+    # MU_CHANGE [END]
 
     CreateGuidDefinitionCode(Info, AutoGenC, AutoGenH)
     CreateProtocolDefinitionCode(Info, AutoGenC, AutoGenH)

BaseTools/Source/Python/Common/GlobalData.py

@@ -123,3 +123,7 @@
 # Common lock for the file access in multiple process AutoGens
 file_lock = None
 gLogLibraryMismatch = True # MU_CHANGE
+# MU_CHANGE [BEGIN]: Add build-time random stack cookie support
+gStackCookieValues32 = []
+gStackCookieValues64 = []
+# MU_CHANGE [END]

BaseTools/Source/Python/build/build.py

@@ -29,6 +29,10 @@
 from subprocess import Popen,PIPE, STDOUT
 from collections import OrderedDict, defaultdict
 import pathlib
+# MU_CHANGE [BEGIN]: Add build-time random stack cookie support
+import json
+import secrets
+# MU_CHANGE [END]
 
 from AutoGen.PlatformAutoGen import PlatformAutoGen
 from AutoGen.ModuleAutoGen import ModuleAutoGen
@@ -307,6 +311,24 @@ def LaunchCommand(Command, WorkingDir,ModuleAuto = None):
         iau.CreateDepsTarget()
     return "%dms" % (int(round((time.time() - BeginTime) * 1000)))
 
+# MU_CHANGE [BEGIN]: Add build-time random stack cookie support
+def GenerateStackCookieValues():
+    if GlobalData.gBuildDirectory == "":
+        return
+
+    # Check if the 32 bit values array needs to be created
+    if not os.path.exists(os.path.join(GlobalData.gBuildDirectory, "StackCookieValues32.json")):
+        StackCookieValues32 = [secrets.randbelow(0xFFFFFFFF) for _ in range(0, 100)]
+        with open (os.path.join(GlobalData.gBuildDirectory, "StackCookieValues32.json"), "w") as file:
+            json.dump(StackCookieValues32, file)
+
+    # Check if the 64 bit values array needs to be created
+    if not os.path.exists(os.path.join(GlobalData.gBuildDirectory, "StackCookieValues64.json")):
+        StackCookieValues64 = [secrets.randbelow(0xFFFFFFFFFFFFFFFF) for _ in range(0, 100)]
+        with open (os.path.join(GlobalData.gBuildDirectory, "StackCookieValues64.json"), "w") as file:
+            json.dump(StackCookieValues64, file)
+# MU_CHANGE [END]
+
 ## The smallest unit that can be built in multi-thread build mode
 #
 # This is the base class of build unit. The "Obj" parameter must provide
@@ -1848,6 +1870,7 @@ def _BuildPlatform(self):
                         self.UniFlag,
                         self.Progress
                         )
+                GenerateStackCookieValues() # MU_CHANGE [BEGIN]: Add build-time random stack cookie support
                 self.Fdf = Wa.FdfFile
                 self.LoadFixAddress = Wa.Platform.LoadFixAddress
                 self.BuildReport.AddPlatformReport(Wa)
@@ -2200,7 +2223,8 @@ def PerformAutoGen(self,BuildTarget,ToolChain):
                 self.SkuId,
                 self.UniFlag,
                 self.Progress
-                )
+                )        
+        GenerateStackCookieValues() # MU_CHANGE [BEGIN]: Add build-time random stack cookie support
         self.Fdf = Wa.FdfFile
         self.LoadFixAddress = Wa.Platform.LoadFixAddress
         self.BuildReport.AddPlatformReport(Wa)